A macOS password policy sets the rules that govern the usage of login passwords on Macs.
You can implement a password policy for Macs using the Password configuration profile feature in Miradore. The Password configuration profile is available in all free and paid plans of Miradore. It enables you to enforce the use of login passwords for all local accounts on a Mac. Additionally, you can make users change their passwords at the next login and set requirements for the passwords.
Before you start
- You need to have either Administrator or Editor role on your Miradore site.
- The Password configuration profile is compatible with Mac OS X Lion (version 10.7) and newer macOS versions.
- The Password configuration profile affects only local user accounts. Neither Active Directory domain accounts nor Open Directory user accounts are affected by the profile.
How to enforce the use of a login password for Mac users
- Go to Management > Configuration profiles and create a new configuration profile (click Add > macOS > Password).
- Configure the password requirements and settings. See the table below for more details.
| Setting | Description |
| --- | --- |
| Allow simple value | Specifies whether users are allowed to use repeating, ascending, or descending character series (e.g. “1234” or “DCBA”) as their login password. When unchecked, the use of simple passwords is prevented. |
| Require alphanumeric value | Specifies whether the users’ login passwords must contain at least one letter. When unchecked, users can use a series of numbers as their password (e.g. “4961974”). |
| Minimum length | Specifies the minimum number of password characters. Passwords with fewer characters are denied. |
| Minimum number of complex characters | Specifies the number of non-alphanumeric characters required in the users’ login passwords. Non-alphanumeric characters are all characters other than letters and numbers (e.g. “#!=&;”). |
| Change password at next login | Specifies whether users are forced to change their password at the next login. This setting is compatible with devices running macOS 10.13 and higher. |
| Expiration age | Specifies the maximum age of a password before it must be changed to a new one. |
| History restriction | Specifies the minimum number of new unique passwords before an earlier password can be reused. Reusing earlier passwords is quite common and a security risk, so it is recommended to prevent users from doing so. |
| Maximum number of failed attempts | Specifies the maximum number of failed attempts users are allowed when entering their password. If a user exceeds the defined limit, the user account will be locked. |
| Require password after sleep or screen saver | Specifies how long a device can be asleep or showing the screen saver before the user is required to unlock the device using the login password. |
| Screen saver start time | Specifies how quickly the screen saver starts after user inactivity. |
- Deploy the configuration profile to your managed Macs either using the configuration profile deployment wizard or with the business policies.
- At the next login, the device users must enter a password that meets the specified requirements.
Can I reset or change a forgotten Mac password with Miradore?
You cannot use Miradore to remotely reset a local Mac user’s forgotten password. Please refer to Apple’s documentation, which explains how to reset a Mac login password using either an Apple ID or a recovery key.
Can I deploy multiple Password configuration profiles to the same device?
If you deploy multiple Password configuration profiles to a Mac, the strictest password requirements will be applied to the device.
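To preview what two overlapping profiles would enforce before deploying them, the following added example (not Miradore's or Apple's code) merges profiles into the strictest combination and lists which settings from the table a candidate password would fail. The field names are hypothetical, and it assumes that "strictest" is resolved setting by setting and that a "simple" value is a password consisting entirely of one repeating, ascending or descending run.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class PasswordProfile:
    # Hypothetical field names mirroring the settings table; not Miradore's API.
    allow_simple: bool = True
    require_alphanumeric: bool = False
    min_length: int = 0
    min_complex_chars: int = 0
    history: int = 0              # 0 = not set
    max_failed_attempts: int = 0  # 0 = not set
    expiration_age: int = 0       # 0 = not set

def _lowest_set(values):
    """Lower is stricter for these limits; 0 means 'not set' and is ignored."""
    chosen = [v for v in values if v > 0]
    return min(chosen) if chosen else 0

def merge_strictest(profiles):
    """Assumption: the strictest requirement is picked setting by setting."""
    return PasswordProfile(
        allow_simple=all(p.allow_simple for p in profiles),
        require_alphanumeric=any(p.require_alphanumeric for p in profiles),
        min_length=max(p.min_length for p in profiles),
        min_complex_chars=max(p.min_complex_chars for p in profiles),
        history=max(p.history for p in profiles),
        max_failed_attempts=_lowest_set(p.max_failed_attempts for p in profiles),
        expiration_age=_lowest_set(p.expiration_age for p in profiles),
    )

def is_simple(password):
    """Assumption: simple = whole password is one repeating/ascending/descending run."""
    steps = {ord(b) - ord(a) for a, b in zip(password, password[1:])}
    return len(steps) == 1 and steps <= {-1, 0, 1}

def violations(password, policy):
    """Return the names of the table settings this password would fail."""
    complex_count = sum(not c.isalnum() for c in password)
    checks = [
        ("Minimum length", len(password) >= policy.min_length),
        ("Require alphanumeric value",
         not policy.require_alphanumeric or any(c.isalpha() for c in password)),
        ("Minimum number of complex characters", complex_count >= policy.min_complex_chars),
        ("Allow simple value", policy.allow_simple or not is_simple(password)),
    ]
    return [name for name, ok in checks if not ok]

# Constructed sample profiles: a site-wide baseline and a stricter one for one group.
baseline = PasswordProfile(min_length=8, max_failed_attempts=10, expiration_age=180)
finance = PasswordProfile(False, True, 12, 1, history=5, max_failed_attempts=5)
effective = merge_strictest([baseline, finance])
```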