Jamf Nation Community

Hi All,

My org is currently hardening macOS 11 computers (fully patched macOS 11.6.1) to CIS' v1.2.0 published benchmark for Big Sur, and one area I am running into trouble with is enforcing password policies. You see, we are binding the machines to an on-prem AD (which I do via a dsconfigad script), and then users are logging in via Mobile Accounts that authenticate with their AD user accounts. When I harden the computer including the required password policies, I can successfully join the domain (over a VPN of course, unless I am on site) and even create new mobile accounts based on existing AD user accounts. I cache the user password by having them login through Terminal while the local admin is signed in and connected to VPN. (The user in this testing is just me).

The problem is that once the user tries to sign in from the login window, they are immediately prompted to reset their password. The login window doesn't display the password policy, and it refuses to accept any password I concoct - even passwords I'm certain fit within the required criteria (which I will list below).

I suspect there is some conflict between the password policy I'm applying to the system, and the domain's user password policy. I confirmed with a domain admin that they only have the domain password policy set to the default, which does not actually comply with our org's password policy - therefore the expectation is that we will enforce it on the machine. Below I will list the password policy set to default in the domain, followed by the policy I'm enforcing locally & how I'm enforcing it.

I should note that in testing, I am hardening the computer (i.e., applying the config profile & script) prior to joining the domain or adding the user account for the first time. 

Any and all help is appreciated!

Domain PW Policy:

• Enforce password history: 24 passwords remembered
• Maximum password age: 90 days
• Minimum password age: 0 days
• Minimum password length: 8 characters
• Password must meet complexity requirements: Enabled
• Store passwords using reversible encryption: Disabled
• Account lockout duration: 15 minutes
• Account lockout threshold: 4 invalid logon attempts
• Reset account lockout counter after: 15 minutes

Password Policies Enforced by Me (Admin):

• Account lockout threshold: 3 attempts
• Minimum password length: 12 characters
• Password age (max): 60 days
• Password history: 24 passwords
• Minimum alpha characters: 1
• Minimum numeric characters: 1
• Minimum special characters: 1
• Minimum uppercase characters: 1
• Minimum lowercase characters: 1
• Script to enforce uppercase/lowercase requirement:

#!/bin/bash

read -p "Press return to enforce mixed case passwords"

/usr/bin/pwpolicy -n /Local/Default -setglobalpolicy "requiresMixedCase=1"

read -p "Policy set. Press return to audit."

/usr/bin/pwpolicy -getaccountpolicies | /usr/bin/grep -A1 minimumMixedCaseCharacters | /usr/bin/tail -1 | /usr/bin/cut -d'>' -f2 | /usr/bin/cut -d '<' -f1

• Configuration Profile:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>HasRemovalPasscode</key>
	<true/>
	<key>PayloadContent</key>
	<array>
		<dict>
			<key>PayloadDisplayName</key>
			<string>Passcode</string>
			<key>PayloadIdentifier</key>
			<string>com.apple.mobiledevice.passwordpolicy.E7E6E975-FD24-46DA-BFE0-B5A0F655F380</string>
			<key>PayloadType</key>
			<string>com.apple.mobiledevice.passwordpolicy</string>
			<key>PayloadUUID</key>
			<string>5184433D-9E5A-475C-BCA8-B6AA7867B233</string>
			<key>PayloadVersion</key>
			<integer>1</integer>
			<key>allowSimple</key>
			<false/>
			<key>forcePIN</key>
			<true/>
			<key>maxFailedAttempts</key>
			<integer>3</integer>
			<key>maxGracePeriod</key>
			<integer>0</integer>
			<key>maxPINAgeInDays</key>
			<integer>60</integer>
			<key>minComplexChars</key>
			<integer>1</integer>
			<key>minLength</key>
			<integer>12</integer>
			<key>minutesUntilFailedLoginReset</key>
			<integer>15</integer>
			<key>pinHistory</key>
			<integer>24</integer>
			<key>requireAlphanumeric</key>
			<true/>
		</dict>
		<dict>
			<key>PayloadDisplayName</key>
			<string>Profile Removal</string>
			<key>PayloadIdentifier</key>
			<string>com.apple.profileRemovalPassword.E3A19672-1075-4127-86FA-BA5A18EC4C6E</string>
			<key>PayloadType</key>
			<string>com.apple.profileRemovalPassword</string>
			<key>PayloadUUID</key>
			<string>2C609514-350F-4DD1-9EF6-472AAC18EB6A</string>
			<key>PayloadVersion</key>
			<integer>1</integer>
			<key>RemovalPassword</key>
			<string>obscured</string>
		</dict>
	</array>
	<key>PayloadDescription</key>
	<string>Updated password length minimum to 12 from 8, increased maximum password age from 60 to 90, reduce number of failed attempts from 4 to 3, require alphanumeric, require minimum 1 special character</string>
	<key>PayloadDisplayName</key>
	<string>Password Policy Test 6</string>
	<key>PayloadIdentifier</key>
	<string>obscured.34241D6F-E583-4D07-B6FA-46666D3F3DE2</string>
	<key>PayloadOrganization</key>
	<string>Testing</string>
	<key>PayloadRemovalDisallowed</key>
	<true/>
	<key>PayloadScope</key>
	<string>System</string>
	<key>PayloadType</key>
	<string>Configuration</string>
	<key>PayloadUUID</key>
	<string>5F9486B2-07FD-4015-8EE7-F6B6FC42FBB8</string>
	<key>PayloadVersion</key>
	<integer>1</integer>
	<key>TargetDeviceType</key>
	<integer>5</integer>
</dict>
</plist>

Note: Jamf Nation is flagging some invalid HTML that it is removing. Not sure what was removed!