Passcode device policy

You create a passcode policy in Endpoint Management based on your organization’s standards. You can require passcodes on users’ devices and can set various formatting and passcode rules. You can create policies for iOS, macOS, Android, Samsung Knox, Android Enterprise, Windows Phone, and Windows desktop/tablet. Each platform requires a different set of values, which are described in this article.

To add or configure this policy, go to Configure > Device Policies. For more information, see Device policies.

iOS settings

Image of Device Policies configuration screen

  • Passcode required: Select this option to require a passcode and to display the configuration options for an iOS passcode device policy. The page expands to let you configure settings for passcode requirements, passcode security, and policy settings.
  • Passcode requirements
    • Minimum length: In the list, click the minimum passcode length. The default is 6.
    • Allow simple passcodes: Select whether to allow simple passcodes. Simple passcodes are a repeated or sequential set of characters. The default is On.
    • Required characters: Select whether to require passcodes to have at least one letter. The default is Off.
    • Minimum number of symbols: In the list, click the number of symbols the passcode must contain. The default is 0.
  • Passcode security
    • Device lock grace period (minutes of inactivity): In the list, click the length of time before users must enter a passcode to unlock a locked device. The default is None.
    • Lock device after (minutes of inactivity): In the list, click the length of time a device can be inactive before it is locked. The default is None.
    • Passcode expiration in days (1-730): Type the number of days after which the passcode expires. Valid values are 1–730. The default is 0, which means the passcode never expires.
    • Previous passwords saved (0-50): Type the number of used passwords to save. Users are unable to use any password found in this list. Valid values are 0–50. The default is 0, which means users can reuse passwords.
    • Maximum failed sign-on attempts: In the list, click the number of times a user can fail to sign in successfully after which the device is fully wiped. The default is Not defined.
  • Policy Settings
    • Next to Remove policy, click either Select date or Duration until removal (in hours).
    • If you click Select date, click the calendar to select the specific date for removal.
    • In the Allow user to remove policy list, click Always, Password required, or Never.
    • If you click Password required, next to Removal password, type the necessary password.

macOS settings

Image of Device Policies configuration screen

  • Passcode required: Select this option to require a passcode and to display the configuration options for an iOS passcode device policy. The page expands to let you configure settings for passcode requirements, passcode security, and policy settings.
  • If you do not enable Passcode required, next to Delay after failed sign-on attempts, in minutes, type the number of minutes to delay before allowing users to reenter their passcodes.
  • If you enable Passcode required, configure the following settings:
  • Passcode requirements
    • Minimum length: In the list, click the minimum passcode length. The default is 6.
    • Allow simple passcodes: Select whether to allow simple passcodes. Simple passcodes are a repeated or sequential set of characters. The default is On.
    • Required characters: Select whether to require passcodes to have at least one letter. The default is Off.
    • Minimum number of symbols: In the list, click the number of symbols the passcode must contain. The default is 0.
  • Passcode security
    • Device lock grace period (minutes of inactivity): In the list, click the length of time before users must enter a passcode to unlock a locked device. The default is None.
    • Lock device after (minutes of inactivity): In the list, click the length of time a device can be inactive before it is locked. The default is None.
    • Passcode expiration in days (1-730): Type the number of days after which the passcode expires. Valid values are 1–730. The default is 0, which means the passcode never expires.
    • Previous passwords saved (0-50): Type the number of used passwords to save. Users are unable to use any password found in this list. Valid values are 0–50. The default is 0, which means users can reuse passwords.
    • Maximum failed sign-on attempts: In the list, click the number of times a user can fail to sign in successfully after which the device is locked. The default is Not defined.
    • Delay after failed sign-on attempts, in minutes: Type the number of minutes to delay before allowing a user to reenter a passcode.
  • Policy Settings
    • Next to Remove policy, click either Select date or Duration until removal (in hours).
    • If you click Select date, click the calendar to select the specific date for removal.
    • In the Allow user to remove policy list, click Always, Password required, or Never.
    • If you click Password required, next to Removal password, type the necessary password.
    • Next to Profile scope, click either User or System. The default is User. This option is available only on macOS 10.7 and later.

Android settings

Image of Device Policies configuration screen

Note:

The default setting for Android is Off.

  • Passcode required: Select this option to require a passcode and to display the configuration options for an Android passcode device policy. The page expands to let you configure settings for passcode requirements, passcode security, encryption, and Samsung SAFE.
  • Passcode requirements
    • Minimum length: In the list, click the minimum passcode length. The default is 6.
    • Biometric recognition: Select whether to enable biometric recognition. If you enable this option, the Required characters field is hidden. The default is Off.
    • Required characters: In the list, click No Restriction, Both numbers and letters, Numbers only, or Letters only to configure how passcodes are composed. The default is No restriction.
    • Advanced rules: Select whether to apply advanced passcode rules. The default is Off.
    • When you enable Advanced rules, from each of the following lists, click the minimum number of each character type that a passcode must contain:
      • Symbols: The minimum number of symbols.
      • Letters: The minimum number of letters.
      • Lowercase letters: The minimum number of lowercase letters.
      • Uppercase letters: The minimum number of uppercase letters.
      • Numbers or symbols: The minimum number of numbers or symbols.
      • Numbers: The minimum number of numbers.
  • Passcode security
    • Lock device after (minutes of inactivity): In the list, click the length of time a device can be inactive before it is locked. The default is None
    • Passcode expiration in days (1-730): Type the number of days after which the passcode expires. Valid values are 1–730. The default is 0, which means the passcode never expires.
    • Previous passwords saved (0-50): Type the number of used passwords to save. Users are unable to use any password found in this list. Valid values are 0–50. The default is 0, which means users can reuse passwords.
    • Maximum failed sign-on attempts: In the list, click the number of times a user can fail to sign in successfully after which the device is wiped. The default is Not defined.
  • Encryption
    • Enable encryption: Select whether to enable encryption. The option is available regardless of the Passcode required setting.

      To encrypt their devices, users must start with a charged battery and keep the device plugged in for the hour or more that encryption takes. If they interrupt the encryption process, they may lose some or all of the data on their devices. After a device is encrypted, the process cannot be reversed except by doing a factory reset, which erases all the data on the device.

  • Samsung SAFE

    Note:

    As a workaround for disabling face or Iris recognition on Samsung SAFE devices: Create a Restrictions device policy for Samsung SAFE. In the Restrictions policy, turn on Disable Applications and add com.samsung.android.bio.face.service or com.samsung.android.server.iris to the table. Then, deploy the Restrictions policy.

    • Use same passcode across all users: Select whether to use the same passcode for all users. The default is Off. This setting applies only to Samsung SAFE devices and is available regardless of the Passcode required setting.
    • When you enable Use same passcode across all users, type the passcode to be used by all users in the Passcode field.
    • When you enable Passcode required, configure the following Samsung SAFE settings:
      • Changed characters: Type the number of characters users must change from their previous passcode. The default is 0.
      • Number of times a character can occur: Type the maximum number of times a character can occur in a passcode. The default is 0.
      • Alphabetic sequence length: Type the maximum length of an alphabetic sequence in a passcode. The default is 0.
      • Numeric sequence length: Type the maximum length of a numeric sequence in a passcode. The default is 0.
      • Allow users to make password visible: Select whether users can make their passcodes visible. The default is On.
      • Configure biometric authentication. Select whether to enable biometric authentication. The default is Off. If you set it to On, you can set these options:
        • Allow fingerprint. Select to allow users to authenticate using a fingerprint.
        • Allow iris. Select to allow users to authenticate using an iris.
      • Forbidden strings: You create forbidden strings to prevent users from using insecure strings that are easy to guess like “password”, “pwd”, “welcome”, “123456”, “111111”, and so on. For each string you want to deny, click Add and then do the following:
        • Forbidden strings: Type the string users may not use.
        • Click Save to add the string or click Cancel to cancel adding the string.

Samsung Knox settings

Image of Device Policies configuration screen

  • Passcode requirements
    • Minimum length: In the list, click the minimum passcode length. The default is 6.
    • Allow users to make password visible: Select whether to let users make the password visible.
    • Forbidden strings: You create forbidden strings to prevent users from using insecure strings that are easy to guess like “password”, “pwd”, “welcome”, “123456”, “111111”, and so on. For each string you want to deny, click Add and then do the following:
      • Forbidden strings: Type the string users may not use.
      • Click Save to add the string or click Cancel to cancel adding the string.
  • Minimum number of
    • Changed characters: Type the number of characters users must change from their previous passcode. The default is 0.
    • Symbols: Type the minimum number of required symbols in a passcode. The default is 0.
  • Maximum number of
    • Number of times a character can occur: Type the maximum number of times a character can occur in a passcode. The default is 0.
    • Alphabetic sequence length: Type the maximum length of an alphabetic sequence in a passcode. The default is 0.
    • Numeric sequence length: Type the maximum length of a numeric sequence in a passcode. The default is 0.
  • Passcode security
    • Lock device after (minutes of inactivity): In the list, click the number of seconds a device can be inactive before it is locked. The default is None.
    • Passcode expiration in days (1-730): Type the number of days after which the passcode expires. Valid values are 1–730. The default is 0, which means the passcode never expires.
    • Previous passwords saved (0-50): Type the number of used passwords to save. Users are unable to use any password found in this list. Valid values are 0–50. The default is 0, which means users can reuse passwords.
    • If the number of failed sign on attempts is exceeded, the device is locked: In the list, click the number of times a user can fail to sign on successfully after which the device is locked. The default is Not defined.
    • If the number of failed sign on attempts is exceeded, the device is wiped: In the list, click the number of times a user can fail to sign on successfully, after which the Knox container (along with the Knox data) is wiped from the device. Users need to reinitialize the Knox container after the wiping occurs. The default is Not defined.

Android Enterprise settings

Image of Device Policies configuration screen

For Android Enterprise devices, you can require a passcode for the device or a security challenge for the Android Enterprise work profile or both.

For devices running Android 8.0 or later and Samsung Knox 3.0 and later, configure settings for Samsung Knox on the Android Enterprise page. For devices running earlier versions of Android or Samsung Knox, use the Samsung Knox page.

Note:

When devices running Samsung Knox 3.0 are enrolled in work profile mode, device passcode settings for Knox 3.0 and later do not apply to the device passcode, even if you configure them.

  • Device Passcode Required: Requires a passcode on the device. When this setting is On, configure the settings under Passcode requirements for device passcode and Passcode security for device passcode. Default is Off.
  • Passcode requirements for device passcode:
    • Minimum length: Specifies the minimum passcode length. The default is 6.
    • Allow users to make password visible: For devices running Samsung Knox 3.0 and later that have a valid Knox license key configured. For fully managed devices only. This setting does not apply to devices enrolled in work profile mode. Allows users to make the password visible. Default is Off.
    • Biometric recognition: Enables biometric recognition. If this setting is On, the Required characters field is hidden. The default is Off. This feature isn’t currently supported.
    • Required characters: Specifies the types of characters required for passcodes. In the list, choose No Restriction, Both numbers and letters, Numbers only, or Letters only. Use No restrictions only for devices running Android 7.0. Android 7.1 and later don’t honor the No restrictions setting. The default is Both numbers and letters.
    • Forbidden strings: For devices running Samsung Knox 3.0 and later that have a valid Knox license key configured. For fully managed devices only. This setting does not apply to devices enrolled in work profile mode. Specifies strings users can’t use as passcodes. You create forbidden strings to prevent users from using insecure strings that are easy to guess like “password”, “pwd”, “welcome”, “123456”, “111111”, and so on. For each string you want to deny: click Add; type the string you don’t want users to use; click Save to add the string or click Cancel to cancel adding the string.
    • Advanced rules: Applies advanced rules for the types of characters that can occur in passcodes. When this setting is On, configure the settings under Minimum number of and Maximum number of. This setting is not available for Android devices earlier than Android 5.0. The default is Off.
    • Minimum number of:
      • Symbols: Specifies the minimum number of symbols. Default is 0.
      • Letters: Specifies the minimum number of letters. Default is 0.
      • Lowercase letters: Specifies the minimum number of lowercase letters. Default is 0.
      • Uppercase letters: Specifies the minimum number of uppercase letters. Default is 0.
      • Numbers or symbols: Specifies the minimum number of numbers or symbols. Default is 0.
      • Numbers: Specifies the minimum number of numbers. Default is 0.
      • Changed characters: For devices running Samsung Knox 3.0 and later that have a valid Knox license key configured. For fully managed devices only. This setting does not apply to devices enrolled in work profile mode. Specifies the number of characters users must change from their previous passcode. The default is 0.
    • Maximum number of: For devices running Samsung Knox 3.0 and later that have a valid Knox license key configured. For fully managed devices only. This setting does not apply to devices enrolled in work profile mode.
      • Number of times a character can occur: Specifies the maximum number of times a character can occur in a passcode. The default is 0, which means there is no maximum limit.
      • Alphabetic sequence length: Specifies the maximum length of an alphabetic sequence in a passcode. The default is 0, which means there is no maximum limit.
      • Numeric sequence length: Specifies the maximum length of a numeric sequence in a passcode. The default is 0, which means there is no maximum limit.
  • Passcode security for device passcode:
    • Wipe the device after (failed sign-on attempts): Specifies the number of times a user can fail to sign on after which the device is fully wiped. Default is Not defined.
    • Lock device after (minutes of inactivity) (0-999): Specifies the number of minutes a device can be inactive before it is locked. The default is None.
    • Passcode expiration in days (1-730): Specifies the number of days after which the passcode expires. Valid values are 1–730. The default is 0, which means the passcode never expires.
    • Previous passwords saved (0-50): Specifies the number of used passwords to save. Users are unable to use any password found in this list. Valid values are 0–50. Default is 0, which means users can reuse passwords.
    • Lock the device after (failed sign-on attempts) For devices running Samsung Knox 3.0 and later that have a valid Knox license key configured. For fully managed devices only. This setting does not apply to devices enrolled in work profile mode. Specifies the number of times a user can fail to sign on, after which the device is locked. Default is Not defined.
  • Work profile security challenge: Require users to complete a security challenge for access to apps running in an Android Enterprise work profile. For devices running Android 7.0 and later. When this setting is On, configure the settings under Passcode requirements for work profile security challenge and Passcode security for work profile security challenge. Default is Off.
  • Passcode requirements for work profile security challenge:
    • Minimum length: Specifies the minimum passcode length. Default is 6.
    • Allow users to make password visible: For devices running Knox 3.0 and later that have a valid Knox license key configured. Allows users to make the password visible. Default is Off.
    • Biometric recognition: Enables biometric recognition. If this setting is On, the Required characters field is hidden. The default is Off. This feature isn’t currently supported.
    • Required characters: Specifies the types of characters required for passcodes. In the list, choose No Restriction, Both numbers and letters, Numbers only, or Letters only. Use No restrictions only for devices running Android 7.0. Android 7.1 and later don’t honor the No restrictions setting. The default is Both numbers and letters.
    • Forbidden strings: For device running Knox 3.0 and later that have a valid Knox license key configured. Specifies strings users can’t use as passcodes. You create forbidden strings to prevent users from using insecure strings that are easy to guess like “password”, “pwd”, “welcome”, “123456”, “111111”, and so on. For each string you want to deny: click Add; type the string you don’t want users to use; click Save to add the string or click Cancel to cancel adding the string.
    • Advanced rules: Applies advanced rules for the types of characters that can occur in passcodes. When this setting is On, configure the settings under Minimum number of and Maximum number of. This setting is not available for Android devices earlier than Android 5.0. The default is Off.
    • Minimum number of:
      • Symbols: Specifies the minimum number of symbols. Default is 0.
      • Letters: Specifies the minimum number of letters. Default is 0.
      • Lowercase letters: Specifies the minimum number of lowercase letters. Default is 0.
      • Uppercase letters: Specifies the minimum number of uppercase letters. Default is 0.
      • Numbers or symbols: Specifies the minimum number of numbers or symbols. Default is 0.
      • Numbers: Specifies the minimum number of numbers. Default is 0.
      • Changed characters: For devices running Knox 3.0 and later that have a valid Knox license key configured. Specifies the number of characters users must change from their previous passcode. The default is 0.
    • Maximum number of: For devices running Knox 3.0 and later that have a valid Knox license key configured.
      • Number of times a character can occur: Specifies the maximum number of times a character can occur in a passcode. The default is 0, which means there is no maximum limit.
      • Alphabetic sequence length: Specifies the maximum length of an alphabetic sequence in a passcode. The default is 0, which means there is no maximum limit.
      • Numeric sequence length: Specifies the maximum length of a numeric sequence in a passcode. The default is 0, which means there is no maximum limit.
  • Passcode security for work profile security challenge
    • Wipe the container after (failed sign-on attempts): Specifies the number of times a user can fail to sign on, after which the work profile and its data is wiped from the device. Users need to reinitialize the work profile after the wiping occurs. Default is Not defined.
    • Lock container after (minutes of inactivity): Specifies the number of minutes a device can be inactive before the work profile is locked. The default is None.
    • Passcode expiration in days (1-730): Specifies the number of days after which the passcode expires. Valid values are 1–730. The default is 0, which means the passcode never expires.
    • Previous passwords saved (0-50): Specifies the number of used passwords to save. Users are unable to use any password found in this list. Valid values are 0–50. The default is 0, which means users can reuse passwords.
    • Lock the container after (failed sign-on attempts): For devices running Knox 3.0 and later that have a valid Knox license key configured. Specifies the number of times a user can fail to sign on, after which the device is locked. Default is Not defined.

Windows Phone settings

Image of Device Policies configuration screen

  • Passcode required: Select this option to not require a passcode for Windows Phone devices. The default setting is On, which requires a passcode. The page collapses and the following options disappear when you disable this setting.
  • Allow simple passcodes: Select whether to allow simple passcodes. Simple passcodes are a repeated or sequential set of characters. The default is OFF.
  • Passcode requirements
    • Minimum length: In the list, click the minimum passcode length. The default is 6.
    • Characters required: In the list, click Numeric or alphanumeric, Letters only, or Numbers only to configure how passcodes are composed. The default is Letters only.
    • Minimum number of symbols: In the list, click the number of symbols the passcode must contain. The default is 1.
  • Passcode security
    • Lock device after (minutes of inactivity): Type the number of minutes a device can be inactive before it is locked. The default is 0.
    • Passcode expiration in 0-730 days: Type the number of days after which the passcode expires. Valid values are 0–730. The default is 0, which means the passcode never expires.
    • Previous passwords saved (0-50): Type the number of used passwords to save. Users are unable to use any password found in this list. Valid values are 0–50. The default is 0, which means users can reuse passwords.
    • Maximum failed sign-on attempts before wipe (0-999): Type the number of times a user can fail to sign on successfully after which corporate data is wiped from the device. The default is 0.

Windows Desktop/Tablet settings

Image of Device Policies configuration screen

  • Passcode security
    • Lock device after (minutes of inactivity)(0-999): Type the number of minutes a device can be inactive before it is locked. The default is 0.
    • Passcode expiration in 0-730 days: Type the number of days after which the passcode expires. Valid values are 0-730. The default is 0, which means the passcode never expires.
    • Previous passwords saved (0-24): Type the number of used passcodes to save. Users are unable to use any passcode found in this list. Valid values are 1-24. You must enter a number between 1 and 24 in this field. The default is 0.
  • Passcode requirements
    • Minimum length: In the list, click the minimum passcode length. The default is 6.