Suppressing undesired local account password policy notifications on macOS Sonoma
As part of the release of macOS Sonoma 14.0.0, there is a bug which may be triggered if you have deployed a configuration profile which sets password rules for local accounts. An example profile is shown below:
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?xml version="1.0" encoding="UTF-8"?> | |
| <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> | |
| <plist version="1.0"> | |
| <dict> | |
| <key>PayloadContent</key> | |
| <array> | |
| <dict> | |
| <key>PayloadDisplayName</key> | |
| <string>Passcode</string> | |
| <key>PayloadIdentifier</key> | |
| <string>com.apple.mobiledevice.passwordpolicy.3BCA8E01-3CB9-4D6B-8338-518C51B80AAF</string> | |
| <key>PayloadType</key> | |
| <string>com.apple.mobiledevice.passwordpolicy</string> | |
| <key>PayloadUUID</key> | |
| <string>F0B7EB5D-5DF1-4DDC-8A80-01CA458E6157</string> | |
| <key>PayloadVersion</key> | |
| <integer>1</integer> | |
| <key>allowSimple</key> | |
| <false/> | |
| <key>forcePIN</key> | |
| <true/> | |
| <key>maxFailedAttempts</key> | |
| <integer>10</integer> | |
| <key>minLength</key> | |
| <integer>15</integer> | |
| <key>minutesUntilFailedLoginReset</key> | |
| <integer>15</integer> | |
| <key>requireAlphanumeric</key> | |
| <true/> | |
| </dict> | |
| </array> | |
| <key>PayloadDescription</key> | |
| <string>Sets password rules for local accounts on this Mac.</string> | |
| <key>PayloadDisplayName</key> | |
| <string>Local Account Password Rules</string> | |
| <key>PayloadIdentifier</key> | |
| <string>com.company.9EF1E03A-5DEB-4D1F-9E14-D76AFF153C35</string> | |
| <key>PayloadOrganization</key> | |
| <string>Company Name</string> | |
| <key>PayloadType</key> | |
| <string>Configuration</string> | |
| <key>PayloadUUID</key> | |
| <string>40829036-5EAF-42C9-9678-D27F0C28654B</string> | |
| <key>PayloadVersion</key> | |
| <integer>1</integer> | |
| </dict> | |
| </plist> |
In those cases, you may see one or the other following notifications when you log into macOS Sonoma for the first time.
These notifications don’t actually indicate a problem and clicking on them does nothing but make the messages disappear. However, for shops which are using profiles which set local account password rules, these messages will almost certainly cause tickets asking “What is this and what does it mean?” from your user community.
I have filed feedback with Apple regarding this issue. For those wishing to reference it, it is Feedback # FB12845634.
For the initial release of Sonoma, the best solution identified so far is to suppress the notifications for local password management, to make sure that these notifications don’t appear until Apple releases an update to macOS Sonoma which addresses this problem. To assist with this, I have an example profile available from the link below:
https://github.com/rtrouton/profiles/tree/main/DisableAppleLocalUserAccountPasswordNotifications
Note: The example profile linked above will suppress all local account password policy notifications. If you are using local account password policy notifications for other purposes, this solution may not work for you.
The component in macOS which generates the local account password notifications also exists on macOS Ventura, so you should be able to deploy a profile like the one linked above to macOS Ventura. This should ensure that Macs upgrading to macOS Sonoma also have these notifications suppressed from the start on macOS Sonoma 14.0.0.
Leave a comment
Recent Comments
 | Ben LeRoy on Losing a giant |
 | Peter-Erik on Downloading installer packages… |
 | nathanhaggard on Losing a giant |
 | andras0602 on Disabling login window clock d… |
 | Jeff on Losing a giant |
Der Flounder 
I have a quick question I am running MacOS 14.2 and I am looking to set a password policy for a non admin user. I need to follow compliance on my Mac in order to be allowed on the corporate network with BYOD.
I’ve researched pwpolicy and I think I am failing because I cannot get this to apply all policies I need to ensure. With depreciated switches I got one thing to work same works for the new way with the .xml layout .plist file.
I’ve also looked down on the MDM and I don’t want to set it for all users on my Mac but only for the particular one.
What I need to accomplish.
90 days password expiration
minumum 8 chars password upper case letter,. number and special character
5 minutes log screensaver
5 minutes locking screen like on Windows
Do you have any ideas how to achieve this?