Category Filter

Script to enforce Password on macOS devices

Enforcing password policies is an effective technique to ensure that your employees have secure passwords and update them regularly. Hexnode provides two methods to enforce password policies on macOS devices; configuring Passcode rules via policies and by deploying scripts.

If your company has decided that the MDM Passcode payload isn’t suitable or desirable, the Execute Custom Script action can help you. Use this action to manage password restrictions on the device without involving direct user interaction.

This document contains sample code snippets that can be used to configure password policies on macOS devices.

Scripting Language – Bash

File extension – .sh

Disclaimer:


The Sample Scripts provided below are adapted from third-party Open-Source sites.

Set Password using pwpolicy command

pwpolicy is a command line tool that can be used to manipulate password policies. Using pwpolicy, here are some settings we can configure:

  1. MAX_FAILED: Maximum wrong password attempts by user before device locks up.
  2. LOCKOUT: Amount of time the device will be locked after X wrong password attempts.
  3. PW_EXPIRE: Number of days the password is valid before it needs to be changed.
  4. MIN_LENGTH: Minimum length of password in characters.
  5. MIN_NUMERIC: Minimum number of numbers in the password.
  6. MIN_ALPHA_LOWER: Minimum number of lowercase alphabets in password.
  7. MIN_UPPER_ALPHA: Minimum number of uppercase alphabets in password.
  8. MIN_SPECIAL_CHAR: Minimum number of special characters in password.
  9. PW_HISTORY: Number of passwords to remember that cannot be repeated.
Warning:


Updates to password restrictions must be thoroughly evaluated in a test environment. Configuration mistakes may block password change and local user creation operations and lock out all local users, including administrators.

Notes:

  • It is recommended to manually validate the script execution on a system before executing the action in bulk.
  • Hexnode will not be responsible for any damage/loss to the system on the behavior of the script.