Password Policy¶
pwpolicy(8)
The password policy may be modified by using the pwpolicy command line tool, or by installing a profile containing the Password Policy payload.
Password policies seem to be stored as directory records. Attempting to access password policies on an Active Directory node results in:
Error: Operation is not supported by the directory node.
macOS 10.9¶
Executing /usr/bin/pwpolicy -getglobalpolicy
will show some of the values applied by the payload.
macOS 10.10+¶
Executing /usr/bin/pwpolicy -n /Local/Default -getaccountpolicies
will show password policies for the local directory.
Policies that have been created by profiles have a special value for policyIdentifier.
The identifier is generated from the PayloadUUID that created the policy, for example:
- The PayloadUUID might be
777A5E39-C99E-42D9-895E-0F818F0E644B
. - The Payload sets maxPINAgeInDays.
- The resulting identifier is
ProfilePayload:777A5E39-C99E-42D9-895E-0F818F0E644B:maxPINAgeInDays
.