Posted on 11-10-2021 03:10 PM
Hi All,
My org is currently hardening macOS 11 computers (fully patched macOS 11.6.1) to CIS' v1.2.0 published benchmark for Big Sur, and one area I am running into trouble with is enforcing password policies. You see, we are binding the machines to an on-prem AD (which I do via a dsconfigad script), and then users are logging in via Mobile Accounts that authenticate with their AD user accounts. When I harden the computer including the required password policies, I can successfully join the domain (over a VPN of course, unless I am on site) and even create new mobile accounts based on existing AD user accounts. I cache the user password by having them login through Terminal while the local admin is signed in and connected to VPN. (The user in this testing is just me).
The problem is that once the user tries to sign in from the login window, they are immediately prompted to reset their password. The login window doesn't display the password policy, and it refuses to accept any password I concoct - even passwords I'm certain fit within the required criteria (which I will list below).
I suspect there is some conflict between the password policy I'm applying to the system, and the domain's user password policy. I confirmed with a domain admin that they only have the domain password policy set to the default, which does not actually comply with our org's password policy - therefore the expectation is that we will enforce it on the machine. Below I will list the password policy set to default in the domain, followed by the policy I'm enforcing locally & how I'm enforcing it.
I should note that in testing, I am hardening the computer (i.e., applying the config profile & script) prior to joining the domain or adding the user account for the first time.
Any and all help is appreciated!
Domain PW Policy:
Password Policies Enforced by Me (Admin):
#!/bin/bash
# Set the legacy "mixed case" global password policy on the local directory node (/Local/Default).
read -p "Press return to enforce mixed case passwords"
/usr/bin/pwpolicy -n /Local/Default -setglobalpolicy "requiresMixedCase=1"
# Audit, CIS-benchmark style: pull the minimumMixedCaseCharacters value out of the account policy plist
# (the line after the <key>) and strip the surrounding tags; it should print 1 once the policy above is in place.
read -p "Policy set. Press return to audit."
/usr/bin/pwpolicy -getaccountpolicies | /usr/bin/grep -A1 minimumMixedCaseCharacters | /usr/bin/tail -1 | /usr/bin/cut -d'>' -f2 | /usr/bin/cut -d '<' -f1
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>HasRemovalPasscode</key>
<true/>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadDisplayName</key>
<string>Passcode</string>
<key>PayloadIdentifier</key>
<string>com.apple.mobiledevice.passwordpolicy.E7E6E975-FD24-46DA-BFE0-B5A0F655F380</string>
<key>PayloadType</key>
<string>com.apple.mobiledevice.passwordpolicy</string>
<key>PayloadUUID</key>
<string>5184433D-9E5A-475C-BCA8-B6AA7867B233</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>allowSimple</key>
<false/>
<key>forcePIN</key>
<true/>
<key>maxFailedAttempts</key>
<integer>3</integer>
<key>maxGracePeriod</key>
<integer>0</integer>
<key>maxPINAgeInDays</key>
<integer>60</integer>
<key>minComplexChars</key>
<integer>1</integer>
<key>minLength</key>
<integer>12</integer>
<key>minutesUntilFailedLoginReset</key>
<integer>15</integer>
<key>pinHistory</key>
<integer>24</integer>
<key>requireAlphanumeric</key>
<true/>
</dict>
<dict>
<key>PayloadDisplayName</key>
<string>Profile Removal</string>
<key>PayloadIdentifier</key>
<string>com.apple.profileRemovalPassword.E3A19672-1075-4127-86FA-BA5A18EC4C6E</string>
<key>PayloadType</key>
<string>com.apple.profileRemovalPassword</string>
<key>PayloadUUID</key>
<string>2C609514-350F-4DD1-9EF6-472AAC18EB6A</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>RemovalPassword</key>
<string>obscured</string>
</dict>
</array>
<key>PayloadDescription</key>
<string>Updated password length minimum to 12 from 8, increased maximum password age from 60 to 90, reduce number of failed attempts from 4 to 3, require alphanumeric, require minimum 1 special character</string>
<key>PayloadDisplayName</key>
<string>Password Policy Test 6</string>
<key>PayloadIdentifier</key>
<string>obscured.34241D6F-E583-4D07-B6FA-46666D3F3DE2</string>
<key>PayloadOrganization</key>
<string>Testing</string>
<key>PayloadRemovalDisallowed</key>
<true/>
<key>PayloadScope</key>
<string>System</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>5F9486B2-07FD-4015-8EE7-F6B6FC42FBB8</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>TargetDeviceType</key>
<integer>5</integer>
</dict>
</plist>
Note: Jamf Nation is flagging some invalid HTML that it is removing. Not sure what was removed!
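A checker to run before retrying at the login window, added here as an example and not part of the original post or the CIS benchmark: it reads the rule values out of the Passcode payload above with the same grep/tail approach the post's audit script uses, then reports which rule a candidate password fails. The candidate passwords are made up, allowSimple is read as "no run of three identical or sequential characters" (an assumption, since Apple's exact rule is not stated on the page), and the script only knows the rules it is given, so it does not model pinHistory or whatever the AD domain enforces once the mobile account syncs. It is plain POSIX sh, so it runs under macOS /bin/sh or bash, and unlike the post's script it calls commands by name rather than by /usr/bin path.

```shell
#!/bin/sh
# Added example (not code from the original post): test a candidate password
# against the rules in the posted Passcode payload (minLength,
# requireAlphanumeric, minComplexChars, allowSimple) plus the
# requiresMixedCase=1 rule set with pwpolicy, and report which rule fails.
# Assumption: macOS enforces more than this (pinHistory, and the AD domain
# policy once the mobile account syncs), so passing here is necessary, not
# sufficient, for the login window to accept the password.

# The Passcode payload keys from the profile in the post, trimmed to the keys
# this script evaluates.
POLICY_PLIST='<dict>
<key>allowSimple</key>
<false/>
<key>minComplexChars</key>
<integer>1</integer>
<key>minLength</key>
<integer>12</integer>
<key>requireAlphanumeric</key>
<true/>
</dict>'

# Same grep/tail idea as the pwpolicy audit in the post: print the value that
# follows <key>NAME</key>. Handles <integer>N</integer> and <true/>/<false/>.
plist_value() {
  printf '%s\n' "$POLICY_PLIST" | grep -A1 "<key>$1</key>" | tail -1 \
    | sed -E -e 's/^[[:space:]]*<integer>([^<]*)<.*/\1/' \
             -e 's#^[[:space:]]*<(true|false)/>.*#\1#'
}

# Code point of a single character (POSIX printf: a leading quote gives the value).
ord() { printf '%d' "'$1"; }

# "Simple" is taken to mean three or more consecutive characters that are
# identical or ascending/descending (aaa, abc, 321). Apple's exact definition
# of allowSimple is not on the page, so this reading is an assumption.
is_simple() {
  s=$1; n=${#s}; i=1
  while [ $((i + 2)) -le "$n" ]; do
    a=$(ord "$(printf '%s' "$s" | cut -c "$i")")
    b=$(ord "$(printf '%s' "$s" | cut -c "$((i + 1))")")
    c=$(ord "$(printf '%s' "$s" | cut -c "$((i + 2))")")
    d1=$((b - a)); d2=$((c - b))
    if [ "$d1" -eq "$d2" ] && { [ "$d1" -eq 0 ] || [ "$d1" -eq 1 ] || [ "$d1" -eq -1 ]; }; then
      return 0
    fi
    i=$((i + 1))
  done
  return 1
}

# Prints each rule the password violates; returns 0 only when none does.
# Args: password min_length require_alnum min_complex allow_simple mixed_case
check_password() {
  pw=$1; min_len=$2; req_alnum=$3; min_complex=$4; allow_simple=$5; mixed=$6; bad=0
  if [ "${#pw}" -lt "$min_len" ]; then echo "  shorter than $min_len"; bad=1; fi
  if [ "$req_alnum" = true ]; then
    case $pw in *[[:alpha:]]*) ;; *) echo "  no letter (requireAlphanumeric)"; bad=1 ;; esac
    case $pw in *[[:digit:]]*) ;; *) echo "  no digit (requireAlphanumeric)"; bad=1 ;; esac
  fi
  # minComplexChars counts characters that are neither letters nor digits
  nonalnum=$(printf '%s' "$pw" | tr -d '[:alnum:]')
  if [ "${#nonalnum}" -lt "$min_complex" ]; then echo "  fewer than $min_complex special characters"; bad=1; fi
  if [ "$mixed" = 1 ]; then
    case $pw in *[[:upper:]]*[[:lower:]]*|*[[:lower:]]*[[:upper:]]*) ;; *) echo "  needs both upper and lower case"; bad=1 ;; esac
  fi
  if [ "$allow_simple" = false ] && is_simple "$pw"; then echo "  repeated or sequential run (allowSimple=false)"; bad=1; fi
  return "$bad"
}

# Rule values come from the plist; mixed case from the separate pwpolicy
# setting (requiresMixedCase=1) the post applies.
MIN_LEN=$(plist_value minLength)
REQ_ALNUM=$(plist_value requireAlphanumeric)
MIN_COMPLEX=$(plist_value minComplexChars)
ALLOW_SIMPLE=$(plist_value allowSimple)
MIXED_CASE=1

# Evaluate one password against the profile-derived values.
meets_profile() {
  check_password "$1" "$MIN_LEN" "$REQ_ALNUM" "$MIN_COMPLEX" "$ALLOW_SIMPLE" "$MIXED_CASE"
}

# Constructed candidates (not real passwords); each trips a different rule.
for candidate in 'Tr0ub4dor&3x-Long' 'correcthorse7!' 'NoDigitsHere!!' 'Abcdef123456!!' 'Sh0rt!'; do
  echo "$candidate"
  if meets_profile "$candidate"; then echo "  meets the profile rules"; fi
done
```

Drop your own candidate into the list at the bottom. A password that passes here and is still refused at the login window is being rejected by something this script does not model, such as pinHistory or a policy coming from the directory node, rather than by the length or character-class rules in the profile, which narrows down where to look.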
Posted on 11-10-2021 11:57 PM
Hi, sounds like AD account settings, forcing user to change password on first login.
11-11-2021 10:49 AM - edited 11-11-2021 11:00 AM
You should just demobilize the accounts and use NoMAD or the Apple SSO Extension to do this. That way, you only have to worry about your AD requirements. Managing Mobile accounts is a nightmare. Move away from them as soon as possible.
Posted on 11-11-2021 10:50 AM
Posted on 11-11-2021 10:51 AM