Password Syncing with Jamf Connect

Important:

Google Cloud Identity does not currently support password syncing with Jamf Connect, and the menu bar app cannot be used.

Jamf Connect can sync a user's local and network passwords. When Jamf Connect is configured with your cloud identity provider (IdP)'s minimum authentication settings, Jamf Connect will do the following by default:

  • Continuous Password Verification

    The user's network and local passwords are checked every 15 minutes to verify that they are in sync.

  • Sync Passwords

    Prompt a user to change their local password if it does not match the network password.

  • Manage Network Password Changes

    Facilitate a network password change when a password expires. Jamf Connect completes this change by opening a web view to your cloud IdP's password change URL. If Kerberos is used, the password change is completed directly in the Jamf Connect UI.

  • Password Expiration Warnings

    Jamf Connect can display the number of days before a password expires in the menu bar. It can also notify the user when a password is out of sync, if notifications are allowed.

Keep the following in mind when using Jamf Connect to sync passwords:

  • Jamf Connect cannot display notifications unless the user allows them in System Preferences > Notifications. Mac administrators can also enable notifications for Jamf Connect with a notifications profile. If you use Jamf Pro, you can enable notifications remotely by navigating to Jamf Pro > Settings > Computer Management > Security and configuring the Automatically install a Jamf Notifications profile setting.

  • If a network account password is changed without Jamf Connect (e.g., via your organization's IdP web page for password changes), the previously used network password remains the local password until Jamf Connect checks in (by default every 15 minutes) and prompts the user to update their local password.

  • Users must know their old passwords in order to sync passwords. If a user updates their password without Jamf Connect and cannot remember their old password (previously used network password), log in as an administrator and see Change or reset the password of a macOS user account from Apple's Support website.

  • Jamf Connect automatically uses a password policy if one is detected from your cloud IdP or Active Directory. If you configure the Password Policy (PolicyRequirements) setting in Jamf Connect or passcode restrictions with your MDM solution, make sure the configured policy matches your organization's IdP password policy or is less restrictive; a local policy that is stricter than the IdP's causes password change errors.
    Warning:

    To ensure users are not locked out of their computer due to conflicting password policies, do not enforce the Change at Next Authentication (macOS 10.13 or later) (changeAtNextAuth) setting available in the Passcode payload via an MDM solution. Instead, allow your IdP's password policy to expire user passwords and use Jamf Connect to manage password changes.
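The policy-mismatch failure mode described above can be checked before a profile is deployed. The following is an added example, not Jamf's code or a Jamf Connect configuration: it compares a proposed local password policy against the IdP's policy and reports every field where the local side is stricter, and it shows how a password the IdP accepts can still be rejected locally. The field names (minLength, minSymbol, maxAgeDays, and so on) and the two sample policies are constructed for illustration and are not Jamf Connect or MDM configuration keys.

```python
"""Check that a local password policy is no stricter than the IdP's policy.

Constructed example: field names and sample policies are illustrative and
are not Jamf Connect, Jamf Pro or MDM Passcode payload keys.
"""

from typing import Dict, List

# Minimum-count fields: a larger value is the stricter requirement.
HIGHER_IS_STRICTER = ("minLength", "minUpperCase", "minLowerCase", "minNumber", "minSymbol")
# Maximum-age fields: a smaller value is the stricter requirement.
LOWER_IS_STRICTER = ("maxAgeDays",)

# Constructed sample policies (not real organisational settings).
IDP_POLICY: Dict[str, int] = {"minLength": 8, "minNumber": 1, "maxAgeDays": 90}
LOCAL_POLICY: Dict[str, int] = {"minLength": 12, "minNumber": 1, "minSymbol": 1, "maxAgeDays": 60}


def stricter_fields(local: Dict[str, int], idp: Dict[str, int]) -> List[str]:
    """Return the fields where `local` is more restrictive than `idp`.

    An empty list means the local policy matches the IdP policy or is less
    restrictive, which is the safe configuration.
    """
    problems: List[str] = []
    for field in HIGHER_IS_STRICTER:
        # A field absent from a policy imposes no minimum.
        if local.get(field, 0) > idp.get(field, 0):
            problems.append(field)
    for field in LOWER_IS_STRICTER:
        # An IdP with no expiry is treated as an infinite maximum age, so any
        # local expiry would be stricter than the IdP.
        if field in local and local[field] < idp.get(field, float("inf")):
            problems.append(field)
    return problems


def meets_policy(password: str, policy: Dict[str, int]) -> bool:
    """Return True if `password` satisfies the minimum-count fields of `policy`."""
    counts = {
        "minLength": len(password),
        "minUpperCase": sum(c.isupper() for c in password),
        "minLowerCase": sum(c.islower() for c in password),
        "minNumber": sum(c.isdigit() for c in password),
        "minSymbol": sum(not c.isalnum() for c in password),
    }
    return all(counts[field] >= policy.get(field, 0) for field in HIGHER_IS_STRICTER)


def report(local: Dict[str, int], idp: Dict[str, int]) -> str:
    """Human-readable summary of the comparison."""
    problems = stricter_fields(local, idp)
    if not problems:
        return "OK: local policy is not stricter than the IdP policy"
    return "WARNING: local policy is stricter than the IdP policy in: " + ", ".join(problems)


if __name__ == "__main__":
    print(report(LOCAL_POLICY, IDP_POLICY))
    # A constructed password the IdP would accept but the local policy rejects,
    # which is exactly the sync error the configuration advice aims to avoid.
    sample = "Summer2024"
    print("IdP accepts:", meets_policy(sample, IDP_POLICY))
    print("Local accepts:", meets_policy(sample, LOCAL_POLICY))
```

Run the script against the proposed local policy before rolling out a Passcode payload or a PolicyRequirements setting; any field it lists is one the IdP will happily accept a password for while the local side refuses it.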

To perform password syncing at the login window and during account creation, you must configure additional Jamf Connect settings. For more information about password syncing at the login window, see Initial Local Password Creation.