01-19-2023 08:01 AM - edited 01-19-2023 08:27 AM
Hello JAMF Nation,
We are looking to update our passcode requirements to increase the number of characters needed in a password.
- We are thinking to use the "Change at Next Authentication" option in the JAMF Configuration profiles for password requirements (see below)
1. Is that the best option to require users to update their passwords to the new requirements? Or is there a better way?
2. Will the "Change at Next Authentication" run only once per machine?
3. Will this work for non-administrative accounts?
In addition, is it possible to view in JAMF password age/length for machines in our org? If not, is there a script that could be run to pull this info?
- Reason being that if we use the above method to update passwords on our machines, we have no clear indication that the user has actually updated their password and that it complies with the new password requirements since that is handled under a configuration profile and not a policy.
Thank you :D
Posted on 01-20-2023 06:43 AM
JAMF places password configurations in /Library/ManagedPreferences/com.apple.screensaver.plist
The defaults read command will not pull the password policy from com.apple.screensaver.plist, but it can be viewed with Spotlight.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadUUID</key>
<string>752190A8-EEB7-4F0E-BD99-17F27665644B</string>
<key>allowSimple</key>
<false/>
<key>askForPassword</key>
<true/>
<key>askForPasswordDelay</key>
<integer>0</integer>
<key>idleTime</key>
<integer>900</integer>
<key>loginWindowIdleTime</key>
<integer>900</integer>
<key>loginWindowModulePath</key>
<string>/System/Library/Screen Savers/Flurry.saver</string>
<key>maxFailedAttempts</key>
<integer>5</integer>
<key>maxPINAgeInDays</key>
<integer>180</integer>
<key>minComplexChars</key>
<integer>2</integer>
<key>minLength</key>
<integer>16</integer>
<key>pinHistory</key>
<integer>20</integer>
<key>requireAlphanumeric</key>
<true/>
</dict>
</plist>
You can see when a user changed their password last with the command below. Wrap it into an extension attribute, use the $3 variable as the user name (assuming your user assignment and login IDs match), or use a loop to run for each user account. You can get fancy with math if you want it more human-readable. You can safely assume that if a password was set AFTER the configuration profile installed, the password meets your requirements.
dscl . read /Users/<username> | grep --context=3 passwordLastSetTime
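An added example of wrapping the dscl check above into an extension attribute that loops over every local account, as the reply suggests. This is not AJPinto's script or Jamf's own code: it parses passwordLastSetTime out of the dscl output, reports the password age in whole days, and flags any password set before the password-policy profile was installed. The profile install time (PROFILE_INSTALLED_EPOCH), the sample dscl output and the function names are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example: a Jamf extension attribute that reports password age per local
# account and whether the password was set after the password-policy profile.
# Not the thread author's script; function names and the sample data are
# constructed for illustration.

# Epoch seconds at which the password-policy configuration profile was installed.
# Placeholder value: replace it with the real install time for your environment.
PROFILE_INSTALLED_EPOCH="${PROFILE_INSTALLED_EPOCH:-1674000000}"

# Constructed sample of what `dscl . read /Users/<name>` prints for the
# accountPolicyData attribute (the embedded plist that holds passwordLastSetTime).
SAMPLE_DSCL_OUTPUT=$(cat <<'EOF'
dsAttrTypeNative:accountPolicyData:
 <?xml version="1.0" encoding="UTF-8"?>
 <plist version="1.0">
 <dict>
 	<key>creationTime</key>
 	<real>1600000000.123</real>
 	<key>failedLoginCount</key>
 	<integer>0</integer>
 	<key>passwordLastSetTime</key>
 	<real>1673000000.456</real>
 </dict>
 </plist>
EOF
)

# Print the passwordLastSetTime epoch found in dscl output ($1); prints nothing if absent.
password_last_set_from_dscl_output() {
    printf '%s\n' "$1" | awk '
        /<key>passwordLastSetTime<\/key>/ { want = 1; next }
        want && /<real>/ { gsub(/.*<real>|<\/real>.*/, ""); print; exit }
    '
}

# Whole days between a reference epoch ($1) and an earlier epoch ($2).
days_since() {
    awk -v now="$1" -v t="$2" 'BEGIN { printf "%d\n", (now - t) / 86400 }'
}

# Succeed (exit 0) if the password epoch ($1) is not older than the profile epoch ($2).
password_set_after_profile() {
    awk -v pw="$1" -v prof="$2" 'BEGIN { exit !(pw + 0 >= prof + 0) }'
}

# Build one report line for a user ($1) from raw dscl output ($2) at reference time ($3).
report_line() {
    user="$1"; raw="$2"; now="$3"
    set_at=$(password_last_set_from_dscl_output "$raw")
    if [ -z "$set_at" ]; then
        printf '%s: no passwordLastSetTime attribute found\n' "$user"
        return
    fi
    age=$(days_since "$now" "$set_at")
    if password_set_after_profile "$set_at" "$PROFILE_INSTALLED_EPOCH"; then
        printf '%s: %s days old, set after policy profile\n' "$user" "$age"
    else
        printf '%s: %s days old, PREDATES policy profile\n' "$user" "$age"
    fi
}

# Extension attribute output: one line per local account with UID >= 500.
if command -v dscl >/dev/null 2>&1; then
    now=$(date +%s)
    printf '<result>'
    dscl . list /Users UniqueID | awk '$2 >= 500 { print $1 }' | while read -r user; do
        report_line "$user" "$(dscl . read "/Users/$user" 2>/dev/null)" "$now"
    done
    printf '</result>\n'
else
    # Off a Mac: run the parser over the constructed sample so the script still demonstrates itself.
    printf '<result>%s</result>\n' "$(report_line sampleuser "$SAMPLE_DSCL_OUTPUT" 1674000000)"
fi
```

On a managed Mac the script emits the usual Jamf `<result>...</result>` block, so a smart group can be built on the text "PREDATES policy profile" to find machines where someone has not yet changed their password since the profile landed.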
Posted on 01-20-2023 07:13 AM
Hello AJPinto,
Thank you so much for your reply and guidance! That was extremely helpful!
So if we were to use this in an EA, could we have it automatically grab the logged in username so we wouldn't have to manually fill this out for each user?
dscl . read /Users/<username> | grep --context=3 passwordLastSetTime
Another question I have is, let's say we do enable the "Change at Next Login" option in the config profile. Are newly enrolled machines going to be prompted to also change their password? If so, I guess we can just create a smart group for machines enrolled before xx/xx.
Thanks again for your help!