We have a mix of 10.9-10.11 machines. Not bound to any directory service. All patched. FileVault enabled with keys stored in the JSS. No service accounts from login screen.
I've deployed a pwpolicy to the logged-in users that forces password complexity and password expiration. When a user reboots their computer and gets to the login screen, they log in and it's time to create a new password. They create their new password and log in. Sometimes, though, when they reboot, their new password is not working at the FV login screen on their computer. Their old password isn't working either. We try different passwords that it might be, to no avail. We wind up pulling their recovery key and are able to log in. Then it's a mess trying to fix their login keychain.
I guess my question is, what are others doing to force users to change their local computer passwords in a certain amount of time? JSS policy that creates a popup and prompts the user to change their machine password? Just looking for any ideas out there I may have overlooked.
We see the same issue, just assumed that it was AD issues as we bind to AD. Now I think it's an issue with the OS.
Parts of pwpolicy have been deprecated and Apple added the "Account Policies" dictionary to replace it. I think that the new Account Policies are just a stop gap to get everyone on configuration profiles.
We are testing configuration profiles for password management. : )