Password Policy¶
On iOS, the key names generally reflect the expected functionality.
On macOS, these settings will affect the password policy of a directory node.
Additionally, some settings are applied via plist com.apple.screensaver. Most keys are translated into policy
settings, see Password Policy for more information.
Contents
Summary¶
| PayloadType: | com.apple.mobiledevice.passwordpolicy |
|---|---|
| Supervised Only: | |
| N/A | |
| macOS: | N/A |
| macOS Deprecated: | |
| N/A | |
| iOS: | N/A |
| iOS Deprecated: | N/A |
| Highlander: | N/A |
Keys¶
manualFetchingWhenRoaming¶
Manual Fetching When Roaming
Deprecated. Use allowGlobalBackgroundFetchWhenRoaming in the Restrictions payload instead.
| Type | Default | Required | Regex | iOS | macOS | Supervised |
|---|---|---|---|---|---|---|
| boolean | N/A | N/A | N/A | N/A | N/A | N/A |
allowSimple¶
Allow Simple Value
Permit the use of repeating, ascending, and descending character sequences
| Type | Default | Required | Regex | iOS | macOS | Supervised |
|---|---|---|---|---|---|---|
| boolean | True | N/A | N/A | N/A | N/A | N/A |
Note
A simple passcode is defined as containing repeated characters, or increasing/decreasing characters (such as 123 or CBA). Setting this value to false is synonymous to setting minComplexChars to “1”.
forcePIN¶
Require Passcode on Device
Enforce the use of a passcode before using the device
| Type | Default | Required | Regex | iOS | macOS | Supervised |
|---|---|---|---|---|---|---|
| boolean | True | N/A | N/A | N/A | N/A | N/A |
Note
Determines whether the user is forced to set a PIN. Simply setting this value (and not others) forces the user to enter a passcode, without imposing a length or quality.
maxFailedAttempts¶
Maximum Number of Failed Attempts
Number of passcode entry attempts allowed before all data on device will be erased
| Type | Default | Required | Regex | iOS | macOS | Supervised |
|---|---|---|---|---|---|---|
| integer | 0 | N/A | N/A | N/A | N/A | N/A |
Note
Allowed range [1...10]. Specifies the number of allowed failed attempts to enter the passcode at the device’s lock screen. Once this number is exceeded, the device is locked and must be connected to its designated iTunes in order to be unlocked.
maxInactivity¶
Auto-Lock
The number of minutes for which the device can be idle (without being unlocked by the user) before it gets locked by the system
| Type | Default | Required | Regex | iOS | macOS | Supervised |
|---|---|---|---|---|---|---|
| integer | N/A | N/A | N/A | N/A | N/A | N/A |
Default Infinity. Specifies the number of minutes for which the device can be idle (without being unlocked by the user) before it gets locked by the system. Once this limit is reached, the device is locked and the passcode must be entered.
In macOS, this translates to the key idleTime in /Library/Managed Preferences/com.apple.screensaver.plist, which
is the number of seconds until the screen is locked.
- macOS
- 10.9+, possibly earlier
maxPINAgeInDays¶
Maximum Passcode Age
The number of days for which the passcode can remain unchanged
| Type | Default | Required | Regex | iOS | macOS | Supervised |
|---|---|---|---|---|---|---|
| integer | N/A | N/A | N/A | N/A | N/A | N/A |
Default Infinity. Specifies the number of days for which the passcode can remain unchanged. After this number of days, the user is forced to change the passcode before the device is unlocked.
- macOS
- 10.9+
- macOS 10.9
- This translates into the pwpolicy global policy field maxMinutesUntilChangePassword
- macOS 10.10+
- This translates into an account policy containing the key policyAttributeExpiresEveryNDays equal to the maxInactivity value.
Note
Profile Manager lists the maximum PIN age for macOS to be 730 days.
minComplexChars¶
Minimum Number of Complex Characters
Smallest number of non-alphanumeric characters allowed
| Type | Default | Required | Regex | iOS | macOS | Supervised |
|---|---|---|---|---|---|---|
| integer | 0 | N/A | N/A | N/A | N/A | N/A |
Specifies the minimum number of complex characters that a passcode must contain.
A “complex” character is a character other than a number or a letter, such as &%$#.
- macOS
- 10.10+
- macOS 10.10+
- This translates into an account policy that contains the rule
policyAttributePassword matches '(.*[^a-zA-Z0-9].*){3,}'. The number 3 in the regex signifies the configured number of complex characters.
Note
This implies the setting allowSimple = FALSE if minComplexChars is > 0
Note
Profile Manager lists the maximum as being 4
minLength¶
Minimum Passcode Length
Smallest allowable number of characters in passcode
| Type | Default | Required | Regex | iOS | macOS | Supervised |
|---|---|---|---|---|---|---|
| integer | 0 | N/A | N/A | N/A | N/A | N/A |
Specifies the minimum overall length of the passcode. This parameter is independent of the also optional minComplexChars argument.
- macOS
- 10.10+
- macOS 10.10+
- This translates into an account policy that contains the rule
policyAttributePassword matches '.{4,}'. The number 4 in the regex signifies the number of characters required.
Note
Profile Manager lists the maximum as being 16
requireAlphanumeric¶
Require Alphabetic Value
Require passcodes to contain at least one letter
| Type | Default | Required | Regex | iOS | macOS | Supervised |
|---|---|---|---|---|---|---|
| boolean | False | N/A | N/A | N/A | N/A | N/A |
Specifies whether the user must enter alphabetic characters (“abcd”), or if numbers are sufficient.
- macOS
- 10.10+
- macOS 10.10+
- This translates into an account policy that contains the rule
policyAttributePassword matches '^(?=.*[0-9])(?=.*[a-zA-Z]).+'.
pinHistory¶
Passcode History
Number of unique passcodes required between passcode reuse
| Type | Default | Required | Regex | iOS | macOS | Supervised |
|---|---|---|---|---|---|---|
| integer | N/A | N/A | N/A | N/A | N/A | N/A |
When the user changes the passcode, it has to be unique within the last N entries in the history. Minimum value is 1, maximum value is 50.
- macOS
- 10.9+
maxGracePeriod¶
Grace Period for Device Lock
The maximum grace period, in minutes, to unlock the phone without entering a passcode
| Type | Default | Required | Regex | iOS | macOS | Supervised |
|---|---|---|---|---|---|---|
| integer | -1 | N/A | N/A | N/A | N/A | N/A |
The maximum grace period, in minutes, to unlock the phone without entering a passcode. Default is 0, that is no grace period, which requires a passcode immediately.
In macOS, this translates to the key askForPasswordDelay which is the number of seconds as an integer until you will need to unlock the account.
- macOS
- 10.9+, Possibly earlier
allowFingerprintModification¶
Allow modification of Touch ID
Optional. Supervised only. Not supported on macOS. Allows the user to modify Touch ID. Default NO.
| Type | Default | Required | Regex | iOS | macOS | Supervised |
|---|---|---|---|---|---|---|
| boolean | False | N/A | N/A | N/A | N/A | N/A |
changeAtNextAuth¶
Change at next authentication
Optional. On macOS, setting this to true will cause a password reset to occur the next time the user tries to authenticate. If this key is set in a device profile, the setting takes effect for all users, and admin authentications may fail until the admin user password is also reset.
| Type | Default | Required | Regex | iOS | macOS | Supervised |
|---|---|---|---|---|---|---|
| boolean | False | N/A | N/A | N/A | 10.13.0 | N/A |