os_unlock_active_user_session_disable and pwpolicy_custom_regex_enforce

Configuration Profiles deployed by MDM will always go in to /Library/Managed Preferences. Beyond running the command to validate the setting provided by NIST which you suggest is failing, have you validated if you can confirm the behavior? Settings configured with a Configuration Profile are not always validatable with terminal commands.

Your first question is involving 7.32. Disable Login to Other User’s Active and Locked Sessions, but Im not able to figure out what benchmark your second question is related to. Which benchmark are you trying to meet with this custom regex?

Thank you for your response :)

The second question refers to this control:

ID: pwpolicy_custom_regex_enforce

CIS Benchmark: 5.2.6 (level 2)

If you haven't explored them yet, the MacOS Security Compliance Project and the JAMF Compliance Editor might be beneficial. These do a lot of the hard work for you in terms of creating config profiles, compliance remediation script, EAs and more.

JAMF Compliance editor has a nice GUI if you prefer that over the terminal-based compliance project. They both reference the same baselines, but JAMF Compliance editor is JAMF specific. I did a lot of these things previous the hard manual way before these tools were available. They've been a game changer. Hopefully they will also be helpful to you.  

Establishing Compliance Baselines (jamf.com)

https://github.com/usnistgov/macos_security 

Yes, I have used the Compliance Editor for defining CIS Lvl. 2 rules and can see in Jamf Protect, that all of our devices are compliant. But if I implement any other rules, say NIST or CIS v8, they are not shown in Jamf Protect.

I am wondering if there is a way of configuring which framework Jamf Protect takes into consideration.It is also only showing a subset of CIS controls (apparently for performance reasons). I imagine I am not the only one who wants to use a framework other than CIS Lvl. 1 or 2.

Following on from my response in your other thread. 
JAMF Protect only has the CIS1, CIS2 and JAMF provided baselines. Those are non-editable/customisable.

If you want to use another framework you would need to work out, what do you need immediate visibility over for remediation and what can the EAs in JAMF Pro do for areas that doesn't need immediate remediation. The CIS Benchmarks may cover some of those area for you. 

My work complies with NIST and we had to write custom analytics to address any NIST controls that we needed real time visibility and/or remediation over. The rest we rely on the EAs to determine compliance as our inventory cycle runs often enough to address the other things.  

Other thing we are looking at for future is log forwarding for other areas that are not necessarily for a NIST control. But things we do need to keep an eye on. 

I'm sure others will pipe up as well. But this has been my experience with Protect and Pro over the past few years.  

Is there a reason you are not just using a Configuration Profile from Jamf Pro (or other MDM) to enforce the password policy on macOS?

I am. But the regex option seems to not have any effect if defined as an upload for a plist. The GUI doesn't offer the option at all.

So, this is what I am still struggling with: os_unlock_active_user_session_disable

The guidance document contains a command, which I am executing as a script through a policy via Jamf, and it contains a check command. When I execute the check command locally, or execute the compliance checking script locally, the rule passes.

But Jamf Protect shows the rule as failing.

Does anyone have any ideas about that?