Intune Password Policy Without Forcing Password Reset

Introduction

One recurring behaviour I have encountered when enforcing password requirements on macOS devices via Intune: whenever any setting on that policy was changed, the user would be required to change their password.

Now this on its own is already annoying enough: if a customer ever requested that the amount of time before the screen locks be changed, all their staff would be required to change their passwords.

This came up so infrequently that I had left it alone for a while, but then a new hurdle presented itself: Platform SSO.
While testing PSSO, the sync kept breaking and I couldn’t reuse the previous password. I also modified the password policy multiple times while testing… that very quickly became a nightmare, and I made it a mission to figure it out once and for all.

The Problem

The first thing I wanted to look at was the Apple documentation, specifically the Passcode Payload page. Looking at the list of properties, there’s one that sounds suspiciously like what’s been happening:
“changeAtNextAuth”
“If true, the system causes a password reset to occur the next time the user tries to authenticate.”

Okay, I have a hunch that we’re on the right track!
Next step, let’s have a look at the profile the Mac has received:

Well, I think we’ve found our problem: the Intune DeviceFeatures template is applying the “changeAtNextAuth” property even when it’s not specified.

Before we move on, it’s important to note that the Intune Compliance policy enforces password requirements AND applies the property that forces a password reset.

Solution Investigation:

Now that we’ve identified the cause of the forced password reset, what are we going to do about it?

Remove the Password Requirements From the Compliance Policy

This is the easy part: log in to Intune, navigate to Devices -> MacOS -> Compliance and edit your compliance policy.
The only change we need to make here is to change “Require a password to unlock devices” to “Not Configured”.

Remove the Existing Password Policy

The next thing to do, to avoid password conflicts, is to remove the existing password policy.
Log in to Intune and navigate to Devices -> MacOS -> Configuration. Select the three dots on the right of the password policy and delete it.

Create the New Password Policy

The last thing we need to do is create the new password policy without using the Intune template.
Log in to Intune and navigate to Devices -> MacOS -> Configuration. Now create a Settings Catalogue policy and replicate your settings from the template.
I’ve included a screenshot below and a copy of the JSON is available at my GitHub here.

Solution Testing:

Now that the policy has been deployed, let’s see what the Mac has actually received:

Now, almost purely to check it in the nerdier way, let’s look at the preference file for the Password Policy.
Here’s the output of the command:
defaults read /Library/Managed\ Preferences/com.apple.mobiledevice.passwordpolicy

There we go, changeAtNextAuth = 0 is exactly what I wanted to see.
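For anyone who wants to repeat that check across a fleet rather than eyeballing `defaults read`, here is an added audit script (my own example, not part of the Intune or Apple tooling). It parses the managed preference plist for com.apple.mobiledevice.passwordpolicy with Python’s standard plistlib and reports whether changeAtNextAuth is set; the two embedded sample policies are constructed for illustration and the watched key list is my choice of Passcode payload keys.

```python
import plistlib
from pathlib import Path

PASSCODE_DOMAIN = "com.apple.mobiledevice.passwordpolicy"
# The file behind `defaults read /Library/Managed Preferences/<domain>`
MANAGED_PREFS = Path("/Library/Managed Preferences") / f"{PASSCODE_DOMAIN}.plist"

# Passcode payload keys worth reporting; changeAtNextAuth is the one that
# triggers the forced reset discussed in the post.
WATCHED_KEYS = ("minLength", "maxInactivity", "requireAlphanumeric", "changeAtNextAuth")


def audit_passcode_policy(plist_bytes: bytes) -> dict:
    """Parse a passcode-policy plist and return the watched keys plus a verdict."""
    policy = plistlib.loads(plist_bytes)
    settings = {k: policy.get(k) for k in WATCHED_KEYS if k in policy}
    # A missing key is treated as False, which matches the 0 seen in the
    # preference file when no reset is requested.
    forces_reset = bool(policy.get("changeAtNextAuth", False))
    return {"settings": settings, "forces_reset": forces_reset}


def audit_managed_preferences(path: Path = MANAGED_PREFS) -> dict:
    """Read the live managed preference file on a Mac (needs read access)."""
    return audit_passcode_policy(path.read_bytes())


def _sample(change_at_next_auth: bool) -> bytes:
    """Constructed sample policy resembling what the Mac receives; not a real profile."""
    return plistlib.dumps({
        "minLength": 12,
        "maxInactivity": 15,
        "requireAlphanumeric": True,
        "changeAtNextAuth": change_at_next_auth,
    })


# Constructed before/after pair: the template-style policy carries the flag,
# the Settings Catalogue-style policy does not.
TEMPLATE_STYLE = _sample(True)
CATALOG_STYLE = _sample(False)

if __name__ == "__main__":
    for label, blob in (("template", TEMPLATE_STYLE), ("catalog", CATALOG_STYLE)):
        result = audit_passcode_policy(blob)
        verdict = "WILL force a reset" if result["forces_reset"] else "no forced reset"
        print(f"{label}: {verdict} {result['settings']}")
```

On a managed Mac, `audit_managed_preferences()` reads the real file so the same verdict can be collected by whatever inventory tooling you already run.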

I’m happy to say that since implementing this new password policy, I’ve not been able to reproduce the issues I was having before.

If this post helps you or you have any questions or feedback, please leave me a comment down below!
