Password Policy: Configuration Profile vs PWPolicy

Andy_D
New Contributor II

Howdy!

I need some clarification on how Configuration Profiles interact with macOS. Specifically, when managing password policy via a Configuration Profile, should I expect to see output if I run the pwpolicy command locally on a managed Mac?

I have an Extension Attribute that checks the output of that command, but I'm not sure if the output of pwpolicy should contain the controls set in the config profile or not.

Thank you!

 

2 REPLIES

jamf-42
Valued Contributor II

It's been a while since I've used the PWPolicy binary, but to stop clashes with things like JAMF Connect, the local password policy was disabled and only the config profiles used.

Andy_D
New Contributor II

I think I have figured out the problem. My EA logic was flawed. To determine the presence of policy data via pwpolicy, I was assigning the output to a variable and then checking the length of the variable. Then if it was greater than 0, designating that as having policy present. But after doing some testing in a VM, I discovered that a blank policy still has output of 225 characters. I changed the logic in the EA to look for variable length greater than 225 and the machines that are reporting in are showing correctly.

It appears the answer to the original question is that password policy applied by Configuration Profile is reflected with pwpolicy, but only at the global level. Checking for individual accounts will return a blank policy, which looks like this:

Getting account policies for user <test-user>
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict/>
</plist>
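
The following is an added example, not code posted by anyone in this thread: an Extension Attribute sketch that classifies `pwpolicy` output by whether the plist root is the empty `<dict/>` shown above, instead of comparing the output length to a fixed number. It queries the global policy, since that is where the thread reports profile-applied settings appear; the function name, the state strings and the non-empty sample are assumptions made for illustration.

```shell
#!/bin/bash
# Added example (not from the thread): classify pwpolicy output by plist content.

# Reads pwpolicy output on stdin and prints one state string.
policy_state() {
    # Drop the "Getting ... policies" banner, then remove all whitespace so the
    # empty-root test does not depend on line breaks or indentation.
    _body=$(sed -n '/<?xml/,$p' | tr -d '[:space:]')
    case "$_body" in
        "")                                         echo "No Output" ;;
        *'<plist'*'><dict/></plist>')               echo "Blank Policy" ;;
        *'<plist'*'><dict><key>'*'</dict></plist>') echo "Policy Present" ;;
        *)                                          echo "Unparsed Output" ;;
    esac
}

# Constructed sample: the blank per-user policy shown in the thread.
BLANK_SAMPLE='Getting account policies for user <test-user>
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict/>
</plist>'

# Constructed sample: a non-empty policy (banner, keys and values are illustrative).
POLICY_SAMPLE='Getting global account policies
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>policyCategoryPasswordContent</key>
  <array><dict><key>policyIdentifier</key><string>example-min-length</string></dict></array>
</dict>
</plist>'

# On a Mac, report the global policy state in Jamf's <result> format.
if command -v pwpolicy >/dev/null 2>&1; then
    echo "<result>$(pwpolicy -getaccountpolicies 2>/dev/null | policy_state)</result>"
fi
```

Because the check looks at the plist structure, it keeps working if the banner line or DOCTYPE length differs between macOS versions or account names.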