Comprehensive Rules for designing, deploying, and validating strong password policies on macOS via MDM configuration profiles.
Stop manually configuring password policies across your fleet. These Cursor Rules transform macOS password management from a reactive scramble into a proactive, MDM-powered security system that enforces compliance automatically.
Your security team demands 12-character passwords with complexity requirements. Your users resist change. Your MDM console shows inconsistent policy enforcement across devices. Meanwhile, you're manually checking password compliance and hoping users follow guidelines.
The real pain points:
Transform your macOS password management into an automated, audit-ready security system. These rules generate enterprise-grade MDM configuration profiles that enforce consistent password policies across your entire fleet—no manual intervention required.
Key capabilities:
Eliminate Policy Drift
```bash
# Before: manual pwpolicy commands
sudo pwpolicy -setglobalpolicy "minChars=8"
# Inconsistent across devices, easily bypassed
```

```xml
<!-- After: MDM-enforced configuration -->
<key>minLength</key><integer>12</integer>
<key>requireComplexCharacters</key><integer>3</integer>
<key>maxFailedAttempts</key><integer>10</integer>
```
Automated Compliance Validation
Zero-Touch Recovery Planning
Challenge: Deploy consistent password policies across 500+ Macs in multiple locations.
```bash
#!/usr/bin/env bash
set -euo pipefail
# Generate enterprise-grade password policy
# Requirements: 12 chars, 3 complexity types, 90-day rotation
```
The rules generate a complete .mobileconfig with proper PayloadUUIDs, versioning, and compliance mapping. Deploy once through your MDM, enforce everywhere.
Challenge: Map current password policies to CIS benchmarks for audit.
```xml
<!-- Auto-generated compliance mapping -->
<!-- CIS macOS 2.4.1: Minimum password length -->
<key>minLength</key><integer>12</integer>
<!-- CIS macOS 2.4.2: Password complexity -->
<key>requireComplexCharacters</key><integer>3</integer>
```
The rules automatically document which CIS controls each configuration addresses, turning audit prep from weeks into hours.
Challenge: Prevent configuration conflicts between department-specific policies.
Before: Random policy wins, unpredictable enforcement.
After: Explicit precedence rules and conflict detection.

```xml
<!-- Department-specific payload identifiers -->
<key>PayloadIdentifier</key><string>com.acme.password.engineering.v2</string>
<key>PayloadVersion</key><integer>2</integer>
```
```bash
# Install required tools
brew install uuidgen
# Clone your MDM configuration repository
git clone your-mdm-configs-repo
cd mdm-configs/password-policies
```
Add the rules to your .cursorrules file in your MDM configuration project. The rules understand your enterprise requirements and generate compliant profiles automatically.
```bash
# Create a new password policy profile
cursor-chat "Create a password policy for engineering teams requiring 14-character passwords with 4 complexity types"
```
The rules generate a complete configuration profile with:
```bash
# Test profile before deployment
./validate-password-policy.sh engineering-password-policy.mobileconfig
# Deploy through your MDM console
# Jamf Pro: Computer Configuration Profiles
# Intune: Device Configuration → macOS → Custom
# Weekly compliance check
./audit-password-compliance.sh > weekly-report.json
# Automatic drift detection and alerting
```
Time Savings: Reduce password policy deployment from days to minutes
Security Improvements: Eliminate the most common password-related vulnerabilities
Audit Readiness: Transform compliance from reactive to proactive
Developer Productivity: Focus on features, not security configuration
Your macOS fleet transforms from a password policy liability into a security asset. Users get clear, consistent requirements. Admins get automated enforcement. Auditors get complete documentation.
Start securing your fleet properly—implement these rules and deploy enterprise-grade password policies in the next 30 minutes.
You are an expert in macOS 13+ security, Apple MDM (Jamf Pro, Microsoft Intune, Kandji), Configuration Profiles (.mobileconfig XML), Bash, and pwpolicy.
Key Principles
- Enforce defense-in-depth: combine strong local-password requirements, 2-factor auth, and account-lockout.
- Make policies immutable through MDM; the strictest profile always wins.
- Prefer central, version-controlled .mobileconfig files over ad-hoc scripting.
- Keep payloads minimal, explicit, and idempotent—one payload type per profile whenever feasible.
- Name every PayloadIdentifier with reverse-DNS + version (e.g., com.acme.password.v3).
- Increment PayloadVersion on every change; re-push profile to refresh clients.
- Separate enforcement (MDM) from secrets storage (e.g., iCloud Keychain, 1Password).
Apple Configuration Profiles (XML)
- Root keys must include PayloadUUID (uuidgen), PayloadIdentifier, PayloadDisplayName, PayloadType (Configuration), PayloadVersion.
- Password payload uses PayloadType com.apple.mobiledevice.passwordpolicy.
- Required keys & recommended values:
• minLength: 12
• maxFailedAttempts: 10 (account lockout)
• maxInactivity: 900 # 15 minutes in seconds
• maxPINAgeInDays: 90
• pinHistory: 10 # remember last 10
• requireComplexCharacters: 3 # upper, lower, numeric, special
• allowSimple: false # disallow sequential/simple
- Always wrap integers in <integer>, booleans in <true/> or <false/>, strings in <string>.
- Keep every key exactly as the Apple docs spell it (PascalCase for the Payload* keys, camelCase for the password-policy keys such as minLength); keys are case-sensitive.
- Example minimal payload:
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadDisplayName</key><string>Acme Password Policy</string>
<key>PayloadIdentifier</key><string>com.acme.password.v3</string>
<key>PayloadUUID</key><string>59C7722A-31C6-4E73-B847-1F9619D8FE6B</string>
<key>PayloadType</key><string>Configuration</string>
<key>PayloadVersion</key><integer>3</integer>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadType</key><string>com.apple.mobiledevice.passwordpolicy</string>
<key>PayloadVersion</key><integer>1</integer>
<key>PayloadIdentifier</key><string>com.acme.password.v3.policy</string>
<key>PayloadUUID</key><string>1E73A444-58F7-4B58-9B9F-7E3B5EE8B6B2</string>
<key>PayloadEnabled</key><true/>
<key>minLength</key><integer>12</integer>
<key>requireComplexCharacters</key><integer>3</integer>
<key>maxFailedAttempts</key><integer>10</integer>
<key>maxPINAgeInDays</key><integer>90</integer>
<key>pinHistory</key><integer>10</integer>
<key>maxInactivity</key><integer>900</integer>
</dict>
</array>
</dict>
</plist>
```
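A generator for the profile above, added here as an example (Python, standard library `plistlib`; not the rules' own generator or any MDM vendor's tool). It serves both the deployment script sketched in the 500-Mac challenge earlier and this minimal payload: fresh PayloadUUIDs on every run, the recommended values as defaults, and a round-trip parse before the file is handed to the MDM. The com.acme identifier and the output file name are assumptions.

```python
# Added example (Python, standard library only); not the rules' own generator
# or any MDM vendor's tool. Builds the page's password-policy profile with
# fresh PayloadUUIDs. The com.acme identifier and file name are assumptions.
import plistlib
import uuid

PASSWORD_PAYLOAD_TYPE = "com.apple.mobiledevice.passwordpolicy"

# Recommended values from the page; maxInactivity is in seconds (15 minutes).
DEFAULT_POLICY = {
    "minLength": 12, "requireComplexCharacters": 3, "maxFailedAttempts": 10,
    "maxPINAgeInDays": 90, "pinHistory": 10, "maxInactivity": 900,
    "allowSimple": False,
}


def build_profile(identifier, version, display_name, policy=None):
    """Return the profile as a dict for plistlib. identifier is reverse-DNS plus
    version (com.acme.password.v3); version is the PayloadVersion to bump on change."""
    policy = DEFAULT_POLICY if policy is None else policy
    payload = {
        "PayloadType": PASSWORD_PAYLOAD_TYPE,
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{identifier}.policy",
        "PayloadUUID": str(uuid.uuid4()).upper(),  # new UUID per generation
        "PayloadEnabled": True,
        **policy,
    }
    return {
        "PayloadDisplayName": display_name,
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadType": "Configuration",
        "PayloadVersion": version,
        "PayloadContent": [payload],
    }

def to_xml(profile):
    """Serialise as Apple XML plist: int -> <integer>, bool -> <true/>/<false/>."""
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML, sort_keys=False)

def parse_profile(data):
    """Parse the XML back into a dict (round-trip check before deployment)."""
    return plistlib.loads(data)

if __name__ == "__main__":
    profile = build_profile("com.acme.password.v3", 3, "Acme Password Policy")
    with open("acme-password-policy.mobileconfig", "wb") as fh:
        fh.write(to_xml(profile))
```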
Bash / pwpolicy Helper Scripts
- Always wrap in `#!/usr/bin/env bash` and use `set -euo pipefail`.
- Query current policy: `pwpolicy -getglobalpolicy`.
- Set temporary overrides for testing only—never in production: `pwpolicy -setglobalpolicy "minChars=12 requiresAlpha=1 requiresNumeric=1 requiresSymbol=1"`.
- Validate change success: check exit code, then read-back policy and diff.
Error Handling and Validation
- Configure `maxFailedAttempts` ≥ 5 and ≤ 10; after exhaustion, MDM triggers account lockout.
- Validate profile install success via MDM inventory status and `/usr/bin/profiles -P -v` on client.
- Use early-fail scripts: if the profile is missing, write an error to `stderr` and exit 1.
- Maintain an out-of-band recovery flow (FileVault-enabled admin account, escrowed key) because MDM cannot remotely reset local account passwords.
Apple MDM (Jamf/Intune) Rules
- Scope password profile to all standard and admin users; exclude service accounts.
- In Jamf: Smart Group criteria `Password Age is greater than 89` triggers force-change.
- In Intune: Device Compliance ➜ macOS ➜ System Security ➜ configure same keys; set Actions for noncompliance to lock device after 24 hours.
- Deploy separate profile for `com.apple.loginwindow` to set `IdleTime` 900 and `DisableAutoLogin` true.
- Avoid overlapping password payloads; if unavoidable, document precedence and last write-time.
Testing
- Lab test on at least two macOS versions (current-1, current).
- Automated check: after profile push, script attempts to set weak password—expect failure code 78007.
- Regression test when upgrading macOS major versions; confirm keys still honored.
Performance
- Keep payload size small (< 25 KB) to speed up MDM delivery.
- Batch profile pushes during low-traffic windows to reduce APNs congestion.
Security
- Combine password policy with FileVault full-disk encryption; escrow keys to MDM.
- Enable 2FA (Apple ID or IdP) for all admin access.
- Store profile source files in a private Git repo; protect with signed commits.
Compliance & Auditing
- Export `profiles -P` output weekly to SIEM for drift detection.
- Retain versioned .mobileconfig files for at least one audit cycle.
- Map each policy key to CIS benchmarks: e.g., CIS macOS 2.4.1 = minLength, complex chars.
Common Pitfalls & How to Avoid Them
- Multiple password profiles ➜ consolidate or ensure identical settings; conflicts cause random failures.
- Forgetting to increment PayloadVersion ➜ profile not reinstalled; always bump during change.
- Using dictionary-style keys (e.g., `minChars`) in an MDM UI that silently map to different XML keys; verify the generated XML.
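A pre-deployment linter, added as an example (Python, standard library `plistlib`; not the rules' `validate-password-policy.sh`), covering the validation points in Error Handling and Validation and the pitfalls in this list: required root keys, the recommended thresholds, overlapping password payloads, and a PayloadVersion that was not bumped against the version currently deployed. The sample profile is constructed to mirror the page's minimal payload.

```python
# Added example (Python, standard library only); not the rules' own
# validate-password-policy.sh. Lints a .mobileconfig for the checks the rules
# call for. The sample profile at the bottom is constructed for this page.
import plistlib

PASSWORD_PAYLOAD_TYPE = "com.apple.mobiledevice.passwordpolicy"
ROOT_KEYS = ("PayloadUUID", "PayloadIdentifier", "PayloadDisplayName", "PayloadType", "PayloadVersion")
# Recommended (min, max) per key, taken from the rules; None means unbounded.
BOUNDS = {"minLength": (12, None), "maxFailedAttempts": (5, 10),
          "requireComplexCharacters": (3, 4), "maxPINAgeInDays": (1, 90),
          "pinHistory": (10, None), "maxInactivity": (1, 900)}

def lint_profile(data, previous_version=None):
    """Return a list of findings (empty means pass). data is plist XML bytes or a dict;
    previous_version is the PayloadVersion currently deployed, if known."""
    profile = plistlib.loads(data) if isinstance(data, (bytes, bytearray)) else data
    findings = [f"missing root key {k}" for k in ROOT_KEYS if k not in profile]
    if profile.get("PayloadType") != "Configuration":
        findings.append("root PayloadType must be Configuration")
    if previous_version is not None and profile.get("PayloadVersion", 0) <= previous_version:
        findings.append("PayloadVersion not incremented; clients will not reinstall")
    payloads = [p for p in profile.get("PayloadContent", [])
                if p.get("PayloadType") == PASSWORD_PAYLOAD_TYPE]
    if len(payloads) != 1:  # overlapping payloads: the first pitfall above
        findings.append(f"expected exactly one password payload, found {len(payloads)}")
    for p in payloads:
        for key, (lo, hi) in BOUNDS.items():
            val = p.get(key)
            if val is None:
                findings.append(f"{key} not set")
            elif isinstance(val, bool) or not isinstance(val, int):
                findings.append(f"{key} must be an <integer>")
            elif (lo is not None and val < lo) or (hi is not None and val > hi):
                findings.append(f"{key}={val} outside recommended range {lo}..{hi}")
        if p.get("allowSimple", True):  # absent means the platform default applies
            findings.append("allowSimple should be explicitly <false/>")
    return findings

# Constructed sample mirroring the page's minimal payload, for stand-alone runs.
SAMPLE_DICT = {
    "PayloadDisplayName": "Acme Password Policy", "PayloadType": "Configuration",
    "PayloadIdentifier": "com.acme.password.v3", "PayloadVersion": 3,
    "PayloadUUID": "59C7722A-31C6-4E73-B847-1F9619D8FE6B", "PayloadContent": [{
        "PayloadType": PASSWORD_PAYLOAD_TYPE, "PayloadVersion": 1, "PayloadEnabled": True,
        "PayloadIdentifier": "com.acme.password.v3.policy",
        "PayloadUUID": "1E73A444-58F7-4B58-9B9F-7E3B5EE8B6B2", "minLength": 12,
        "requireComplexCharacters": 3, "maxFailedAttempts": 10, "maxPINAgeInDays": 90,
        "pinHistory": 10, "maxInactivity": 900, "allowSimple": False}]}
SAMPLE = plistlib.dumps(SAMPLE_DICT)  # what a real .mobileconfig on disk looks like
```

Run `lint_profile(path_bytes, previous_version=<deployed version>)` in CI before the push; a non-empty list is the early-fail condition the rules describe.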