I am encountering a big issue at one of my customers' with the Passcode Policy. Currently, maxFailedAttempts is enforced with 7 attempts on macOS. After this number of attempts is reached, the user is locked out even if he enters the right password. We had a lot of users these last weeks using non-QWERTY keyboards that had their keyboard reset to the US layout without prior knowledge. And they try and try, and after a few minutes, if they do type a standard
The problem is that there is no known way to unlock the account, except to remove the passcode profile OR have an additional local admin account on the computer do it. Additional issue here: sometimes the user is not connected to the Wi-Fi network anymore and can't get their machine connected again, so we can't remove the profile remotely. And it was decided years ago that Macs would not have additional admin accounts. So sometimes, the one and only way we have is to re-format and re-install the Mac :-/
I found that there is a profile key minutesUntilFailedLoginReset which does seem to reset the attempt count when the maximum number of attempts has been reached and add a delay before the next attempt. This seemed a good compromise to me, as it would force the user to reach support after the lockout, and we could invite him/her to take care to type his/her password with the right keyboard setting. But the minutesUntilFailedLoginReset key does not seem to work.
What I don't understand is that in the Passcode policy, Jamf specifies that this setting does not work on macOS 10.11 and above, and indeed, the setting does not appear in the profile on a client Mac running, say, 10.14.
However, if I check Apple's Configuration Profile Reference, minutesUntilFailedLoginReset is available for macOS 10.10 and later, so it should be honored on 10.10 and above!
So, my questions here:
Thanks for your help!
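A quick way to catch the combination described above before a profile is scoped, as an added example that is not from this thread or from Jamf: parse the downloaded .mobileconfig and flag any Passcode payload (PayloadType com.apple.mobiledevice.passwordpolicy) that sets maxFailedAttempts without minutesUntilFailedLoginReset. The embedded sample profile is constructed; the PayloadIdentifier values in it are placeholders.

```python
"""Lint a .mobileconfig for a Passcode payload that sets maxFailedAttempts
without minutesUntilFailedLoginReset (hard lockout, only profile removal
or a second admin unlocks). Added example; the sample profile is constructed."""
import plistlib
import sys

PASSCODE_PAYLOAD = "com.apple.mobiledevice.passwordpolicy"

# Constructed sample: a profile as it looks after the reset key was stripped.
# Identifiers are placeholders; only the 7-attempt limit comes from the thread.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>example.passcode.policy</string>
  <key>PayloadContent</key><array>
    <dict>
      <key>PayloadType</key><string>com.apple.mobiledevice.passwordpolicy</string>
      <key>PayloadIdentifier</key><string>example.passcode.policy.1</string>
      <key>maxFailedAttempts</key><integer>7</integer>
    </dict>
  </array>
</dict></plist>"""

def audit_passcode_payloads(profile_bytes):
    """Return one finding dict per Passcode payload found in the profile."""
    profile = plistlib.loads(profile_bytes)
    findings = []
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != PASSCODE_PAYLOAD:
            continue
        attempts = payload.get("maxFailedAttempts")
        reset = payload.get("minutesUntilFailedLoginReset")
        if attempts is None:
            status = "no-lockout"      # no attempt limit enforced at all
        elif reset is None:
            status = "hard-lockout"    # locked until the profile is removed
        else:
            status = "timed-lockout"   # counter resets after `reset` minutes
        findings.append({"payload": payload.get("PayloadIdentifier"),
                         "maxFailedAttempts": attempts,
                         "minutesUntilFailedLoginReset": reset,
                         "status": status})
    return findings

if __name__ == "__main__":
    # Usage: python audit.py /path/to/profile.mobileconfig (falls back to the sample)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PROFILE
    for finding in audit_passcode_payloads(data):
        print(finding)
```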
I agree, having this as a supported payload by Jamf would be very helpful. It is also interesting to note that if you download the profile with this key set and manually install it, the payload is there. But if you scope it to a machine 10.12+ the payload isn't there. If I could get this payload to work with a custom payload I would, but it looks like Catalina at least doesn't respect the settings when targeting the com.apple.screensaver domain.
@webkfoe Yes I have. If I manually install the profile the payload stays. If I download the profile and strip the jamf signing and sign it with another cert and then have Jamf deploy that profile the key stays.
Jamf is definitely "Helping" and removing a key that it believes is not supported, but that is definitely supported. So this is not a pure MDM issue; it seems to be Jamf's implementation of configuration profiles again/yet/still.