Jamf Nation Community

And it looks like there will be no fix for this anytime soon either. Just so you know.

I take that back, Apple may actually be working on the issue and you may have hope of it getting better.

YoungJ - sorry, is this a custom plist that JAMF provided, or one from a working machine?

The plist file is from a normal working machine.

I'm having this issue as well, and I only have one configuration profile enforced. Should I remove it and see if the problem goes away?

Hi all - I disabled my configuration profiles (I only had one that I switched to a script via Policy instead) and Change Password came back properly. I know that's not a good fix for everyone, but if you don't have many then it might work.

Thanks YoungJ! Worked like a charm. The below solution fixed the issue, and profiles are working great:

The work around below seems to work: (from JAMF Support)

The following plist file will be used to upload to the configuration profile:
plist file: /var/db/SystemPolicy-prefs.plist

Do the Following:

1. Make a copy of the plist above and move this to your desktop
2. Open terminal and run the following command: a. plutil -convert xml1 /path/to/plist_file.plist
3. Log into the JSS web application
4. Click the Computers tab
5. Click Configuration Profiles
6. Click New
7. Fill out the general payload and name the configuration profile
8. Scroll down and click on the Custom Settings payload
9. Click Configure
10. For the preference domain please enter the following: a. SystemPolicy-prefs.plist
11. Click Upload
12. Navigate to your desktop and choose the SystemPolicy-prefs.plist and upload that file
13. Click scope and scope this profile to the proper end users
14. Click Save

I tried this without any luck. Here are the contents of my plist:

<plist version="1.0">
<dict>
    <key>enabled</key>
    <string>no</string>
</dict>
</plist>

Any tips? I even tried change it to "yes" but no luck.

Was there ever an update to dgray's post as I tried it an getting the same result which is no change.

Still broken after v9.31

This is going to be a huge problem going into the next school year.

The issue seems to be with the "Security & Privacy" Configuration Profile in the JSS. If you are pushing out that profile to your systems then the "Change Password..." button will be disabled. This will happen regardless of whether you have the "Allow user to change password" checkbox selected or not. That checkbox seems to be broken.

@pereljon THANKS! I removed "Security & Privacy"setting from one of our Configuration Profile, and I can now change the password.

After further research I see that the /var/db/SystemPolicy-prefs.plist file controls Gate Keeper. I understand that there are two options "yes/no" for enabled inside the plist. When I change the Gate Keeper setting in Sys Prefs to OFF the enabled value becomes "no". Then if I turn Gate Keeper back on the value becomes "yes" whether I select the option for Mac App Store only or Mac App Store and registered developers. Does any know how to specify which of the two Gate Keeper options to push out via this plist?

Also, is there any work-around for assembling the rest of the Security and Privacy settings into a profile?

Thanks in advance.

Having the same issue here. I tried following the instructions but the Change Password did NOT un-grey out. Anything else to try?

Just remove the "Security & Privacy" setting from your Configuration Profiles

or make a profile that has the security and privacy settings on an up to date profile manager and install the profile locally. I have not tested uploading security and privacy into a 9.31, but, the blacklist restrictions now work when uploading to the JSS profiles so maybe this one does too.

I was able to get what I want by building a plist file and pushing it out through the Custom Settings options in the Config Profile. The only setting I cared about was greying out the "Turn off FileVault" button in Security & Privacy.

Folks

@oneloveamaru what plist file did you use?

What I am doing is add the user to the exclusion list of the configuration profiles, it works like a charm.

[~ Chriskmpruitt] It's a plist that I created. Take the code from below and put it in a plist and name it com.apple.MCX.plist or whatever you want really BUT when you upload and it asks for the name of preference domain, put in "com.apple.MCX" without the quotes and do not append .plist to the end.

It will stop people from being able to disable FileVault from the System Preferences and from the terminal.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict> <key>dontAllowFDEDisable</key> <true/>
</dict>
</plist>

Is there a way to scope a policy to local users (no LDAP)? I want to restrict the ability to change passwords, and user long names, for a local student account, but make it so admin users can still have full access.

Just remove the "Security & Privacy" setting from your Configuration Profiles

Go -> Utilities -> Keychain Access

Keychain Access -> Preferences

"Reset My Default Keychains"

Reset the Login and you are good to go. Be careful though coz you'll lose currently stored keys. And have to login again on other connected devices as well.