Enforce passcode requirements on iOS devices using a configuration profile
Mobile devices used by an organization can store sensitive information that requires protection. One of the key security measures that organizations can take to safeguard their devices and data is to use a passcode. However, enforcing passcode requirements across a fleet of iOS devices can be a challenge, especially for IT administrators who need to ensure that all devices meet specific security standards. This is where configuration profiles come into play. By leveraging a configuration profile, IT administrators can easily set passcode requirements and enforce them across all iOS devices within their network.
To deploy this profile to multiple devices, you can use Hexnode’s Deploy Custom Configuration feature.
Set up passcode requirements
Use the custom configuration profile to enforce the passcode requirements on the devices.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>allowSimple</key>
            <true/>
            <key>maxFailedAttempts</key>
            <integer>11</integer>
            <key>maxGracePeriod</key>
            <integer>0</integer>
            <key>maxInactivity</key>
            <integer>2</integer>
            <key>maxPINAgeInDays</key>
            <real>30</real>
            <key>minComplexChars</key>
            <integer>0</integer>
            <key>minLength</key>
            <integer>0</integer>
            <key>pinHistory</key>
            <real>1</real>
            <key>requireAlphanumeric</key>
            <false/>
            <key>PayloadIdentifier</key>
            <string>com.apple.mobiledevice.passwordpolicy.A8968855-5A96-4286-B5F6-6BF0C99BA1E1</string>
            <key>PayloadType</key>
            <string>com.apple.mobiledevice.passwordpolicy</string>
            <key>PayloadUUID</key>
            <string>A8968855-5A96-4286-B5F6-6BF0C99BA1E1</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
        </dict>
    </array>
    <key>PayloadDisplayName</key>
    <string>Passcode</string>
    <key>PayloadIdentifier</key>
    <string>iOS.CB48718C-91C2-4A7D-B693-6A5CE5188AF3</string>
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadUUID</key>
    <string>8F96F276-2D17-460C-944E-A5FDB13A65C3</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
</dict>
</plist>
Configure the following keys in the configuration profile based on your preferences.
- The <key>allowSimple</key> key allows users to set a simple passcode that contains characters that are repeated or arranged in increasing or decreasing order. For example, 12345 or ABCDEF.
- The <key>maxFailedAttempts</key> key specifies the maximum number of unsuccessful attempts that a user can make to enter the correct passcode. If this limit is exceeded, the device will introduce a time delay before allowing another passcode entry. The length of the delay will progressively increase with each subsequent failed attempt. When this number is exceeded in iOS, the device is wiped. The minimum value is 2 and the maximum value can be 11.
- The <key>maxGracePeriod</key> key specifies the maximum grace period, in minutes, to unlock a phone without the need to enter a passcode. The default value is 0, indicating that there is no grace period, and a passcode is required immediately.
- The <key>maxInactivity</key> key sets the upper limit on the number of minutes that a device can remain idle without being unlocked by the user before the system automatically locks it. When this time limit is reached, the device is locked and requires the user to enter the passcode. While this setting can be customized by the user, it cannot exceed the maximum value specified here. The minimum value is 0 and the maximum value can be 15.
- The <key>maxPINAgeInDays</key> key determines the number of days for which the passcode can be used before it must be changed. Once this time period has elapsed, the user will be required to change the passcode before being able to unlock the device. The minimum value is 0 and the maximum value can be 730.
- The <key>minComplexChars</key> key determines the minimum number of complex characters that are required to be included in a passcode. Complex characters are defined as characters that are not numbers or letters, such as *^$#. Note that for User Enrollments, this property is not applicable. The minimum value is 0 and the maximum can be 4.
- The <key>minLength</key> key sets the minimum length required for a passcode. The minimum value is 0 and the maximum can be 16.
- The <key>pinHistory</key> key specifies the number of previous passcodes that a new passcode must not match. Assuming a value of 6 has been set, if a user changes their current passcode from “1234abc,” they will be unable to reuse it as their passcode for the next six attempts. The minimum value is 1 and the maximum can be 50.
- The <key>requireAlphanumeric</key> key requires the use of alphabetic characters in the passcode, in addition to numeric characters.
- If the <key>forcePIN</key> key is set to true, it forces the user to set a PIN.
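A pre-deployment check for the keys described above, as an added example that is not Hexnode's or Apple's own code: it parses a profile with Python's plistlib and reports values outside the ranges listed on this page. The function name, the two WARN heuristics and the sample data are assumptions of this example.

```python
import plistlib

POLICY_TYPE = "com.apple.mobiledevice.passwordpolicy"
# Inclusive ranges as stated on this page; maxGracePeriod has no stated range.
RANGES = {"maxFailedAttempts": (2, 11), "maxInactivity": (0, 15),
          "maxPINAgeInDays": (0, 730), "minComplexChars": (0, 4),
          "minLength": (0, 16), "pinHistory": (1, 50)}
BOOLEANS = ("allowSimple", "requireAlphanumeric", "forcePIN")

def _is_whole(v):
    # plistlib maps <integer> to int, <real> to float; bool is an int subclass.
    return not isinstance(v, bool) and (
        isinstance(v, int) or (isinstance(v, float) and v.is_integer()))

def lint_passcode_profile(data: bytes) -> list:
    """Return ERROR/WARN findings for each passcode payload in a profile."""
    profile = plistlib.loads(data)
    payloads = [p for p in profile.get("PayloadContent", [])
                if isinstance(p, dict) and p.get("PayloadType") == POLICY_TYPE]
    if not payloads:
        return ["ERROR: no passcode payload in profile"]
    findings = []
    for p in payloads:
        for key, (lo, hi) in RANGES.items():
            if key not in p:
                continue
            if not _is_whole(p[key]):
                findings.append(f"ERROR: {key} must be a whole number")
            elif not lo <= p[key] <= hi:
                findings.append(f"ERROR: {key}={int(p[key])} outside {lo}-{hi}")
        for key in BOOLEANS:
            if key in p and not isinstance(p[key], bool):
                findings.append(f"ERROR: {key} must be <true/> or <false/>")
        # Review heuristics chosen for this example, not vendor rules.
        if p.get("allowSimple") is True:
            findings.append("WARN: allowSimple permits passcodes like 12345")
        if not p.get("minLength"):
            findings.append("WARN: no minimum passcode length enforced")
    return findings

# Constructed sample carrying the same policy values as the profile above.
SAMPLE = plistlib.dumps({"PayloadType": "Configuration", "PayloadContent": [{
    "PayloadType": POLICY_TYPE, "allowSimple": True, "maxFailedAttempts": 11,
    "maxGracePeriod": 0, "maxInactivity": 2, "maxPINAgeInDays": 30.0,
    "minComplexChars": 0, "minLength": 0, "pinHistory": 1.0,
    "requireAlphanumeric": False}]})

if __name__ == "__main__":
    print("\n".join(lint_passcode_profile(SAMPLE)) or "no findings")
```

To check a real profile, pass the bytes of the .mobileconfig file to lint_passcode_profile before uploading it.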