Passcode MDM payload settings for Apple devices
You can specify whether a passcode is required to access and use an iPhone, iPad, or Mac enrolled in a mobile device management (MDM) solution. Use the Passcode payload to set iPhone or iPad device policies if you aren’t using Microsoft Exchange passcode policies. When the configuration profile is installed, users are asked to enter a passcode that meets the policies you specify. Otherwise, the profile won’t be installed. When the Passcode payload is installed on an iPhone or iPad device, users have 60 minutes to enter a passcode. If users don’t do so within that time frame, the payload forces them to enter a passcode using the specified settings.
If you use device passcode policies and Exchange passcode policies, the two sets of policies are merged and the strictest settings are enforced. For information about supported Exchange ActiveSync policies, see Microsoft Exchange in the Deployment Reference for iPhone and iPad.
OS and channel | Supported enrollment types | Interaction | Duplicates |
|---|---|---|---|
iOS iPadOS macOS device macOS user | User Device Automated Device | Combined | Single |
Setting | Description | Required |
|---|---|---|
Allow simple value | Permits users to use sequential or repeated characters in their passcodes—for example, “3333” or “DEFG.” | No |
Require alphanumeric value | Requires that the passcode contain at least one letter or number. | No |
Minimum passcode length | Specifies the minimum number of characters a passcode can contain. | No |
Minimum number of complex characters | Specifies the number of non-alphanumeric characters (such as $ and !) the passcode must contain. | No |
Maximum passcode age (in days) | Requires users to change their passcode at the interval you specify. It can be set to “none,” or from 1 to 730 days. | No |
Maximum Auto-Lock (in minutes) | If the device isn’t used for the period of time you specify, it automatically locks. It can be set to “none,” or set to lock after 1 to 5 minutes. Enter the passcode to unlock the device. | No |
Passcode history | The device refuses a new passcode if it matches a previously used passcode. You can specify how many previous passcodes are remembered and compared. It can be set to “none,” or from 1 to 50 passcodes. | No |
Maximum grace period for device lock | Specifies how soon the device can be unlocked again after use, without reprompting again for the passcode. | No |
Maximum number of failed attempts | The number of failed passcode attempts that can be made before an iOS or iPadOS device is erased or a macOS device is locked. If you don’t change this setting, after six failed attempts, the device imposes a time delay before a passcode can be entered again. The time delay increases with each failed attempt. After the final failed attempt, all data and settings are securely erased from the iOS or iPadOS device. A macOS device locks after the final attempt. The passcode time delay begins after the sixth attempt, so if you set this value to 6 or lower, no time delay is imposed and the device is erased when the attempt limit is exceeded. | No |
Delay after failed login attempts (macOS-only) | The number of minutes before the login window reappears, after the maximum number of failed attempts is reached. | No |
Force a password change when the user authenticates (macOS-only) | The user must enter a new password the next time they authenticate. | No |