We've put in a Feedback Assistant request, but we're not sure whether we will get feedback through that channel, and we also want to highlight this for others.
When replacing a basic passcode profile on a macOS device with a passcode declaration, the user is required to change the password after logging out and back in. Explicitly including the "ChangeAtNextAuth" key set to false still required a password change after logging out and back in. Once the declaration is active and the password has been changed, future updates to the passcode declaration do not require a password change unless the existing password is not compliant.
Steps to reproduce:
- Install a basic passcode profile on a macOS device
- Ensure the existing password matches the requirements specified in the profile
- Install a passcode declaration with the same settings as the passcode profile currently installed
- Remove the traditional passcode profile from the device
- After the passcode declaration is installed, check the local pwpolicy with the command "pwpolicy getaccountpolicies" and look for the key "policyAttributePasswordRequiredTime"
- Log out of the macOS device
- Log back into the macOS device and you are presented with a change password prompt
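As an added example (not part of the original post), the pwpolicy check from the steps above can be scripted so an admin can tell, before anyone logs out, whether the device is going to force a password change at the next login. It only assumes that the key name "policyAttributePasswordRequiredTime" appears verbatim in the output of pwpolicy getaccountpolicies; the two sample outputs below are constructed for offline testing and are not real pwpolicy output.

```shell
#!/bin/sh
# Added example: detect whether the local account policy carries the
# policyAttributePasswordRequiredTime key, which the post identifies as the
# indicator that a password change will be forced at the next login.

# policy_requires_change TEXT
# Returns 0 (true) if the policy text mentions the key, 1 otherwise.
# Assumption: the key name appears literally in the output; no particular
# plist layout is relied on.
policy_requires_change() {
    printf '%s\n' "$1" | grep -q 'policyAttributePasswordRequiredTime'
}

# check_live_policy
# Runs the real pwpolicy command on a Mac and prints a verdict.
# Exit status: 0 = change pending, 1 = no change pending, 2 = pwpolicy failed.
check_live_policy() {
    out=$(pwpolicy getaccountpolicies 2>/dev/null) || {
        echo "pwpolicy getaccountpolicies failed (run on macOS, typically as admin)"
        return 2
    }
    if policy_requires_change "$out"; then
        echo "password change pending at next login"
        return 0
    fi
    echo "no forced password change pending"
    return 1
}

# Constructed sample output resembling a policy that forces a change.
# This is NOT real pwpolicy output; only the presence of the key matters.
SAMPLE_PENDING='Getting global account policies
<plist version="1.0">
<dict>
  <key>policyCategoryPasswordChange</key>
  <array>
    <dict>
      <key>policyContent</key>
      <string>policyAttributeCurrentTime &gt; policyAttributePasswordRequiredTime</string>
    </dict>
  </array>
</dict>
</plist>'

# Constructed sample output with only a content policy (no forced change).
SAMPLE_CLEAN='Getting global account policies
<plist version="1.0">
<dict>
  <key>policyCategoryPasswordContent</key>
  <array>
    <dict>
      <key>policyContent</key>
      <string>policyAttributePassword matches %@</string>
    </dict>
  </array>
</dict>
</plist>'

# Stand-alone demo over the constructed samples (no pwpolicy needed).
if policy_requires_change "$SAMPLE_PENDING"; then
    echo "sample 1: change pending"
fi
if ! policy_requires_change "$SAMPLE_CLEAN"; then
    echo "sample 2: no change pending"
fi
```

On a real device, call check_live_policy before and after swapping the profile for the declaration; a switch from "no forced password change pending" to "password change pending" mirrors the behavior described in the steps above.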
Expected result: Simply replacing an existing passcode profile with the exact same settings in a passcode declaration should not require a password change if the existing password is compliant.
Actual results: After replacing the passcode profile with a passcode declaration, a password change was required even though the existing password was compliant.
Initial testing was done with a macOS VM running 15.5. Additional testing has now been done with a macOS VM running 26.4.1 and the same behavior was observed.