Passcode Device Policies

Jun 23, 2015

You create a passcode policy in XenMobile based on your organization's standards. You can require passcodes on users' devices and can set various formatting and passcode rules. You can create policies for iOS, Android, Android for Work, Samsung KNOX, Windows Phone 8.1, and Windows 8.1 tablet. Each platform requires a different set of values, which are described in this article.

  1. In the XenMobile console, click Configure > Device Policies. The Device Policies page appears. Click Add to add a new policy.

     

    Figure: Select device policies

     

  2. On the Add New Policy page, click Passcode.

     

    Figure: Select passcode

     

  3. In the Policy Information pane, enter the following information:
    1. Policy Name: Type a descriptive name for the policy.
    2. Description: Type an optional description of the policy.
    3. Click Next.
  4. Under Platforms, select the platforms for which you want to configure this policy.
    Note: When the Policy Platforms page appears, all platforms are selected and you see the iOS platform configuration panel first.
    • If you selected iOS, configure these settings:

      Passcode required: Select this option to require a passcode and to display the configuration options for an iOS passcode device policy. The page expands to let you configure settings for passcode requirements, passcode security, and policy settings.

      Passcode requirements

      Minimum length: In the list, click the minimum passcode length. The default is 6.

      Allow simple passcodes: Select whether to allow simple passcodes. Simple passcodes are a repeated or sequential set of characters. The default is ON.

      Required characters: Select whether to require passcodes to have at least one letter. The default is OFF.

      Minimum number of symbols: In the list, click the number of symbols the passcode must contain.

      Passcode security

      Device lock grace period (minutes of inactivity): In the list, click the length of time before users must enter a passcode to unlock a locked device. The default is None.

      Lock device after (minutes of inactivity): In the list, click the length of time a device can be inactive before it is locked. The default is None.

      Passcode expiration in days (1-730): Enter the number of days after which the passcode expires. Valid values are 1–730. The default is 0, which means the passcode never expires.

      Previous passwords saved (0-50): Enter the number of used passwords to save. Users are unable to use any password found in this list. Valid values are 0–50. The default is 0, which means users can reuse passwords.

      Maximum failed sign-on attempts: In the list, click the number of times a user can fail to sign in successfully after which the device is locked. The default is Not defined.

      Policy Settings

       

      Figure: Policy removal settings

       

      1. Under Policy Settings, next to Remove policy, click either Select date or Duration until removal (in days).
      2. If you click Select date, click the calendar to select the specific date for removal.
      3. In the Allow user to remove policy list, click Always, Password required, or Never.
      4. If you click Password required, next to Removal password, type the necessary password.
    • If you selected Android, configure these settings:

      Note: The default setting for Android is OFF. The page expands to let you configure settings for passcode requirements, passcode security, encryption, and Samsung SAFE.

      Passcode requirements

      Minimum length: In the list, click the minimum passcode length. The default is 6.

      Biometric recognition: Select whether to enable biometric recognition. If you enable this option, the Required characters field is hidden. The default is OFF.

      Required characters: In the list, click No Restriction, Both numbers and letters, Numbers only, or Letters only to configure how passcodes are composed. The default is No Restriction.

      Advanced rules: Select whether to apply advanced passcode rules. This option is available for Android 3.0 and later. The default is OFF.

      When Advanced rules is set to ON, from each of the following lists, click the minimum number of each character type that a passcode must contain:
      • Symbols: The minimum number of symbols.
      • Letters: The minimum number of letters.
      • Lowercase letters: The minimum number of lowercase letters.
      • Uppercase letters: The minimum number of uppercase letters.
      • Numbers or symbols: The minimum number of numbers or symbols.
      • Numbers: The minimum number of numbers.



      Passcode security

      Lock device after (minutes of inactivity): In the list, click the length of time a device can be inactive before it is locked. The default is None.

      Passcode expiration in days (1-730): Enter the number of days after which the passcode expires. Valid values are 1–730. The default is 0, which means the passcode never expires.

      Previous passwords saved (0-50): Enter the number of used passwords to save. Users are unable to use any password found in this list. Valid values are 0–50. The default is 0, which means users can reuse passwords.

      Maximum failed sign-on attempts: In the list, click the number of times a user can fail to sign in successfully after which the device is locked. The default is Not defined.

      Encryption

      Enable encryption: Select whether to enable encryption. This option is available for Android 3.0 and later. The option is available regardless of the Passcode required setting.

      Use same passcode across all users: Select whether to use the same passcode for all users. This option applies only to Samsung SAFE devices and is available regardless of the Passcode required setting. The default is OFF.

      Enter the required passcode in the field that appears when you enable this option.

    • If you selected Samsung KNOX, configure these settings:

      Passcode requirements

      Minimum length: In the list, click the minimum passcode length.

      Allow users to make password visible: Select whether to let users make the password visible.

      Forbidden strings: You create forbidden strings to prevent users from using insecure strings that are easy to guess, like "password", "pwd", "welcome", "123456", "111111", and so on. Do one of the following:
      • To add a forbidden string
        1. Click Add.
        2. Type the forbidden string.
        3. Click Save to save the string or Cancel to cancel adding the string.
        4. Repeat steps 1 through 3 for each forbidden string you want to add.
      • To edit a forbidden string
        1. Hover over the string you want to edit.
        2. Click the pen icon to the right of the listing.
        3. Make changes to the string.
        4. Click Save to save the string or Cancel to cancel changing the string.


      Minimum number of

      Changed characters: Enter the number of characters users must change from their previous passcode. The default is 0.

      Symbols: Enter the minimum number of required symbols in a passcode. The default is 0.

      Maximum number of

      Number of times a character can occur: Enter the maximum number of times a character can occur in a passcode. The default is 0.

      Alphabetic sequence length: Enter the maximum length of an alphabetic sequence in a passcode. The default is 0.

      Numeric sequence length: Enter the maximum length of a numeric sequence in a passcode. The default is 0.

      Passcode security

      Lock device after (minutes of inactivity): In the list, click the length of time a device can be inactive before it is locked. The default is None.
      Note: Even though this field's label says "minutes of inactivity", XenMobile actually enforces the lock after the specified number of seconds.

      Passcode expiration in days (1-730): Enter the number of days after which the passcode expires. Valid values are 1–730. The default is 0, which means the passcode never expires.

      Previous passwords saved (0-50): Enter the number of used passwords to save. Users are unable to use any password found in this list. Valid values are 0–50. The default is 0, which means users can reuse passwords.

      Maximum failed sign-on attempts: In the list, click the number of times a user can fail to sign in successfully after which the device is locked. The default is Not defined.

    • If you selected Windows Phone 8.1, configure these settings:

      Passcode required: Clear this option if you do not want to require a passcode for Windows Phone 8.1 devices. The default setting is ON, which requires a passcode. When you turn the option off, the page collapses and the following options disappear. If you do not turn off the passcode requirement, continue configuring the following settings.

      Allow simple passcodes: Select whether to allow simple passcodes. Simple passcodes are a repeated or sequential set of characters. The default is OFF.

      Passcode requirements

      Minimum length: In the list, click the minimum passcode length. The default is 6.

      Characters required: In the list, click Numeric or alphanumeric, Letters only, or Numbers only to configure how passcodes are composed. The default is Letters only.

      Minimum number of symbols: In the list, click the number of symbols the passcode must contain. The default is 1.

      Passcode security

      Lock device after (minutes of inactivity): In the list, click the length of time a device can be inactive before it is locked. The default is 0.

      Passcode expiration in 0-730 days: Enter the number of days after which the passcode expires. Valid values are 1–730. The default is 0, which means the passcode never expires.

      Previous passwords saved (0-50): Enter the number of used passwords to save. Users are unable to use any password found in this list. Valid values are 0–50. The default is 0, which means users can reuse passwords.

      Maximum failed sign-on attempts before wipe (0-999): In the list, click the number of times a user can fail to sign in successfully after which corporate data is wiped from the device. The default is 0.

    • If you selected Windows 8.1 Tablet, configure these settings:

      Disallow convenience logon: Select whether to allow users to access their devices with picture passwords or biometric logons. The default is OFF.

      Minimum passcode length: In the list, click the minimum passcode length. The default is 6.

      Maximum passcode attempts before wipe: In the list, click the number of times a user can fail to sign in successfully after which the device is wiped. The default is 4.

      Passcode expiration in days (0-999): Enter the number of days after which the passcode expires. Valid values are 1–999. The default is 0, which means the passcode never expires.

      Passcode history (1-24): Enter the number of used passcodes to save. Users are unable to use any passcode found in this list. Valid values are 1–24. You must enter a number between 1 and 24 in this field.

      Maximum inactivity before device lock in minutes (1-1200): Enter the length of time in minutes that a device can be inactive before it is locked. Valid values are 1–1200. You must enter a number between 1 and 1200 in this field.

  5. Expand Deployment Rules and then configure the following settings. The Base tab appears by default.

     

    Figure: Deployment rules

     

    1. In the lists, click options to determine when the policy should be deployed.
      1. You can choose to deploy the policy when all conditions are met or when any conditions are met. The default option is All.
      2. Click New Rule to define the conditions.
      3. In the lists, click the conditions, such as Device ownership and BYOD, as shown in the preceding figure.
      4. Click New Rule again if you want to add more conditions. You can add as many conditions as you would like.
    2. Click the Advanced tab to combine the rules with Boolean options.

       

      Figure: Advanced deployment rules with base rules

       

      The conditions you chose on the Base tab appear.
    3. You can use more advanced Boolean logic to combine, edit, or add rules.
      1. Click AND, OR, or NOT.
      2. In the lists that appear, choose the conditions that you want to add to the rule and then click the Plus sign (+) on the right-hand side to add the condition to the rule.

        At any time, you can click to select a condition and then click EDIT to change the condition or Delete to remove the condition.

      3. Click New Rule again if you want to add more conditions.

        In this example, the device ownership must be BYOD, the device local encryption must be True, and the device mobile country code cannot be only Andorra.

        Figure: Advanced deployment rules complete

         

  6. Click Next. The Passcode Policy assignment page appears.
  7. Next to Choose delivery groups, type to find a delivery group or select a group or groups in the list to which you want to assign the policy. The groups you select appear in the right-hand Delivery groups to receive app assignment list.

     

    Figure: Policy assignment page

     

  8. Expand Deployment Schedule and then configure the following settings:
    1. Next to Deploy, click ON to schedule deployment or click OFF to prevent deployment. The default option is ON. If you choose OFF, no other options need to be configured.
    2. Next to Deployment schedule, click Now or Later. The default option is Now.
    3. If you click Later, click the calendar icon and then select the date and time for deployment.
    4. Next to Deployment condition, click On every connection or click Only when previous deployment has failed. The default option is On every connection.
    5. Next to Deploy for always-on connection, click ON or OFF. The default option is OFF.
      Note: This option applies when you have configured the scheduling background deployment key in Settings > Server Properties. The always-on option is not available for iOS devices.
    Note: The deployment schedule you configure is the same for all platforms. Any changes you make apply to all platforms, except for Deploy for always-on connection, which does not apply to iOS.

     

    Figure: Deployment schedule

     

  9. Click Save.
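
The Samsung KNOX rules in step 4 (forbidden strings, symbols, character occurrences, and sequence lengths) can be tried against candidate passcodes before you deploy the policy. The following Python code is an added example, not Citrix code: the class, field, and function names are hypothetical, and it assumes that 0 on a "Maximum number of" field means the rule is not enforced, that forbidden strings match as case-insensitive substrings, and that a symbol is any ASCII punctuation character.

```python
import string
from dataclasses import dataclass, field

@dataclass
class KnoxPasscodePolicy:
    # Hypothetical field names that mirror the Samsung KNOX labels on this page.
    min_length: int = 0
    forbidden_strings: list = field(default_factory=list)
    min_symbols: int = 0
    max_char_occurrences: int = 0   # assumption: 0 means "not enforced"
    max_alpha_sequence: int = 0     # same assumption
    max_numeric_sequence: int = 0   # same assumption

def longest_sequence(passcode, alphabet):
    """Longest ascending or descending run within alphabet, e.g. 'abc' or '321'."""
    best, run, prev, direction = 0, 0, None, 0
    for ch in passcode.lower():
        idx = alphabet.find(ch)   # -1: a character outside the alphabet breaks the run
        step = idx - prev if idx >= 0 and prev is not None else 0
        if abs(step) == 1 and (run == 1 or step == direction):
            run += 1              # run continues in the same direction
        else:                     # break, fresh start, or direction flip (length 2)
            run = 0 if idx < 0 else (2 if abs(step) == 1 else 1)
        prev, direction = (idx if idx >= 0 else None), step
        best = max(best, run)
    return best

def check_passcode(passcode, policy):
    """Return the names of the violated rules; an empty list means compliant."""
    # Assumptions: forbidden strings match as case-insensitive substrings,
    # and a "symbol" is any ASCII punctuation character.
    p, low = policy, passcode.lower()
    most = max((passcode.count(c) for c in set(passcode)), default=0)
    alpha = longest_sequence(passcode, string.ascii_lowercase)
    digits = longest_sequence(passcode, string.digits)
    checks = [
        ("Minimum length", len(passcode) < p.min_length),
        ("Forbidden strings", any(s.lower() in low for s in p.forbidden_strings)),
        ("Symbols", sum(c in string.punctuation for c in passcode) < p.min_symbols),
        ("Number of times a character can occur", 0 < p.max_char_occurrences < most),
        ("Alphabetic sequence length", 0 < p.max_alpha_sequence < alpha),
        ("Numeric sequence length", 0 < p.max_numeric_sequence < digits),
    ]
    return [name for name, violated in checks if violated]

# Constructed sample policy; the forbidden strings are the page's own examples.
SAMPLE_POLICY = KnoxPasscodePolicy(
    min_length=8, forbidden_strings=["password", "welcome", "123456"],
    min_symbols=1, max_char_occurrences=2, max_alpha_sequence=3, max_numeric_sequence=3)
```

Under these assumptions, "abcd1234" fails the Symbols, Alphabetic sequence length, and Numeric sequence length rules of the sample policy, but passes a policy whose fields are all left at 0.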