Multiple issues with pwpolicy_ on Sequoia (Using Jamf Connect with EntraID as the OIDC Provider) #57

Closed
opened 2026-01-19 18:29:04 +00:00 by michael · 8 comments

Originally created by @wewenttothemoon on GitHub.

Hello, I am reaching out because we are implementing CIS_LVL2 for Sequoia in our organization, and I am running across an issue with:

pwpolicy_account_lockout_enforce failed (Result: , Expected: "{'string': 'yes'}")
pwpolicy_account_lockout_timeout_enforce failed (Result: , Expected: "{'string': 'yes'}")
pwpolicy_alpha_numeric_enforce failed (Result: 0, Expected: "{'integer': 1}")
pwpolicy_custom_regex_enforce failed (Result: false, Expected: "{'string': 'true'}")
pwpolicy_history_enforce failed (Result: , Expected: "{'string': 'yes'}")
pwpolicy_max_lifetime_enforce failed (Result: , Expected: "{'integer': 365}")
pwpolicy_minimum_length_enforce failed (Result: false, Expected: "{'string': 'true'}")
pwpolicy_special_character_enforce failed (Result: , Expected: "{'string': 'true'}")

As you can see above, it fails to return any values. When I originally looked at /usr/bin/pwpolicy -getaccountpolicies this was the output:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>policyCategoryPasswordContent</key>
<array>
<dict>
<key>policyContent</key>
<string>policyAttributePassword matches '^$|.{4,}+'</string>
<key>policyContentDescription</key>
<dict>
<key>ar</key>
<string>أدخل كلمة سر لا تقل عن أربعة أحرف أو رموز، أو اترك حقل كلمة السر فارغًا.</string>
<key>ca</key>
<string>Introdueix una contrasenya que tingui quatre caràcters o més, o deixa el camp de la contrasenya en blanc.</string>
<key>cs</key>
<string>Zadejte heslo o minimální délce čtyři znaky nebo nechte pole hesla prázdné.</string>
<key>da</key>
<string>Skriv en adgangskode på mindst fire tegn, eller lad adgangskodefeltet være tomt.</string>
<key>de</key>
<string>Gib ein Passwort ein, das aus mindestens vier Zeichen besteht, oder lass das Passwortfeld leer.</string>
<key>el</key>
<string>Εισαγάγετε ένα συνθηματικό που να αποτελείται από τέσσερις ή περισσότερους χαρακτήρες, ή αφήστε το πεδίο του συνθηματικού κενό.</string>
<key>en</key>
<string>Enter a password that is four characters or more or leave the password field blank.</string>
<key>en_AU</key>
<string>Enter a password that is four characters or more or leave the password field blank.</string>
<key>en_GB</key>
<string>Enter a password that is four characters or more or leave the password field blank.</string>
<key>es</key>
<string>Introduce una contraseña que tenga cuatro caracteres como mínimo o deja el campo de la contraseña en blanco.</string>
<key>es_419</key>
<string>Ingresa una contraseña de cuatro o más caracteres, o deja el campo de contraseña en blanco.</string>
<key>fi</key>
<string>Kirjoita salasana, jossa on vähintään neljä merkkiä, tai jätä salasanakenttä tyhjäksi.</string>
<key>fr</key>
<string>Saisissez un mot de passe comportant au moins quatre caractères ou laissez le champ vide.</string>
<key>fr_CA</key>
<string>Saisissez un mot de passe comportant au moins quatre caractères ou laissez le champ vide.</string>
<key>he</key>
<string>יש להזין סיסמה בת ארבעה תווים לפחות או להשאיר את שדה הסיסמה ריק.</string>
<key>hi</key>
<string>चार वर्ण या उससे बड़ा पासवर्ड दर्ज करें या पासवर्ड फ़ील्ड ख़ाली छोड़ दें।</string>
<key>hr</key>
<string>Unesite lozinku koja sadrži minimalno četiri znaka ili polje lozinke ostavite prazno.</string>
<key>hu</key>
<string>Adjon meg egy legalább négy karakterből álló jelszót, vagy hagyja üresen a jelszómezőt.</string>
<key>id</key>
<string>Masukkan kata sandi yang terdiri dari empat karakter atau lebih atau kosongkan bidang kata sandi.</string>
<key>it</key>
<string>Inserisci una password di quattro o più caratteri o lascia vuoto il campo password.</string>
<key>ja</key>
<string>4文字以上のパスワードを入力するか、パスワードフィールドを空のままにしてください。</string>
<key>ko</key>
<string>4자 이상의 암호를 입력하거나 암호 필드를 비워두십시오.</string>
<key>ms</key>
<string>Masukkan kata laluan sepanjang empat aksara atau lebih atau biarkan medan kata laluan kosong.</string>
<key>nl</key>
<string>Voer een wachtwoord van vier of meer tekens in of laat het wachtwoordveld leeg.</string>
<key>no</key>
<string>Angi et passord på minst fire tegn, eller la passordfeltet stå tomt.</string>
<key>pl</key>
<string>Podaj hasło składające się z co najmniej czterech znaków lub zostaw puste pole.</string>
<key>pt_BR</key>
<string>Digite uma senha com ao menos quatro caracteres ou deixe o campo de senha em branco.</string>
<key>pt_PT</key>
<string>Digite uma palavra‑passe com pelo menos quatro caracteres, ou deixe o campo da palavra‑passe em branco.</string>
<key>ro</key>
<string>Introduceți o parolă de minimum patru caractere sau lăsați gol câmpul pentru parolă.</string>
<key>ru</key>
<string>Введите пароль, состоящий из четырех или более символов, либо оставьте поле пароля пустым.</string>
<key>sk</key>
<string>Zadajte heslo obsahujúce najmenej štyri znaky alebo nechajte pole pre heslo prázdne.</string>
<key>sl</key>
<string>Vnesite geslo, ki vsebuje štiri znake ali več, ali pa pustite polje za geslo prazno.</string>
<key>sv</key>
<string>Ange ett lösenord som är minst fyra tecken långt eller låt lösenordsfältet vara tomt.</string>
<key>th</key>
<string>ป้อนรหัสผ่านที่มีอักขระอย่างน้อยสี่ตัวหรือเว้นช่องรหัสผ่านไว้</string>
<key>tr</key>
<string>En az dört karakter uzunluğunda bir parola girin veya parola alanını boş bırakın.</string>
<key>uk</key>
<string>Введіть пароль зі щонайменше чотирьох символів або залиште поле пароля пустим.</string>
<key>vi</key>
<string>Nhập mật khẩu dài 4 ký tự trở lên hoặc để trống trường mật khẩu.</string>
<key>zh_CN</key>
<string>输入不少于4个字符的密码,或将密码栏留空。</string>
<key>zh_HK</key>
<string>輸入一個四位或更多字元的密碼,或留空密碼欄位。</string>
<key>zh_TW</key>
<string>輸入4個字元或更長的密碼,或將密碼欄位留空。</string>
</dict>
<key>policyIdentifier</key>
<string>com.apple.defaultpasswordpolicy</string>
</dict>
</array>
</dict>
</plist>
```

After I read another bug post, I ran the sudo pwpolicy -clearaccountpolicies command, which results in a blank plist, no key/values.

I then reapplied the config profile with the com.apple.mobiledevice.passwordpolicy.plist which is:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>customRegex</key>
	<dict>
		<key>passwordContentDescription</key>
		<dict>
			<key>default</key>
			<string>Password must match custom regex.</string>
		</dict>
		<key>passwordContentRegex</key>
		<string>^(?=.*[A-Z])(?=.*[a-z])(?=.*[0-9]).*$</string>
	</dict>
	<key>maxFailedAttempts</key>
	<integer>10</integer>
	<key>maxPINAgeInDays</key>
	<integer>180</integer>
	<key>minComplexChars</key>
	<integer>1</integer>
	<key>minLength</key>
	<integer>8</integer>
	<key>minutesUntilFailedLoginReset</key>
	<integer>30</integer>
	<key>pinHistory</key>
	<integer>15</integer>
	<key>requireAlphanumeric</key>
	<true/>
</dict>
</plist>
```

However, it seems even after reapplying the config profile, the -getaccountpolicies command still returns a blank .plist with no key/values. (Also rebooted the system several times). I then created a brand-new Config Profile and deployed it to my test device, with the same result (after again running -clearaccountpolicies). I can see the new config profile under Device Management, but it seems to not be populating the pwpolicy -getaccountpolicies.

I was wondering if it was possible that this is occurring because we are using Jamf Connect (Jamf Pro) with EntraID as the OIDC provider?

The com.apple.mobiledevice.passwordpolicy.plist was generated using Jamf Compliance Editor with our org ODV's.

Device is Apple M3 Pro on Sequoia 15.4.1

Image


@robertgendler commented on GitHub:

Sure is. But when you upload a plist and not mobileconfig file to jamf it pushes it to machines as mcx payload....which causes you the issues.


@wewenttothemoon commented on GitHub:

@robertgendler Thank you for quick feedback!

Understood, the password policy from EntraID is coming from AD via Entra Sync with no writeback enabled, so I was trying to match the same values we use as our ADDefaultDomainPasswordPolicy.

I've raised an issue in https://github.com/Jamf-Concepts/jamf-compliance-editor as suggested!

This is absolutely a dumb question, but how would I go about working with the project directly to generate the correct config profile?


@wewenttothemoon commented on GitHub:

@robertgendler I was reviewing the documentation for cis_lvl2 and correct me if I am wrong but isn't this the same as the .plist I used above?

Image


@robertgendler commented on GitHub:

No question is dumb. But check out the wiki https://github.com/usnistgov/macos_security/wiki/Getting-Started

Then you can get to https://github.com/usnistgov/macos_security/wiki/Generate-Configuration-Profiles


@robertgendler commented on GitHub:

If you're using some sort of password policy from EntraID...lean into that and don't set your local pwpolicy.

2nd it looks as though Jamf Compliance Editor set this with an mcx preference. That's not compatible with com.apple.mobiledevice.passwordpolicy. You may want to file an issue with them https://github.com/Jamf-Concepts/jamf-compliance-editor as working with the project directly and not through an application, it works as it should.

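The MCX-versus-Passcode-payload distinction above is easy to verify on a machine before running the whole compliance script. The check below is an added example, not code from the macos_security project, Jamf, or this thread; it assumes the `ProfileItems`/`PayloadType`/`PayloadContent` layout of `profiles show -output stdout-xml` and that Jamf's custom-settings (MCX) payload type is `com.apple.ManagedClient.preferences`, and both plist samples are constructed, the second modelled on the default-policy output posted above.

```python
import plistlib

NATIVE_TYPE = "com.apple.mobiledevice.passwordpolicy"  # the Passcode payload type
MCX_TYPE = "com.apple.ManagedClient.preferences"        # Jamf custom-settings (MCX) payload type
DEFAULT_ID = "com.apple.defaultpasswordpolicy"          # Apple's built-in policy identifier

# Constructed sample in the (assumed) shape of `profiles show -output stdout-xml`:
# one installed profile whose password policy keys were wrapped as an MCX payload.
MCX_PROFILE = b"""<plist version="1.0"><dict><key>_computerlevel</key><array><dict>
  <key>ProfileIdentifier</key><string>example.cis_lvl2.pwpolicy</string>
  <key>ProfileItems</key><array><dict>
    <key>PayloadType</key><string>com.apple.ManagedClient.preferences</string>
    <key>PayloadContent</key><dict><key>com.apple.mobiledevice.passwordpolicy</key><dict>
      <key>Forced</key><array><dict><key>mcx_preference_settings</key><dict>
        <key>minLength</key><integer>8</integer>
        <key>maxFailedAttempts</key><integer>10</integer>
      </dict></dict></array>
    </dict></dict>
  </dict></array>
</dict></array></dict></plist>"""

# Constructed sample of `pwpolicy -getaccountpolicies` on a Mac where no managed policy
# landed: the tool's status line, then only Apple's default policy (trimmed from the thread).
DEFAULT_POLICY = b"""Getting global account policies
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict><key>policyCategoryPasswordContent</key><array><dict>
  <key>policyContent</key><string>policyAttributePassword matches '^$|.{4,}+'</string>
  <key>policyIdentifier</key><string>com.apple.defaultpasswordpolicy</string>
</dict></array></dict></plist>"""


def classify_password_policy(profiles_xml: bytes) -> dict:
    """Map 'native' and 'mcx' to the ProfileIdentifiers that deliver a password policy
    that way. Anything listed under 'mcx' never reaches pwpolicy -getaccountpolicies."""
    found = {"native": [], "mcx": []}
    for level in plistlib.loads(profiles_xml).values():  # _computerlevel and per-user keys
        for profile in level:
            pid = profile.get("ProfileIdentifier", "?")
            for item in profile.get("ProfileItems", []):
                ptype = item.get("PayloadType")
                content = item.get("PayloadContent") or {}
                if ptype == NATIVE_TYPE:
                    found["native"].append(pid)
                elif ptype == MCX_TYPE and NATIVE_TYPE in content:
                    found["mcx"].append(pid)
    return found


def managed_policy_identifiers(pwpolicy_output: bytes) -> list:
    """policyIdentifiers in pwpolicy -getaccountpolicies output other than Apple's default.
    An empty list is the state behind the blank 'Result:' fields in the compliance report."""
    xml = pwpolicy_output[max(pwpolicy_output.find(b"<?xml"), 0):]  # drop the status line
    ids = []
    for category in plistlib.loads(xml).values():
        for policy in category:
            ident = policy.get("policyIdentifier", "")
            if ident != DEFAULT_ID:
                ids.append(ident)
    return ids
```

On a real Mac, feed `classify_password_policy` the bytes of `sudo profiles show -output stdout-xml` and `managed_policy_identifiers` the bytes of `sudo pwpolicy -getaccountpolicies`; a profile under `mcx` with an empty identifier list is the exact failure described in this thread.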

@wewenttothemoon commented on GitHub:

@robertgendler Ahhh I see what you mean! Yup, I just uploaded the mobileconfig file it generated to Jamf Pro and it maps it to passcode:

Image

It did complain about it not being compatible with the regex:

Image

But like you said I will try to regenerate this .mobileconfig after following https://github.com/usnistgov/macos_security/wiki/Generate-Configuration-Profiles

And it seems to work now!

Image

Image

The failures are expected as I haven't set the ODV variables in the script yet.

Thank you so much @robertgendler !


@wewenttothemoon commented on GitHub:

@robertgendler Noted, I will keep that in mind! Crap... now I have to double check anything else I've deployed as an MCX preference... Again, many thanks for your time and invaluable guidance!


@robertgendler commented on GitHub:

Ya Jamf doesn't recognize all configuration keys.

You may want to sign the profile with a certificate. Then jamf won't complain. But you also can't edit or view it or do anything beyond scoping it then.

Reference: usnistgov/macos_security#57