Closed sjfbo closed 5 years ago
Hi @sjfbo ,
Sorry for the late response. Indeed they deprecated some of the commands in Sierra and now enforced it in Mojave for global settings. However, I managed to bypass it in a simple way.
You can still set the password policy for a single user like the following:
pwpolicy -u ernw -setpolicy "minChars=8 requiresAlpha=1 requiresNumeric=1 maxMinutesUntilChangePassword=259200 usingHistory=5 usingExpirationDate=1 passwordCannotBeName=1 requiresMixedCase=1 requiresSymbol=1"
Now you can get the plist file of the policy like the following:
pwpolicy getaccountpolicies -u ernw > pwpolicy.plist
You may need to delete some output lines from the command to form a valid XML file. (I only had to delete the line "Getting account policies for user <ernw>".)
Now you have to be authenticated as the root user (sudo su) and then you can apply the configuration globally using the following command:
pwpolicy setaccountpolicies pwpolicy.plist
Now using the command pwpolicy getaccountpolicies will return the full changed password policy.
I hope this helps. I will close the issue when I have made the pull request to change this in the Hardening Guide :-).
Thanks for your input!
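The clean-up step described in the comment above, sketched as an added example that is not part of the original thread or of the Hardening Guide: it drops the banner line from the exported policy and refuses to produce a file unless the result is one complete plist, so a truncated export is never applied globally as root. The function names and the file name raw.txt are hypothetical.

```sh
#!/bin/sh
# Added example (not from the thread): clean raw pwpolicy output into a plist.

# Print stdin from the first XML/plist line onward, dropping banner lines
# such as "Getting account policies for user <ernw>".
strip_banner() {
    awk 'found || /^[[:space:]]*<([?]xml|!DOCTYPE plist|plist)/ { found = 1; print }'
}

# Return 0 when FILE looks like exactly one complete plist document.
# On macOS the file is additionally checked with plutil -lint.
is_plist() {
    f=$1
    [ -s "$f" ] || return 1
    head -n 1 "$f" | grep -Eq '^[[:space:]]*<([?]xml|!DOCTYPE plist|plist)' || return 1
    [ "$(grep -c '<plist' "$f")" -eq 1 ] || return 1
    [ "$(grep -c '</plist>' "$f")" -eq 1 ] || return 1
    if [ "$(uname -s)" = "Darwin" ] && command -v plutil >/dev/null 2>&1; then
        plutil -lint "$f" >/dev/null 2>&1 || return 1
    fi
    return 0
}

# Clean RAW into OUT. OUT is only created when the cleaned text passes
# is_plist; otherwise nothing is written and the function returns 1.
clean_policy() {
    raw=$1
    out=$2
    tmp=$(mktemp) || return 1
    strip_banner < "$raw" > "$tmp"
    if is_plist "$tmp"; then
        mv -f "$tmp" "$out"
        return 0
    fi
    rm -f "$tmp"
    echo "refusing: $raw does not contain one complete plist" >&2
    return 1
}

# Usage on the Mac being configured (user "ernw" as in the thread):
#   pwpolicy getaccountpolicies -u ernw > raw.txt
#   clean_policy raw.txt pwpolicy.plist
#   then, as root: pwpolicy setaccountpolicies pwpolicy.plist
```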
It should have been resolved with commit: e03a231041c34cf68ed230ffc85f49ae93c0d712
Thanks again.
Thank you!
Thank you so much, this helped me immensely!
Hello,
For two updates or so on Mojave I've encountered an issue regarding the part about the use of the pwpolicy command. For example the option setpolicy is now deprecated, and even though I tried to bypass it by playing with other options in many ways to figure out how to kind of properly set up the same command as the one shown in the guide:
pwpolicy -u -setpolicy "minChars=8 requiresAlpha=1 requiresNumeric=1 maxMinutesUntilChangePassword=259200 usingHistory=5 usingExpirationDate=1 passwordCannotBeName=1 requiresMixedCase=1 requiresSymbol=1"
It didn't work and the related file that the command writes to isn't updated as it was before. Did any of you figure out a way yet to enforce such a policy on recent Mojave updates?
Thank you!