Posted on 12-07-2016 04:21 PM
So I'm testing the Touch ID option on the new MBP in our AD environment. It allows me to log back in from a locked state, but when I use Touch ID instead of password entry it sends 2 bad password attempts to AD. So if a user uses Touch ID twice in 10 minutes it will lock out their account (we have a 3 strikes lockout policy).
Any idea how I can see what is going on here? This is just in the testing phase at the moment since I'm the only one with a new MBP, but without a doubt executives are going to want to use the Touch ID option.
Any and all advice is appreciated.
Posted on 12-07-2016 06:39 PM
Scratch that... it seems to happen even if I log in from a lock screen with my password...
However, if I uncheck "Unlocking your Mac" I can log in from a lock screen without issue.
Seems to be related to this issue:
https://www.jamf.com/jamf-nation/discussions/21320/sierra-ad-account-lockout-when-setting-up-icloud
Posted on 12-14-2016 10:59 AM
It's the same problem as the other thread. Any password policy will get locked out if you use your AppleID in the App Store, iTunes or iCloud. AD will be locked if you bind to AD.
Posted on 12-07-2016 05:09 PM
I was actually noticing this the other day but on Macs without Touch ID. I'm going through enrolling all DEP Macs into JAMF and ran across issues if they enter their creds incorrectly at the Setup Assistant stage. Each incorrect user attempt is seen by AD as 3 failed attempts.
I upped my lockout threshold to 10 attempts in 1 hour, which equals 3 incorrect attempts by a user, and hopefully they get it right on the fourth go.
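One way to measure this yourself, as an added example that is not from the thread: a PowerShell script (it assumes the RSAT ActiveDirectory module and a dedicated test account name you supply) that snapshots badPwdCount on every domain controller before and after a single Touch ID or watch unlock, so you can confirm how many failed attempts one unlock registers and on which DC, before deciding how far to raise the lockout threshold.

```powershell
# Added diagnostic, not part of the thread. Assumes the RSAT ActiveDirectory
# module is installed and that $SamAccountName is a test account you control.
param(
    [Parameter(Mandatory)][string]$SamAccountName   # e.g. a dedicated test user
)
Import-Module ActiveDirectory

function Get-BadPwdSnapshot {
    param([string]$User)
    # badPwdCount is not replicated between DCs, so ask each DC individually;
    # the DC the Mac authenticates against is the one whose counter moves.
    foreach ($dc in Get-ADDomainController -Filter *) {
        try {
            $u = Get-ADUser -Identity $User -Server $dc.HostName `
                 -Properties badPwdCount, badPasswordTime, LockedOut
            [pscustomobject]@{
                DC          = $dc.HostName
                BadPwdCount = [int]$u.badPwdCount
                LastBadPwd  = $(if ($u.badPasswordTime) {
                                  [DateTime]::FromFileTime($u.badPasswordTime)
                              } else { $null })
                LockedOut   = $u.LockedOut
            }
        } catch {
            Write-Warning "Could not query $($dc.HostName): $_"
        }
    }
}

$before = Get-BadPwdSnapshot -User $SamAccountName
Read-Host "Lock the Mac, unlock it ONCE with Touch ID (or the watch), then press Enter"
$after  = Get-BadPwdSnapshot -User $SamAccountName

# Report the per-DC change; a Delta of 2 after one unlock reproduces the
# behaviour described in the thread, and LockedOut shows whether the policy
# threshold was crossed.
$after | ForEach-Object {
    $a = $_
    $b = $before | Where-Object { $_.DC -eq $a.DC }
    [pscustomobject]@{
        DC        = $a.DC
        Before    = $b.BadPwdCount
        After     = $a.BadPwdCount
        Delta     = $a.BadPwdCount - $b.BadPwdCount
        LastBadPwd = $a.LastBadPwd
        LockedOut = $a.LockedOut
    }
} | Format-Table -AutoSize
```

Run it twice in a row (one unlock each) to see whether the second unlock pushes the counter past a 3-strike threshold within the lockout observation window.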
Posted on 12-14-2016 10:01 AM
I saw this exact issue when unlocking using an Apple Watch. 2 bad password attempts to AD, and it bypasses locked out account status.
Posted on 12-14-2016 10:07 AM
I can confirm I see the Apple Watch behavior as well.
Posted on 12-14-2016 01:45 PM
What about Single Sign-On? Can't you have the JSS sync the AD account to Touch ID through Single Sign-On?
http://docs.jamf.com/9.93/casper-suite/administrator-guide/Single_Sign-On.html
Posted on 12-15-2016 10:25 AM
I'm seeing this behavior without using an Apple ID at all. On macOS 10.12.2 my account gets locked out any time I try to unlock the Mac after waking from sleep or the screen saver. I can log in successfully, engage the screen saver, and then when I try to log back in I am immediately locked out.