minutesUntilFailedLoginReset support in Jamf and account locked after x mn

ggetenj
New Contributor II

I encounter a big issue at one of my customer's with the Passcode Policy. Currently, the maxFailedAttempts is enforced with 7 attempts on macOS. After this number of attempts is reached, the user is locked even if he enters the right password. We had a lot of users these last weeks using non-QWERTY keyboards that had the keyboard reset without prior knowledge to US keyboard. And they try and try, and after a few minutes, if they do type a standard

The problem is that there is no known way to unlock the account, except to remove the passcode profile OR have an additional local admin account on the computer do it. Additional issue here : sometimes the user is not connected to the Wi-Fi network anymore and can't have its machine connected again, so we can't remove the profile remotely. And it was decided years ago that Macs would not have additionnal admin accounts. So sometimes, the one and only way we have is to re-format and re-install the Mac :-/

I found that there is a profile key minutesUntilFailedLoginReset which does seem to reset the attempts number when the maximum number of attempts has been reached and add a delay to the next attempt. Which seemed a good compromise to me as it would force the use to reach support after the lockout, and we could invite him/her to take care of typing his/her password with the right keyboard setting. But the minutesUntilFailedLoginReset key does not seem to work.

What I don't understand is that in the Passcode policy, Jamf specifies that this setting does not work on macOS 10.11 and above, and indeed, the setting does not appear in the profile on a client Mac running, say, 10.14.

However, if I check Apple Configuration profile reference, the minutesUntilFailedLoginReset is available for macOS 10.10 and later, so it should be honored in 10.10 and above !

So, my questions here :

  • Is minutesUntilFailedLoginReset still a thing or not, and if it is, why does Jamf Pro not enforce it ?
  • Is there another way to unlock the user from Jamf Pro ?

Thanks for your help !

7 REPLIES 7

ggetenj
New Contributor II

Answer to second question: feature to unlock the user is available from Jamf Pro IF the account is enrolled through DEP. Otherwise, no dice.

Still no answer for question 1. Will open a ticket then…

mapurcel
Contributor III

I also opened a ticket with AppleCare and they said it should work, but I'm seeing mixed results in my environment, sometimes it auto-unlocks, sometimes it doesn't..

benbass
New Contributor III

I agree, having this as a supported payload by Jamf would be very helpful. It is also interesting to note that if you download the profile with this key set and manually install it, the payload is there. But if you scope it to a machine 10.12+ the payload isn't there. If I could get this payload to work with a custom payload I would, but it looks like Catalina at least doesn't respect the settings when targeting the com.apple.screensaver domain.

G_M__webkfoe_
New Contributor III

@benbass Have you tried manually installing the profile directly on the Catalina device, without passing through jamf..?

Just to understand if the issue is with the OS or with the MDM..

benbass
New Contributor III

@webkfoe Yes I have. If I manually install the profile the payload stays. If I download the profile and strip the jamf signing and sign it with another cert and then have Jamf deploy that profile the key stays.

Jamf is definitely "Helping" and removing a key that it believes is not supported, that is definitely supported. So this is not a pure MDM issue, it seems to be Jamf's implementation with configuration profiles again/yet/still.

ericbenfer
Contributor III

FYI there is a PI for this since it's a bug in Jamf Pro.  Open a ticket with support and request to be linked to it to increase it's impact.