Passcode device policy

You create a passcode policy in XenMobile based on your organization’s standards. You can require passcodes on users’ devices and can set various formatting and passcode rules. You can create policies for iOS, macOS, Android, Samsung KNOX, Android for Work, Windows Phone, and Windows desktop/tablet. Each platform requires a different set of values, which are described in this article.

To add or configure this policy, go to Configure > Device Policies. For more information, see Device policies.

iOS settings

Image of Device Policies configuration screen

  • Passcode required: Select this option to require a passcode and to display the configuration options for an iOS passcode device policy. The page expands to let you configure settings for passcode requirements, passcode security, and policy settings.
  • Passcode requirements
    • Minimum length: In the list, click the minimum passcode length. The default is 6.
    • Allow simple passcodes: Select whether to allow simple passcodes. Simple passcodes are a repeated or sequential set of characters. The default is On.
    • Required characters: Select whether to require passcodes to have at least one letter. The default is Off.
    • Minimum number of symbols: In the list, click the number of symbols the passcode must contain. The default is 0.
  • Passcode security
    • Device lock grace period (minutes of inactivity): In the list, click the length of time before users must enter a passcode to unlock a locked device. The default is None.
    • Lock device after (minutes of inactivity): In the list, click the length of time a device can be inactive before it is locked. The default is None.
    • Passcode expiration in days (1-730): Type the number of days after which the passcode expires. Valid values are 1-730. The default is 0, which means the passcode never expires.
    • Previous passwords saved (0-50): Type the number of used passwords to save. Users are unable to use any password found in this list. Valid values are 0-50. The default is 0, which means users can reuse passwords.
    • Maximum failed sign-on attempts: In the list, click the number of times a user can fail to sign in successfully after which the device is fully wiped. The default is Not defined.
  • Policy Settings
    • Next to Remove policy, click either Select date or Duration until removal (in hours).
    • If you click Select date, click the calendar to select the specific date for removal.
    • In the Allow user to remove policy list, click Always, Password required, or Never.
    • If you click Password required, next to Removal password, type the necessary password.

macOS settings

Image of Device Policies configuration screen

  • Passcode required: Select this option to require a passcode and to display the configuration options for a macOS passcode device policy. The page expands to let you configure settings for passcode requirements, passcode security, and policy settings.
  • If you do not enable Passcode required, next to Delay after failed sign-on attempts, in minutes, type the number of minutes to delay before allowing users to reenter their passcodes.
  • If you enable Passcode required, configure the following settings:
  • Passcode requirements
    • Minimum length: In the list, click the minimum passcode length. The default is 6.
    • Allow simple passcodes: Select whether to allow simple passcodes. Simple passcodes are a repeated or sequential set of characters. The default is On.
    • Required characters: Select whether to require passcodes to have at least one letter. The default is Off.
    • Minimum number of symbols: In the list, click the number of symbols the passcode must contain. The default is 0.
  • Passcode security
    • Device lock grace period (minutes of inactivity): In the list, click the length of time before users must enter a passcode to unlock a locked device. The default is None.
    • Lock device after (minutes of inactivity): In the list, click the length of time a device can be inactive before it is locked. The default is None.
    • Passcode expiration in days (1-730): Type the number of days after which the passcode expires. Valid values are 1-730. The default is 0, which means the passcode never expires.
    • Previous passwords saved (0-50): Type the number of used passwords to save. Users are unable to use any password found in this list. Valid values are 0-50. The default is 0, which means users can reuse passwords.
    • Maximum failed sign-on attempts: In the list, click the number of times a user can fail to sign in successfully after which the device is locked. The default is Not defined.
    • Delay after failed sign-on attempts, in minutes: Type the number of minutes to delay before allowing a user to reenter a passcode.
  • Policy Settings
    • Next to Remove policy, click either Select date or Duration until removal (in hours).
    • If you click Select date, click the calendar to select the specific date for removal.
    • In the Allow user to remove policy list, click Always, Password required, or Never.
    • If you click Password required, next to Removal password, type the necessary password.
    • Next to Profile scope, click either User or System. The default is User. This option is available only on macOS 10.7 and later.

Android settings

Image of Device Policies configuration screen

Note:

The default setting for Android is Off.

  • Passcode required: Select this option to require a passcode and to display the configuration options for an Android passcode device policy. The page expands to let you configure settings for passcode requirements, passcode security, encryption, and Samsung SAFE.
  • Passcode requirements
    • Minimum length: In the list, click the minimum passcode length. The default is 6.
    • Biometric recognition: Select whether to enable biometric recognition. If you enable this option, the Required characters field is hidden. The default is Off.
    • Required characters: In the list, click No Restriction, Both numbers and letters, Numbers only, or Letters only to configure how passcodes are composed. The default is No restriction.
    • Advanced rules: Select whether to apply advanced passcode rules. This option is available for Android 3.0 and later. The default is Off.
    • When you enable Advanced rules, from each of the following lists, click the minimum number of each character type that a passcode must contain:
      • Symbols: The minimum number of symbols.
      • Letters: The minimum number of letters.
      • Lowercase letters: The minimum number of lowercase letters.
      • Uppercase letters: The minimum number of uppercase letters.
      • Numbers or symbols: The minimum number of numbers or symbols.
      • Numbers: The minimum number of numbers.
  • Passcode security
    • Lock device after (minutes of inactivity): In the list, click the length of time a device can be inactive before it is locked. The default is None.
    • Passcode expiration in days (1-730): Type the number of days after which the passcode expires. Valid values are 1-730. The default is 0, which means the passcode never expires.
    • Previous passwords saved (0-50): Type the number of used passwords to save. Users are unable to use any password found in this list. Valid values are 0-50. The default is 0, which means users can reuse passwords.
    • Maximum failed sign-on attempts: In the list, click the number of times a user can fail to sign in successfully after which the device is wiped. The default is Not defined.
  • Encryption
    • Enable encryption: Select whether to enable encryption. This option is available for Android 3.0 and later. The option is available regardless of the Passcode required setting.

      To encrypt their devices, users must start with a charged battery and keep the device plugged in for the hour or more that encryption takes. If they interrupt the encryption process, they may lose some or all of the data on their devices. After a device is encrypted, the process cannot be reversed except by doing a factory reset, which erases all the data on the device.

  • Samsung SAFE

    Note:

    As a workaround for disabling face or iris recognition on Samsung SAFE devices: Create a Restrictions device policy for Samsung SAFE. In the Restrictions policy, turn on Disable Applications and add com.samsung.android.bio.face.service or com.samsung.android.server.iris to the table. Then, deploy the Restrictions policy.

    • Use same passcode across all users: Select whether to use the same passcode for all users. The default is Off. This setting applies only to Samsung SAFE devices and is available regardless of the Passcode required setting.
    • When you enable Use same passcode across all users, type the passcode to be used by all users in the Passcode field.
    • When you enable Passcode required, configure the following Samsung SAFE settings:
      • Changed characters: Type the number of characters users must change from their previous passcode. The default is 0.
      • Number of times a character can occur: Type the maximum number of times a character can occur in a passcode. The default is 0.
      • Alphabetic sequence length: Type the maximum length of an alphabetic sequence in a passcode. The default is 0.
      • Numeric sequence length: Type the maximum length of a numeric sequence in a passcode. The default is 0.
      • Allow users to make password visible: Select whether users can make their passcodes visible. The default is On.
      • Configure biometric authentication: Select whether to enable biometric authentication. The default is Off. If you set it to On, you can set these options:
        • Allow fingerprint: Select to allow users to authenticate using a fingerprint.
        • Allow iris: Select to allow users to authenticate using an iris.
      • Forbidden strings: You create forbidden strings to prevent users from using insecure strings that are easy to guess like “password”, “pwd”, “welcome”, “123456”, “111111”, and so on. For each string you want to deny, click Add and then do the following:
        • Forbidden strings: Type the string users may not use.
        • Click Save to add the string or click Cancel to cancel adding the string.

Samsung KNOX settings

Image of Device Policies configuration screen

  • Passcode requirements
    • Minimum length: In the list, click the minimum passcode length. The default is 6.
    • Allow users to make password visible: Select whether to let users make the password visible.
    • Forbidden strings: You create forbidden strings to prevent users from using insecure strings that are easy to guess like “password”, “pwd”, “welcome”, “123456”, “111111”, and so on. For each string you want to deny, click Add and then do the following:
      • Forbidden strings: Type the string users may not use.
      • Click Save to add the string or click Cancel to cancel adding the string.
  • Minimum number of
    • Changed characters: Type the number of characters users must change from their previous passcode. The default is 0.
    • Symbols: Type the minimum number of required symbols in a passcode. The default is 0.
  • Maximum number of
    • Number of times a character can occur: Type the maximum number of times a character can occur in a passcode. The default is 0.
    • Alphabetic sequence length: Type the maximum length of an alphabetic sequence in a passcode. The default is 0.
    • Numeric sequence length: Type the maximum length of a numeric sequence in a passcode. The default is 0.
  • Passcode security
    • Lock device after (minutes of inactivity): In the list, click the number of seconds a device can be inactive before it is locked. The default is None.
    • Passcode expiration in days (1-730): Type the number of days after which the passcode expires. Valid values are 1-730. The default is 0, which means the passcode never expires.
    • Previous passwords saved (0-50): Type the number of used passwords to save. Users are unable to use any password found in this list. Valid values are 0-50. The default is 0, which means users can reuse passwords.
    • If the number of failed sign on attempts is exceeded, the device is locked: In the list, click the number of times a user can fail to sign on successfully after which the device is locked. The default is Not defined.
    • If the number of failed sign on attempts is exceeded, the device is wiped: In the list, click the number of times a user can fail to sign on successfully, after which the KNOX container (along with the KNOX data) is wiped from the device. Users need to reinitialize the KNOX container after the wiping occurs. The default is Not defined.
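
A sketch of how the Samsung SAFE and Samsung KNOX composition rules above combine, added here as an example; it is not Citrix or Samsung code. The field names, reading 0 as "no restriction", substring matching for forbidden strings, and treating a "sequence" as consecutive ascending or descending characters are all assumptions, so enforcement on a device may differ.

```python
import string
from collections import Counter

# Hypothetical policy records: field names are assumptions mirroring the labels
# above. 0 is read as "no restriction" for the maximum-count rules (assumption).
DEFAULTS = {"min_length": 6, "min_symbols": 0, "max_char_occurrences": 0,
            "max_alpha_sequence": 0, "max_numeric_sequence": 0,
            "forbidden_strings": []}
HARDENED = {"min_length": 6, "min_symbols": 1, "max_char_occurrences": 2,
            "max_alpha_sequence": 3, "max_numeric_sequence": 3,
            "forbidden_strings": ["password", "pwd", "welcome", "123456", "111111"]}


def longest_sequence(passcode, alphabet):
    """Longest run of consecutive ascending or descending characters from
    `alphabet`, such as "abc" or "321" (assumed meaning of "sequence")."""
    best, run, step, prev = 0, 0, 0, None
    for ch in passcode.lower():
        if ch not in alphabet:
            run, step, prev = 0, 0, None
            continue
        delta = ord(ch) - ord(prev) if prev is not None else 0
        if delta in (1, -1) and (run == 1 or delta == step):
            run, step = run + 1, delta
        elif delta in (1, -1):
            run, step = 2, delta  # direction flipped; new run includes prev
        else:
            run, step = 1, 0
        best, prev = max(best, run), ch
    return best


def violations(passcode, policy):
    """Return the names of the rules that `passcode` breaks under `policy`."""
    found = []
    if len(passcode) < policy["min_length"]:
        found.append("Minimum length")
    if sum(ch in string.punctuation for ch in passcode) < policy["min_symbols"]:
        found.append("Symbols")
    limit = policy["max_char_occurrences"]
    if limit and max(Counter(passcode).values(), default=0) > limit:
        found.append("Number of times a character can occur")
    limit = policy["max_alpha_sequence"]
    if limit and longest_sequence(passcode, string.ascii_lowercase) > limit:
        found.append("Alphabetic sequence length")
    limit = policy["max_numeric_sequence"]
    if limit and longest_sequence(passcode, string.digits) > limit:
        found.append("Numeric sequence length")
    # Assumption: forbidden strings match case-insensitively as substrings.
    if any(s.lower() in passcode.lower() for s in policy["forbidden_strings"]):
        found.append("Forbidden strings")
    return found
```

Running known-weak candidates through `violations()` for a draft policy shows which guessable passcodes that policy would still accept; with the documented defaults, `111111` passes every rule.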

Android for Work settings

Image of Device Policies configuration screen

  • Device Passcode Required: Enable this setting to require a passcode and to display the configuration options for an Android for Work Passcode device policy. The page expands to let you configure settings for passcode requirements and passcode security. The default is Off.
  • Work Challenge Required: Enable this setting to require users to complete a security challenge for access to apps running in an Android for Work work profile. The page expands to let you configure settings for passcode requirements and passcode security. This option is not available for Android devices earlier than Android 7.0. The default is Off.
  • Passcode requirements
    • Minimum length: In the list, click the minimum passcode length. The default is 6.
    • Biometric recognition: Select whether to enable biometric recognition. If you enable this option, the Required characters field is hidden. The default is Off. Note that this feature is not currently supported.
    • Required characters: In the list, click No Restriction, Both numbers and letters, Numbers only, or Letters only to configure how passcodes are composed.
      • For Device Passcode: The default is No restriction.
      • For Work Challenge: Use No restrictions only for devices running Android 7.0. The No restrictions setting is not honored by Android 7.1 and later. The default is Both numbers and letters.
    • Advanced rules: Select whether to apply advanced passcode rules. This option is not available for Android devices earlier than Android 5.0. The default is Off.
    • When you enable Advanced rules, from each of the following lists, click the minimum number of each character type that a passcode must contain:
      • Symbols: The minimum number of symbols.
      • Letters: The minimum number of letters.
      • Lowercase letters: The minimum number of lowercase letters.
      • Uppercase letters: The minimum number of uppercase letters.
      • Numbers or symbols: The minimum number of numbers or symbols.
      • Numbers: The minimum number of numbers.
  • Passcode security
    • Lock device after (minutes of inactivity): In the list, click the number of minutes a device can be inactive before it is locked. The default is None.
    • Passcode expiration in days (1-730): Type the number of days after which the passcode expires. Valid values are 1-730. The default is 0, which means the passcode never expires.
    • Previous passwords saved (0-50): Type the number of used passwords to save. Users are unable to use any password found in this list. Valid values are 0-50. The default is 0, which means users can reuse passwords.
    • Maximum failed sign-on attempts: In the list, click the number of times a user can fail to sign on successfully, after which the KNOX container (along with the KNOX data) is wiped from the device. Users need to reinitialize the KNOX container after the wiping occurs. The default is Not defined.

Windows Phone settings

Image of Device Policies configuration screen

  • Passcode required: Set this option to Off if you do not want to require a passcode for Windows Phone devices. The default setting is On, which requires a passcode. When you disable this setting, the page collapses and the following options disappear.
  • Allow simple passcodes: Select whether to allow simple passcodes. Simple passcodes are a repeated or sequential set of characters. The default is Off.
  • Passcode requirements
    • Minimum length: In the list, click the minimum passcode length. The default is 6.
    • Characters required: In the list, click Numeric or alphanumeric, Letters only, or Numbers only to configure how passcodes are composed. The default is Letters only.
    • Minimum number of symbols: In the list, click the number of symbols the passcode must contain. The default is 1.
  • Passcode security
    • Lock device after (minutes of inactivity): Type the number of minutes a device can be inactive before it is locked. The default is 0.
    • Passcode expiration in 0-730 days: Type the number of days after which the passcode expires. Valid values are 0-730. The default is 0, which means the passcode never expires.
    • Previous passwords saved (0-50): Type the number of used passwords to save. Users are unable to use any password found in this list. Valid values are 0-50. The default is 0, which means users can reuse passwords.
    • Maximum failed sign-on attempts before wipe (0-999): Type the number of times a user can fail to sign on successfully after which corporate data is wiped from the device. The default is 0.

Windows Desktop/Tablet settings

Image of Device Policies configuration screen

  • Disallow convenience logon: Select whether to allow users to access their devices with picture passwords or biometric logons. The default is Off.
  • Minimum passcode length: In the list, click the minimum passcode length. The default is 6.
  • Maximum passcode attempts before wipe: In the list, click the number of times a user can fail to sign in successfully after which corporate data is wiped from the device. The default is 4.
  • Passcode expiration in days (0-730): Type the number of days after which the passcode expires. Valid values are 0-730. The default is 0, which means the passcode never expires.
  • Passcode history (1-24): Type the number of used passcodes to save. Users are unable to use any passcode found in this list. Valid values are 1-24. You must enter a number between 1 and 24 in this field. The default is 0.
  • Maximum inactivity before device lock in minutes (1-999): Type the length of time in minutes that a device can be inactive before it is locked. Valid values are 1-999. You must enter a number between 1 and 999 in this field. The default is 0.