PWpolicy Commands Deprecated in Yosemite

pmullins
New Contributor

Hi All,

I'm hoping to save a few of your foreheads and keyboards by letting you know some of the most common and useful commands in the pwpolicy command line utility have been deprecated.

If you look at the man page for pwpolicy in 10.9, the first six commands, which are also the most commonly used, look like this:

-getglobalpolicy          Get global policies
-setglobalpolicy          Set global policies
-getpolicy                Get policies for a user
--get-effective-policy    Gets the combination of global and user policies that apply to the user.
-setpolicy                Set policies for a user
-setpolicyglobal          Set a user account to use global policies

The man page in 10.10, however, looks like this:

-getglobalpolicy          Get global policies. DEPRECATED.
-setglobalpolicy          Set global policies. DEPRECATED.
-getpolicy                Get policies for a user. DEPRECATED.
--get-effective-policy    Gets the combination of global and user policies that apply to the user. DEPRECATED.
-setpolicy                Set policies for a user. DEPRECATED.

The command "-setpolicyglobal" isn't even listed in the new man page.

I discovered this when we had a 10.10 machine that had had a configuration profile applied, which included a password expiration policy. The configuration profile was subsequently removed, but the password policy was still active - of which we were unaware until later, when the user unexpectedly started getting a pending password expiration notice upon login.

Using the instructions in an article on Krypted.com (http://krypted.com/mac-security/programatically-setting-password-policies/) (Hi Charles!) I tried to manipulate the pwpolicy options to get the prompt to disappear - to no avail. Long story short, once I brought up the man page for pwpolicy in 10.10, rather than 10.9, I immediately saw the issue.

Armed with this new info, I was able to use the -clearaccountpolicies command via pwpolicy to remove the password expiration, both globally and user-specific.

None of the deprecated commands returned errors, BTW. They all appeared to work in the Terminal. In fact, when I ran --get-effective-policies, data was returned and there was no indication that I was working with outdated commands.

Hope this helps.

-PEM


FritzsCorner
Contributor III

Nice Find. Thank you for posting this!

ifbell
Contributor

I just stumbled onto this, so I was glad to find this. When I did the -clearaccountpolicies, it only worked for that user, not all the users. I ended up running it on each affected user.
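
Following on ifbell's point that the clear had to be repeated per user, the script below is an added example and not code from this thread. It lists local accounts with dscl, filters out system accounts by UID, and prints (or, with --clear, removes) the account policies for the global scope and for each user, using the 10.10 verbs -getaccountpolicies and -clearaccountpolicies rather than the deprecated ones the OP describes. The UID >= 500 cut-off, the script name and the --clear flag are this example's own conventions.

```shell
#!/bin/sh
# Added example (not from the thread): audit or clear pwpolicy account policies
# for the global scope and every real local user on OS X 10.10+.
# Uses the non-deprecated verbs -getaccountpolicies / -clearaccountpolicies.
# Run as root:  sudo ./pwpolicy_audit.sh          # show what is in force
#               sudo ./pwpolicy_audit.sh --clear  # also remove it everywhere
set -eu

# Filter the output of `dscl . -list /Users UniqueID` ("name uid" per line)
# down to human accounts. UID >= 500 is this example's cut-off; _service
# accounts, root and nobody (-2) fall below it.
real_local_users() {
  awk '$2 ~ /^-?[0-9]+$/ && $2 >= 500 { print $1 }'
}

# Print the account policies that apply to one user (-u selects the record).
show_user_policy() {
  printf '== user %s ==\n' "$1"
  pwpolicy -u "$1" -getaccountpolicies || true
}

# Remove the per-user policies for one user; as ifbell found, the global
# clear does not reach these, so each affected account needs its own call.
clear_user_policy() {
  printf 'clearing account policies for %s\n' "$1"
  pwpolicy -u "$1" -clearaccountpolicies
}

main() {
  mode="${1:-audit}"
  printf '== global ==\n'
  pwpolicy -getaccountpolicies || true
  if [ "$mode" = "--clear" ]; then
    pwpolicy -clearaccountpolicies
  fi
  dscl . -list /Users UniqueID | real_local_users | while read -r user; do
    show_user_policy "$user"
    if [ "$mode" = "--clear" ]; then
      clear_user_policy "$user"
    fi
  done
}

# pwpolicy and dscl exist only on OS X; the filter above runs anywhere.
if command -v pwpolicy >/dev/null 2>&1 && command -v dscl >/dev/null 2>&1; then
  main "$@"
fi
```

Run the audit form first and keep its output: once -clearaccountpolicies has run there is no record of what the removed configuration profile left behind.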

yadin
Contributor

I stumbled over this looking for a functional example using the new xml file format for pwpolicy. Unfortunately the example in the man file only includes a minimum character policy, and the documentation is insufficient to understand how you actually create a complex policy. The indication is you use something called NSPredicate to construct the policy string, and all the other keys are just fluff for reference. I can't find anything about how this type of expression works to actually use this. Anyone familiar with this and able to share an example policy? I'm looking to do all the normal things for a password requirement (and still can't comprehend how this has never been put in the UI) like minimum length, re-use history, letters, numbers, symbols, etc. In the past, the syntax was simple, but as stated they deprecated all of that.
sudo pwpolicy -setglobalpolicy "usingHistory=5 minChars=8 requiresAlpha=1 requiresNumeric=1 requiresSymbol=1 maxMinutesUntilChangePassword=525949 maxFailedLoginAttempts=30"
Back under 10.6 you could also specify that it can't match name and must use mixed case as well, but they removed those options long ago in 10.7 for some reason. It's like they don't care about security and want to make it harder.... Anyway, looking for anyone who can translate these rules into the new format.
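
As an added example (not from the thread or from Apple), the script below translates yadin's old -setglobalpolicy string into the 10.10+ -setaccountpolicies plist and applies it. Each rule is a dict with a policyContent NSPredicate, a free-text policyIdentifier and, where the predicate references a variable, a policyParameters dict supplying it. The three category keys and the policyAttribute* names are taken from Apple's pwpolicy man page and OpenDirectory password-policy examples as I remember them; confirm them against man pwpolicy on the target release before deploying, since a misspelled attribute is not flagged. As I understand the semantics, a policyCategoryPasswordContent predicate must evaluate true for a new password to be accepted, a policyCategoryPasswordChange predicate evaluating true forces a change, and a policyCategoryAuthentication predicate must evaluate true for login to succeed. The 15-minute auto-unlock (autoEnableInSeconds) has no equivalent in the old string and is an assumption, and the mixed-case rule goes beyond the old string to show that the predicate form expresses it as a plain regex.

```shell
#!/bin/sh
# Added example (not from the thread): build the 10.10+ pwpolicy account-policy
# plist equivalent to
#   usingHistory=5 minChars=8 requiresAlpha=1 requiresNumeric=1 requiresSymbol=1
#   maxMinutesUntilChangePassword=525949 maxFailedLoginAttempts=30
# Usage:  ./pwpolicy_build.sh            # print the plist for review
#         sudo ./pwpolicy_build.sh apply # lint and apply it globally
#         sudo TARGET_USER=alice ./pwpolicy_build.sh apply  # one user only
set -eu

MIN_LENGTH=8      # minChars=8
HISTORY_DEPTH=5   # usingHistory=5
EXPIRE_DAYS=365   # maxMinutesUntilChangePassword=525949 is about 365 days
MAX_FAILED=30     # maxFailedLoginAttempts=30
LOCKOUT_SECS=900  # assumption: auto-unlock 15 minutes after lockout

# Emit one policy dict. $1 identifier, $2 predicate (already XML-escaped),
# then optional key/integer pairs for policyParameters.
policy() {
  ident=$1; pred=$2; shift 2
  printf '    <dict>\n      <key>policyContent</key>\n      <string>%s</string>\n' "$pred"
  printf '      <key>policyIdentifier</key>\n      <string>%s</string>\n' "$ident"
  if [ $# -gt 0 ]; then
    printf '      <key>policyParameters</key>\n      <dict>\n'
    while [ $# -ge 2 ]; do
      printf '        <key>%s</key>\n        <integer>%s</integer>\n' "$1" "$2"
      shift 2
    done
    printf '      </dict>\n'
  fi
  printf '    </dict>\n'
}

build_policy_plist() {
  cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>policyCategoryPasswordContent</key>
  <array>
EOF
  # Content rules: every predicate must be true for a new password to be accepted.
  policy "Minimum length ${MIN_LENGTH}" \
    "policyAttributePassword matches '.{${MIN_LENGTH},}+'" minimumLength "$MIN_LENGTH"
  policy "Requires a letter" "policyAttributePassword matches '(.*[a-zA-Z].*){1,}+'"
  policy "Requires a number" "policyAttributePassword matches '(.*[0-9].*){1,}+'"
  policy "Requires a symbol" "policyAttributePassword matches '(.*[^a-zA-Z0-9].*){1,}+'"
  policy "Requires mixed case" \
    "policyAttributePassword matches '(.*[a-z].*){1,}+' AND policyAttributePassword matches '(.*[A-Z].*){1,}+'"
  policy "Not one of the last ${HISTORY_DEPTH}" \
    "none policyAttributePasswordHashes in policyAttributePasswordHistory" \
    policyAttributePasswordHistoryDepth "$HISTORY_DEPTH"
  cat <<EOF
  </array>
  <key>policyCategoryPasswordChange</key>
  <array>
EOF
  # Change rule: true means the password must be changed now. Comparison
  # operators are XML-escaped because the predicate lives inside <string>.
  policy "Expires every ${EXPIRE_DAYS} days" \
    "policyAttributeCurrentTime &gt; policyAttributeLastPasswordChangeTime + (policyAttributeExpiresEveryNDays * 24 * 60 * 60)" \
    policyAttributeExpiresEveryNDays "$EXPIRE_DAYS"
  cat <<EOF
  </array>
  <key>policyCategoryAuthentication</key>
  <array>
EOF
  # Authentication rule: true means login is allowed.
  policy "Lock after ${MAX_FAILED} failures" \
    "(policyAttributeFailedAuthentications &lt; policyAttributeMaximumFailedAuthentications) OR (policyAttributeCurrentTime &gt; policyAttributeLastFailedAuthenticationTime + autoEnableInSeconds)" \
    policyAttributeMaximumFailedAuthentications "$MAX_FAILED" autoEnableInSeconds "$LOCKOUT_SECS"
  cat <<EOF
  </array>
</dict>
</plist>
EOF
}

# Lint the plist, hand it to pwpolicy, then read the policy back.
apply_policy() {
  tmp=$(mktemp "${TMPDIR:-/tmp}/pwpolicy.XXXXXX")
  build_policy_plist > "$tmp"
  plutil -lint "$tmp"
  if [ -n "${TARGET_USER:-}" ]; then
    pwpolicy -u "$TARGET_USER" -setaccountpolicies "$tmp"
    pwpolicy -u "$TARGET_USER" -getaccountpolicies
  else
    pwpolicy -setaccountpolicies "$tmp"
    pwpolicy -getaccountpolicies
  fi
  rm -f "$tmp"
}

case "${1:-print}" in
  print) build_policy_plist ;;
  apply) apply_policy ;;
  *) echo "usage: $0 [print|apply]" >&2; exit 2 ;;
esac
```

Print the plist and run it through plutil -lint before applying; then test with a throwaway account, because -setaccountpolicies replaces the whole policy set for its scope and, as the OP found, a stale policy surfaces only when a user next logs in.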

jaharmi
Contributor

I don’t know about this particular case, but I know that Munki uses NSPredicates for its conditional items/statements. You may find some help there — since it’s at least in a sys admin context — or in NSPredicate developer documentation.

I have an example of a slightly complex NSPredicate that compares version numbers. Look at the “string” item after the “condition” key in the example property list. (There’s also an equivalent example using Smart Groups, for comparison between JSS and NSPredicate.)

Update: I haven’t used pwpolicy in a long time, because in testing on workstations back in the Leopard (?) timeframe, I found that it only applied to local “staff” (non-admin) user accounts. I can’t say that I’ve followed up with any significant testing since then to see if it changed. (I suspect I filed a feature request to have it apply to admin users and network/mobile accounts.)

Update: Here’s what I saw many years ago. It’s quite possible things have changed since then, of course.

jordanfleuriet
New Contributor

Despite the documentation saying these commands are deprecated, they all seem to work in El Cap, 10.11.1.