So, I think I have done it...
First step is a policy that creates a plist file using echo - crude I know, but it works :-)
The second is a policy set to trigger at login which will apply that plist, but only to accounts in the 500-1000 range. The biggest hurdle is that I don't want to effect any users with local accounts without warning them first, which is why I have the 2 step process. I also don't want to set the global pwpolicy, as that will effect any AD user who tries to login if they don't meet all 4 criteria.
Here is the login script:
#!/bin/sh
pwpolicy -u $3-clearaccountpolicies
cUID=`stat -f %u /dev/console`
if [[ ${cUID} -gt 500 && ${cUID} -lt 1000 ]]; then
/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper -windowType utility -icon /Applications/Utilities/Keychain Access.app/Contents/Resources/Keychain_Unlocked.png -heading 'Password Policy' -description "Policy requires that local user accounts conform to the same password policy as Network accounts.
IT will begin enforcing the following requirements on local accounts:
Must contain
• 1 Uppercase
• 1 Lowercase
• 1 Number
• 1 Special character.
• Passwords must be changed every 90 days
• may not reuse any of the last 5 passwords." -button1 'OK' > /dev/null 2>&1 &
pwpolicy -u $3 -setaccountpolicies /path/to/file/pwpolicy.plist
fi
I haven't tested in Casper yet, but my limited testing seems to indicate that it will work.
