Posted on 08-15-2013 10:32 PM
Has anyone set up JSS to deploy password policies to local machines? First the basic stuff like "Must have letters and numbers, must be X length", then (and I'm not sure if any of this is even remotely possible) secondarily more complicated policies like "can't use 'password' or username in password, can't use the same password more than once, must change the password every X days".
The trick is no OpenDirectory, AD or anything similar, just local accounts/local computer policy. I'm not seeing anything in Managed Preferences. I tried to search JAMF Nation and the only thing I came up with was https://jamfnation.jamfsoftware.com/viewProductFile.html?id=135&fid=368 which has zero explanation on where to stick it -- however it does indicate a potential command line option.
Posted on 08-16-2013 06:25 AM
In Configuration Profiles is a Passcode section. I don't use it, but it looks like the normal password policy stuff you're looking for.
Posted on 08-16-2013 07:54 AM
Check what dpertschi said. There used to be the command line util pwpolicy, but that was killed off in Lion. If you only need to change the policy for specific, existing local users, you could use Workgroup Manager to edit the local directory. Obviously this would change files stored on the system somewhere, so you could try to figure out the changes using a utility like fseventer and then script to replicate.
Posted on 08-16-2013 08:59 AM
I think pwpolicy still works, at least it seems to on my machines.
whereis pwpolicy
I have a template script you can use to set local password policy within Casper by a bunch of the pwpolicy commands. Feel free to use if helpful:
https://github.com/clifhirtle/casper/blob/master/scripts/passwordPolicy.sh
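To check whether a global policy set with pwpolicy commands like those mentioned above matches the requirements from the original question, here is an added example (not part of the thread and not Clif's script). It uses the legacy pwpolicy key names; the thresholds and the sample policy string are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a legacy pwpolicy global policy against a baseline.
# Thresholds are assumptions for illustration, not values from the thread.
MIN_CHARS=8        # "must be X length"
MIN_HISTORY=5      # how many previous passwords may not be reused
MAX_AGE_DAYS=90    # "must change the password every X days"

# Constructed sample in the space-separated key=value form that
# `pwpolicy -getglobalpolicy` prints (not captured from a real machine).
SAMPLE_POLICY="usingHistory=5 requiresAlpha=1 requiresNumeric=1 minChars=8 maxMinutesUntilChangePassword=129600 passwordCannotBeName=1"

# policy_value POLICY KEY: print KEY's value, or 0 when KEY is absent.
policy_value() {
    for pair in $1; do
        case "$pair" in
            "$2"=*) echo "${pair#*=}"; return 0 ;;
        esac
    done
    echo 0
}

# at_least POLICY KEY MIN: succeed when KEY is an integer >= MIN.
at_least() {
    [ "$(policy_value "$1" "$2")" -ge "$3" ] 2>/dev/null
}

# check_policy POLICY: print each unmet requirement, return how many failed.
check_policy() {
    fails=0
    for req in requiresAlpha:1 requiresNumeric:1 passwordCannotBeName:1 \
               "minChars:$MIN_CHARS" "usingHistory:$MIN_HISTORY" \
               maxMinutesUntilChangePassword:1; do
        at_least "$1" "${req%%:*}" "${req#*:}" || {
            echo "FAIL: ${req%%:*} below ${req#*:}"; fails=$((fails + 1)); }
    done
    # Expiry is stored in minutes; 0 means "never expires", caught above.
    age=$(policy_value "$1" maxMinutesUntilChangePassword)
    [ "$age" -le $((MAX_AGE_DAYS * 1440)) ] 2>/dev/null || {
        echo "FAIL: password age exceeds $MAX_AGE_DAYS days"; fails=$((fails + 1)); }
    return "$fails"
}

# Audit the live policy where pwpolicy exists, otherwise the sample above.
if command -v pwpolicy >/dev/null 2>&1; then
    policy=$(pwpolicy -getglobalpolicy 2>/dev/null) || policy=""
else
    policy=$SAMPLE_POLICY
fi
check_policy "$policy" || echo "policy is not compliant"
```

A passing audit only shows what the policy store contains; whether the OS enforces each key still has to be tested on the target version.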
Posted on 08-16-2013 10:09 AM
Clif,
I was a bit vague in my earlier comments--sorry. I haven't touched this since last year, when I was trying to prevent a local user from changing their password in 10.7 (.4 I believe). My finding was that while the binary was there, it had no effect. I brought it up on the MacEnterprise mailing list and one other person said they were seeing the same. I haven't tried it since then, but from your script it appears like it is now apparently working again, so that's great!
Thanks,
Eric
Posted on 08-16-2013 10:22 AM
OK, another follow-up. Did some more testing and it looks like global policies work and some user policies as well. However, the canModifyPasswordforSelf policy still is not honored, as I had found before. Bummer.
Posted on 08-19-2013 08:52 AM
We are investigating local password too. My 1st plan was to use Profiles; however, there are issues with X.8 and the password settings. Apple recommend pw, and there are usability issues with that. : )
We are waiting for X.9. I heard somewhere that X.9 is going to match iOS with Profiles support : )
C