It is not uncommon for Mac users to log in with local user accounts, even in a directory environment.  The question becomes, how do we enforce password policies on those local accounts?  There are many schools of thought on this, but here is how I did it recently with the combination of a configuration payload and a simple script.


1. Create a Configuration Profile with a Passcode payload.

2. Configure the settings you desire.

3. Scope appropriately.


While this configures the settings, there is no option in the payload to enforce them on existing accounts.  The policy is only applied when a user decides to change his/her password or when a new user is created.  So you can add a simple script with the pwpolicy command.


Create a policy with a Script payload and a Restart Options payload.  In the Restart Options payload, set the "User Logged In Action" to Restart and a delay of your choice.  In your script, include the following:


#!/bin/bash
pwpolicy -u "$3" -setpolicy "newPasswordRequired=1"  # $3 = username of the logged-in user, passed in by Jamf Pro



A few notes:

Apple has officially deprecated the -setpolicy option but it still works perfectly in High Sierra (10.13.3 as of this writing).

The $3 in this script is a parameter specific to Jamf Pro.  Because -setpolicy needs to know which user requires a new password, $3 supplies the username of the logged-in user from the computer.  See the following Jamf Nation article for more:


At the next login, the user will be prompted to create and verify a new password that meets the parameters of your Passcode configuration profile.