Configuration Profiles-Passcode Policy

New Contributor III

Hello JAMF Nation,
I am having trouble with the Passcode Policy in Configuration Profiles in my JSS. I am testing this functionality in a Dev environment prior to implementing on my Production instance. I have configured a passcode payload to require alphanumeric value, minimum of 12 characters, 2 complex characters, maximum passcode age in days-1(for testing), Auto-Lock 5 minutes,and -- Maximum number of failed attempts. I have scoped this to a single test client as a computer level profile.

Once implemented, I set the JSS and client Date & Time ahead by 2 days to simulate the Passcode age expiring. Should I not get a message that my passcode has expired and needs to be changed? I know the policy is in effect, because if I go in to System Preferences>Accounts>Change Password and attempt to change password to a simple value i receive a dialog ...does not meet minimum requirements... If this client was being managed by an OS X server it would receive a message to change password.

Is there something I am missing? Or do I have to notify my users manually that it is time to change passwords, and them give them the requirements.

How are the rest of you that need this functionality doing this?

Casper Suite 8.6.2, All clients are 10.8.2 and above.

As always thank you in advance for any help,


Legendary Contributor III

I'm not sure how this all works using a Configuration Profile, but in an AD account environment, in normal operation, the only time OS X seems to alert you to an expired, or about to expire password is at the login screen. While you're already logged in, it doesn't alert you to that, at least not in my experience. I find this to be an area Apple could improve on quite a bit.

Though not exactly the same, my colleague has put together a scripted solution to get the days left before password expiration (from AD) and then depending on the result, using something like jamfHelper to throw up a dialog letting the user know they only have X days left. Most Mac users here don't log out for weeks or sometimes even going on months at a stretch, so they never see the message that their password is expiring until its passed that point. It does alert you in MS Outlook though, so they should at least be seeing it there.

Anyway, you might need to consider doing something similar to that.

Contributor II

This is the script that was posted elsewhere, tweaked slightly by me, and is working in my environment:

# This wrapper is to get around Gatekeeper disallowing AppleScript Dialogs 
# Discover logged in user, $3 never works for me correctly.
user=`stat -f%Su /dev/console`
sudo -u $user /usr/bin/osascript <<ENDofOSAscript
# Password Expiration Script
# Written By: Pete Johnson with some help from the following sources:
# Date: 05/30/2012

# Description: Uses DSCL to query how many days are left until a users password expires and prompts the user to change it if less than 14 days.
# This script is designed to be called from a Casper policy once per day. Compile the script then deploy it to a Shared location on each machine.
# Then create a daily policy in Casper to run a command that runs the script

# Prequisite: Access for Assistive Devices must be enabled for this script to launch System Preference properly.

# Password Expiration Policy in days (typically 90, I chose 89 to make sure the user changes it before the password expires on the 90th day)
set pwPolicy to "89"

# Prompt user if password expires in less than 14 days
set pwNotification to "14"

# Get logged in user
set user to do shell script "whoami"

if user is not "admin" then

    # Query Directory Service and get cryptic password last set value. This may be called pwdLastSet in most cases. In ours it was SMBPasswordLastSet.
    set lastpwdMS to do shell script "dscl localhost -read /Search/Users/" & user & "| grep -i SMBPasswordLastSet | cut -d ' ' -f 2 | sed q"

    # Get the current date in Unix so we can calculate how many days are left
    set todayUnix to do shell script "date "+%s""

    # First part of formula to decode password last set value from directory service.
    set lastpwdUnix to do shell script "expr " & lastpwdMS & " / 10000000 - 11644473600"

    # Subtract that value from todays date
    set diffUnix to do shell script "expr " & todayUnix & " - " & lastpwdUnix

    # Convert to days
    set diffdays to do shell script "expr " & diffUnix & " / 86400"

    # Subtract password policy from days to get our final value
    set passwordExpiration to do shell script "expr " & pwPolicy & " - " & diffdays
    if passwordExpiration is less than or equal to pwNotification then
        tell application "System Events"
            # Prompt a user to change their password if there is less than 14 days remaining. If this value is less than 14, script will exit gracefully without prompting user.
            display dialog "Your network password will expire in less than " & passwordExpiration & " days." buttons {"Change Now", "Change Later"} default button 1 with title "Network Password Expiration" with icon caution

            # If user elects to change their password, this section will bring up System Preferences -> Accounts and launch the change password dialog.
            if result = {button returned:"Change Now"} then
                set os_version_clean to do shell script "/usr/bin/defaults read /System/Library/CoreServices/SystemVersion ProductVersion | cut -d. -f1,2"
                tell application "System Preferences"
                    # Launch System Preferences and go into the "Accounts / Users" pane
                    reveal anchor "passwordPref" of pane id ""
                end tell
                tell application "System Events"
                    tell process "System Preferences"
                        if os_version_clean ? "10.7" then
                            # In version 10.7 and 10.8 the Accounts pane was renamed to "Users & Groups". This will click the "Change Password" button.
                            click button "Change Password…" of tab group 1 of window "Users & Groups"
                        end if
                        if os_version_clean is "10.6" then
                            # In version 10.6 this will click the Change Password button.
                            click button "Change Password…" of tab group 1 of window "Accounts"
                        end if

                    end tell
                end tell
            end if
        end tell
    end if
end if