Posted on 05-18-2020 05:23 AM
I'm working on setting up a Zero-Touch deployment policy for our organization. We have JumpCloud as our SSO, and we have it syncing with several systems, including our AD. The goal is to have it as our SSO when the local user logs on first thing.
The problem is that our current password policy requires not just alphanumeric passwords, but at least one "special" character. JumpCloud needs to install a hidden admin account on the machine called _jumpcloudserviceaccount. However, this account only uses alphanumeric passwords. On a test run, the JumpCloud agent which needs to run on the Mac will not install because it fails the password requirements.
I have found a way around this on a test basis, which is to use the basis of the script here, which generates a new password .plist with a designated exception account.
The relevant information I changed to the Addigy script is noted below. This did work when run on my test machine, and did change the pwpolicy, locally.
LOCKOUT=120 # 90 second lockout
MAX_FAILED=5 # 5 max failed logins before locking
PW_EXPIRE=90 # 90 days password expiration
MIN_LENGTH=8 # at least 8 chars for password
MIN_NUMERIC=1 # at least 1 number in password
MIN_ALPHA_LOWER=1 # at least 1 lower case letter in password
MIN_UPPER_ALPHA=1 # at least 1 upper case letter in password
MIN_SPECIAL_CHAR=1 # at least one special character in password
PW_HISTORY=2 # remember last 2 passwordsexemptAccount1="_jumpcloudserviceaccount" #Exempt account used for SSO synchonization. CHANGE THIS TO YOUR EXEMPT ACCOUNT
However, in the JAMF configuration editor, I see the ability to change Password Policy, but no specific area where I can designate the exception account. Can I enter this anywhere within JAMF admin itself? Or possibly upload a .plist to apply to managed Macs?
I could push out the shell script to run on the machine as soon as it gets management policy downloaded, just before the jumpcloud agent is installed. But this seems to be inelegant way to do it if I could just have the .plist configured as part of the management profile itself instead.