Comments on Rusty is a geek.: Playing with pwpolicy

Anonymous (2015-08-15 08:29):

Thanks for the tip all. I got this working on Yosemite 10.10.4. Also got a locked account to unlock after the declared lockout time has expired. Should be self-explanatory, but the config is:

Password history depth: 5
Password expiration: 121 days
Password max auth attempts before lockout: 5
Password lockout time: 5 minutes
Password complexity: 8 chars minimum, one upper case char, one lower case char, one special symbol (non alpha/numeric)

    <key>policyCategoryAuthentication</key>
    <array>
        <dict>
            <key>policyContent</key>
            <string>(policyAttributeFailedAuthentications &lt; policyAttributeMaximumFailedAuthentications) OR (policyAttributeCurrentTime &gt; (policyAttributeLastFailedAuthenticationTime + autoEnableInSeconds))</string>
            <key>policyIdentifier</key>
            <string>Authentication Lockout</string>
            <key>policyParameters</key>
            <dict>
                <key>autoEnableInSeconds</key>
                <integer>300</integer>
                <key>policyAttributeMaximumFailedAuthentications</key>
                <integer>5</integer>
            </dict>
        </dict>
    </array>

    <key>policyCategoryPasswordChange</key>
    <array>
        <dict>
            <key>policyContent</key>
            <string>policyAttributeCurrentTime &gt; policyAttributeLastPasswordChangeTime + (policyAttributeExpiresEveryNDays * 24 * 60 * 60)</string>
            <key>policyIdentifier</key>
            <string>Change every 121 days</string>
            <key>policyParameters</key>
            <dict>
                <key>policyAttributeExpiresEveryNDays</key>
                <integer>121</integer>
            </dict>
        </dict>
    </array>

    <key>policyCategoryPasswordContent</key>
    <array>
        <dict>
            <key>policyContent</key>
            <string>policyAttributePassword matches '.{8,}+'</string>
            <key>policyIdentifier</key>
            <string>com.apple.policy.legacy.minChars</string>
            <key>policyParameters</key>
            <dict>
                <key>minimumLength</key>
                <integer>8</integer>
            </dict>
        </dict>

        <dict>
            <key>policyContent</key>
            <string>policyAttributePassword matches '(.*[0-9].*){1,}+'</string>
            <key>policyIdentifier</key>
            <string>com.apple.policy.legacy.requiresNumeric</string>
            <key>policyParameters</key>
            <dict>
                <key>minimumNumericCharacters</key>
                <integer>1</integer>
            </dict>
        </dict>

        <dict>
            <key>policyContent</key>
            <string>policyAttributePassword matches '(.*[a-z].*){1,}+'</string>
            <key>policyIdentifier</key>
            <string>com.apple.policy.legacy.requiresAlpha</string>
            <key>policyParameters</key>
            <dict>
                <key>minimumAlphaCharactersLowerCase</key>
                <integer>1</integer>
            </dict>
        </dict>

        <dict>
            <key>policyContent</key>
            <string>policyAttributePassword matches '(.*[A-Z].*){1,}+'</string>
            <key>policyIdentifier</key>
            <string>com.apple.policy.legacy.requiresAlphaUpperCase</string>
            <key>policyParameters</key>
            <dict>
                <key>minimumAlphaCharacters</key>
                <integer>1</integer>
            </dict>
        </dict>

        <dict>
            <key>policyContent</key>
            <string>policyAttributePassword matches '(.*[^a-zA-Z0-9].*){1,}+'</string>
            <key>policyIdentifier</key>
            <string>com.apple.policy.legacy.requiresSymbol</string>
            <key>policyParameters</key>
            <dict>
                <key>minimumSymbols</key>
                <integer>1</integer>
            </dict>
        </dict>

        <dict>
            <key>policyContent</key>
            <string>none policyAttributePasswordHashes in policyAttributePasswordHistory</string>
            <key>policyIdentifier</key>
            <string>Password History</string>
            <key>policyParameters</key>
            <dict>
                <key>policyAttributePasswordHistoryDepth</key>
                <integer>5</integer>
            </dict>
        </dict>

    </array>

Chad Bloch (2015-02-09 12:39):

There's an error in the first keyset. To be fair, the man page has the same error. The first key category should be

policyCategoryAuthentication

not

policyCategoryPasswordAuthentication

This drove me crazy for about 2 days until I discovered it. I'm not sure who wrote the new man page for pwpolicy, but it is godawful.

I have also found that you can't simply re-enable an account once a parameter for locking it, such as failed attempts, has been met. You have to clear the policies and reapply them. While this is relatively simple, I would prefer a way to simply reset the failed attempts. Hopefully Apple will provide a bit more guidance at some point.

Rusty Myers (2015-01-07 06:28):

bhagaban mohanty,

I'd suggest creating a password policy using a tool like Profile Manager or iPhone Configuration Utility.

To answer your question, it may require an array inside of a single dictionary, instead of two dictionaries.

Anonymous (2015-01-07 03:07):

Rusty,

When I am using an array policyCategoryPasswordContent containing the two dictionaries, one for alphabetic and the other for alphanumeric, the policy honours only the first dictionary, and the second does not come into the picture. Did Apple design it this way, or am I missing something? Below is the code snippet for pwpolicy for setaccountpolicies.

    <key>policyCategoryPasswordContent</key>
    <array>
        <dict>
            <key>policyContent</key>
            <string>policyAttributePassword matches '.{3,8}+'</string>
            <key>policyIdentifier</key>
            <string>com.apple.policy.legacy.minChars</string>
            <key>policyParameters</key>
            <dict>
                <key>minimumLength</key>
                <integer>3</integer>
            </dict>
        </dict>
        <dict>
            <key>policyContent</key>
            <string>policyAttributePassword matches "[A-Z]+"+</string>
            <key>policyIdentifier</key>
            <string>com.apple.policy.legacy.requiresAlpha</string>
        </dict>
        <dict>
            <key>policyContent</key>
            <string>policyAttributePassword matches "[0-9]+"</string>
            <key>policyIdentifier</key>
            <string>com.apple.policy.legacy.requiresNumeric</string>
        </dict>
    </array>

Here only the first dictionary is honoured for password change.

Rusty Myers (2014-12-10 16:58):

Paul,

I believe using Profiles was the answer to accomplishing the task of password policy. Using Profile Manager or iPhone Configuration Utility, you can generate a profile for the Mac to enforce the policy.
I was not able to find additional information on pwpolicy.

Rusty

pknz (2014-12-10 15:52):

Did you ever get anywhere with this or find any more information?

Thanks,
Paul
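
The lockout and password-content rules from the 2015-08-15 comment in this thread, as an added Python example that is not code from the blog, the commenters or Apple: it serializes the posted rules into a property list and reports which policyIdentifier a candidate password fails, so every dictionary in the policyCategoryPasswordContent array can be checked before a policy is applied. The function names are hypothetical, `re.fullmatch` is assumed as a stand-in for the predicate's `matches`, and the history and expiration rules are left out.

```python
import plistlib
import re

# Content rules as posted in the comment: (policyIdentifier, regex, policyParameters).
CONTENT_RULES = [
    ("com.apple.policy.legacy.minChars", ".{8,}+", {"minimumLength": 8}),
    ("com.apple.policy.legacy.requiresNumeric", "(.*[0-9].*){1,}+",
     {"minimumNumericCharacters": 1}),
    ("com.apple.policy.legacy.requiresAlpha", "(.*[a-z].*){1,}+",
     {"minimumAlphaCharactersLowerCase": 1}),
    ("com.apple.policy.legacy.requiresAlphaUpperCase", "(.*[A-Z].*){1,}+",
     {"minimumAlphaCharacters": 1}),
    ("com.apple.policy.legacy.requiresSymbol", "(.*[^a-zA-Z0-9].*){1,}+",
     {"minimumSymbols": 1}),
]
LOCKOUT = ("(policyAttributeFailedAuthentications < "
           "policyAttributeMaximumFailedAuthentications) OR "
           "(policyAttributeCurrentTime > "
           "(policyAttributeLastFailedAuthenticationTime + autoEnableInSeconds))")

def build_policy_plist(max_failed=5, unlock_after=300):
    """Serialize the lockout and content policies as an XML property list."""
    auth = [{"policyContent": LOCKOUT,
             "policyIdentifier": "Authentication Lockout",
             "policyParameters": {
                 "autoEnableInSeconds": unlock_after,
                 "policyAttributeMaximumFailedAuthentications": max_failed}}]
    content = [{"policyContent": f"policyAttributePassword matches '{rx}'",
                "policyIdentifier": ident, "policyParameters": params}
               for ident, rx, params in CONTENT_RULES]
    return plistlib.dumps({"policyCategoryAuthentication": auth,
                           "policyCategoryPasswordContent": content})

def failed_rules(password):
    """Return the identifier of every content rule the password fails."""
    failed = []
    for ident, rx, _params in CONTENT_RULES:
        portable = rx.replace("}+", "}")  # possessive '+' needs Python 3.11+
        if not re.fullmatch(portable, password):  # stand-in for 'matches'
            failed.append(ident)
    return failed

def may_authenticate(failed, now, last_failed, max_failed=5, unlock_after=300):
    """Lockout predicate: under the limit, or the lockout window has elapsed."""
    return failed < max_failed or now > last_failed + unlock_after

if __name__ == "__main__":
    print(build_policy_plist().decode())
    for pw in ("Passw0rd!", "password", "Sh0rt!"):  # constructed samples
        print(pw, failed_rules(pw))
```
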