Skip to main content

Hi All,



I'm hoping to save a few of your foreheads and keyboards by letting you know some of the most common and useful commands in the pwpolicy command line utility have been deprecated.



If you look at the man page for pwpolicy in 10.9, the first six commands, which are also the most commonly used, look like this:



-getglobalpolicy Get global policies
-setglobalpolicy Set global policies
-getpolicy Get policies for a user
--get-effective-policy Gets the combination of global and user
policies that apply to the user.
-setpolicy Set policies for a user
-setpolicyglobal Set a user account to use global policies


The man page in 10.10, however, looks like this:



-getglobalpolicy Get global policies. DEPRECATED.
-setglobalpolicy Set global policies. DEPRECATED.
-getpolicy Get policies for a user. DEPRECATED.
--get-effective-policy Gets the combination of global and user
policies that apply to the user. DEPRECATED.
-setpolicy Set policies for a user. DEPRECATED.


The command "-setpolicyglobal" isn't even listed in the new man page.



I discovered this when we had a 10.10 machine that had had a configuration profile applied, which included a password expiration policy. The configuration profile was subsequently removed, but the password policy was still active - of which we were unaware until later, when the user unexpectedly started getting a pending password expiration notice upon login.



Using the instructions in an article on Krypted.com (http://krypted.com/mac-security/programatically-setting-password-policies/) (Hi Charles!) I tried to manipulate the pwpolicy options to get the prompt to disappear - to no avail. Long story short, once I brought up the man page for pwpolicy in 10.10, rather than 10.9, I immediately saw the issue.



Armed with this new info, I was able to use the -clearaccountpolicies command via pwpolicy to remove the password expiration, both globally and user-specific.



None of the deprecated commands returned errors, BTW. They all appeared to work in the Terminal. In fact, when I ran --get-effective-policies, data was returned and there was no indication that I was working with outdated commands.



Hope this helps.



-PEM

Nice Find. Thank you for posting this!

I just stumbled against this so I was glad to find this. When I did the -clearaccountpolicies it only worked for that user not all the users. I ended up running it on each effected user.

I stumbled over this looking for a functional example using the new xml file format for pwpolicy. Unfortunately the example in the man file only includes a minimum character policy, and the documentation is insufficient to understand how you actually create a complex policy. The indication is you use something called NSPredicate to construct the policy string, and all the other keys are just fluff for reference. I can't find anything about how this type of expression works to actually use this. Anyone familiar with this and able to share an example policy? I'm looking to do all the normal things for a password requirement (and still can't comprehend how this has never been put in the UI) like minimum length, re-use history, letters, numbers, symbols, etc. In the past, the syntax was simple, but as stated they deprecated all of that.
sudo pwpolicy -setglobalpolicy "usingHistory=5 minChars=8 requiresAlpha=1 requiresNumeric=1 requiresSymbol=1 maxMinutesUntilChangePassword=525949 maxFailedLoginAttempts=30"
Back under 10.6 you could also specify that it can't match name and must use mixed case as well, but they removed those options long ago in 10.7 for some reason. It's like they don't care about security and want to make it harder.... Anyway, looking for anyone who can translate these rules into the new format.

I don’t know about this particular case, but I know that Munki uses NSPredicates for its conditional items/statements. You may find some help there — since it’s at least in a sys admin context — or in NSPredicate developer documentation.



I have an example of a slightly complex NSPredicate that compares version numbers. Look at the “string” item after the “condition” key in the example property list. (There’s also an equivalent example using Smart Groups, for comparison between JSS and NSPredicate.)



Update: I haven’t used pwpolicy in a long time, because in testing on workstations back in the Leopard (?) timeframe, I found that it only applied to local “staff” (non-admin) user accounts. I can’t say that I’ve followed up with any significant testing since then to see if it changed. (I suspect I filed a feature request to have it apply to admin users and network/mobile accounts.)



Update: Here’s what I saw many years ago. It’s quite possible things have changed since then, of course.

Despite the documentation saying these commands are deprecated, they all seem to work in El Cap, 10.11.1.

Reply


Terms & ConditionsCookie settings