Enabling Security policies is not enforcing a password change automatically for the operators that do not align with new policies in some of our environments. That said, if we try to update password for operator rule form it does seem to detect and enforce policy changes.
While, there is a different instance in which enabling policies forced all operators automatically to update their password on subsequent login whoever did not align with new policies.
Can you help to elaborate the configuration difference between the two instances when it worked /not worked which you observed. Was this behaviour observed in same application and with same configurations .
I hope you are enabling password policies in the AuthService which you use along with configuring it in System Security policy.
These are 2 different applications and the policies enabled are for a direct access to Pega Designer studio on both apps in a similar way. I did not see a need for enabling anything on AuthSrvc since its a direct access to designer studio and we infact any AuthSrvc for direct access. We do have SAML enabled SSO service but i am not worries about policies for those users since its not tied to them.
What kind of scenario or use case you enable password policies in AuthSrvc rule along with System Security policy?
Direct access to Designer studio also happens via OOTB authentication service , Platform authentication , you can see security policies tab , i have attached the screenshot for reference. Check if you have policies defined there also.
On second thought i feel , it must be present by default since its OOTB basic credentials Auth Service.