Allowing Users to Security & Privacy but grey out change password

Steven_jamf
New Contributor

Hi All,

Pretty much at the moment I've enable a deny access to the security and privacy tab in system preferences. We have mainly done this to stop the users changing their password. But this however is really annoying if a user needs to grant permission to an app to allow microphone access, camera access and the rest.

Is there any work around where I can allow users to this but grey out the change password option under security & privacy > general > change password

10 REPLIES 10

Steven_jamf
New Contributor

501bde4faaed4cc0a17ba7c198b1581e

talkingmoose
Moderator
Moderator

I'm curious why you want to prevent users from changing their own passwords. Administrators have access to everything users can access without knowing their passwords or forcing the same password for every user.

If you're binding to Active Directory, you can specify there that a user's password cannot be changed. Or you may be interested in looking at the pwpolicy command line tool. It appears to have a canModifyPasswordforSelf policy, although it's considered "legacy".

reidg
New Contributor III

@Steven.jamf did you ever find a way to do this?

@talkingmoose our Identity and Access Management team is rolling out a new IAM system that requires all users to change their passwords through their web interface. I am not sure of the details of why they require that but we have to disable the Ctrl-Alt-Del option on Windows, too.

Heavy_D
Contributor III

Man I am also curious on a way of doing the same. On my end we use NoMad that will eventually be subsided by JAMF Connect but for now I have employees who still on occasion not all who change their passwords using System Preferences messing up the FV Encryption and Login of their machines. I then have to fix it with a script deployed to SelfService that does some DiskUtil actions. But I feel if I can just grey our the option not the whole section altogether it would stop that from happening.

Any solution found?

knuckle-sndwich
New Contributor

Having the option to "change password" greyed out/blocked within System Preferences under both User & Groups as well as Security & Privacy is useful for any admin that is utilizing JAMF connect and does not want their laptop users to accidentally mess up the password change workflow. 

To block both options, first create plists for the following two payloads (preference domains).

com.apple.preference.security

<?xml version=”1.0” encoding=”UTF-8”?>
<!DOCTYPE plist PUBLIC “-//Apple//DTD PLIST 1.0//EN” “http://www.apple.com/DTDs/PropertyList-1.0.dtd”>
<plist version=”1.0”>
 <dict>
 <key>dontAllowPasswordResetUI</key>
 <true/>
</dict>
</plist>

 

com.apple.loginwindow

<?xml version=”1.0” encoding=”UTF-8”?>
<!DOCTYPE plist PUBLIC “-//Apple//DTD PLIST 1.0//EN” “http://www.apple.com/DTDs/PropertyList-1.0.dtd”>
<plist version=”1.0”>
 <dict>
 <key>ChangePasswordDisabled</key>
 <true/>
 </dict>
</plist>

 

In JAMF go to configuration profiles > New > Application & Custom Settings > Upload > add both plists above > scope to devices.

Here is a screen shot of what mine looks like:

JAMF pro settings for blocking local password changesJAMF pro settings for blocking local password changes

 And the final result:

system preferences "change password" greyed outsystem preferences "change password" greyed out

 

This is great! Adding the Plist was a success and worked beautifully. Thank you!

Still works great on Ventura. @knuckle-sndwich , where did you find this com.apple.loginwindow key value?

<key>ChangePasswordDisabled</key>

Even Apple's documentation for LoginWindow doesn't list this key even though it definitely works. Is there a way to find out other "undocumented" keys? 

https://developer.apple.com/documentation/devicemanagement/loginwindow

JBartkowiak
New Contributor II

Hi Friends, Hey is this still the best way to make this happen with current OS and such? Thanks so much!

Sven_S
New Contributor III

Hi JBartkowiak, this works still with macOS Sonoma. You can skip one PLIST though and lock "User & Groups" through the GUI of the Restrictions-Payload (Preferences, Restricts items in System Preferences, disable selected items, User & Groups). I'm still using the PLIST for com.apple.preference.security because I don't want to lock down the whole menu but only the change password option.
Bildschirmfoto 2023-11-17 um 10.03.25.png