
As a software developer, I am working on a macOS app in which one of the features is to check if a user has a password enabled or not. Recently I stumbled across the command dscl . -authonly $(id -un) "". This command seems to give the desired result: it returns nothing when no password is set, and returns an error when a password is set.

The main issue I have, well... question, is how will this command work in a "deployed environment" (a macOS machine in an enterprise environment)? This app I'm building would be deployed using some kind of RMM tool.

Based on common practice, do regular users (non-admin users) have access to this DSCL command? And can they perform this dscl . -authonly $(id -un) "" command? Perhaps a macOS sysadmin could aid in answering these questions.

The dscl command doesn't require admin privileges because it's not trying to change any local system settings. Any Active Directory domain member who is logged in to an AD-bound Mac with his or her account can use it to look up information in AD by default.


If a user has a password present, there will be a key in dscl that will have data; if not, the key will not be found. This should be AuthenticationAuthority, IIRC.


You may be able to get this info in a more programmatic way using Apple's OpenDirectory framework: https://developer.apple.com/documentation/opendirectory
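
An added example, not code from anyone in the thread: a shell wrapper around the dscl . -authonly probe from the question that separates "empty password rejected" from any other dscl failure, since the bare command reports both as a non-zero exit. The function names and return codes are chosen for this example, and matching on eDSAuthFailed assumes dscl's usual authentication-failure message.

```shell
#!/bin/sh
# Added example: classify the result of the empty-password probe.
# Return codes of check_empty_password (chosen for this example):
#   0 = the empty password was accepted (no password set)
#   1 = authentication was rejected (a password is set)
#   2 = dscl failed for another reason; the result is indeterminate

check_empty_password() {
    user="${1:-$(id -un)}"
    # dscl prints nothing on success. On a rejected password it typically
    # prints a line such as:
    #   Authentication for node /Local/Default failed. (-14090, eDSAuthFailed)
    if out=$(dscl . -authonly "$user" "" 2>&1); then
        return 0
    fi
    case "$out" in
        *eDSAuthFailed*)
            return 1
            ;;
        *)
            # Missing binary, unknown user, unreachable node, and so on:
            # do not report this as "password set".
            printf 'dscl error for %s: %s\n' "$user" "$out" >&2
            return 2
            ;;
    esac
}

# Print a single word (empty, set or unknown) for an inventory or RMM field.
describe_password_state() {
    rc=0
    check_empty_password "$1" || rc=$?
    case "$rc" in
        0) echo "empty" ;;
        1) echo "set" ;;
        *) echo "unknown" ;;
    esac
}
```

Call describe_password_state "$(id -un)" from the deployed script; treating "unknown" as a separate state keeps a broken or missing dscl from being recorded as a compliant account.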