Passcode declarative configuration for Apple devices
You can specify whether a password or passcode is required to access and use an iPhone, iPad, or Mac enrolled in a mobile device management (MDM) solution. Use the passcode configuration to set iPhone and iPad device policies if you aren’t using Microsoft Exchange passcode policies. When the configuration profile is installed, users are asked to enter a password or passcode that meets the policies you specify. Otherwise, the profile won’t be installed. When the passcode configuration is installed on an iPhone or iPad, users have 60 minutes to enter a passcode. If users don’t do so within that time frame, the configuration forces them to enter a passcode using the specified settings.
If you use device passcode policies and Exchange passcode policies, the two sets of policies are merged and the strictest settings are enforced. For more information about supported Exchange ActiveSync policies, see Integrate Apple devices with Microsoft Exchange.
The Passcode configuration supports the following:
Minimum supported operating systems and channels: iOS 15, iPadOS 15, Shared iPad user, macOS 13 device, macOS 13 user, watchOS 10, visionOS 2.0.
Requires supervision: No.
Supported enrollment types: User Enrollment, Device Enrollment, Automated Device Enrollment.
Setting | Description | Required |
---|---|---|
Use regular expression (macOS 14) | Specifies a regular expression, and its description, used to enforce password compliance. | No |
Password content description (part of Use regular expression) (macOS 14) | Contains a dictionary of keys for supported operating system language IDs (for example, “en-us”) whose values represent a localized description of the policy enforced by the regular expression. Use the special default key for languages that aren’t contained in the dictionary. | No |
Require passcode on device | Requires the user to set a passcode without any requirements about the length or quality of the passcode. The presence of any other keys implicitly requires a passcode, and overrides this key’s value. | No |
Require complex passcode | Requires a complex passcode. A complex passcode is one that doesn’t contain repeated characters or increasing or decreasing characters (such as “123” or “CBA”), and must contain at least one nonnumeric or nonalphabetic character. | No |
Maximum number of failed attempts | Forces a device to be erased after a specified number of incorrect attempts. If you don’t change this setting, after six failed attempts, the device imposes a time delay before a passcode or password can be entered again. The time delay increases with each failed attempt. After the final failed attempt, all data and settings are securely erased from the iOS or iPadOS device. After the final attempt on a Mac computer, the user account gets disabled. The passcode or password time delay begins after the sixth attempt, so if you set this value to 6 or lower, no time delay is imposed and the device is erased when the attempt limit is exceeded. | No |
Maximum grace period | The maximum period that a user can select, during which the user can unlock the device without a passcode. A value of 0 means no grace period, and the device requires a passcode immediately. In the absence of this key, the user can select any period. macOS translates this to screensaver settings. | No |
Automatic device lock | The maximum period that a user can select, during which the device can be idle before the system automatically locks it. When the device reaches this limit, the device locks and the user must enter the passcode to unlock it. In the absence of this key, the user can select any period. macOS translates this to Screen Saver settings. | No |
Passcode reuse limit | A device refuses a new passcode or password if it matches a previously used passcode or password. You can specify how many previous passcodes or passwords are remembered and compared. It can be set to “none,” or from 1 to 50 passcodes or passwords. | No |
Note: Each MDM vendor implements these settings differently. To learn how Passcode settings are applied to your devices, consult your MDM vendor’s documentation.
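
As an added example (not Apple's code and not part of the original page), the following Python lints a passcode declaration against the behaviours the table describes: the implicit passcode requirement, the missing time delay at 6 or fewer failed attempts, absent grace-period and auto-lock limits, the 1 to 50 reuse range, and the default description key. The payload key names and declaration type are assumed from Apple's declarative device management schema and do not appear on this page; the sample declaration is constructed.

```python
# Added example: lint a passcode declaration against the table's documented behaviour.
# Key names are assumed from Apple's declarative schema; verify against your MDM's output.
import json

# Constructed sample declaration (identifier and values are illustrative only).
SAMPLE = json.loads("""
{
  "Type": "com.apple.configuration.passcode.settings",
  "Identifier": "example.passcode.policy",
  "Payload": {
    "RequirePasscode": false,
    "RequireComplexPasscode": true,
    "MaximumFailedAttempts": 5,
    "MaximumInactivityInMinutes": 5,
    "PasscodeReuseLimit": 75,
    "CustomRegex": {
      "Regex": "^(?=.*[0-9]).{10,}$",
      "Description": {"en-us": "At least 10 characters, including a digit."}
    }
  }
}
""")

def lint_passcode(declaration):
    """Return a list of findings for one passcode declaration."""
    p = declaration.get("Payload", {})
    findings = []
    # Any other key implicitly requires a passcode and overrides RequirePasscode.
    if p.get("RequirePasscode") is False and any(k != "RequirePasscode" for k in p):
        findings.append("RequirePasscode=false is overridden by the other keys")
    # The time delay starts after the sixth attempt, so 6 or lower erases with no delay.
    attempts = p.get("MaximumFailedAttempts")
    if attempts is not None and attempts <= 6:
        findings.append(f"MaximumFailedAttempts={attempts}: no time delay before erase")
    # Without these keys the user can select any period.
    for key in ("MaximumGracePeriodInMinutes", "MaximumInactivityInMinutes"):
        if key not in p:
            findings.append(f"{key} absent: user can select any period")
    reuse = p.get("PasscodeReuseLimit")
    if reuse is not None and not 1 <= reuse <= 50:
        findings.append(f"PasscodeReuseLimit={reuse}: must be from 1 to 50")
    # Languages missing from the dictionary fall back to the 'default' key.
    regex = p.get("CustomRegex")
    if regex is not None and "default" not in regex.get("Description", {}):
        findings.append("CustomRegex.Description has no 'default' key")
    return findings

if __name__ == "__main__":
    print("\n".join(lint_passcode(SAMPLE)))
```
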