Password expiring policy

dmarcnw
New Contributor III

We have a mix of 10.9-10.11 machines. Not bound to any directory service. All patched. FileVault enabled with keys stored in the JSS. No service accounts from login screen.

I've deployed a pwpolicy to the logged-in users that forces a password complexity and password expiration. When a user reboots their computer and gets to the login screen, they log in and it's time to create a new password. They create their new password and log in. Sometimes though, when they reboot, their new password is not working at the FV login screen on their computer. Their old password isn't working either. We try different passwords that it might be, to no avail. We wind up pulling their recovery key and are able to log in. Then it's a mess trying to fix their login keychain.

I guess my question is, what are others doing to force users to change their local computer passwords in a certain amount of time? JSS policy that creates a popup and prompts the user to change their machine password? Just looking for any ideas out there I may have overlooked.

3 REPLIES

gachowski
Valued Contributor II

Wow,

We see the same issue, just assumed that it was AD issues as we bind to AD. Now I think it's an issue with the OS.

Parts of pwpolicy have been deprecated and Apple added the "Account Policies" and dictionary to replace it. I think that the new Account Policies are just a stopgap to get everyone on configuration profiles.

We are testing configuration profiles for password management. : )

C

gachowski
Valued Contributor II

I should have added that configuration profiles use the OS to "force users to change their local computer passwords". You can pick the number of days you want the password to be in use and after that you will get an OS prompt to change.

C

gachowski
Valued Contributor II

Also, here is the link to what I think is the 1st public example of the "Account Policies" and dictionary that I could find. : ) (Great work by the team at civisanalytics.com)

It's about 2/3 of the way down the thread.

https://jamfnation.jamfsoftware.com/discussion.html?id=18574

C