New MBP with Touch ID, AD lockouts

hkabik
Valued Contributor

So I'm testing the Touch ID option on the new MBP in our AD environment. It allows me to log back in from a locked state, but when I do Touch ID instead of password entry it sends 2 bad password attempts to AD. So if a user uses Touch ID twice in 10 minutes it will lock out their account (we have a 3 strikes lockout policy).

Any idea for me to see what is going on here? This is just in testing phase at the moment since I'm the only one with a new MBP, but without a doubt executives are going to want to use the Touch ID option.

Any and all advice is appreciated.

2 ACCEPTED SOLUTIONS

hkabik
Valued Contributor

Scratch that... it seems to happen even if I log in from a lock screen with my password...
However, if I uncheck "Unlocking your Mac" I can log in from a lock screen without issue.

Seems to be related to this issue:

https://www.jamf.com/jamf-nation/discussions/21320/sierra-ad-account-lockout-when-setting-up-icloud


philburk
New Contributor III

It's the same problem as the other thread. Any password policy will get locked out if you use your AppleID in the App Store, iTunes or iCloud. AD will be locked if you bind to AD.


7 REPLIES

smithjw
New Contributor III

I was actually noticing this the other day, but on Macs without Touch ID. I'm going through enrolling all DEP Macs into JAMF and ran across issues if they enter their creds incorrectly at the Setup Assistant stage. Each incorrect user attempt is seen by AD as 3 failed attempts.

I've expanded on it here.

I upped my lockout threshold to 10 attempts in 1 hour, which equals 3 incorrect attempts by a user, and hopefully they get it right on the fourth go.

mostlikelee
Contributor

I saw this exact issue when unlocking using an Apple Watch: 2 bad password attempts to AD, and it bypasses locked-out account status.

hkabik
Valued Contributor

I can confirm I see the Apple Watch behavior as well.

Shoesmithlc
New Contributor III

What about Single Sign-On? Can't you have the JSS sync the AD account to the Touch ID through Single Sign-On?

http://docs.jamf.com/9.93/casper-suite/administrator-guide/Single_Sign-On.html

jason_bracy
Contributor III

I'm seeing this behavior without using an Apple ID at all. On macOS 10.12.2 my account gets locked out any time I try to unlock the Mac after waking from sleep or screen saver. I can log in successfully, engage the screen saver, and then when I try to log back in I am immediately locked out.