Password Syncing

Jamf Connect Documentation

Self Service+ (formerly the Jamf Connect menu bar app) can sync a user's local and network passwords. When Self Service+ is configured with your cloud identity provider (IdP)'s minimum authentication settings, it will do the following by default:

  • Continuous Password Verification

    The user's network and local passwords are checked every 60 minutes to verify that they are in sync.

  • Sync Passwords

    Prompt a user to change their local password if it does not match the network password.

    If a user's password syncing fails because their new password doesn't meet the requirements enforced by macOS (via MDM passcode configuration, etc.), the user sees a list of the requirements their password must meet.

  • Manage Network Password Changes

    Facilitate a network password change when a password expires. Self Service+ completes this change by opening a web view to your cloud IdP's password change URL. If Kerberos is used, the password change is completed directly in the Self Service+ UI.

  • Password Expiration Warnings

    Self Service+ can display the number of days before a password expires in the UI. If notifications are allowed, it can also notify the user when a password is out of sync.

Note:
  • For more information about default and recommended password change and reset URLs, see the Change Password URL (ChangePasswordURL) and Reset Password URL (ResetPasswordURL) preferences in Menu Bar Authentication Settings.

  • If you use platform SSO with Microsoft Entra ID, you must add a custom allowlist setting to your configuration profile prior to deployment to avoid password sync failures. The allowlist must include com.jamf.management and com.jamf.selfserviceplus. For more information, see Deploying a Platform Single Sign-on Configuration Profile.

Keep the following in mind when using Self Service+ to sync passwords:
  • Self Service+ cannot display notifications unless the user allows them in System Preferences > Notifications. Mac administrators can also enable notifications for Self Service+ with a notifications profile. If you use Jamf Pro, you can enable notifications remotely by navigating to Jamf Pro > Settings > Computer Management > Security and configuring the Automatically install a Jamf Notifications profile setting.

  • If a network account password is changed without Self Service+ (e.g., through your organization's IdP web page for password changes), the previously used network password remains the local password until Self Service+ checks in (by default every 60 minutes) and prompts the user to update their password. The user is notified every 60 minutes until they complete the network account password update.

  • Users must know their old passwords in order to sync passwords. If a user updates their password without Self Service+ and cannot remember their old password (previously used network password), log in as an administrator and see If you forgot your Mac login password from Apple's Support website.

  • You can disable password syncing for specific local accounts using the Password Sync Block List (PasswordSyncBlockList) setting. It allows you to specify a list of local macOS accounts that you do not want to go through password syncing (typically admin accounts). For more information, see Password Policy Settings.
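The following configuration fragment is an added example, not taken from the Jamf Connect documentation, showing how the settings named above fit together in a preference plist: the Password Sync Block List keeps the listed local admin accounts out of password syncing while IdP-backed users remain in sync, and the change and reset URLs are the ones Self Service+ opens for network password changes. The preference domain com.jamf.connect, the account names, and the URLs are assumptions and placeholders; substitute your own values.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <!-- Assumed preference domain for these keys: com.jamf.connect (set as the payload's domain). -->

    <!-- Local accounts excluded from password syncing. These names are constructed examples;
         list your own local admin or management accounts here. Standard IdP-backed users are
         deliberately left out so their local password stays in sync with the network password. -->
    <key>PasswordSyncBlockList</key>
    <array>
        <string>localadmin</string>
        <string>jamfmgmt</string>
    </array>

    <!-- URL Self Service+ opens in a web view when a network password must be changed (placeholder). -->
    <key>ChangePasswordURL</key>
    <string>https://idp.example.com/CHANGE-PASSWORD-URL-PLACEHOLDER</string>

    <!-- URL offered to users who have forgotten their network password (placeholder). -->
    <key>ResetPasswordURL</key>
    <string>https://idp.example.com/RESET-PASSWORD-URL-PLACEHOLDER</string>
</dict>
</plist>
```

Before deploying, confirm that every account in PasswordSyncBlockList exists locally and that no IdP-backed user account appears there, since a blocked user would never be prompted to bring an out-of-sync local password back in line.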

  • If a password policy is detected from your cloud IdP or Active Directory, Self Service+ uses it automatically. If you configure the Password Policy (PolicyRequirements) setting in Self Service+ or passcode restrictions with your MDM solution, make sure the configured policy matches your organization's IdP password policy or is less restrictive, to avoid password change errors.
    Warning:

    To ensure users are not locked out of their computer due to conflicting password policies, do not enforce the Change at Next Authentication (macOS 10.13 or later) (changeAtNextAuth) setting available in the Passcode payload via an MDM solution. Instead, allow your IdP's password policy to expire user passwords and use Self Service+ to manage password changes.

To perform password syncing at the login window and during account creation, you must configure additional Self Service+ settings. For more information about password syncing at the login window, see Initial Local Password Creation.