Posted on 09-20-2016 11:49 AM
I have an AppleCare enterprise case open for this, but just curious if anyone here is experiencing the same thing:
When you are logged into a mobile account on an AD-bound Mac and go to set up iCloud, the currently logged in network account will get locked out as soon as they attempt to provide a password when prompted to provide an admin password to complete the iCloud setup. The iCloud setup will "fail" but then the services seem to work anyway, but then if you unlock the network account it will lock again shortly after that as long as you stay signed into iCloud.
Been seeing this behavior for a few weeks, but wanted to wait until public release to discuss it here. Behavior has persisted through dev preview 8, and both GM builds (the second of which is the same as the final public build released today).
Posted on 12-06-2016 02:01 PM
Received this update this morning on my open case with Apple:
Our Product Engineering team is currently working on the fix of this issue and once I receive the confirmation from them and the beta version is available for testing, I will follow up with you and let you know as soon as possible.
So hopefully soon.
Posted on 12-07-2016 01:26 AM
Got the same response yesterday from Apple
Posted on 12-07-2016 07:35 AM
Opened a bug report a couple weeks ago and included this Apple forum thread that many of us posted to.
Posted on 12-07-2016 07:15 PM
Using Touch ID and "allow to unlock your mac" with the new Machines seems to trigger the same event...
https://www.jamf.com/jamf-nation/discussions/22372/new-mbp-with-touch-id-ad-lockouts
Posted on 12-08-2016 01:08 PM
Beta 6 has been released. I will test as soon as it shows up as an available update.
Posted on 12-09-2016 06:28 AM
Problem seems to persist in Beta 6 as well. Unfortunate.
Posted on 12-09-2016 06:32 AM
Beta 6 locked during the upgrade, locks tickling iCloud. Screen Locks still slowly increment unsuccessful login attempts. No change in behavior. Sent a note off to AppleCare.
Posted on 12-11-2016 04:07 PM
Apple suggested to me that it would be fixed in 10.12.3, but no guarantee. My guess would be late Jan.
Posted on 12-11-2016 04:45 PM
I had a call with Apple on Friday, and they all but confirmed that 10.12.3 fixes it.
Posted on 12-13-2016 04:44 PM
Hmmm...see first line item on the 10.12.2 Combo Update...
Posted on 12-14-2016 06:29 AM
Yup, they've made improvements alright. I got my AD account locked right after 10.12.2 update. This is the first time this kind of lockout has happened to my Mac after an OS update.
Posted on 12-14-2016 10:25 AM
The fix isn't in 10.12.2. I've been told January and most likely 10.12.3.
Speaking of 10.12.3, the first beta is out now. I'll see if I can test it today for the lockout issue.
Posted on 12-14-2016 11:13 AM
@Njofrekk Yup, same here! I had the problem when Sierra first came out and then it mysteriously stopped. I really don't know why it had stopped but just after this update, it came back again. I restarted and it seems to have stopped again for now. Apple really needs to get this figured out...it's maddening to deal with.
Posted on 12-14-2016 01:08 PM
macOS 10.12.3 Beta 1 (16D12b) did not lock my test account during the upgrade and I have been rebooting and fiddling with iCloud for 10 minutes with no lockout. There is hope! Also this beta dropped fast after 10.12.2 so maybe it's fast tracked for quick release.
Posted on 12-14-2016 01:15 PM
Apple recommended I try this build shortly after it dropped, and now I can also confirm based on my testing that the issue seems to be resolved in 10.12.3 beta build 16D12b. No failed password attempts thrown at login, iCloud Preference Pane sign in, or display lock and unlock. After so many previous beta builds from 10.12.1 through 10.12.2 not making any difference I have to say that I was shocked to see my badPwdCount finally stay at 0.
Nice job Apple; hopefully this stays fixed through production release (fingers crossed emoji).
Posted on 12-14-2016 01:24 PM
I can also report the beta seems to have solved my related issue with local password policies. I too was very happy to see failedLoginCount: 0 when I rebooted after the update! Will continue to test, but looking good.
Posted on 12-15-2016 06:48 AM
I too can confirm that 10.12.3 beta seems to have fixed the account lockout issues.
Posted on 12-15-2016 08:17 AM
10.12.3 seems to fix the issue in my shop too!
Posted on 12-15-2016 08:39 AM
10.12.3b1 appears to have fixed this in our environment as well! w00t w00t!
Posted on 12-16-2016 05:33 AM
I just want to pile on with the confirmations. I installed 12.3 Beta 1 yesterday afternoon and ever since, failedLoginCount has displayed zero. I dump it every minute to a log file. Looks good.
Hopefully we won't have to wait too long for this update to go live.
Posted on 12-22-2016 11:43 AM
Does anyone know where I can get 10.12.3 beta? Two of my users are having the same issues. Thanks.
Posted on 12-22-2016 11:45 AM
You need to have a registered developer account or be in the AppleSeed program.
Posted on 12-22-2016 11:56 AM
@sjit I would not apply beta builds to general population users... for IT eyes only!
Posted on 12-22-2016 12:00 PM
Pretty sure Apple's NDA prohibits non-participants from installing the Beta. However Apple Enterprise have blessed applying a Beta build on an affected user, for troubleshooting purposes. The caveat was to clone the affected computer so it isn't a production/business use computer.
Posted on 12-22-2016 03:27 PM
So it looks like even after I signed out of iCloud services, one of my users still keeps on getting locked out. I did notice iMessage is still signed on even after I signed out of iCloud. Should I sign out of that as well? Other than this, I really can't figure out what is triggering the lockout.
Posted on 12-23-2016 09:01 AM
Also ran 10.12.3 beta. It is working. No bad password counts. Can't wait for the update. :-)
Posted on 01-05-2017 06:37 AM
When is this update coming out?
Posted on 01-05-2017 06:47 AM
@jalcorn most of us with open cases have been told we will probably see the update in January, but even with that I've been told that's not a guarantee. I imagine (this is pure speculation based on past experiences, not inside knowledge, so I could be entirely wrong) that we'll see at least 1 or 2 more beta builds before a GM public release of 10.12.3.
Posted on 01-11-2017 11:22 AM
While we wait for a public 10.12.3 release, has anyone found an effective workaround for this problem? I've tried the "Do not require Kerberos preauthentication" setting on AD accounts without luck.
Thanks to everyone who has contributed to this thread, to help work through a frustrating issue!
Posted on 01-11-2017 12:20 PM
Honestly I just created an "Un-bind" item in Self Service and am having users unbind until the issue is resolved. No AD connectivity, no lock outs. There is an existing "AD Re-Bind" option so they can hop back on at the drop of a hat if needed for any purpose.
Posted on 01-11-2017 02:32 PM
How did you create the "un-bind"?
Posted on 01-11-2017 03:36 PM
#!/bin/sh
dsconfigad -force -remove -u notarealuser -p notarealpassword
Posted on 01-11-2017 04:55 PM
We created a fine-grained password policy for users in an AD security group that raises the lockout limit to 15.
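The workaround described in the post above, as an added example that is not part of the original thread or the poster's own commands: a fine-grained password policy (PSO) that copies the domain password settings, changes only the lockout threshold to 15, and is scoped to one security group. The group, policy and user names are hypothetical placeholders, and the group is assumed to exist already as a global security group.

```powershell
# Added example: names below are hypothetical placeholders, not from the thread.
Import-Module ActiveDirectory

$GroupName  = 'Mac-Sierra-Lockout-Workaround'   # hypothetical global security group
$PolicyName = 'PSO-Mac-Lockout-15'              # hypothetical PSO name
$TestUser   = 'jdoe'                            # hypothetical affected account

# Copy every setting from the domain policy so the PSO relaxes only the
# lockout threshold and leaves password strength and age rules unchanged.
$domain = Get-ADDefaultDomainPasswordPolicy

$pso = @{
    Name                        = $PolicyName
    Precedence                  = 10     # lower number wins if several PSOs apply
    LockoutThreshold            = 15     # value given in the post
    LockoutDuration             = $domain.LockoutDuration
    LockoutObservationWindow    = $domain.LockoutObservationWindow
    ComplexityEnabled           = $domain.ComplexityEnabled
    MinPasswordLength           = $domain.MinPasswordLength
    MinPasswordAge              = $domain.MinPasswordAge
    MaxPasswordAge              = $domain.MaxPasswordAge
    PasswordHistoryCount        = $domain.PasswordHistoryCount
    ReversibleEncryptionEnabled = $false # set explicitly, never rely on a default
}
New-ADFineGrainedPasswordPolicy @pso

# Scope the relaxed threshold to the affected Mac users only.
Add-ADFineGrainedPasswordPolicySubject -Identity $PolicyName -Subjects $GroupName
Add-ADGroupMember -Identity $GroupName -Members $TestUser

# Confirm which policy the account actually receives.
Get-ADUserResultantPasswordPolicy -Identity $TestUser |
    Select-Object Name, Precedence, LockoutThreshold

# badPwdCount is kept per domain controller, so read it from the DC the Mac uses.
Get-ADUser -Identity $TestUser -Properties badPwdCount, LockedOut |
    Select-Object SamAccountName, badPwdCount, LockedOut

# Rollback once the clients run a fixed macOS build:
# Remove-ADFineGrainedPasswordPolicySubject -Identity $PolicyName -Subjects $GroupName
# Remove-ADFineGrainedPasswordPolicy -Identity $PolicyName
```

Keeping the group membership limited to affected accounts and removing the PSO after the fix restores the domain lockout threshold for those users.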
Posted on 01-16-2017 01:37 PM
A little light at the end of the tunnel?
As of 01/13/2017 - 10.12.3 will be available to users "in the coming weeks" - Consumer Reports
This update will also address the 2016 MacBook Pro battery issues.
Hold your breath a little longer!
Posted on 01-17-2017 09:58 AM
@hkabik could you provide your script on "AD Re-Bind" that you have in self service?
thank you in advance!
Posted on 01-17-2017 10:50 AM
You could use the built in bind function of the JSS for the policy but I do use a script (altered to remove private info, if you're unfamiliar the first half of the script is providing the username and password of the bind account with encrypted strings):
#!/bin/sh
# Decrypt a base64-encoded, AES-256-encrypted string.
# $1 = encrypted string, $2 = salt, $3 = passphrase
DecryptString() {
    echo "${1}" | /usr/bin/openssl enc -aes256 -d -a -A -S "${2}" -k "${3}"
}
# Jamf script parameters start at $4; $4 and $5 carry the encrypted
# bind account username and password.
USERNAME=$(DecryptString "$4" 'numberstring' 'numberstring')
PASS=$(DecryptString "$5" 'numberstring' 'numberstring')
# Bind to AD with mobile accounts enabled and the listed admin groups.
dsconfigad -f -add DOMAIN.COMPANY.local -username "$USERNAME" -password "$PASS" -computer "$(scutil --get ComputerName)" -mobile enable -mobileconfirm disable -useuncpath disable -protocol smb -groups "domain admins,enterprise admins,DOMAINCOMPANY IT Workstation Admins" -alldomains disable
# Replace the "All Domains" search path with the specific domain for
# both authentication and contacts lookups.
dscl /Search -delete / CSPSearchPath "/Active Directory/DOMAIN/All Domains"
dscl /Search -append / CSPSearchPath "/Active Directory/DOMAIN/DOMAIN.COMPANY.local"
dscl /Search/Contacts -delete / CSPSearchPath "/Active Directory/DOMAIN/All Domains"
dscl /Search/Contacts -append / CSPSearchPath "/Active Directory/DOMAIN/DOMAIN.COMPANY.local"
Posted on 01-23-2017 10:53 AM
WE DID IT! Finally! I can't believe they actually included details about this bug in the release notes; I thought for sure the issue would fall under the "improves the stability..." umbrella. Thanks to everyone who opened a case and helped bring attention to it!
https://support.apple.com/en-us/HT207462
Posted on 01-23-2017 10:57 AM
Posted on 01-23-2017 11:03 AM
@dgreening
Any link to the combo update?
Posted on 01-23-2017 12:16 PM
I just confirmed that the AD account lockouts caused by putting the computer to sleep and waking up have stopped after installing 10.12.3. YAY!