We are using the `pwpolicy` binary to set the password complexity requirements of managed Macs. Unfortunately, there's a big loophole in this policy in Yosemite. Using an iCloud password instead of a standard local account password exempts you from `pwpolicy` settings.
There's little we can do about preventing people from using an iCloud password, but we can report on which people are using an iCloud password to log in using this extension attribute:
https://gist.github.com/homebysix/207353d2edf2916de081
Expected output:
- Starts with "True" if iCloud password is in use.
- Starts with "False" if iCloud password is not in use, or OS is 10.9 or earlier.
- Starts with "Unknown" if we can't tell (e.g. nobody is logged in).
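
The True/False/Unknown decision described above can be sketched as follows. This is an added example, not the code from the linked gist. It assumes that an account logging in with an iCloud password carries an `;AppleID;` entry in its `AuthenticationAuthority` attribute; the function name `classify_icloud_password` and the wording after each result are hypothetical.

```shell
#!/bin/bash
# Added example (not the linked gist). Assumption: an account that logs in
# with an iCloud password has ";AppleID;" in its AuthenticationAuthority.

classify_icloud_password() {
    os_version="$1"      # e.g. "10.10.3"
    console_user="$2"    # empty, "root" or "loginwindow" when nobody is logged in
    auth_authority="$3"  # text of the user's AuthenticationAuthority attribute

    major=$(printf '%s' "$os_version" | cut -d. -f1)
    minor=$(printf '%s' "$os_version" | cut -d. -f2)
    case "$major$minor" in
        ''|*[!0-9]*) echo "Unknown: could not parse OS version"; return ;;
    esac

    # 10.9 and earlier have no iCloud password login, so report False.
    if [ "$major" -lt 10 ] || { [ "$major" -eq 10 ] && [ "$minor" -le 9 ]; }; then
        echo "False: OS is 10.9 or earlier"; return
    fi

    case "$console_user" in
        ''|root|loginwindow) echo "Unknown: nobody is logged in"; return ;;
    esac

    case "$auth_authority" in
        *';AppleID;'*) echo "True: $console_user logs in with an iCloud password" ;;
        *)             echo "False: $console_user uses a local account password" ;;
    esac
}

# On a Mac, gather the real inputs and print the result in the
# <result>...</result> form an extension attribute reports.
if command -v dscl >/dev/null 2>&1 && command -v sw_vers >/dev/null 2>&1; then
    os=$(sw_vers -productVersion)
    user=$(stat -f%Su /dev/console 2>/dev/null)
    auth=$(dscl . -read "/Users/$user" AuthenticationAuthority 2>/dev/null)
    echo "<result>$(classify_icloud_password "$os" "$user" "$auth")</result>"
fi
```

Accounts reported as True are the ones whose login password is not governed by the `pwpolicy` settings, so that is the group to follow up on.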