pwpolicy for local users

dmarcnw
New Contributor III

As it is now, we have a hidden management account and the local user account. The local user account is the only FV2 user, but we have our FV2 keys escrowed in the JSS. So when you boot, you just have the option to log in as the owner of the computer with their password or the recovery key.

We want to apply a password policy to the owner of the machine only and not our hidden admin account. After much discussion and research, we decided to run the following command passing the console user as the destination of the policy:

pwpolicy -u "$userName" -setpolicy "minChars=10 requiresAlpha=1 requiresNumeric=2 usingHistory=5 requiresSymbol=1 maxMinutesUntilChangePassword=259200"

I've noticed that anyone who hasn't changed their password within 180 days will get the prompt to change their password when logging back in, or after a reboot. I expected this to happen.

During testing I wanted to expire the password sooner, so I made it expire in 5 minutes on a test machine. After five minutes I logged out and logged back in. I was prompted to create a new password. I entered the password as directed and clicked to continue. But then I was asked again to change my password. OK, so I put in a different password meeting my complexity rules and clicked continue. The prompt shakes like I did something wrong. The password is correct in both fields. OK, I tried another different password. Same thing happened. So I hit cancel and got back to the normal login. I typed in one of the passwords I set (can't remember which one), and again it asked me to change my password. I rebooted and got to the FV2 prompt on boot. It took one of the passwords I had set and then it again asked me to change my password. Still can't get beyond the change password prompt.

So this one edge case I'm having problems with, how can I get rid of the password policy and just get back into the computer to try and reapply the policy again? Apple had an article on resetting the pwpolicy for all the accounts in SU mode. I tried that and it didn't work. I did reinstall the OS and got around it. I'm just looking for a quick fix before I deploy to my company and have a dozen people with the same issue.

If there's a better way to apply pwpolicy to the locally logged in user I'm not seeing, please someone pass on your advice/experience.

The full script I passed on to my test machine was:

#!/bin/sh
# Resolve the account that currently owns the console (the logged-in user)
userName=$(ls -l /dev/console | cut -d " " -f 4)
# Apply the policy to that user only; expiry shortened to 5 minutes for testing
pwpolicy -u "$userName" -setpolicy "minChars=10 requiresAlpha=1 requiresNumeric=2 usingHistory=5 requiresSymbol=1 maxMinutesUntilChangePassword=5"
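The following is an added example, not the original poster's script or anything from Jamf: the same idea (policy applied to the console user only, never to the hidden admin) with guards around it, plus a "clear" mode for the locked-out edge case described above. It assumes a hidden admin account name (ADMIN_ACCOUNT, here "mgmtadmin"), uses `stat -f %Su` to read the console owner instead of parsing `ls` output, and reads the stored policy back with `pwpolicy -getaccountpolicies`; the expiry is given in days and converted to the minutes pwpolicy expects (180 days = 259200 minutes, the value in the original post).

```shell
#!/bin/sh
# Added example: guarded pwpolicy application for the console user only.
# Not the original poster's script; names below are assumptions.

# Hidden management account that must never receive the policy (assumed name).
ADMIN_ACCOUNT="${ADMIN_ACCOUNT:-mgmtadmin}"

# Owner of /dev/console. At the login window (nobody logged in) this is "root",
# which target_allowed rejects below. BSD stat syntax, macOS only.
console_user() {
    stat -f '%Su' /dev/console 2>/dev/null
}

# Build the policy string from an expiry given in days; pwpolicy wants minutes.
build_policy() {
    days="$1"
    minutes=$((days * 24 * 60))
    printf 'minChars=10 requiresAlpha=1 requiresNumeric=2 usingHistory=5 requiresSymbol=1 maxMinutesUntilChangePassword=%s' "$minutes"
}

# Refuse root, the hidden admin, service accounts (_prefix) and an empty result.
# Returns 0 when the account may receive the policy, 1 otherwise.
target_allowed() {
    case "$1" in
        ""|root|"$ADMIN_ACCOUNT"|_*) return 1 ;;
        *) return 0 ;;
    esac
}

# Apply the policy and read back what was actually stored, so a typo in the
# policy string is visible in the Jamf policy log rather than discovered at login.
apply_policy() {
    user="$1"; days="$2"
    target_allowed "$user" || { echo "refusing to set policy for '$user'" >&2; return 1; }
    pwpolicy -u "$user" -setpolicy "$(build_policy "$days")" || return 1
    pwpolicy -u "$user" -getaccountpolicies
}

# Recovery for the locked-out case from the post: clear the user's policies
# (the option the reply points at), run from the hidden admin or as root.
clear_policy() {
    user="$1"
    target_allowed "$user" || { echo "refusing to clear policy for '$user'" >&2; return 1; }
    pwpolicy -u "$user" -clearaccountpolicies
}

# Only act when invoked with a mode, so the functions can be sourced safely.
case "${1:-}" in
    apply) apply_policy "$(console_user)" "${2:-180}" ;;
    clear) clear_policy "$(console_user)" ;;
esac
```

Run it as `./pwpolicy-console.sh apply 180` from the management account, or `./pwpolicy-console.sh clear` on a machine stuck at the change-password prompt. Because the console owner is "root" whenever no one is logged in, the guard also stops the policy from landing on root when the Jamf policy fires at the login window.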

thoule
Valued Contributor II

PWPolicy commands have been up here before. I think it's

'pwpolicy -clearaccountpolicies'

During my testing, if a password expired, it was immediately invalid, meaning a user couldn't unlock a screensaver. They had to hard reboot, then change the password at the login screen. I don't know if that's still the situation but you might want to check if you haven't already.