Enforcing Password Compliance for Computers

Jamf Pro Documentation 11.16.0


You can enforce passwords on computers to enhance security and protect sensitive information. This measure can significantly reduce the risk of unauthorized access.

By requiring a password, you can help ensure that only authorized users can access corporate emails, documents, and other resources stored on the device, thus safeguarding against data breaches and maintaining compliance with privacy regulations.

Jamf recommends following the password guidelines set forth by the National Institute of Standards and Technology (NIST).

Use the Passcode payload to configure password compliance for local user accounts.

Note:

The password recommendations provided below apply only if you are not using Jamf Connect to sync passwords with your cloud identity provider or if your computers are using a directory service such as Microsoft Active Directory.

  1. On the Configuration Profiles page, do one of the following:
    • Click New to create a new configuration profile.

    • Select an existing configuration profile and click Edit.

  2. Click the Passcode payload.
  3. Jamf recommends the following password settings for computers:
    • Require Passcode

      Include

    • Minimum Passcode Length

      Select a length between 12 and 16 characters.

    • Maximum Passcode Age

      NIST does not recommend enforcing periodic password changes.

    • Passcode History

      NIST does not recommend enforcing periodic password changes.

    • Change at Next Authentication (macOS 10.13 or later)

      Use this setting to force an end user to update their password the next time they log in to the computer if their password does not already meet passcode requirements. Otherwise, the new password requirements will take effect the next time the end user changes their password. Jamf recommends that you apply this setting at the computer level so your requirements will apply to all end users (standard and admin), and deploy it using a dedicated configuration profile. Authentications may fail until the password is reset.

  4. Click the Scope tab and configure the scope of the configuration profile.
  5. Click Save.
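
To check a saved profile against the settings recommended in step 3, the following added example (not Jamf's own code) audits the Passcode payload of an unsigned, XML-format configuration profile. It assumes the Jamf Pro setting names map to Apple's passcode payload keys `forcePIN`, `minLength`, `maxPINAgeInDays`, `pinHistory` and `changeAtNextAuth`; the sample profile is constructed for illustration.

```python
import plistlib

PAYLOAD_TYPE = "com.apple.mobiledevice.passwordpolicy"  # Apple's Passcode payload type

# Constructed sample profile (not exported from a real Jamf Pro instance).
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadContent</key><array><dict>
    <key>PayloadType</key><string>com.apple.mobiledevice.passwordpolicy</string>
    <key>forcePIN</key><true/>
    <key>minLength</key><integer>8</integer>
    <key>maxPINAgeInDays</key><integer>90</integer>
    <key>changeAtNextAuth</key><true/>
  </dict></array>
</dict></plist>"""


def audit_passcode_payload(profile_bytes):
    """Return a list of findings; an empty list means the profile matches the guidance."""
    profile = plistlib.loads(profile_bytes)
    # Assumed mapping of the Jamf Pro setting names to Apple's payload keys.
    payloads = [p for p in profile.get("PayloadContent", [])
                if p.get("PayloadType") == PAYLOAD_TYPE]
    if not payloads:
        return ["no Passcode payload in profile"]
    findings = []
    for p in payloads:
        if not p.get("forcePIN", False):
            findings.append("Require Passcode is not included (forcePIN)")
        length = p.get("minLength", 0)
        if not 12 <= length <= 16:
            findings.append(f"Minimum Passcode Length is {length}, expected 12-16")
        if p.get("maxPINAgeInDays", 0) > 0:
            findings.append("Maximum Passcode Age is set (periodic change enforced)")
        if p.get("pinHistory", 0) > 0:
            findings.append("Passcode History is set")
        if not p.get("changeAtNextAuth", False):
            findings.append("Change at Next Authentication is off")
    return findings


if __name__ == "__main__":
    for finding in audit_passcode_payload(SAMPLE_PROFILE):
        print("FINDING:", finding)
```

A signed profile is CMS-wrapped and must be unwrapped before `plistlib` can parse it.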