OSX Password Policy (passes CIS-CAT scan)

pwpolicy.plist

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>policyCategoryAuthentication</key>
	<array>
		<dict>
			<key>policyContent</key>
			<string>(policyAttributeFailedAuthentications &lt; policyAttributeMaximumFailedAuthentications) OR (policyAttributeCurrentTime &gt; (policyAttributeLastFailedAuthenticationTime + autoEnableInSeconds))</string>
			<key>policyIdentifier</key>
			<string>Authentication Lockout</string>
			<key>policyParameters</key>
			<dict>
				<key>autoEnableInSeconds</key>
				<integer>300</integer>
				<key>policyAttributeMaximumFailedAuthentications</key>
				<integer>5</integer>
			</dict>
		</dict>
	</array>
	<key>policyCategoryPasswordChange</key>
	<array>
		<dict>
			<key>policyContent</key>
			<string>policyAttributeCurrentTime &gt; policyAttributeLastPasswordChangeTime + policyAttributeExpiresEveryNDays * 24 * 60 * 60</string>
			<key>policyIdentifier</key>
			<string>Change every 90 days</string>
			<key>policyParameters</key>
			<dict>
				<key>policyAttributeExpiresEveryNDays</key>
				<integer>90</integer>
			</dict>
		</dict>
	</array>
	<key>policyCategoryPasswordContent</key>
	<array>
		<dict>
			<key>policyContent</key>
			<string>policyAttributePassword matches '.{9,}+'</string>
			<key>policyIdentifier</key>
			<string>Password must be a minimum of 15 characters in length</string>
			<key>policyParameters</key>
			<dict>
				<key>minimumLength</key>
				<integer>15</integer>
			</dict>
		</dict>
		<dict>
			<key>policyContent</key>
			<string>policyAttributePassword matches '(.*[0-9].*){1,}+'</string>
			<key>policyIdentifier</key>
			<string>Password must have at least 1 number</string>
			<key>policyParameters</key>
			<dict>
				<key>minimumNumericCharacters</key>
				<integer>1</integer>
			</dict>
		</dict>
		<dict>
			<key>policyContent</key>
			<string>policyAttributePassword matches '(.*[0-9].*){1,}+'</string>
			<key>policyIdentifier</key>
			<string>Password must have at least 1 letter</string>
			<key>policyParameters</key>
			<dict>
				<key>minimumAlphaCharacters</key>
				<integer>1</integer>
			</dict>
		</dict>
		<dict>
			<key>policyContent</key>
			<string>policyAttributePassword matches '(.*[A-Z].*){1,}+'</string>
			<key>policyIdentifier</key>
			<string>Password must have both uppercase and lowercase letters</string>
			<key>policyParameters</key>
			<dict>
				<key>minimumAlphaCharactersUpperCase</key>
				<integer>1</integer>
				<key>minimumAlphaCharactersLowerCase</key>
				<integer>1</integer>
			</dict>
		</dict>
		<dict>
			<key>policyContent</key>
			<string>policyAttributePassword matches '(.*[^a-zA-Z0-9].*){1,}+'</string>
			<key>policyIdentifier</key>
			<string>Password must have at least 1 special character</string>
			<key>policyParameters</key>
			<dict>
				<key>minimumSymbols</key>
				<integer>1</integer>
			</dict>
		</dict>
		<dict>
			<key>policyContent</key>
			<string>none policyAttributePasswordHashes in policyAttributePasswordHistory</string>
			<key>policyIdentifier</key>
			<string>Password must differ from past 15 passwords</string>
			<key>policyParameters</key>
			<dict>
				<key>policyAttributePasswordHistoryDepth</key>
				<integer>15</integer>
			</dict>
		</dict>
	</array>
</dict>
</plist>