Users can't change password - greyed out

sbrage
New Contributor

I'm sure someone's seen this before; I'm still a noob when it comes to administrating Casper. Right now we've got configuration profiles pushed out for our security settings (display message on lock screen, lock after X minutes, etc.). In the profiles, the option to allow users to reset their password IS checked - meaning users should be able to change their password. But in System Preferences > Users & Groups, the Change Password button is greyed out. Doesn't matter if you authenticate as admin user or not. Anyone seen this?

1 ACCEPTED SOLUTION

youngj
New Contributor II

The work around below seems to work: (from JAMF Support)

The following plist file will be used to upload to the configuration profile:
plist file: /var/db/SystemPolicy-prefs.plist

Do the Following:

  1. Make a copy of the plist above and move this to your desktop
  2. Open terminal and run the following command:
     a. plutil -convert xml1 /path/to/plist_file.plist
  3. Log into the JSS web application
  4. Click the Computers tab
  5. Click Configuration Profiles
  6. Click New
  7. Fill out the general payload and name the configuration profile
  8. Scroll down and click on the Custom Settings payload
  9. Click Configure
  10. For the preference domain please enter the following:
      a. SystemPolicy-prefs.plist
  11. Click Upload
  12. Navigate to your desktop and choose the SystemPolicy-prefs.plist and upload that file
  13. Click scope and scope this profile to the proper end users
  14. Click Save

nessts
Valued Contributor II

That is an Apple bug. I have reported it; they don't seem to care much. JAMF has a bug submitted to Apple as well and has this as a known problem. You cannot use the security profile and have the users be able to change their password. Even if you generate the profiles from Profile Manager it is broken.

nessts
Valued Contributor II

And it looks like there will be no fix for this anytime soon either. Just so you know.

nessts
Valued Contributor II

I take that back, Apple may actually be working on the issue and you may have hope of it getting better.

sbrage
New Contributor

YoungJ - sorry, is this a custom plist that JAMF provided, or one from a working machine?

youngj
New Contributor II

The plist file is from a normal working machine.

jkuo
Contributor

I'm having this issue as well, and I only have one configuration profile enforced. Should I remove it and see if the problem goes away?

jkuo
Contributor

Hi all - I disabled my configuration profiles (I only had one that I switched to a script via Policy instead) and Change Password came back properly. I know that's not a good fix for everyone, but if you don't have many then it might work.

sbrage
New Contributor

Thanks YoungJ! Worked like a charm. The below solution fixed the issue, and profiles are working great:

The work around below seems to work: (from JAMF Support)

The following plist file will be used to upload to the configuration profile:
plist file: /var/db/SystemPolicy-prefs.plist

Do the Following:

  1. Make a copy of the plist above and move this to your desktop
  2. Open terminal and run the following command:
     a. plutil -convert xml1 /path/to/plist_file.plist
  3. Log into the JSS web application
  4. Click the Computers tab
  5. Click Configuration Profiles
  6. Click New
  7. Fill out the general payload and name the configuration profile
  8. Scroll down and click on the Custom Settings payload
  9. Click Configure
  10. For the preference domain please enter the following:
      a. SystemPolicy-prefs.plist
  11. Click Upload
  12. Navigate to your desktop and choose the SystemPolicy-prefs.plist and upload that file
  13. Click scope and scope this profile to the proper end users
  14. Click Save

dgray
New Contributor

I tried this without any luck. Here are the contents of my plist:

<plist version="1.0">
<dict>
    <key>enabled</key>
    <string>no</string>
</dict>
</plist>

Any tips? I even tried changing it to "yes" but no luck.

msmith999
New Contributor

Was there ever an update to dgray's post? I tried it and am getting the same result, which is no change.

TreeMan
New Contributor

Still broken after v9.31

This is going to be a huge problem going into the next school year.

pereljon
New Contributor III

The issue seems to be with the "Security & Privacy" Configuration Profile in the JSS. If you are pushing out that profile to your systems then the "Change Password..." button will be disabled. This will happen regardless of whether you have the "Allow user to change password" checkbox selected or not. That checkbox seems to be broken.

dilok
New Contributor III

@pereljon THANKS! I removed the "Security & Privacy" setting from one of our Configuration Profiles, and I can now change the password.

itadminTSC
New Contributor

After further research I see that the /var/db/SystemPolicy-prefs.plist file controls Gatekeeper. I understand that there are two options "yes/no" for enabled inside the plist. When I change the Gatekeeper setting in Sys Prefs to OFF, the enabled value becomes "no". Then if I turn Gatekeeper back on, the value becomes "yes" whether I select the option for Mac App Store only or Mac App Store and registered developers. Does anyone know how to specify which of the two Gatekeeper options to push out via this plist?

Also, is there any work-around for assembling the rest of the Security and Privacy settings into a profile?

Thanks in advance.
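
A pre-upload check for the plist used in the accepted workaround, added here as an example (not JAMF's or any poster's code): it does the same conversion as `plutil -convert xml1` with Python's plistlib and lists what the file would push, flagging the `enabled` = "no" value that the post above ties to Gatekeeper being off. The function names and the string-versus-boolean check are assumptions of this example.

```python
import plistlib

# Constructed sample: the plist contents posted earlier in this thread,
# with the standard XML header added so it is a complete file.
SAMPLE_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>enabled</key>
    <string>no</string>
</dict>
</plist>
"""

def to_xml(raw: bytes) -> bytes:
    """Return the XML form of a plist given as binary or XML bytes."""
    return plistlib.dumps(plistlib.loads(raw), fmt=plistlib.FMT_XML)

def review(raw: bytes) -> dict:
    """List the keys, value types and warnings for a plist about to be uploaded."""
    data = plistlib.loads(raw)
    if not isinstance(data, dict):
        raise ValueError("top-level plist object must be a <dict>")
    findings = []
    # Per the thread, "no" is what the source Mac writes when Gatekeeper is off.
    if data.get("enabled") == "no":
        findings.append("enabled is 'no': copied from a Mac with Gatekeeper off")
    for key, value in data.items():
        # Assumption of this example: "true"/"false" strings are usually
        # a mistyped boolean (<string>true</string> instead of <true/>).
        if isinstance(value, str) and value.lower() in ("true", "false"):
            findings.append(f"{key}: string {value!r} where a boolean is likely intended")
    return {
        "keys": {k: type(v).__name__ for k, v in data.items()},
        "findings": findings,
    }

if __name__ == "__main__":
    print(to_xml(SAMPLE_XML).decode())
    print(review(SAMPLE_XML))
```

Run it against the copy of the plist on your desktop before step 11, so the profile does not push a value taken from a machine in an unintended state.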

matt_jamison
Contributor

Having the same issue here. I tried following the instructions but the Change Password did NOT un-grey out. Anything else to try?

pereljon
New Contributor III

Just remove the "Security & Privacy" setting from your Configuration Profiles

nessts
Valued Contributor II

Or make a profile that has the security and privacy settings on an up-to-date Profile Manager and install the profile locally. I have not tested uploading security and privacy into a 9.31, but the blacklist restrictions now work when uploading to the JSS profiles, so maybe this one does too.

matt_jamison
Contributor

I was able to get what I want by building a plist file and pushing it out through the Custom Settings options in the Config Profile. The only setting I cared about was greying out the "Turn off FileVault" button in Security & Privacy.

TreviñoL
Contributor

Folks

Chriskmpruitt
Contributor

@oneloveamaru what plist file did you use?

thuluyang
New Contributor III

What I am doing is adding the user to the exclusion list of the configuration profiles; it works like a charm.

matt_jamison
Contributor

@Chriskmpruitt It's a plist that I created. Take the code from below and put it in a plist and name it com.apple.MCX.plist or whatever you want really BUT when you upload and it asks for the name of preference domain, put in "com.apple.MCX" without the quotes and do not append .plist to the end.

It will stop people from being able to disable FileVault from the System Preferences and from the terminal.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>dontAllowFDEDisable</key>
    <true/>
</dict>
</plist>

tep
Contributor II

Is there a way to scope a policy to local users (no LDAP)? I want to restrict the ability to change passwords, and user long names, for a local student account, but make it so admin users can still have full access.

JSOTO
New Contributor II

Just remove the "Security & Privacy" setting from your Configuration Profiles

yashbhat
New Contributor

Go -> Utilities -> Keychain Access

Keychain Access -> Preferences

"Reset My Default Keychains"

Reset the login and you are good to go. Be careful though, because you'll lose currently stored keys and have to log in again on other connected devices as well.