New password requirement during enrollment.

New Contributor


New to JAMF. As part of enrollment to JAMF, we wanted to require a password minimum for each user on a local account since we are not binding our machines.

During testing, I used a simple password (8 characters) on an existing laptop, the requirement will be 12 characters. After enrollment, downloading profiles, and a restart, the login account prompts "This account has been disabled. Please contact your system administrator."

Couldn't find anything on enabling a disabled user on a specific laptop in JSS either. What is the best practice in going forward for this besides telling the user to change their password to meet requirement before enrollment? Is there a way to re-enable a user account in JSS?

Thank you in advance,


New Contributor III

I followed the steps from this discussion and was able to make a policy to change the passwords on our Macs.

During my testing each account prompted to create a new password. The only odd thing that I still haven't figured out is that the computer will prompt even if the password meets the requirements and isn't older than 90 days.

You can scope this script to only touch computers after an enrollment. This way the user will be prompted after their next log on.

As for the re-enabling of a user, I haven't found anything on that.

New Contributor

Thank you jpilege,

The only thing im concerned about is a user being disabled during enrollment.

Honored Contributor II
Honored Contributor II

In the past we've installed the profile before handing the device to the user (deleting the /var/db/.AppleSetupDone file so the setup assistant re-runs).

The DEP process may help as you can get the device enrolled at a very early stage. You'll just need to check if it kicks in before they get the option to create a local user account.

Regarding the disabled user option. This used to be an attribute value in the local user record. I think it was stored in the AuthenticationAuthority attribute as DisabledUser (or something similar).

You could remove that value with dscl in a policy.

New Contributor

The Casper Suite 9.9 has added functionality with the DEP process. One of the new features is the ability to send a Configuration Profile during DEP processes with the Passcode payload. This can help us make sure that new local user accounts created meet security requirements with the passcode. This feature is available in Computers, PreStage Enrollments in the Passcode tab. As always, we love feedback so please let us know if the features help solve the problems we need!