Skip to main content
Question

Passcode Configuration Profile and Active Directory Passwords

  • March 1, 2023
  • 1 reply
  • 0 views
CJohnson1788
Forum|alt.badge.img+4

We have AD-bound Macs in our Jamf environment. Our AD passwords expire after 90 days. We would like to force the change of the local break glass accounts on the Macs every 90 days, as well. I'm trying to avoid flak from users who might have changed their AD password a couple of days ago.

If we deploy a configuration profile that includes the Maximum Password Age set to 90 days (the same as our AD policy), does anyone know if that will conflict with the AD policy? 

    1 reply

    AJPinto
    Forum|alt.badge.img+26
    • AJPinto
    • Legendary Contributor
    • 2717 replies
    • March 6, 2023

    MacOS really does not give two poops about AD, even when domain bound. Where yes you are using a "mobile" account on macOS, MacOS itself really does not care what AD is doing or telling that account to do. 

     

    • If you push a configuration profile with tighter password requirements than what your AD Tennant has expect the users to be forced to change their password at log in. If password change fails to sync to AD, then the users account on the Mac will have a different password than their AD password. 
    • If you push a configuration profile with a password configuration that matches your AD Tennant I would expect most users would not notice anything. There is always a risk of a one off.

    Reply


    Most helpful members this week

    Terms & ConditionsCookie settingsAccessibility statement

    Cookie policy

    We use cookies to enhance and personalize your experience. If you accept you agree to our full cookie policy. Learn more about our cookies.

     
    Cookie settings