Create a password policy for your managed Apple devices to ensure data protection, compliance, and consistent security standards on all devices that have access to company resources.
Aim
In this how-to, we'll show you how to create a password policy for managed iOS/iPadOS/macOS devices.
Implementation
- To set up the policy, select Administration → Policies in the administration portal.
- Click the plus sign to create a new policy.
- Then select either iOS/iPadOS or macOS as the platform. (For more information, see our help article on creating MDM policies.)
- Keep the Supervised Devices Enrollment Method (arrow in illus.).

Now you can define the criteria according to which a device passcode may be created by users (see illus.). As soon as you set a check mark in the Force passcode checkbox, the selection of a minimum passcode length, a maximum passcode age, a maximum number of failed attempts and a passcode history is mandatory.
Note! If you activate Force passcode in the policy, the Allow modifying passcode policy must also be set so that the user can change the passcode on the device.

If you enforce the use of a passcode, you can also configure the following settings:
- Require alphanumeric value: Check the box if you want users to use strings consisting of letters and numbers for their passwords.
- Allow simple value: Select this checkbox if users are allowed to use a simple value for their password. A simple passcode contains repeating characters or consecutive characters, such as 123 or CBA.
- Minimum number of complex characters: Set the minimum number of complex characters that a passcode must contain. A complex character is a character that is not a number or letter, such as &, %, $, and #.
- Minimum password length: Set the minimum total length of the password.
- Automatic lock time (min): Set the maximum number of minutes the device can be idle without the user unlocking it. When this limit is reached, the system locks the device and requires the passcode to be entered to unlock it. The user can edit this setting, but the value cannot exceed the maximum value set here.
- Maximum grace period for device lock: Set the maximum amount of time in minutes that the phone can be unlocked without entering a passcode.
- Passcode validity (1-730 days, or none): Specify how long the password can remain unchanged before it must be renewed. After this number of days has elapsed, the system forces the user to change the passcode.
- Maximum number of failed logins: Set the number of failed passcode attempts that the system allows the user before it erases or locks the device. After six failed attempts, the device imposes a time delay before the user can enter a passcode again. The time delay increases with each failed attempt.
- Passcode history (1-50, or none): Specify how many times the password/passcode must be changed before an old one can be used again.
Then assign the new passcode policy to your users/groups/devices. We show you how to do this in our help article Assign/unassign, edit and duplicate policies.
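
The following Python example is added here and is not part of the portal or the original article: it checks a draft policy against the rules stated above (mandatory selections with Force passcode, the Allow modifying passcode dependency, the 1-730 and 1-50 ranges) and renders the settings as an Apple passcode payload. The dictionary field names are hypothetical, and the mapping of the portal's settings to the payload keys of `com.apple.mobiledevice.passwordpolicy` is an assumption.

```python
import plistlib

# Assumed mapping of the portal's settings (hypothetical field names) to the
# keys of Apple's passcode payload, com.apple.mobiledevice.passwordpolicy.
APPLE_KEYS = {
    "require_alphanumeric": "requireAlphanumeric",
    "allow_simple": "allowSimple",
    "min_complex_chars": "minComplexChars",
    "min_length": "minLength",
    "auto_lock_minutes": "maxInactivity",
    "grace_period_minutes": "maxGracePeriod",
    "validity_days": "maxPINAgeInDays",
    "max_failed_attempts": "maxFailedAttempts",
    "history": "pinHistory",
}
# Selections the article makes mandatory once Force passcode is ticked.
MANDATORY = ("min_length", "validity_days", "max_failed_attempts", "history")
# Ranges stated in the article; None stands for the "none" choice.
RANGES = {"validity_days": (1, 730), "history": (1, 50)}


def check_policy(policy):
    """Return a list of problems; an empty list means the draft is consistent."""
    problems = []
    if not policy.get("force_passcode"):
        return problems  # nothing else is mandatory without Force passcode
    if not policy.get("allow_modifying_passcode"):
        problems.append("Force passcode set but Allow modifying passcode is not")
    for field in MANDATORY:
        if field not in policy:
            problems.append(f"{field}: selection is mandatory with Force passcode")
    for field, (low, high) in RANGES.items():
        value = policy.get(field)
        if value is not None and not low <= value <= high:
            problems.append(f"{field}: {value} is outside {low}-{high}")
    return problems


def to_payload(policy):
    """Build the passcode payload dictionary and serialise it as an XML plist."""
    payload = {"PayloadType": "com.apple.mobiledevice.passwordpolicy",
               "forcePIN": bool(policy.get("force_passcode"))}
    for field, key in APPLE_KEYS.items():
        if policy.get(field) is not None:  # "none" selections are left out
            payload[key] = policy[field]
    return plistlib.dumps(payload).decode()


# Constructed sample draft, not taken from the article.
DRAFT = {"force_passcode": True, "allow_modifying_passcode": True, "min_length": 8,
         "validity_days": 90, "max_failed_attempts": 10, "history": 5,
         "require_alphanumeric": True, "allow_simple": False}
```

The output of `to_payload` is only the passcode payload dictionary; a deployable configuration profile additionally needs the usual profile wrapper and identifiers.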