
Passcode

You can define the parameters for creating a passcode and configure the passcode settings on Android devices here.

The MDM password expires after the Maximum passcode age set by the administrator. After expiry, the user is forced to change the password. The user must unlock the device using the expired password in order to change it, while other device functionalities are restricted. During the final few days before expiry, the user will be reminded to change the password.

Only devices running Android 5.0 or above can be provisioned as Profile Owner or Device Owner.

APPLY PASSCODE
(Specify if you want the passcode to be applied to the whole device or only to the work profile container)
| Feature | Description | Knox-enabled Samsung | Non-Samsung: Core Android | Non-Samsung: Profile Owner | Non-Samsung: Device Owner |
| --- | --- | --- | --- | --- | --- |
| Device | Passcode will be applied to the whole device. | Yes | Yes | Yes | Yes |
| Work profile (Applicable for devices running 7.0 or later versions) | Passcode will be applied only to the work profile container (created as the device is provisioned as Profile Owner). | No | No | Yes | No |
CONFIGURE
| Feature | Description | Knox-enabled Samsung | Non-Samsung: Core Android | Non-Samsung: Profile Owner | Non-Samsung: Device Owner |
| --- | --- | --- | --- | --- | --- |
| Passcode requirements | You can select the conditions that need to be met when the users configure a passcode on devices. | Yes | Yes | Yes | Yes |
| Default passcode | You can enter the common passcode that must be enforced on the devices. The user cannot modify the passcode set. | Yes | No | No | Yes |
| Password removal | In the case of digital signage, organizations must set up the device without a passcode. Using this option, any existing passcode on the device can be removed and users can be prevented from manually configuring a passcode on these devices. Not applicable for devices running Android 11.0 or above. Note: A password set by the user cannot be removed from Samsung devices running Android 9.0 or above that were enrolled via the invite method. | Yes | No | No | Yes |
PASSCODE COMPLEXITY
(Applicable only for devices running Android 12.0 and above)
| Feature | Description | Knox-enabled Samsung | Non-Samsung: Core Android | Non-Samsung: Profile Owner | Non-Samsung: Device Owner |
| --- | --- | --- | --- | --- | --- |
| Low | A pattern, or a PIN with repeating or ordered sequences (Example: 4444, 1234, 4321, 2468), should be configured. | Yes | Yes | Yes | Yes |
| Medium | The passcode should be a PIN with no repeating or ordered sequences (Example: 4444, 1234, 4321, 2468), or an alphabetic or alphanumeric password, with a length of at least 4 elements. | Yes | Yes | Yes | Yes |
| High | The passcode should be a PIN with no repeating or ordered sequences (Example: 4444, 1234, 4321, 2468) and a length of at least 8 elements, or an alphabetic or alphanumeric password with a length of at least 6 elements. | Yes | Yes | Yes | Yes |
FOR ANDROID 11.0 AND BELOW
| Feature | Description | Knox-enabled Samsung | Non-Samsung: Core Android | Non-Samsung: Profile Owner | Non-Samsung: Device Owner |
| --- | --- | --- | --- | --- | --- |
| Passcode should contain (Applicable when Passcode Requirements is selected) | You can define the minimum passcode type required or allowed to create a passcode. The increasing order of security in the passcode type is Simple Value -> Numbers -> Alphabet -> Alphanumeric -> Complex Value. For example, if you choose 'Numbers' as the minimum required passcode type, the passcode set on the device can contain numbers, letters, alphanumeric characters or complex values. 'Simple Value (Pattern)' enables you to set patterns, PINs or passwords for the device. Not applicable for devices running Android 11.0 or above. On choosing 'Numbers', you can set either a PIN or a password for the device. The password can contain numbers, letters, alphanumeric or complex values. 'Alphabet' allows you to set only passwords for the device. The password can contain letters, alphanumeric or complex values. 'Alphanumeric' allows you to set a password that contains both numbers and letters. Special characters can also be included. 'Complex Value' enables you to set a password that contains letters, numbers and at least one special character. | Yes | Yes | Yes | Yes |
| Minimum passcode length (Cannot be configured if Minimum passcode requirement is pattern) | You can define a minimum length for the passcode here. Applicable only for devices running Android 11.0 and below. | Yes | Yes | Yes | Yes |
OTHER SETTINGS
| Feature | Description | Knox-enabled Samsung | Non-Samsung: Core Android | Non-Samsung: Profile Owner | Non-Samsung: Device Owner |
| --- | --- | --- | --- | --- | --- |
| Maximum number of failed attempts (Applicable when Passcode Requirements is selected) | The maximum number of failed attempts allowed can be specified. When the number of attempts exceeds this value, the device will be reset, completely wiping all the data on the device. | Yes | Yes | Yes | Yes |
| Maximum idle time allowed before auto-lock (Applicable when Passcode Requirements is selected) | Maximum allowed idle time before the device auto-locks itself. The user can select a value less than the one specified by the admin. For example: If the admin selects 2 minutes, the user can set the idle time to less than 2 minutes. | Yes | Yes | Yes | Yes |
| Strong Authentication timeout (Applicable only for devices running Android 8.0 and above) | After the Strong Authentication timeout period set by the admin, biometrics (such as fingerprint, face unlock) are turned off automatically. Users will be forced to unlock the device using a strong authentication passcode (such as PIN or password). | Yes | Yes | Yes | Yes |
| Number of passcodes to be maintained in the history (Supported from Android 4.0 and applicable when Passcode Requirements is selected) | Total number of previous passcodes to be maintained, so that they cannot be reused. | Yes | Yes | Yes | Yes |
| Maximum passcode age (Supported from Android 4.0 and applicable when Passcode Requirements is selected) | The user will be notified to reset the passcode based on the days specified here. | Yes | Yes | Yes | Yes |
| Force passcode policy after (Applicable when Passcode Requirements is selected) | Specify the time after which the device user needs to set a passcode on the device complying with the passcode policy configured in MDM. On Samsung devices, users are prompted immediately to set a passcode, irrespective of the time set here, if there is no passcode set on the device. If a passcode is set but doesn't comply with the policy, then the user is prompted based on the policy settings. | Yes | No | Applicable for devices running 7.0 or later versions | Applicable for devices running 6.0 or later versions |
| Set same passcode for device and work profile (Applicable when Work profile is selected) | Allow/Restrict user to set the same passcode for both Device and Work profile. | No | No | Applicable for devices running 9.0 or later versions | No |
| Smart Lock (Applicable when Passcode Requirements is selected) | Allow or restrict users from setting up Smart Lock on their devices, with which they can bypass the password prompt on the lock screen by configuring trust agents such as On-Body detection, Trusted places/devices/voice. | Applicable for devices running 5.0 or later versions | No | Yes | Yes |
| Temporary Passcode (Applicable when Passcode Requirements is selected) | A temporary passcode can be set on the device to protect the device from unauthorized access when a new corporate device is handed to the users. Admins can configure a passcode that will be set on the device until the device is unlocked. Once the device is unlocked, the user will be prompted to set a new passcode on the device based on the requirements configured. If a passcode already exists on the device, the temporary passcode will not be applied. | Yes | No | No | Yes |
| Unlock device using fingerprint (Samsung-only feature - Supported from Android 5.0) | If this is allowed on a device, the user will be able to use a fingerprint to unlock the device. The backup password set during fingerprint registration on a device should be a simple value, number, alphabet, alphanumeric or complex according to what you choose as the Minimum Passcode Requirement. | Yes | No | No | No |
| Maximum repetition of characters (Can be configured only if Minimum passcode requirement is 'Complex Value') (Samsung-only feature - Supported from 4.0) | Specify how many times a number or a letter can be repeated in the password (Example: If you say 2 times, you cannot use the same letter or number more than twice in the password). | Yes | No | No | No |
| Maximum numeric Sequence (Can be configured only if Minimum passcode requirement is 'Complex Value') (Samsung-only feature - Supported from 4.0) | Specify how many sequential numbers can be used in the password (Example: If you say 3, you can use up to 3 sequential numbers like 123, 456, etc.). | Yes | No | No | No |
| Minimum uppercase length (Can be configured only if Minimum passcode requirement is 'Complex Value') (Supported from Android 4.0) | You can define the minimum number of upper case letters required to create a passcode. | Yes | Yes | Yes | Yes |
| Minimum lowercase letter length (Can be configured only if Minimum passcode requirement is 'Complex Value') (Supported from Android 4.0) | You can define the minimum number of lower case letters required to create a passcode. | Yes | Yes | Yes | Yes |
| Minimum letter length (Can be configured only if Minimum passcode requirement is 'Complex Value') (Supported from Android 4.0) | You can define the minimum number of letters required to create a passcode. | Yes | Yes | Yes | Yes |
| Minimum non-alphabetic characters (Can be configured only if Minimum passcode requirement is 'Complex Value') (Supported from Android 4.0) | You can define the minimum number of non-alphabetic characters required to create a passcode. | Yes | Yes | Yes | Yes |
| Minimum numeric length (Can be configured only if Minimum passcode requirement is 'Complex Value') (Supported from Android 4.0) | You can define the minimum number of numeric values required to create a passcode. | Yes | Yes | Yes | Yes |
| Minimum symbol length (Can be configured only if Minimum passcode requirement is 'Complex Value') (Supported from Android 4.0) | You can define the minimum number of symbols required to create a passcode. | Yes | Yes | Yes | Yes |
BIOMETRIC PASSCODES
| Feature | Description | Knox-enabled Samsung | Non-Samsung: Core Android | Non-Samsung: Profile Owner | Non-Samsung: Device Owner |
| --- | --- | --- | --- | --- | --- |
| Use Fingerprint as passcode | Allow/Restrict usage of fingerprints as device passcode | Yes | Yes | Yes | Yes |
| Use iris scanning as passcode | Allow/Restrict usage of iris scanning as device passcode | Yes | No | No | Yes |
| Use face scanning as passcode | Allow/Restrict usage of face scanning as device passcode | Yes | No | No | Yes |
  • After distributing this policy, the passcode must be set by the user on the device. Only after this will the device details view under Inventory be updated.
  • If the user doesn't configure the passcode before the duration specified in Profile Settings, then all the apps except ME MDM app, Launcher and Settings get disabled as explained here.
  • If the device already has a passcode set on the device and it complies with the passcode policy configured in MDM, the device user will not be prompted to create a new passcode, in accordance with the MDM passcode policy.
  • With Android 12.0, you can configure the passcode complexity levels to low, medium and high. If you still want to define granular passcode requirements instead of these predefined complexity levels, configure custom passcode settings. However, Google will deprecate these granular settings soon, and they are not recommended for devices running Android 12.0 and above.
  • If the passcode policy isn't applied on the device, verify whether other policies are controlling the passcode configuration. For example, you may have configured a passcode policy using Exchange. Further, verify whether there are any other device administrators on the device that might be controlling the passcode policy. You can view the list of device administrators by navigating to Settings -> Security -> Other Security Settings -> Device Administrators.
  • In the case of Samsung, if the device does not factory reset automatically when the user has exceeded the maximum number of passcode attempts, it might be due to:
    • a factory reset restriction applied on the device from MDM. Navigate to Device Mgmt->Profiles->Android->Restrictions->Security on the MDM server and ensure that Restore Factory Settings is set to Allow.
    • an API which restricts device factory reset. Although MDM initiates a factory reset, it fails because an API restriction set by one device administrator cannot be overridden by another device administrator (MDM).
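
The Low / Medium / High passcode complexity levels described above for Android 12.0 and later, written as a checker that can be run over candidate passcodes when choosing a level (an added example, not ManageEngine or Android code). It assumes that a run of four or more digits with a constant step counts as a "repeating or ordered sequence", which matches the page's examples 4444, 1234, 4321 and 2468; patterns are not modelled.

```python
from enum import IntEnum

class Complexity(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3

# Assumption: a run of 4+ digits with a constant step (0 = repeat, +1/-1/+2 ...
# = ordered) is a "repeating or ordered sequence"; the page gives only examples.
SEQUENCE_RUN = 4

def longest_constant_step_run(pin: str) -> int:
    """Longest run of digits whose neighbours all differ by the same step."""
    if len(pin) < 2:
        return len(pin)
    best = run = 2
    step = int(pin[1]) - int(pin[0])
    for prev, cur in zip(pin[1:], pin[2:]):
        delta = int(cur) - int(prev)
        if delta == step:
            run += 1
        else:
            step, run = delta, 2
        best = max(best, run)
    return best

def classify(passcode: str) -> Complexity:
    """Map a PIN or password to the page's Low / Medium / High level.
    Assumption: anything below the Medium thresholds is reported as LOW."""
    if passcode.isascii() and passcode.isdigit():  # numeric PIN
        if longest_constant_step_run(passcode) >= SEQUENCE_RUN:
            return Complexity.LOW  # e.g. 4444, 1234, 4321, 2468
        if len(passcode) >= 8:
            return Complexity.HIGH
        return Complexity.MEDIUM if len(passcode) >= 4 else Complexity.LOW
    # Alphabetic or alphanumeric password: only the length is considered.
    if len(passcode) >= 6:
        return Complexity.HIGH
    return Complexity.MEDIUM if len(passcode) >= 4 else Complexity.LOW

def audit(passcodes, required: Complexity):
    """Return the passcodes that fall below the required level."""
    return [p for p in passcodes if classify(p) < required]

if __name__ == "__main__":
    # Constructed sample values, not taken from any device.
    samples = ["4444", "2468", "7294", "72941234", "19283746", "abcd", "ab12cd"]
    for p in samples:
        print(f"{p:>10}  {classify(p).name}")
    print("below HIGH:", audit(samples, Complexity.HIGH))
```

An 8-digit PIN that embeds an ordered run, such as 72941234, still classifies as Low under this assumption, so length alone does not reach High.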