Posted on 10-28-2016 08:34 AM
So, I assume that my position is not that unique. Most of our users are using Macs joined to AD and logging in with AD accounts. However, we have some systems that are either not joined to AD or have a local account for development or some other reason.
Our CyberSec group wants us to enforce a password policy, but I can't figure out how to limit enforcement to only local accounts. Since our PW Policy in AD is set to require 3 of 4 criteria (A-Z, a-z, 0-9, special) and Apple's Config Profile or pwpolicy tool only allow you to set required or not (and only alphanumeric and special, no option for upper and lower case), I have had situations where a user was not able to log in because of the conflict in policy.
Ideally I'd like to enforce a strict password but only for Local users with an ID over 500. Anyone been able to do this?
Posted on 11-05-2016 11:48 AM
So, I think I have done it...
First step is a policy that creates a plist file using echo - crude I know, but it works :-)
The second is a policy set to trigger at login which will apply that plist, but only to accounts in the 500-1000 range. The biggest hurdle is that I don't want to affect any users with local accounts without warning them first, which is why I have the 2 step process. I also don't want to set the global pwpolicy, as that will affect any AD user who tries to log in if they don't meet all 4 criteria.
Here is the login script:
#!/bin/bash
# Jamf passes the user name as $3.
# Clear any per-user account policies left over from an earlier run.
pwpolicy -u "$3" -clearaccountpolicies
# UID of the account that owns the console, i.e. the user logging in.
cUID=$(stat -f %u /dev/console)
# Only accounts in the 500-1000 UID range get the policy.
if [[ ${cUID} -gt 500 && ${cUID} -lt 1000 ]]; then
    # Warn the user first; the helper runs in the background so login is not blocked.
    "/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper" -windowType utility -icon "/Applications/Utilities/Keychain Access.app/Contents/Resources/Keychain_Unlocked.png" -heading 'Password Policy' -description "Policy requires that local user accounts conform to the same password policy as Network accounts.
IT will begin enforcing the following requirements on local accounts:
Must contain
• 1 Uppercase
• 1 Lowercase
• 1 Number
• 1 Special character.
• Passwords must be changed every 90 days
• may not reuse any of the last 5 passwords." -button1 'OK' > /dev/null 2>&1 &
    # Apply the plist created by the first policy to this user only.
    pwpolicy -u "$3" -setaccountpolicies /path/to/file/pwpolicy.plist
fi
I haven't tested in Casper yet, but my limited testing seems to indicate that it will work.
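The post does not show the plist that the first policy creates. The following is an added example, not the poster's file: a heredoc-based function that writes an account-policy plist expressing the six requirements listed in the dialog. The function name and the identifier labels are constructed for illustration, and the policy strings should be checked on a test Mac before deployment.

```shell
#!/bin/bash
# Added example: write the account-policy plist in one piece with a heredoc.
# Identifier strings are constructed labels; the output path is the caller's choice.

write_pwpolicy_plist() {
    # $1 = destination path. The quoted 'EOF' stops the shell expanding anything.
    cat > "$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>policyCategoryPasswordContent</key>
  <array>
    <dict><key>policyIdentifier</key><string>Has uppercase</string>
      <key>policyContent</key><string>policyAttributePassword matches '(.*[A-Z].*){1,}+'</string></dict>
    <dict><key>policyIdentifier</key><string>Has lowercase</string>
      <key>policyContent</key><string>policyAttributePassword matches '(.*[a-z].*){1,}+'</string></dict>
    <dict><key>policyIdentifier</key><string>Has number</string>
      <key>policyContent</key><string>policyAttributePassword matches '(.*[0-9].*){1,}+'</string></dict>
    <dict><key>policyIdentifier</key><string>Has special character</string>
      <key>policyContent</key><string>policyAttributePassword matches '(.*[^a-zA-Z0-9].*){1,}+'</string></dict>
    <dict><key>policyIdentifier</key><string>Not one of last 5 passwords</string>
      <key>policyContent</key><string>none policyAttributePasswordHashes in policyAttributePasswordHistory</string>
      <key>policyParameters</key>
      <dict><key>policyAttributePasswordHistoryDepth</key><integer>5</integer></dict></dict>
  </array>
  <key>policyCategoryPasswordChange</key>
  <array>
    <dict><key>policyIdentifier</key><string>Change every 90 days</string>
      <key>policyContent</key><string>policyAttributeCurrentTime &gt; policyAttributeLastPasswordChangeTime + (policyAttributeExpiresEveryNDays * 24 * 60 * 60)</string>
      <key>policyParameters</key>
      <dict><key>policyAttributeExpiresEveryNDays</key><integer>90</integer></dict></dict>
  </array>
</dict>
</plist>
EOF
    chmod 644 "$1"
    # On macOS, refuse to leave a malformed file for the login policy to apply.
    if command -v plutil >/dev/null 2>&1; then
        plutil -lint "$1" >/dev/null || { rm -f "$1"; return 1; }
    fi
}

# Usage: pass the destination path, e.g. /path/to/file/pwpolicy.plist
if [ -n "${1:-}" ]; then write_pwpolicy_plist "$1"; fi
```

After applying the file, `pwpolicy -u <user> -getaccountpolicies` prints what is in effect for that account, which confirms the policy is set per user and not globally.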