Password Policy Settings

Jamf Connect Documentation

  • Domain: com.jamf.connect
  • Dictionary: PasswordPolicies
  • Description: Used to configure network password checks, expiration notifications, and password policies

Setting

Description

Password Expiration Countdown Start Date

ExpirationCountdownStartDay

Specifies an integer that represents the number of days remaining before the password expiration countdown is displayed in the menu bar next to the app icon. This setting is set to 14 days by default and is disabled when set to 0.

Note: To use this setting, Self Service+ must be integrated with a Kerberos realm. For more information, see Kerberos Integration.
<key>ExpirationCountdownStartDay</key>
<integer>14</integer>

Password Expiration Manual Override

ExpirationManualOverrideDays

(Okta Classic Engine only) Specifies an integer that represents the number of days that a user's Okta password is valid for in your organization. For example, if a user must change their Okta password every 90 days, set this value to 90.

This allows you to display the number of days remaining before a user's password expires in the menu bar for Self Service+ for Okta accounts that are not managed by Active Directory.

To display this value next to the menu bar app icon as well as in the menu bar, make sure to also configure the Password Expiration Countdown Start Date setting.

Note: If your Okta accounts are mastered by Active Directory, this setting cannot be used. Continue to integrate Jamf Connect with a Kerberos realm and use the Password Expiration Countdown Start Date setting to display the password expiration date in Self Service+.

Password Expiration Notification Start Date

ExpirationNotificationStartDay

Specifies an integer that represents the number of days remaining before the user begins receiving notifications about an upcoming password expiration. This setting is set to 7 days by default and is disabled when set to 0.

Note: To use this setting, Self Service+ must be integrated with a Kerberos realm. For more information, see Kerberos Integration.
<key>ExpirationNotificationStartDay</key>
<integer>7</integer>

Network Check-in Frequency

NetworkCheck

Specifies the check-in frequency that Self Service+ uses to confirm that users' network password matches their local password. This setting is set to 60 minutes by default and is disabled when set to 0. Self Service+ can only check the network password if the network is accessible.

If a user's passwords are out of sync upon network check-in, the user receives a macOS notification every 60 minutes prompting them to sync their passwords.

<key>NetworkCheck</key>
<integer>60</integer>

Perform Network Checks on Network Changes

CheckOnNetworkChange

Determines whether Jamf Connect performs a network check when a computer's network status changes. This setting is enabled (set to true) by default. If disabled (set to false), Self Service+ will not perform a network check when a computer's network status changes.
<key>CheckOnNetworkChange</key>
<true/>

Sync Passwords Message

SyncPasswordsMessage

Specifies a message displayed to users when Self Service+ detects that their local and network passwords are out of sync.

<key>SyncPasswordsMessage</key>
<string>Your local and network passwords do not match. Enter your current local password to sync it with your network password</string>

Password Sync Block List

PasswordSyncBlockList

Specifies a list of local macOS accounts that you do not want to go through password syncing (typically admin accounts).

You can specify one or more local accounts as an array of strings using their local macOS account names (i.e., short names).

<key>PasswordSyncBlockList</key>
<array>
<string>account_one</string>
<string>account_two</string>
<string>account_three</string>
<string>account_four</string>
</array> 

Password Change Workflow

PasswordChangeWorkflow

Specifies whether users change their password using the Kerberos workflow directly in Self Service+, if available, or through your identity provider (IdP) in a web view.
  • Web: Users change passwords via a web view that opens your IdP's change password screen.
  • Kerberos: Users change passwords directly in Self Service+.

In environments that use Kerberos with Self Service+, Kerberos is the default setting.

<key>PasswordChangeWorkflow</key>
<string>Kerberos</string>

Password Policy Requirements

PolicyRequirements

Defines the password complexity policy for users changing their passwords. Self Service+ will only enforce this setting if a different password policy from Active Directory or a cloud IdP is not detected.

<key>PolicyRequirements</key>
<dict>
<key>minLength</key>
<integer>8</integer>
<key>minLowerCase</key>
<integer>1</integer>
<key>minMatches</key>
<integer>3</integer>
<key>minNumber</key>
<integer>1</integer>
<key>minSymbol</key>
<integer>1</integer>
<key>minUpperCase</key>
<integer>1</integer>
<key>excludeUsername</key>
<true/>
</dict>

Note: Use the minMatches preference to specify the number of ways a user's password must match the password criteria. For example, if the minMatches value is 3, users' passwords must include at least three of the password criteria (such as an uppercase letter, a special character/symbol, and an integer/number).

Mandatory Policy Requirement

MandatoryPolicyRequirement

Specifies a mandatory password policy for users changing their passwords to be enforced even when other password policies are met. This requirement can use a single key that is currently configured in your Password Policy Requirements setting.

<key>MandatoryPolicyRequirement</key>
<string>minLength</string>
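
The following added example (not Jamf's implementation and not part of the original documentation) models how minMatches and MandatoryPolicyRequirement combine, so you can test candidate passwords against a policy before deploying it. Assumptions: every configured key except minMatches counts as one criterion, a symbol is any ASCII punctuation character, and excludeUsername is a case-insensitive substring check; the function names are hypothetical.

```python
import plistlib
import string

# Constructed sample: this page's PolicyRequirements and MandatoryPolicyRequirement values.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>PasswordPolicies</key>
<dict>
  <key>PolicyRequirements</key>
  <dict>
    <key>minLength</key><integer>8</integer>
    <key>minLowerCase</key><integer>1</integer>
    <key>minMatches</key><integer>3</integer>
    <key>minNumber</key><integer>1</integer>
    <key>minSymbol</key><integer>1</integer>
    <key>minUpperCase</key><integer>1</integer>
    <key>excludeUsername</key><true/>
  </dict>
  <key>MandatoryPolicyRequirement</key><string>minLength</string>
</dict>
</dict></plist>"""

def criteria_met(password, username, req):
    """Return the set of configured criteria the password satisfies."""
    counts = {
        "minLength": len(password),
        "minLowerCase": sum(c.islower() for c in password),
        "minUpperCase": sum(c.isupper() for c in password),
        "minNumber": sum(c.isdigit() for c in password),
        # Assumption: a "symbol" is any ASCII punctuation character.
        "minSymbol": sum(c in string.punctuation for c in password),
    }
    met = {k for k, n in counts.items() if k in req and n >= req[k]}
    # Assumption: excludeUsername is a case-insensitive substring check.
    if req.get("excludeUsername") and username.lower() not in password.lower():
        met.add("excludeUsername")
    return met

def evaluate(password, username, policies):
    """Model: accept when minMatches criteria pass AND the mandatory one passes."""
    req = policies.get("PolicyRequirements", {})
    met = criteria_met(password, username, req)
    needed = req.get("minMatches", len(req))  # no minMatches: require every criterion
    mandatory = policies.get("MandatoryPolicyRequirement")
    ok = len(met) >= needed and (mandatory is None or mandatory in met)
    return ok, sorted(met)

POLICIES = plistlib.loads(SAMPLE)["PasswordPolicies"]
```

Under these assumptions, `evaluate("abcdefgh", "alice", POLICIES)` is accepted with only three criteria met, while `evaluate("Ab1!", "alice", POLICIES)` is rejected because the mandatory minLength fails even though five criteria pass. If every character class must be present, minMatches has to equal the number of configured criteria.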

Password Policy Message

PolicyMessage

A message that explains your configured password policy. This message only displays when a user tries to set a password that does not meet your password policy requirements.

<key>PolicyMessage</key>
<string>This password does not meet your organization's minimum password complexity requirements.</string>
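
As an added example (not a Jamf tool and not part of the original documentation), the following check audits a PasswordPolicies dictionary against the constraints stated on this page before the profile is deployed. The `lint` function, the finding wording, and the sample configuration with its deliberate mistakes are constructed for illustration.

```python
import plistlib

# Constructed sample with deliberate mistakes; not a configuration from the page.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>PasswordPolicies</key>
<dict>
  <key>NetworkCheck</key><integer>0</integer>
  <key>ExpirationManualOverrideDays</key><integer>90</integer>
  <key>PasswordChangeWorkflow</key><string>kerberos</string>
  <key>PasswordSyncBlockList</key><array><string>localadmin</string></array>
  <key>PolicyRequirements</key>
  <dict>
    <key>minLength</key><integer>8</integer>
    <key>minNumber</key><integer>1</integer>
    <key>minMatches</key><integer>3</integer>
  </dict>
  <key>MandatoryPolicyRequirement</key><string>minLenght</string>
</dict>
</dict></plist>"""

def lint(p):
    """Return (key, finding) pairs for a PasswordPolicies dictionary."""
    out = []
    req = p.get("PolicyRequirements", {})
    criteria = [k for k in req if k != "minMatches"]
    mandatory = p.get("MandatoryPolicyRequirement")
    if mandatory is not None and mandatory not in criteria:
        out.append(("MandatoryPolicyRequirement", f"{mandatory!r} is not a configured PolicyRequirements key"))
    if req.get("minMatches", 0) > len(criteria):
        out.append(("minMatches", "asks for more matches than there are configured criteria"))
    # An absent key is not flagged; only values other than the two listed on the page are.
    if p.get("PasswordChangeWorkflow", "Kerberos") not in ("Web", "Kerberos"):
        out.append(("PasswordChangeWorkflow", "value is not Web or Kerberos"))
    for key in ("NetworkCheck", "ExpirationNotificationStartDay", "ExpirationCountdownStartDay"):
        if p.get(key) == 0:
            out.append((key, "set to 0, which disables this feature"))
    if "ExpirationManualOverrideDays" in p and not p.get("ExpirationCountdownStartDay"):
        out.append(("ExpirationManualOverrideDays", "countdown next to the icon also needs ExpirationCountdownStartDay"))
    if any(not isinstance(a, str) or not a for a in p.get("PasswordSyncBlockList", [])):
        out.append(("PasswordSyncBlockList", "entries must be non-empty account short names"))
    return out

FINDINGS = lint(plistlib.loads(SAMPLE)["PasswordPolicies"])
```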