How to enforce a password policy on managed devices

Noel Rivera

May 29, 2020

What is a password policy?  

A password policy is a set of rules designed to enforce strong passwords and secure practices around their use in an organization. These rules may cover minimum password length, complexity requirements, required special characters, and so on.  

Password policies work towards improving the safety of corporate data stored within the devices, systems, and networks coming under the purview of the enterprise.  

Many organizations lack the security measures required for today’s cyber landscape. You might think your organization or your employees would be more conscious when it comes to password creation, but if you look at the most popular passwords of 2020 you will see that passwords such as 12345678, qwerty and 12341234 top the chart. A chink in the armor is therefore highly likely, and an airtight password policy is how it is mitigated.   

In this blog, we’ll be looking at a few best practices to follow to create an effective password policy and how these practices can be applied to your organization with the help of Hexnode MDM.  

Best practices for a password policy  

This is the bread and butter of any password policy. With the help of these fundamentals, you can build a password policy that could protect the devices, networks, and systems that come within your organization.  

Password history  

A rule can be set on how often employees are allowed to reuse old passwords. Enforce a password history policy that determines how many unique passwords an employee must set before an old one can be reused; employees should have to go through at least 3-5 unique passwords first. 

Password age  

The admin and the IT team have to set an expiry date for the passwords used by employees on their work devices. Passwords on such devices need to be updated regularly to improve the security posture of your organization. Set a password age so that this happens, and so that employees update their passwords on their own volition.  

Complexity requirements  

Complex passwords are hard to guess and therefore harder to crack. A solid complex password should be at least six characters long, should not contain any user name elements (such as the user’s first name), and should use several types of characters: lower case and upper case letters, numbers, and symbols such as !, * and +. Set password complexity requirements in your password policy to make sure that employees adhere to the complexity standards and create strong passwords. 

Password length  

Password length also plays a major role in determining the strength of a password. Defining a minimum password length is therefore crucial for organizations: it should ideally be 12 characters, and can be raised to 16 to add to the password’s complexity and security. 

Account lockout  

Include an account lockout policy that determines how long the device remains locked after a certain number of invalid password entries. Select the lock-out period that should start once the maximum number of erroneous password attempts has been made. 
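The rules in this section, as an added example (not Hexnode’s code or any MDM product’s): a small Python checker that enforces the length, complexity, user name, history and age rules from the best practices above. The 90-day maximum age is an assumption, since the page recommends an expiry but gives no number.

```python
"""Checker for the best-practice rules above (added example, not Hexnode's
code). Defaults follow the page: 12-character minimum, several character
types, complex characters, no user name elements, a 3-5 password history.
The 90-day maximum age is an assumption; the page sets no number."""
import re
from dataclasses import dataclass
from datetime import date, timedelta

SYMBOLS = set("!@#$%^&*()-_=+[]{};:'\",.<>/?\\|`~")  # "complex characters"

@dataclass
class PasswordPolicy:
    min_length: int = 12        # page: ideally 12, up to 16
    min_classes: int = 4        # lower, upper, digit, symbol
    min_complex_chars: int = 1  # symbols such as ! * +
    history_size: int = 5       # last N passwords cannot be reused
    max_age_days: int = 90      # assumption, see module docstring

def check_password(policy, candidate, username, history):
    """Return the list of rule violations; an empty list means compliant.
    `history` is the user's previous passwords, oldest first (a real
    system would store and compare hashes rather than plaintext)."""
    problems = []
    if len(candidate) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    classes = sum([any(c.islower() for c in candidate),
                   any(c.isupper() for c in candidate),
                   any(c.isdigit() for c in candidate),
                   any(c in SYMBOLS for c in candidate)])
    if classes < policy.min_classes:
        problems.append(f"uses {classes} character types, needs {policy.min_classes}")
    if sum(c in SYMBOLS for c in candidate) < policy.min_complex_chars:
        problems.append(f"fewer than {policy.min_complex_chars} complex characters")
    # No user name elements such as a first or last name (3+ characters).
    for part in re.split(r"[.\s_-]+", username.lower()):
        if len(part) >= 3 and part in candidate.lower():
            problems.append(f"contains user name element '{part}'")
    if candidate in history[-policy.history_size:]:
        problems.append(f"reuses one of the last {policy.history_size} passwords")
    return problems

def password_expired(policy, last_changed, today):
    """Password age rule for ISO dates, e.g. "2020-01-01"."""
    age = date.fromisoformat(today) - date.fromisoformat(last_changed)
    return age > timedelta(days=policy.max_age_days)
```

The same checks map onto the per-platform settings Hexnode exposes later in the post (minimum length, complex characters, passcode history, passcode age).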

Now that we have an idea of the best practices to follow while preparing a password policy, let’s see how we can put these tips into action using Hexnode MDM. 

Password policy management with Hexnode

Hexnode allows the admin to configure the password rules to be maintained by the end-users. These rules define the complexity and strength of the password which in turn increases the safety of the device. 

These rules are pushed to specific devices as policies through the Hexnode MDM console using the following path. 

Policies Tab > New Policy > Select relevant platform > Password/Passcode 

The IT admin can also check the password compliance of each device through Hexnode’s portal. This way the admin can initiate further actions if necessary. The compliance depends upon the restrictions which are stipulated below.

The following are the restrictions which the admin can use in these policies across multiple platforms 

iOS and macOS devices 

When pushing a passcode policy to an iOS device, the employee is required to set up a device passcode specific to the set passcode rules. Specifically, for iOS devices, these are the different scenarios that might happen while setting up a password policy. 

  • If the device already has a passcode that complies with the passcode rules set: no change is required, and the device can be unlocked with the same passcode. 
  • If the device has a passcode that does not comply with the passcode rules set: a pop-up asks the user to reset the passcode according to the rules. The user is asked to enter the old passcode, and then to set a new passcode that follows the rules applied to the device. 
  • If the device does not have a passcode: a pop-up asks the user to set a device passcode based on the passcode rules pushed to the device through the policy. 

For macOS devices, the configurations or rules can be set up directly. 

These are the configurations or rules for iOS and macOS devices. 

  • Allow Simple value: By allowing simple values, employees can set passwords made of simple sequences like ABCDE or 12345. This is allowed by default. For security purposes, it is better to disallow simple values as passwords, since they are easier to guess. 
  • Require Alphanumeric value: Alphanumeric passwords combine letters and digits, like a1b2c3. From a security standpoint, setting this as a requirement improves the security posture of the device. 
  • Minimum Passcode length: A password length ranging from 1 to 16 can be selected. If you select a certain length, say 10, a password shorter than 10 characters won’t be allowed. Password length is one of the fundamentals of a strong password policy, so choose wisely. As stated earlier, our suggestion would be a password of 12 to 16 characters. 
  • Minimum Complex characters: As we said earlier, complexity is one of the key rules to apply to a password policy. A password’s complexity can be increased by adding complex characters such as !, @, #, etc. These characters make the password much stronger than a simple value or a plain alphanumeric password. You can set the range from 1 to 4 characters through Hexnode. 
  • Maximum Passcode age: You can set a value from 1 to 730 (in days), after which the password becomes invalid and needs to be updated. Once the password expires, the device remains locked until a new password is set and applied. 
  • Autolock: You can either choose Never to disable auto-lock, or set a value from 1 to 15 (in minutes) after which the device will be locked automatically. This is an especially important feature because an unlocked device left unattended by an employee is a huge security risk. To enhance security, it is always better to enable this configuration and set a value that suits you. 
  • Passcode History: You can have the device store the last 1 to 50 passcodes so that those passcodes cannot be set again for the specified number of changes. Suppose you set the value to 5 and an employee has the passcode qwerty123. If the employee changes the current passcode, qwerty123 cannot be used for the next five passcode changes. The more unique passwords users are made to enter, the better. Unique passwords are harder to crack and hence lead to better security. 
  • Grace Period: The period within which a user can unlock the device without entering the passcode. Values are None, Immediately, 1 minute, 5 minutes, 15 minutes, 1 hour, and 4 hours. If the value is set to 5 minutes, employees can unlock their device within 5 minutes of it locking without using a passcode. 
  • Failed Attempts (iOS only): You can have the device wipe its data by setting a value from 4 to 10 attempts. If an employee enters a wrong passcode the specified number of times, the device data will be wiped automatically. 

Android and Android work profile 

While setting up a password policy for Android, when you select the password option you are given two choices: device password and work profile password. The device password, as the name suggests, applies to the device as a whole: it locks the entire device, and any configurations or rules set apply to the whole device. The work profile password deals with the Android work profile, the separate, encrypted work container that can be created inside an Android device to separate work data from personal data, so any password policy pushed via the work profile password applies only to this container.  

The following are the configurations available to both Android and Android work profile. 

  • Password requirements: You can select the type of characters that the user needs to use in a passcode. It can be simple value, numbers, alphabets, alphanumeric or complex value. The default value is ‘simple value’. As said earlier, for enhanced security a complex password is always desirable.  
  • Minimum Password Length: The password length can be set anywhere between 4 and 16 characters. This is not applicable to simple value or numerical passwords. 
  • Password age: The number of days before which the passcode needs to be changed. It can take the values Never, 10, 20, 50, 70, 120, 250, 360, 470, 600 or 720. If 50 is set, the passcode will expire after 50 days, and the employee should change their passcode before then. 
  • Auto-Lock after: Set the amount of idle time before the device is locked automatically. The available values are never, 1 minute, 2 minutes, 3 minutes, 4 minutes, 5 minutes, 10 minutes, and 15 minutes. By default, auto-lock is disabled. If 5 minutes is set and the device is idle for 5 minutes, the device will be locked automatically. In the case of a work profile, the whole device doesn’t go into lockdown, only the apps present within the work profile. 
  • Password History: Similar to the configuration in iOS, the device can remember the last 1 to 50 passwords set on the work device. Consider the value set as 3. A user’s current passcode is asdf1234. If he changes this passcode, the current passcode cannot be used for the next 3 changes. 
  • Failed Attempts: In the case of a device password, you can wipe the entire data from the device after a set number of failed attempts. In the case of a work profile, only the data in the work container would be removed.  
  • Complexity Requirements: Whenever “complex password” is selected as the passcode requirement, the admin can dictate certain parameters for the characters in the password. These include: 
      • Minimum number of letters (alphabets) in the password 
      • Minimum uppercase letters 
      • Minimum lowercase letters 
      • Minimum non-alphabetical characters 
      • Minimum symbols 

Windows devices 

Hexnode MDM facilitates strict password policy compliance on users of Windows devices, thereby preventing unauthorized access to the device. 

  • Allow simple value: You can select this option to enable users to set simple passwords (without special characters or numbers) on their devices. Similar to the options we saw on Android, iOS, and macOS. 
  • Password type: For Windows devices, you have the option of configuring a numeric or an alphanumeric password. You can also leave it up to the employee to choose the type of password; this is the default setting. 
  • Password age: Select the maximum number of days before which the password needs to be changed. You can set any value in the range of 0 – 730 days. 
  • Auto-lock: Similar to Android, iOS, and macOS devices, you can set a time value for auto-locking the device if it remains idle for too long. 
  • Password History: Password history is set to block the users from reusing the password for a specified number of times. You can set any value in the range 0 – 50. 

Removing the password from a device

Now that you have set an airtight password policy, let’s look at a scenario where the employee might not be available to unlock the device for you. They might have left the organization without handing over the password they set. In such cases you can remotely reset the password on Android and iOS devices.  

Beyond what Hexnode MDM can provide, you as an IT manager can instill some knowledge among the users so that the password policy succeeds from the inside out. 

Make sure the employees are aware of the importance of a strong password

The IT department should make sure that employees are well aware of the importance of a strong password. According to Verizon’s Data Breach Investigations Report 2016, about 80% of hacking attempts occur due to stolen, default, or weak credentials. You can curb this issue to an extent by giving employees relevant knowledge about strong passwords. The IT department should take responsibility for explaining the issues and losses the company could face if such a breach happens. Employees should be made aware of all the risks, common or complex, caused by lax password security. 

Define a strong password if the employees have doubts 

Strong password creation should be taken up as part of cyber-security enhancement, and the IT department should be able to help employees set up a strong password if necessary. The IT department can use the best practices mentioned above to give employees an idea of what a strong password is. The various tenets of a strong password, such as its length, number of complex characters, and password history, should be explained to them if need be. 

A strong password policy is an absolute necessity in today’s cyber world. It is often overlooked by organizations, and they have paid for it dearly. Do not make that same mistake. Always remember: data that is worth keeping is worth protecting.
