Passcode MDM payload settings for Apple devices
You can specify whether a password or passcode is required to access and use an iPhone, iPad, or Mac enrolled in a mobile device management (MDM) solution. Use the Passcode payload to set iPhone and iPad device policies if you aren’t using Microsoft Exchange passcode policies. When the configuration profile is installed, users are asked to enter a password or passcode that meets the policies you specify. Otherwise, the profile won’t be installed. When the Passcode payload is installed on an iPhone or iPad, users have 60 minutes to enter a passcode. If users don’t do so within that time frame, the payload forces them to enter a passcode using the specified settings.
If you use device passcode policies and Exchange passcode policies, the two sets of policies are merged and the strictest settings are enforced. For more information about supported Exchange ActiveSync policies, see Integrate Apple devices with Microsoft Exchange.
The Passcode payload supports the following. For more information, see Payload information.
Supported payload identifier: com.apple.mobiledevice.passwordpolicy
Supported operating systems and channels: iOS, iPadOS, macOS device, watchOS.
Supported enrollment types: User Enrollment, Device Enrollment, Automated Device Enrollment.
Duplicates allowed: False—only one Passcode payload can be delivered to a device.
You can use the settings in the table below with the Passcode payload.
Use regular expression
Specifies a regular expression, and its description, used to enforce password compliance.
Password content description
(Part of use regular expression)
Contains a dictionary of keys for supported operating system language IDs (for example, “en-us”), and whose values represent a localized description of the policy enforced by the regular expression. Use the special default key for languages that aren’t contained in the dictionary.
Allow simple value
Permits users to use sequential or repeated characters in their passcodes or passwords—for example, “3333” or “DEFG.”
Require alphanumeric value
Requires that the passcode or password contain at least one letter and one number.
Specifies the minimum number of characters a passcode or password can contain.
Minimum number of complex characters
Specifies the number of characters (such as $ and !) that the passcode or password must contain.
Maximum passcode or password age (in days)
Requires users to change their passcode or password at the interval you specify. It can be set to “none” or from 1 to 730 days.
Maximum Auto-Lock (in minutes)
If the device isn’t used for the period of time you specify, it automatically locks. It can be set to “never” on devices using Automated Device Enrollment or Device Enrollment or can be set to lock after 1 to 5 minutes. Enter the passcode or password to unlock the device.
iPhone and iPad devices enrolled with User Enrollment honor this key, but the user is unable to choose “never.”
Passcode or password history
A device refuses a new passcode or password if it matches a previously used passcode or password. You can specify how many previous passcodes or passwords are remembered and compared. It can be set to “none,” or from 1 to 50 passcodes or passwords.
Maximum grace period for device lock
Specifies how soon a device can be unlocked again after use, without prompting again for the passcode or password. An iPhone and iPad can be adjusted for a more frequent rate. The options are immediately, 1, 5, 10, 15 minutes, or 1, 4, or 8 hours.
Maximum number of failed attempts
Forces a device to be erased after a specified number of incorrect attempts.
If you don’t change this setting, after six failed attempts, the device imposes a time delay before a passcode or password can be entered again.
The time delay increases with each failed attempt. After the final failed attempt, all data and settings are securely erased from the iOS or iPadOS device. After the final attempt on a Mac computer, the user account gets disabled.
The passcode or password time delay begins after the sixth attempt, so if you set this value to 6 or lower, no time delay is imposed and the device is erased when the attempt limit is exceeded.
Delay after failed login attempts
The number of minutes before the login window reappears, after the maximum number of failed attempts is reached.
Force a password change when the user authenticates
Forces users to enter a new password the next time they authenticate.
Note: Each MDM vendor implements these settings differently. To learn how Passcode settings are applied to your devices, consult your MDM vendor’s documentation.