Password Policy

Template

On iOS, the key names generally reflect the expected functionality.

On macOS, these settings affect the password policy of a directory node. A few settings (auto-lock and the grace period) are instead applied through the com.apple.screensaver preference domain. Most keys are translated into account policy settings; the per-key notes below give the translation, and see Password Policy for more information.

Summary

PayloadType: com.apple.mobiledevice.passwordpolicy
Supervised Only: N/A
macOS: N/A
macOS Deprecated: N/A
iOS: N/A
iOS Deprecated: N/A
Highlander: N/A

Keys

manualFetchingWhenRoaming

Manual Fetching When Roaming

Deprecated. Use allowGlobalBackgroundFetchWhenRoaming in the Restrictions payload instead.

Type Default Required Regex iOS macOS Supervised
boolean N/A N/A N/A N/A N/A N/A

allowSimple

Allow Simple Value

Permit the use of repeating, ascending, and descending character sequences

Type Default Required Regex iOS macOS Supervised
boolean True N/A N/A N/A N/A N/A

Note

A simple passcode is one containing repeated characters, or an increasing or decreasing sequence of characters (such as 123 or CBA). Setting this value to false is equivalent to setting minComplexChars to 1.

forcePIN

Require Passcode on Device

Enforce the use of a passcode before using the device

Type Default Required Regex iOS macOS Supervised
boolean True N/A N/A N/A N/A N/A

Note

Determines whether the user is forced to set a PIN. Setting only this key (and no others) forces the user to enter a passcode without imposing any length or quality requirement.

maxFailedAttempts

Maximum Number of Failed Attempts

Number of passcode entry attempts allowed before all data on device will be erased

Type Default Required Regex iOS macOS Supervised
integer 0 N/A N/A N/A N/A N/A

Note

Allowed range [1...10]. Specifies the number of failed passcode attempts permitted at the device's lock screen. Once this number is exceeded, the device is locked and must be connected to its designated iTunes in order to be unlocked. Note that the short description above says the data is erased; on current iOS the final failed attempt erases the device, so treat this value as a wipe threshold rather than a lockout counter.

maxInactivity

Auto-Lock

The number of minutes for which the device can be idle (without being unlocked by the user) before it gets locked by the system

Type Default Required Regex iOS macOS Supervised
integer N/A N/A N/A N/A N/A N/A

Default is no limit (the device never auto-locks). Once the idle limit is reached, the device is locked and the passcode must be entered.

On macOS, this translates to the key idleTime in /Library/Managed Preferences/com.apple.screensaver.plist, which is the number of seconds until the screen is locked; the profile's minute value is therefore multiplied by 60.

macOS
10.9+, possibly earlier

maxPINAgeInDays

Maximum Passcode Age

The number of days for which the passcode can remain unchanged

Type Default Required Regex iOS macOS Supervised
integer N/A N/A N/A N/A N/A N/A

Default is no expiry. After this number of days, the user is forced to change the passcode before the device is unlocked.

macOS
10.9+
macOS 10.9
This translates into the pwpolicy global policy field maxMinutesUntilChangePassword, which is in minutes (the day value times 1440).
macOS 10.10+
This translates into an account policy containing the key policyAttributeExpiresEveryNDays equal to the maxPINAgeInDays value.

Note

Profile Manager lists the maximum PIN age for macOS to be 730 days.

minComplexChars

Minimum Number of Complex Characters

Minimum number of non-alphanumeric characters the passcode must contain

Type Default Required Regex iOS macOS Supervised
integer 0 N/A N/A N/A N/A N/A

Specifies the minimum number of complex characters that a passcode must contain. A “complex” character is a character other than a number or a letter, such as &%$#.

macOS
10.10+
macOS 10.10+
This translates into an account policy that contains the rule policyAttributePassword matches '(.*[^a-zA-Z0-9].*){3,}'. The 3 in the regex is replaced by the configured number of complex characters.

Note

If minComplexChars is greater than 0, this implies allowSimple = false.

Note

Profile Manager lists the maximum as being 4

minLength

Minimum Passcode Length

Smallest allowable number of characters in passcode

Type Default Required Regex iOS macOS Supervised
integer 0 N/A N/A N/A N/A N/A

Specifies the minimum overall length of the passcode. This parameter is independent of the also optional minComplexChars argument.

macOS
10.10+
macOS 10.10+
This translates into an account policy that contains the rule policyAttributePassword matches '.{4,}'. The 4 in the regex is replaced by the configured minimum length.

Note

Profile Manager lists the maximum as being 16

requireAlphanumeric

Require Alphabetic Value

Require passcodes to contain at least one letter

Type Default Required Regex iOS macOS Supervised
boolean False N/A N/A N/A N/A N/A

Specifies whether the user must include alphabetic characters (e.g. “abcd”), or whether an all-numeric passcode is sufficient.

macOS
10.10+
macOS 10.10+
This translates into an account policy that contains the rule policyAttributePassword matches '^(?=.*[0-9])(?=.*[a-zA-Z]).+'. Note that this macOS rule requires at least one digit and at least one letter, which is stricter than the iOS description (at least one letter): an all-alphabetic password that satisfies the iOS requirement is rejected on macOS.
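The quality keys above (allowSimple, minLength, minComplexChars, requireAlphanumeric) and their macOS regex translations, as an added example that is not part of this reference and not Apple's code: a Python checker that evaluates a candidate passcode directly against the page's definitions and separately against the policyAttributePassword regexes quoted for macOS 10.10+, so the two can be compared. The sample policy is constructed here; the three-character run used to detect a simple passcode is an assumption, since the page does not define the run length.

```python
"""Evaluate a candidate passcode against this payload's quality keys.

Added example (not Apple's code): implements the page's definitions of
allowSimple, minLength, minComplexChars and requireAlphanumeric directly,
and separately builds the policyAttributePassword regexes the page says
macOS 10.10+ derives from the same keys, so the two can be compared.
"""
import re

# Constructed sample policy using only keys documented on this page.
SAMPLE_POLICY = {
    "forcePIN": True,
    "allowSimple": False,
    "minLength": 8,
    "minComplexChars": 1,
    "requireAlphanumeric": True,
}

ALNUM = re.compile(r"[a-zA-Z0-9]")  # the character class the macOS rules use


def is_simple(passcode: str) -> bool:
    """Simple passcode per the page: repeated characters or an ascending or
    descending sequence (123, CBA).  Assumption: a run is three or more adjacent
    characters whose code points step by 0, +1 or -1; the page gives no length."""
    for i in range(len(passcode) - 2):
        a, b, c = (ord(ch) for ch in passcode[i:i + 3])
        step = b - a
        if step in (-1, 0, 1) and c - b == step:
            return True
    return False


def check_passcode(passcode: str, policy: dict) -> list:
    """Return the names of the keys the passcode violates (empty list = accepted)."""
    failures = []
    if policy.get("forcePIN", False) and not passcode:
        failures.append("forcePIN")
    if len(passcode) < policy.get("minLength", 0):
        failures.append("minLength")
    complex_chars = sum(1 for ch in passcode if not ALNUM.fullmatch(ch))
    if complex_chars < policy.get("minComplexChars", 0):
        failures.append("minComplexChars")
    if policy.get("requireAlphanumeric", False) and not re.search(r"[a-zA-Z]", passcode):
        failures.append("requireAlphanumeric")
    # The page notes that minComplexChars > 0 implies allowSimple = false.
    simple_ok = policy.get("allowSimple", True) and policy.get("minComplexChars", 0) == 0
    if not simple_ok and is_simple(passcode):
        failures.append("allowSimple")
    return failures


def macos_rules(policy: dict) -> dict:
    """policyAttributePassword regexes as quoted on this page for macOS 10.10+;
    the literal counts in the page's examples are replaced by the policy values."""
    rules = {}
    if policy.get("minComplexChars", 0) > 0:
        rules["minComplexChars"] = r"(.*[^a-zA-Z0-9].*){%d,}" % policy["minComplexChars"]
    if policy.get("minLength", 0) > 0:
        rules["minLength"] = r".{%d,}" % policy["minLength"]
    if policy.get("requireAlphanumeric", False):
        rules["requireAlphanumeric"] = r"^(?=.*[0-9])(?=.*[a-zA-Z]).+"
    return rules


def macos_accepts(passcode: str, policy: dict) -> bool:
    """A 'matches' rule has to match the whole password, hence fullmatch."""
    return all(re.fullmatch(rx, passcode) for rx in macos_rules(policy).values())


if __name__ == "__main__":
    for candidate in ("1234", "Tr0ub4dor&3", "kangaroo!x"):
        print(candidate, check_passcode(candidate, SAMPLE_POLICY),
              "macOS:", macos_accepts(candidate, SAMPLE_POLICY))
```

Running the block shows the divergence described above: "kangaroo!x" satisfies every iOS rule in the sample policy but fails the macOS requireAlphanumeric regex because it contains no digit.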

pinHistory

Passcode History

Number of unique passcodes required between passcode reuse

Type Default Required Regex iOS macOS Supervised
integer N/A N/A N/A N/A N/A N/A

When the user changes the passcode, it must not match any of the last N passcodes in the history. Minimum value is 1, maximum value is 50.

macOS
10.9+

maxGracePeriod

Grace Period for Device Lock

The maximum grace period, in minutes, to unlock the phone without entering a passcode

Type Default Required Regex iOS macOS Supervised
integer -1 N/A N/A N/A N/A N/A

Default is 0, meaning no grace period: the passcode is required immediately when the device is locked.

On macOS, this translates to the key askForPasswordDelay in the com.apple.screensaver domain, an integer number of seconds (the profile's minute value times 60) before the account must be unlocked again.

macOS
10.9+, Possibly earlier

allowFingerprintModification

Allow modification of Touch ID

Optional. Supervised only. Not supported on macOS. Allows the user to modify Touch ID. Default NO.

Type Default Required Regex iOS macOS Supervised
boolean False N/A N/A N/A N/A True

changeAtNextAuth

Change at next authentication

Optional. On macOS, setting this to true forces a password reset the next time the user authenticates. If this key is set in a device profile, the setting applies to all users, and admin authentications may fail until the admin user's password has also been reset.

Type Default Required Regex iOS macOS Supervised
boolean False N/A N/A N/A 10.13.0 N/A
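Putting the keys above together, as an added example that is not part of this reference and not Apple's or any vendor's code: a Python script that checks a policy dictionary against the value ranges this page states (the allowed range for maxFailedAttempts, pinHistory 1 to 50, the Profile Manager maxima for minComplexChars, minLength and maxPINAgeInDays), reports the macOS equivalents in the units the translations above use, and wraps the payload in a .mobileconfig plist. The sample policy, the PayloadIdentifier and the display name are placeholders chosen for the example.

```python
"""Build and sanity-check a com.apple.mobiledevice.passwordpolicy profile.

Added example, not Apple's code.  The value ranges enforced are the ones
stated on this page and the macOS equivalents follow the translations
described above.  Identifier and display name are placeholders.
"""
import plistlib
import uuid

PAYLOAD_TYPE = "com.apple.mobiledevice.passwordpolicy"

# Integer keys with (minimum, maximum) as stated on this page.
LIMITS = {
    "maxFailedAttempts": (1, 10),
    "pinHistory": (1, 50),
    "minComplexChars": (0, 4),
    "minLength": (0, 16),
    "maxPINAgeInDays": (1, 730),
}
MINUTE_KEYS = {"maxInactivity", "maxGracePeriod"}
BOOL_KEYS = {"forcePIN", "allowSimple", "requireAlphanumeric",
             "allowFingerprintModification", "changeAtNextAuth"}

# Constructed sample: 8+ characters with one symbol and letters, 10 tries,
# lock after 5 idle minutes, 1 minute grace period, rotate every 90 days.
EXAMPLE_POLICY = {
    "forcePIN": True,
    "allowSimple": False,
    "requireAlphanumeric": True,
    "minLength": 8,
    "minComplexChars": 1,
    "maxFailedAttempts": 10,
    "maxInactivity": 5,
    "maxGracePeriod": 1,
    "maxPINAgeInDays": 90,
    "pinHistory": 5,
}


def validate_policy(policy: dict) -> list:
    """Return human-readable problems; an empty list means the dict is usable."""
    problems = []
    for key, value in policy.items():
        is_int = isinstance(value, int) and not isinstance(value, bool)
        if key in BOOL_KEYS:
            if not isinstance(value, bool):
                problems.append(f"{key}: expected boolean, got {value!r}")
        elif key in LIMITS:
            lo, hi = LIMITS[key]
            if not is_int or not lo <= value <= hi:
                problems.append(f"{key}: expected integer in [{lo}..{hi}], got {value!r}")
        elif key in MINUTE_KEYS:
            if not is_int or value < 0:
                problems.append(f"{key}: expected non-negative minutes, got {value!r}")
        else:
            problems.append(f"{key}: not a key of this payload")
    # The page notes that minComplexChars > 0 implies allowSimple = false.
    if policy.get("minComplexChars", 0) > 0 and policy.get("allowSimple") is True:
        problems.append("allowSimple: true is overridden by minComplexChars > 0")
    return problems


def macos_equivalents(policy: dict) -> dict:
    """Values macOS derives per this page: com.apple.screensaver keys are in
    seconds, the 10.9 pwpolicy field is in minutes, the 10.10+ key in days."""
    out = {}
    if "maxInactivity" in policy:
        out["idleTime"] = policy["maxInactivity"] * 60
    if "maxGracePeriod" in policy:
        out["askForPasswordDelay"] = policy["maxGracePeriod"] * 60
    if "maxPINAgeInDays" in policy:
        out["maxMinutesUntilChangePassword"] = policy["maxPINAgeInDays"] * 24 * 60
        out["policyAttributeExpiresEveryNDays"] = policy["maxPINAgeInDays"]
    return out


def build_profile(policy: dict, identifier: str = "com.example.passcode") -> bytes:
    """Wrap the policy in a .mobileconfig (XML plist); rejects out-of-range values."""
    problems = validate_policy(policy)
    if problems:
        raise ValueError("; ".join(problems))
    payload = dict(policy, PayloadType=PAYLOAD_TYPE,
                   PayloadIdentifier=identifier + ".passwordpolicy",
                   PayloadUUID=str(uuid.uuid4()).upper(), PayloadVersion=1,
                   PayloadDisplayName="Passcode Policy")
    profile = {
        "PayloadType": "Configuration",
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": "Passcode Policy",
        "PayloadRemovalDisallowed": True,
        "PayloadContent": [payload],
    }
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def load_payload(profile_bytes: bytes) -> dict:
    """Parse a profile produced by build_profile and return its first payload."""
    return plistlib.loads(profile_bytes)["PayloadContent"][0]


if __name__ == "__main__":
    print(macos_equivalents(EXAMPLE_POLICY))
    print(build_profile(EXAMPLE_POLICY).decode())
```

The output plist is unsigned; sign it before distribution with the tooling your MDM uses. The validation deliberately rejects unknown keys, because a misspelled key is silently ignored by the device and leaves the passcode policy weaker than intended.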