If I have macOS devices enrolled in MDM, with a DDM policy defined to deliver passcode settings to the device, I can run:
sudo pwpolicy -getaccountpolicies
to see the configuration on the device.
I can subsequently run:
sudo pwpolicy -clearaccountpolicies
Then all passcode policies applied in my declarations are cleared from the device, allowing the user to set and use any password they want, with no bearing on the delivered passcode settings.
I have left my macOS devices for days on and off network and the pwpolicy data never returns.
The passcode settings do not restore on the device until I do one of the following:
- manually re-push all declarations from MDM
- log off and log back on
- reboot the computer
It was my understanding that DDM was meant to assess device state and self heal on its own without requiring an MDM service to re-push any commands.
Based on this finding, this seems broken, or I may misunderstand how DDM is supposed to work.
macOS version: 26.4.1
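A small shell check, added here as an example and not part of the original post, that turns the post's `pwpolicy -getaccountpolicies` observation into a monitoring control: it reports whether account policies are still present on the Mac and lists their identifiers, so a cleared policy set can be caught without waiting for a re-push. The sample outputs and the rule that a policy-bearing result contains a `policyCategory` key are constructed assumptions, not captured from a device.

```shell
#!/bin/sh
# Added example, not from the original post: check whether the account policies
# DDM delivered are still present, from the same `pwpolicy -getaccountpolicies`
# output the post inspects. Assumption: a policy-bearing result contains at
# least one <key>policyCategory...</key>; a result with none counts as cleared.

# policy_status <output> -> prints "present" or "cleared"
policy_status() {
    n=$(printf '%s\n' "$1" | grep -c '<key>policyCategory' || true)
    if [ "$n" -gt 0 ]; then echo present; else echo cleared; fi
}

# list_policy_identifiers <output> -> one policyIdentifier value per line
list_policy_identifiers() {
    printf '%s\n' "$1" | awk '/<key>policyIdentifier<\/key>/ {
        getline; gsub(/<\/?string>|^[ \t]+/, ""); print }'
}

# check_live_device -> queries this Mac; returns 0 present, 2 cleared, 3 no pwpolicy
check_live_device() {
    command -v pwpolicy >/dev/null 2>&1 || { echo "pwpolicy not found" >&2; return 3; }
    out=$(pwpolicy -getaccountpolicies 2>/dev/null || true)
    if [ "$(policy_status "$out")" = present ]; then
        echo "account policies present:"; list_policy_identifiers "$out"; return 0
    fi
    echo "WARNING: no account policies found; DDM passcode settings may have been cleared" >&2
    return 2
}

# Constructed sample outputs (not captured from a device) for offline testing.
SAMPLE_PRESENT='Getting global account policies
<plist version="1.0">
<dict>
  <key>policyCategoryPasswordContent</key>
  <array>
    <dict>
      <key>policyContent</key>
      <string>policyAttributePassword matches &apos;.{8,}&apos;</string>
      <key>policyIdentifier</key>
      <string>com.example.ddm.minLength</string>
    </dict>
  </array>
</dict>
</plist>'
SAMPLE_CLEARED='Getting global account policies
<plist version="1.0"><dict/></plist>'

# On a Mac, run as root with --live to check the real device.
if [ "${1:-}" = "--live" ]; then check_live_device; fi
```

Scheduling this check (for example from a LaunchDaemon) and shipping a non-zero exit to your logging pipeline gives an independent signal that the delivered passcode settings have drifted.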