I'm logging in on my main macbook pro screen and getting asked for a new password. None of my corporate apps are asking for a new password, and my MacBook forced me to change to a new and very different password format when I did the latest update.
Why is Apple making everything more difficult to use?
How can I just get back to my old password and decide if I want apple to force a password change?
MacBook Pro 13″, macOS 12.6
@Barney-15E is correct. Apple will never force you to change your password in this manner.
You mentioned Corporate Apps and therefore your Mac may be managed by your IT department. If you go to System Settings -> Privacy & Security -> Profiles it should be blank. But if you have any profiles listed, then your Mac is being managed by your employer.
It is common practice to force user passwords to expire and to be changed every 30-60-90 days. Depending on how your IT department has things configured, it's likely you have a local account on the Mac which may or may not be sync'd with a Windows Active Directory / AzureAD / JumpCloud / LDAP account. You may also have cloud based corporate logins using your email address as your username.
@Barney-15E is correct. Apple will never force you to change your password in this manner.
You mentioned Corporate Apps and therefore your Mac may be managed by your IT department. If you go to System Settings -> Privacy & Security -> Profiles it should be blank. But if you have any profiles listed, then your Mac is being managed by your employer.
It is common practice to force user passwords to expire and to be changed every 30-60-90 days. Depending on how your IT department has things configured, it's likely you have a local account on the Mac which may or may not be sync'd with a Windows Active Directory / AzureAD / JumpCloud / LDAP account. You may also have cloud based corporate logins using your email address as your username.
From what you've described, it is very clear that a Microsoft Intune policy is forcing the local account password to be changed. An Intune admin must have recently turned on a local account password policy and that policy was applied to the devices enrolled in Intune. This doesn't just happen and Apple has nothing to do with it. In most corporate environments a dedicated security team would mandate these changes and the engineers / admins apply them to meet corporate information security and compliance requirements. It is unlikely to be a mistake.
However, it sounds like the company wasn't open in clearly communicating the change to the employees. Perhaps the change would be seamless for Windows user while being jarring for macOS users. If the IT department is primarily supporting Microsoft Windows it wouldn't be anything new in the industry for them to overlook the Mac end user experience.
You should be able to see the configuration profiles your employers Microsoft Intune applied to the Mac.
Go to System Settings -> Privacy & Security -> Profiles: By default, this screen would be EMPTY for a retail non-supervised Mac. If you see entries, It will say "This Mac is supervised and managed by <Comany Name>" at the top. That means it is enrolled with an MDM server such as Intune, etc. Double-click each entry in the list and scroll down on each pop-up window and read the settings that are being enforced. It is possible that IT security hides this information from the user. But since a user cannot normally change or remove these profiles most companies do not hide it from view.
Intune enforced a local password policy with expiration (30-60-90 days) and password complexity requirements on the Mac but apparently didn't implement the Apple Kerberos SSO extension profiles which would help smooth things out by ensuring the local account password is changed to match the corporate password. That local password policy is different than the policy being applied on the corporate accounts themselves. Also any corporate logins to cloud services such as Azure / 365 typically acquire an authentication token which eventually expires (time-to-expiration is configurable) so things will just connect until that token expires. Then you have to sign-on to acquire a new token and usually an MFA app like Microsoft Authenticator.
I would recommend that you find out who manages the Intune MDM server and request that they consider implementing a solution to integrate with kerberos and/or Azure AD (maybe a SAML identity provider like Okta / Ping) and allow for sync'ing the local account password with the Active DIrectory / Azure AD account. It will be a far smoother end user experience. There are many ways to accomplish the password sync. It is a very complex topic so have some patience, if it's primarily a Microsoft IT shop, they are unlikely to have much experience with managing Macs.
Check System Settings -> Privacy & Security -> Profiles
It should say ‘No profiles installed’ which is the default for unmanaged retail consumer Macs. Profiles are used by schools and companies to enforce settings and it is extremely common to expire the Mac user password and enforce using a quality strong password.
If you see profiles listed then it is applying a password policy. Some hackers and scammers may try to get you to enroll with their rogue MDM (Mobile Device Management) server.
I know this because it’s part of my day job.
Another possibility is that you changed your Mac password in the past and the prompts you see are related to the keychain being out of sync. When you login to macOS, it will use the password to unlock the login keychain. If it is the keychain you’ll see a whole bunch of these login prompts one after the other.
To fix a keychain, enter with your previous password at the popup password prompt. That will unlock the login keychain. Then macOS will silently update the password used to lock the keychain so it matches your login password.
If you cant remember the password you can reset the keychain. This renames the login keychain file and creates a new one. There may be some data loss but you can add the renamed keychain to the Keychain Access App and keep trying passwords until you unlock it. There is no way to reset the password on a keychain for security reasons. Not even Apple can help.
If you need to update your keychain password on Mac - Apple Support
We experience this on the company Macs, with forced password expiration.
Our experience is that changing the password at the login prompt DOES NOT change the FileVault password, so things are out of sync! 😱
The ONLY safe way to change your password is via System Settings-> Users & Groups
Anything else is just asking for trouble.
That sounds more like your Apple ID password more than the macOS user login password and that might be due to it being a known compromised password or it is not strong enough to evade brute force attacks. I know a decade ago, Apple increased the requirements for the Apple ID password and strongly recommended turning on 2-Factor Authentication where you get a code on your other devices (or same device). This was a direct result of all those celebrities getting hacked by paparazzi and the tabloid papers.
The screenshot will be valuable to identify precisely what you are seeing. If it's the real initial login screen after powering on, you can't take a screenshot but you can use your phone to take a picture of the screen. Drag the photo out of the Photos app to desktop so you can attach it in reply.
If it's something popping up while you are logged in, it may be the Apple ID or perhaps the Keychain.
Here is a good way to create strong passwords: (courtesy of the Xkcd Comic)
This is almost certainly an Apple issue.
We've had several Macbook Pros require password resets for no obvious reason shortly after installing updates from Apple. Most are on OS 14, but it's happened on OS 13 as well. In several of these cases, it's refused to accept new passwords attempted because they 'don't meet the server's policy' (paraphrased because I don't have the exact error at hand.) When a system has thrown this error, it hasn't accepted any password attempted until powered all the way off, then restarted; even that doesn't consistently fix the issue, it's just been a consistent minimum requirement.
However, I am the primary administrator for our MDM that the Macbooks are attached to, and the only policy with Password settings is set as a Compliance policy, with the Action set to to warn of non-compliance (not enforce), with the settings:
As I recall, the only one of these not the default value is the "Maximum minutes of inactivity..." setting. And, obviously, the passwords aren't expiring by this policy (these are all 2019 or newer Macbook Pros) even if it was Enforced.
Apple isn’t doing it. If it is managed by a business, their MDM solution is driving it. Could just be a misconfiguration in their Policy.
There is no default password requirement or change frequency established in macOS. The only way to enable any sort of password control is through an MDM profile.
I have a hard time believing this is not an Apple thing.
I'm trying to figure this out for a user at my organization. We've started incorporating Apple devices into our Microsoft environment and everything is managed via Intune and a hybrid AD.
I was helping a user install a printer today and the local admin account on the Mac (that is in no way associated with the AD or Intune) invalidated its password. I found this out after eventually logging out of the user account and logging into the local admin account where it asked me to change the password in a similar way to when FileVault was enabled. Once I changed the local admin password, when we tried to log back into the user account, it forced her to change her password as well, but none of the Microsoft services that manage the device have asked her to change her password.
Is there any other service that could cause this? Is there something in the way Intune interacts with MacOS that could cause this?
I have somewhat simmilar issue. I get asked to change password after password policy gets applied and in the meantime filevault policy gets applied too. When I enter new password screen shakes like password would be wrong but thats for new password. Whatever I type I cannot change password and I cannot sign in with old pasword either.
Why this is happening and how to prevent it?
My M1 iMac is a personal computer... not for company use. I'm not even associated with a company because I am 100% retired. I get this alert message a few times a day to change my password. I want to find out how to disable that alert because I don't want to change my password.
23david23 wrote:
My M1 iMac is a personal computer... not for company use. I'm not even associated with a company because I am 100% retired. I get this alert message a few times a day to change my password. I want to find out how to disable that alert because I don't want to change my password.
Can you post a screenshot of the request?
In 30+ years of using a Mac I have never seen a password reset request.
Next time it happens I will try to remember to take a screenshot. I get the message on my iPhone, too.
Is it suggesting you change your AppleID password?
Or, is it suggesting a password you use was found in a data breach?
Eldarion2727 wrote:
• This is almost certainly an Apple issue.
All of my Macs have passwords on all accounts and have never been required to change the password.
Next time it happens I will try to remember to take a screenshot. I get the message on my iPhone, too.
why is my macbook forcing a password reset at login?
