Description
Summary
The password policy defined in the rule pwpolicy_account_inactivity_enforce can immediately lock out user accounts.
Steps to reproduce
Create a pwpolicy.xml file as described in the rule pwpolicy_account_inactivity_enforce. This results in the following file content (33 is the provided ODV):
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist>
<dict>
<key>policyCategoryAuthentication</key>
<array>
<dict>
<key>policyContent</key>
<string>policyAttributeLastAuthenticationTime > policyAttributeCurrentTime - (policyAttributeInactiveDays * 24 * 60 * 60)</string>
<key>policyIdentifier</key>
<string>Inactive Account</string>
<key>policyParameters</key>
<dict>
<key>policyAttributeInactiveDays</key>
<integer>33</integer>
</dict>
</dict>
</array>
</dict>
</plist>
```
Then run as root:
```sh
/usr/bin/pwpolicy setaccountpolicies pwpolicy.xml
```
Operating System version
macOS Sonoma Version 14.7.7 (23H723)
Intel or Apple Silicon
2.6 GHz 6-Core Intel Core i7
What is the current bug behavior?
The user account is locked out after the policy is applied; the user can no longer log in with their password.
What is the expected correct behavior?
The password policy is enforced correctly, i.e. the user account is locked out after ODV days of inactivity.
Relevant logs and/or screenshots
Output of checks
See the attached screenshot.
Comment from @golbiga on this issue:
It looks like failedLoginTimestamp is not being created, so pwpolicy is possibly using creationTime. In our testing just now the creation date was 100 days ago, so if we set it to 101 days we can log in; at 99, locked out.
Possible fixes
The user has to reset their password in recovery mode.