Posted on 08-16-2017 12:37 AM
We have a recently rolled out Jamf solution, so we're still getting to grips with some of the less off-the-shelf features. Being able to push a password policy for local accounts has been great; however, we have a number of endpoints that were deployed with default passwords that technically meet the restrictions (but are known to most people). Ideally we want to try and see when these haven't been changed so we can nudge users to change them (populating an EA would be fine, for example).
The methods that have been discussed so far have been to write something that compares the logged-in user's password to known-bad hashes, or to try and use something like dscl (although we have no directory, so I'm not sure if that would work). Is there a less hacky solution that people use, or something obvious we're missing?