iOS Passcode: How to configure using MDM?
The passcode, being the first line of security for devices, organizations would want to set passcodes adhering to their security standards, ensuring certain aspects like the minimum length and complexity requirements. You can define the parameters for creating a passcode by configuring the Passcode profile. Setting up Passcode profile for a device, automatically sets the passcode for Apple Watch when paired with the device. The Passcode profile is supported for macOS in addition to iOS devices.
iOS Passcode Requirements
|Configure||Passcode requirements: You can select the conditions that need to be met when the users configure a passcode on devices.
Note: If existing passcode meets the complexity requirements mentioned in the passcode profile, the user will not be prompted to change the passcode.
Password removal: In the case of digital signage, organizations must set up the device without a passcode. Using this option, any existing passcode, Touch ID and Face ID on the device can be removed and users can be prevented from manually configuring a passcode or a Touch ID or a Face ID on these devices. Applicable only for Supervised devices running iOS 9 or later versions. If this option is enabled, then the Face ID and Passcode option shown in the Settings app on the iOS device is removed.
|Passcode should contain||Choosing Simple Value, ensures a simple passcode is set on the device. This can include repeating, ascending and descending character sequences such as 1111/aaaa etc. If Alphanumeric value is chosen, it is mandatory that the passcode contains alphanumeric value.|
|Minimum passcode length||The minimum length for the passcode can be set here. This can range from 4 to 16.|
|Minimum number of special characters||The minimum number of special characters that the passcode should contain, can be set here. This can range from 1 to 4.|
|Maximum idle time allowed before auto-lock||Idle time refers to the time duration before the device screen locks automatically. You can specify a value between 1 to 15 minutes. If the specified duration is not supported by the OS running on the device, the closest duration which is supported by the OS is selected automatically. This configuration is overridden, if Auto-lock option is configured in Kiosk and both profiles are distributed to the same device.|
|Maximum time to unlock device without passcode||
The time limit for users to unlock devices without using their passcodes, can be set here. If this has been set to five minutes for instance, users can unlock the device without a passcode, within five minutes after the device gets locked.
|Maximum number of failed attempts||Maximum number attempts to unlock the device, before it gets locked by Apple. This can range from 3 to 9.|
|Restrict users from modifying the passcode (iOS 9 or later versions - Supervised devices only)||Enabling this restricts users from modifying the passcode. The restriction is applied after an hour of profile association or during the next sync, whichever happens first. Until then, users can modify the passcode. The restriction can be enforced immediately by navigating to the Inventory tab and clicking on Scan Devices ( Inventory-> Scan Devices). If this option is enabled, then the Face ID and Passcode option shown in the Settings app on the iOS device is removed.|
|Maximum passcode age||Maximum passcode age refers to the number of days after which the passcode expires and a new one has to be set. This can range from 1 to 730 days.|
|Maximum number of passcodes to be maintained in history||This can range from 1 to 50 passcodes.|