macOS Configuration Profile Passcode Age Login Failure

russell_garriso

I am seeing an issue with Password expiration on macOS. Some of the details are the following:

- DEP-enrolled M1 MacBook running Monterey with FV2 and the PRK hidden from the user while escrowed in Jamf. This is done with Security & Privacy payloads and some policy glue, but the end result is FV2 on and users can cold-start the Mac with l/p for a local account.

- The first setup user is a break-glass account with a unique random password per system stored in an enterprise password manager.

- The end user gets two local accounts, one with admin and one standard. The usual login is to standard, while admin is more for satisfying prompts and occasional logins to install/update software tools.


This has worked okay for a long time, but one thing is that we don't expire the local account passwords. I started testing out the Passcode payload in a configuration profile to see what it is like. The first thing was lock/unlock, as it is our most likely scenario. This worked reasonably well and a new password was set. There is no prompt to change the password again until the next expiration.

Where I hit a wall was testing if there are any issues when an expiration applies at startup. I deployed the profile, which only has the "Maximum Passcode Age" defined and then shut down the computer. On startup the password is accepted for FV2 and things move on to the login window. At that point the password change prompt appears because the password is expired, but I can't set a new password. The window just shakes and I have to use a non-expired account or remove the profile to get in.

After a little more poking around I found that I was able to set a password from the login window, but only after hitting cancel on the change prompt. At that point you are taken back to the login window with the username already populated. Entering the expired password again and hitting enter will bring the change prompt back up. At this point you can successfully update the password and continue to log in.

Has anyone else run into this? Is there a better workaround? There is additional planning to start using Jamf Connect and SSO to manage the passwords going forward, but for right now I am still looking for something to handle the installed base of local accounts that aren't yet migrated.
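One way to get ahead of the startup lockout described above is to find local accounts whose passwords are about to cross the "Maximum Passcode Age" threshold and prompt those users to change them while still logged in, before the next cold start. The script below is an added example, not code from the original post or from Jamf; it assumes the profile's maximum age is known (a constructed 90 days here, mirroring the `maxPINAgeInDays` key of the Passcode payload) and reads the password-set timestamp from the plist that `dscl . -read /Users/<name> accountPolicyData` prints on macOS. The embedded dscl output is a constructed sample so the logic runs anywhere; on a Mac, pass a username to query the real account.

```python
"""Flag local macOS accounts whose passwords are near or past the
Passcode-payload maximum age (added example; assumptions noted inline)."""
import plistlib
import subprocess
import sys
from datetime import datetime, timezone

# Constructed sample of `dscl . -read /Users/<name> accountPolicyData`
# output: the password was last set at epoch 1660000000 (2022-08-08 UTC).
SAMPLE_DSCL_OUTPUT = """accountPolicyData:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>creationTime</key>
    <real>1640995200.0</real>
    <key>failedLoginCount</key>
    <integer>0</integer>
    <key>failedLoginTimestamp</key>
    <integer>0</integer>
    <key>passwordLastSetTime</key>
    <real>1660000000.0</real>
</dict>
</plist>
"""

MAX_PIN_AGE_DAYS = 90  # assumption: value set for maxPINAgeInDays in the profile
WARN_DAYS = 7          # assumption: how close to expiry is worth nagging about


def parse_account_policy(dscl_output: str) -> dict:
    """Strip the 'accountPolicyData:' label dscl prints and parse the plist."""
    _, _, body = dscl_output.partition("accountPolicyData:")
    if not body.strip():
        raise ValueError("no accountPolicyData in dscl output")
    return plistlib.loads(body.strip().encode())


def password_age_days(dscl_output: str, now: datetime) -> float:
    """Days elapsed since passwordLastSetTime, relative to `now` (UTC-aware)."""
    policy = parse_account_policy(dscl_output)
    last_set = datetime.fromtimestamp(policy["passwordLastSetTime"], tz=timezone.utc)
    return (now - last_set).total_seconds() / 86400


def expiry_status(dscl_output: str, max_age_days: int, now: datetime,
                  warn_days: int = WARN_DAYS) -> dict:
    """Classify the account: already expired (will hit the login-window
    change prompt on next cold start) or inside the warning window."""
    age = password_age_days(dscl_output, now)
    remaining = max_age_days - age
    return {
        "age_days": age,
        "days_remaining": remaining,
        "expired": remaining <= 0,
        "warn": 0 < remaining <= warn_days,
    }


def read_account_policy(username: str) -> str:
    """Query the local directory node; only meaningful on macOS with admin rights."""
    result = subprocess.run(
        ["dscl", ".", "-read", f"/Users/{username}", "accountPolicyData"],
        check=True, capture_output=True, text=True)
    return result.stdout


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    if sys.platform == "darwin" and len(sys.argv) > 1:
        output = read_account_policy(sys.argv[1])   # real account on a Mac
    else:
        output = SAMPLE_DSCL_OUTPUT                 # constructed sample elsewhere
    status = expiry_status(output, MAX_PIN_AGE_DAYS, now)
    if status["expired"]:
        print(f"EXPIRED {-status['days_remaining']:.1f} days ago: change before next reboot")
    elif status["warn"]:
        print(f"expires in {status['days_remaining']:.1f} days: prompt user now")
    else:
        print(f"ok, {status['days_remaining']:.1f} days remaining")
```

Run from a Jamf policy or a launchd job with the logged-in user's short name as the argument, and feed the result into whatever notification you already use; the point is to move the password change to an unlocked session rather than the login window where the change prompt misbehaves.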
