Password Policy MDM

sgoetz
Contributor

I have a password policy Configuration profile set on our machines that only use Local Accounts. What I am wondering is, after someone puts in the wrong password over 6 times, it disables the user. How does that work? Do they get put in a disabled users group that I can see with Directory Utility on the Mac? Or what? And how do I unlock them? The only way I have found to unlock them so far is to use JAMF to change the password, which doesn't always work.

Thanks

Shawn


sgoetz
Contributor

Any thoughts guys?

merps
Contributor III

We're also using local password policy, but using pwpolicy instead of config profiles. Everything I have found points to a bug in the pwpolicy mechanism to automatically unlock accounts after a period of time once they've been locked out. The quick and dirty way we do this is to issue a policy to clear the local password policy. This will unlock the account.

The policy "execute command" we're using is:

pwpolicy -clearaccountpolicies

After the user has been able to log back in, we re-run the policy with a script that enforces the password policy. This may or may not work for you, since you're using profiles, but it's how we do it.
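Added example (not from the thread, and not Jamf's or Apple's code) showing where macOS keeps the lockout state Shawn asks about and how to check it before running the unlock merps describes. It assumes the accountPolicyData record keys failedLoginCount and failedLoginTimestamp, which is how macOS 10.10 and later record failed attempts; the sample record at the bottom is constructed so the parsing part runs anywhere.

```shell
#!/bin/sh
# Added example. macOS stores a local account's lockout state in the user's
# own directory record, not in a group: `dscl . -read /Users/<name>
# accountPolicyData` prints a plist holding failedLoginCount and
# failedLoginTimestamp (key names assumed from macOS 10.10+ behaviour).

# Extract the numeric <integer>/<real> value that follows KEY in plist text.
plist_num() {   # usage: plist_num KEY PLIST_TEXT
    printf '%s\n' "$2" | awk -v k="<key>$1</key>" '
        found && /<(integer|real)>/ {
            gsub(/.*<(integer|real)>|<\/(integer|real)>.*/, ""); print; exit
        }
        index($0, k) { found = 1 }'
}

# True when the failed-login counter has reached MAX (6 on Shawn's profile).
is_locked_out() {   # usage: is_locked_out PLIST_TEXT MAX
    count=$(plist_num failedLoginCount "$1")
    [ "${count:-0}" -ge "$2" ]
}

# Live check on macOS: report the counter and, if the limit is reached, run
# the unlock from merps' reply. It clears the global policy, so re-enforce the
# policy afterwards exactly as merps describes.
check_user() {   # usage: check_user NAME [MAX]
    data=$(dscl . -read "/Users/$1" accountPolicyData 2>/dev/null) || return 2
    echo "$1: failedLoginCount=$(plist_num failedLoginCount "$data")" \
         "lastFailure=$(plist_num failedLoginTimestamp "$data")"
    if is_locked_out "$data" "${2:-6}"; then
        echo "$1 is locked out; clearing account policies"
        pwpolicy -clearaccountpolicies
    fi
}

# Constructed sample of what dscl prints for a user after 7 bad attempts.
SAMPLE_RECORD='accountPolicyData:
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>creationTime</key>
    <real>1450000000.0</real>
    <key>failedLoginCount</key>
    <integer>7</integer>
    <key>failedLoginTimestamp</key>
    <real>1450003600.0</real>
</dict>
</plist>'

if [ "$#" -gt 0 ] && command -v dscl >/dev/null 2>&1; then
    check_user "$1" "${2:-6}"
else
    printf 'sample: failedLoginCount=%s locked_out=%s\n' \
        "$(plist_num failedLoginCount "$SAMPLE_RECORD")" \
        "$(is_locked_out "$SAMPLE_RECORD" 6 && echo yes || echo no)"
fi
```

Run it on a Mac as `sh script.sh <username> 6` from a Jamf policy to see the counter for that user; with no arguments it only exercises the constructed sample.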

CypherCookie
Contributor

Hi Shawn, there is a lockout option on the MDM profile in which you can specify a timeout period if the password for the account gets put in incorrectly x number of times. However, I do not believe there is an option in MDM to lock the account out.