barscaret-downcaret-leftcaret-rightcaret-upcheckchevron-leftchevron-rightfile-pdfinfosign-in-altsignin text-widthtimesyoutube

macOS > Device Data & Configuration

MacOS password policy for local users

Updated on May 4th, 2021

A macOS password policy sets the rules that govern the usage of login passwords on Macs.

You can implement a password policy for Macs using the Password configuration profile feature in Miradore. The Password configuration profile is available in all free and paid plans of Miradore. It enables you to enforce the use of login passwords for all local accounts on a Mac. Additionally, you can make users change their passwords at the next login and set requirements for the passwords.

How to make Mac users to change their password with a password policy

Before you start

  • You need to have either Administrator or Editor role on your Miradore site.
  • The Password configuration profile is compatible with Mac OS X Lion (version 10.7) and newer macOS versions.
  • The Password configuration profile affects only local user accounts. Neither Active Directory domain accounts nor Open Directory user accounts are affected by the profile.

How to enforce the use of a login password for Mac users

  1. Go to Management > Configuration profiles and create a new configuration profile (click Add > macOS > Password).
  2. Configure the password requirements and settings. See the table below for more details.
    SettingDescription
    Allow simple valueSpecifies if users are allowed to use repeating, ascending, or descending character series (e.g. “1234” or “DCBA”) as their login password. When unchecked, the use of simple passwords is prevented.
    Require alphanumeric valueSpecifies if the users’ login passwords must contain at least one letter. When unchecked, users can use a series of numbers as their password (e.g. “4961974”).
    Minimum lengthSpecifies the minimum number of password characters. Passwords with fewer characters are denied.
    Minimum number of complex charactersSpecifies the number of non-alphanumeric characters required in the users’ login passwords. Non-alphanumeric characters comprise all the characters except alphabets and numbers (e.g. “#!=&;”).
    Change password at next loginSpecifies if users are forced to change their password at the next login. Notice that this setting is compatible with macOS 10.13 and higher devices.
    Expiration ageSpecifies the maximum password age before it must be changed to a new one.
    History restrictionSpecifies the minimum number of new unique passwords before an earlier password can be reused. The reuse of earlier passwords is quite common and a security risk. Therefore, it is recommended to prevent users from doing so.
    Maximum number of failed attemptsSpecifies the maximum number that the users can fail while attempting to enter their password. If a user exceeds the defined limit, his/her user account will be locked.
    Require password after sleep or screen saverSpecifies how long a device can be in sleep or the screen saver on before the user is required to unlock the device using the login password.
    Screen saver start timeSpecifies how quickly the screen saver kicks in after user inactivity.
  3. Deploy the configuration profile to your managed Macs either using the configuration profile deployment wizard or with the business policies.
  4. At the next login, the device users must enter a password that meets the specified requirements.

Can I reset or change a forgotten Mac password with Miradore?

You cannot use Miradore to reset a local Mac user’s forgotten password remotely. Please refer to Apple documentation which explains how to reset a Mac login password using either Apple ID or a recovery key.

Can I deploy multiple Password configuration profiles to the same device?

If you deploy multiple Password configuration profiles to a Mac, the strictest password requirements will be applied to the device.

 

  • This field is for validation purposes and should be left unchanged.

Previous Article:
«

Next Article:
»