Pretty much at the moment I've enabled a deny access to the security and privacy tab in system preferences. We have mainly done this to stop the users changing their password. But this however is really annoying if a user needs to grant permission to an app to allow microphone access, camera access and the rest.
Is there any workaround where I can allow users to do this but grey out the change password option under Security & Privacy > General > Change Password?
I'm curious why you want to prevent users from changing their own passwords. Administrators have access to everything users can access without knowing their passwords or forcing the same password for every user.
If you're binding to Active Directory, you can specify there that a user's password cannot be changed. Or you may be interested in looking at the pwpolicy command line tool. It appears to have a canModifyPasswordforSelf policy, although it's considered "legacy".
@Steven.jamf did you ever find a way to do this?
@talkingmoose our Identity and Access Management team is rolling out a new IAM system that requires all users to change their passwords through their web interface. I am not sure of the details of why they require that but we have to disable the Ctrl-Alt-Del option on Windows, too.
Man, I am also curious about a way of doing the same. On my end we use NoMad that will eventually be subsided by JAMF Connect, but for now I have employees who still on occasion (not all) change their passwords using System Preferences, messing up the FV Encryption and Login of their machines. I then have to fix it with a script deployed to SelfService that does some DiskUtil actions. But I feel if I can just grey out the option, not the whole section altogether, it would stop that from happening.
Having the option to "change password" greyed out/blocked within System Preferences under both User & Groups as well as Security & Privacy is useful for any admin that is utilizing JAMF connect and does not want their laptop users to accidentally mess up the password change workflow.
To block both options, first create plists for the following two payloads (preference domains).
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>dontAllowPasswordResetUI</key>
    <true/>
</dict>
</plist>

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>ChangePasswordDisabled</key>
    <true/>
</dict>
</plist>
In JAMF go to configuration profiles > New > Application & Custom Settings > Upload > add both plists above > scope to devices.
Here is a screen shot of what mine looks like:
And the final result:
Still works great on Ventura. @knuckle-sndwich, where did you find this com.apple.loginwindow key value?
Even Apple's documentation for LoginWindow doesn't list this key even though it definitely works. Is there a way to find out other "undocumented" keys?
Hi JBartkowiak, this works still with macOS Sonoma. You can skip one PLIST though and lock "User & Groups" through the GUI of the Restrictions-Payload (Preferences, Restricts items in System Preferences, disable selected items, User & Groups). I'm still using the PLIST for com.apple.preference.security because I don't want to lock down the whole menu but only the change password option.
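An added example, not code from any poster in this thread: a Python check that a plist parses before it is uploaded (curly quotes pasted from a web page make it invalid XML) and that both keys are enforced once the profile is installed. The pairing of each key with its preference domain is inferred from the domains named in the thread, and /Library/Managed Preferences as the on-disk location for computer-level managed settings is an assumption.

```python
import plistlib
import tempfile
from pathlib import Path

# Domain -> key pairing inferred from the thread (assumption, not stated verbatim).
EXPECTED = {
    "com.apple.preference.security": "dontAllowPasswordResetUI",
    "com.apple.loginwindow": "ChangePasswordDisabled",
}
# Assumed location of computer-level managed preferences on macOS.
MANAGED_DIR = Path("/Library/Managed Preferences")


def build_payload(key):
    """Serialize a one-key XML plist suitable for upload as custom settings."""
    return plistlib.dumps({key: True}, fmt=plistlib.FMT_XML)


def check_payload(data, key):
    """Return 'ok', 'unparseable', 'missing' or 'not-true' for a plist blob."""
    try:
        settings = plistlib.loads(data)
    except Exception:  # curly quotes or truncated XML end up here
        return "unparseable"
    if not isinstance(settings, dict) or key not in settings:
        return "missing"
    return "ok" if settings[key] is True else "not-true"


def audit(directory=MANAGED_DIR):
    """Report, per domain, whether the expected key is enforced on disk."""
    report = {}
    for domain, key in EXPECTED.items():
        path = Path(directory) / f"{domain}.plist"
        if path.is_file():
            report[domain] = check_payload(path.read_bytes(), key)
        else:
            report[domain] = "no-file"
    return report


def demo():
    """Constructed sample: one valid payload, one pasted with curly quotes."""
    with tempfile.TemporaryDirectory() as tmp:
        good = build_payload(EXPECTED["com.apple.loginwindow"])
        Path(tmp, "com.apple.loginwindow.plist").write_bytes(good)
        bad = build_payload(EXPECTED["com.apple.preference.security"])
        bad = bad.replace(b'"', "\u201d".encode("utf-8"))
        Path(tmp, "com.apple.preference.security.plist").write_bytes(bad)
        return audit(tmp)
```

Calling audit() with no argument on a managed Mac reads the assumed default directory; a domain that reports "no-file" means the profile has not reached that machine.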