Password Syncing with Jamf Connect

Jamf Connect can sync a user's local and network passwords. When Jamf Connect is configured with your cloud identity provider (IdP)'s minimum authentication settings, Jamf Connect will do the following by default:

  • Continuous Password Verification—The user's network and local passwords are checked every 15 minutes to verify that they are in sync.

  • Sync Passwords—Prompt a user to change their local password if it does not match the network password.

  • Manage Network Password Changes—Facilitate a network password change when a password expires. Jamf Connect completes this change by opening a web view to your cloud IdP's password change URL. If Kerberos is used, the password change is completely directly in the Jamf Connect UI.

  • Password Expiration Warnings—Display notifications in both the menu bar and via push notifications about upcoming password expirations.

Keep the following in mind when using Jamf Connect to sync passwords:

  • Jamf Connect will automatically use a password policy detected from your cloud IdP or Active Directory, if detected. If you configure the Password Policy (PolicyRequirements) setting in Jamf Connect, you should make sure that the configured policy matches your organization's password policy or is less restrictive to avoid password change errors.

  • If network account passwords are changed without Jamf Connect (such as a password change through the IdP web page, for example), the previously used network password will remain the local password. Users will be prompted to enter the local password (previously used network password), which may have been forgotten by the user, in order to sync passwords. If this occurs, log in as an administrator and see Change or reset the password of a macOS user account from Apple's Support website.

To perform password syncing at the login window and during account creation, you must configure additional Jamf Connect settings. For more information about password syncing at the login window, see Initial Local Password Creation.

Requirements

To sync passwords with Jamf Connect, you need to configure the IdPSettings dictionary with your cloud IdP's minimum required settings.

For more information, see Authentication Settings.

Important: Google Cloud Identity cannot be used to sync passwords.

Password Policy Settings

Domain: com.jamf.connect

Dictionary: PasswordPolicies

Description: Used to configure network password checks, expiration notifications, and password policies

Key

Description

Example

ExpirationCountdownStartDay

Password Expiration Countdown Start Date

An integer, in days remaining, before the password expiration countdown is displayed in the menu bar. By default, 14 days is used. This setting is disabled when set to 0.

<key>ExpirationCountdownStartDay</key>

<integer>14</integer>

ExpirationNotificationStartDay

Password Expiration Notification Start Date

An integer, in days remaining, before the user begins receiving notifications about an upcoming password expiration. By default, 7 days is used. This setting is disabled when set to 0.

 

<key>ExpirationNotificationStartDay</key>

<integer>7</integer>

NetworkCheck

Network Check-in Frequency

The check-in frequency that Jamf Connect will use to confirm the network password matches the local password. By default, 15 minutes is used. This setting is disabled when set to 0. Jamf Connect can only check the network password if the network is accessible.

 

<key>NetworkCheck</key>

<integer>15</integer>

SyncPasswordsMessage

Sync Passwords Message

A message displayed to users when Jamf Connect detects that their local and network passwords are out of sync.

<key>SyncPasswordsMessage</key>

<string>Your local and network passwords do not match. Enter your current local password to sync it with your network password</string>

PolicyRequirements

Password Policy Requirements

Defines the password complexity policy for changing the password. Jamf Connect will only enforce this setting if a different password policy from Active Directory or a cloud IdP is not detected.

<key>PolicyRequirements</key>
<dict>
<key>minLength</key>
<integer>8</integer>
<key>minLowerCase</key>
<integer>1</integer>
<key>minMatches</key>
<integer>3</integer>
<key>minNumber</key>
<integer>1</integer>
<key>minSymbol</key>
<integer>1</integer>
<key>minUpperCase</key>
<integer>1</integer>
</dict>

PolicyMessage

Password Policy Message

A message that explains your configured password policy. This message only displays when a users tries to set a password that does not meet your password policy requirements.

<key>PolicyMessage</key>

<string>This password does not meet your organization's minimum password complexity requirements.</string>

Related Information

For related information, see the following:

Copyright     Privacy Policy     Terms of Use     Security
© copyright 2002-2021 Jamf. All rights reserved.