Hexnode UEM Password Policy for iOS: Enforcing Device Security
The iOS Password Policy in Hexnode UEM allows administrators to enforce specific passcode requirements on enrolled devices (iOS, iPadOS) to ensure corporate data remains secured against unauthorized access. This policy can be configured and deployed to devices, users, or device groups via the Hexnode console.
Prerequisites
For effective passcode policy management on iOS devices:
- Supervision Status: Certain advanced passcode policies (e.g., minimum length restrictions) are most consistently enforced on Supervised iOS devices.
- Policy Association: The policy must be successfully associated with the target device(s), user(s) or user group(s).
General Passcode Settings
These general settings govern the core behavior and requirement for passcodes on the device.
| Settings | Function/Requirement | Supported Values |
|---|---|---|
| Allow simple value | Allows users to set simple passcodes (e.g., 1234, 1111). | Enabled / Disabled (Disabling forces complex passcodes) |
| Minimum Passcode Length | Sets the minimum number of characters required for the passcode. | 1 to 16 characters |
| Minimum complex characters | Specifies the minimum count of non-alphanumeric characters needed for complexity. | 1 to 4 characters |
| Require Alphanumeric Passcode | Forces the passcode to include a mix of alphabetic, numeric, and symbolic characters. | Enabled / Disabled |
Passcode History and Expiration
These settings manage the lifecycle of the passcode, enforcing rotation and preventing reuse of old passwords.
| Settings | Function/Requirement | Supported Values |
|---|---|---|
| Passcode History | Determines how many past passcodes the device remembers, preventing users from reusing recent passwords. | 1 to 50 previous passcodes |
| Maximum passcode age | Sets the expiration period, forcing the user to change the passcode after a specific number of days. | 1 to 730 days |
| Grace Period for device lock | Defines the maximum time (in seconds or minutes) the device can remain idle before the passcode is required. | Up to 4 hours (Customizable in seconds/minutes) |
Failed Attempts and Device Wipe
These security settings define the consequences of repeated incorrect passcode attempts, protecting sensitive corporate data.
| Settings | Function/Requirement | Supported Values |
|---|---|---|
| Failed Attempts | Sets the number of incorrect passcode attempts allowed before the device is automatically locked or wiped. | 4 to 10 attempts |
Deployment and Compliance
Procedure: Deploying the Policy
- Navigate: Go to Policies > Device Policies in the Hexnode console.
- Create/Select: Create a new policy or select an existing one.
- Configure: Under iOS > Enterprise, configure the Passcode settings.
- Save: Save the policy configuration.
- Associate: Navigate to Policy Targets and associate the policy with the required Devices, Users, or Groups.
- Save: Click Save to deploy the new passcode policy to the endpoints.
Compliance Enforcement
- Non-Compliance Action: If a device fails to meet the configured passcode requirements (e.g., the user's passcode is too short), Hexnode UEM Compliance Policies can be configured to mark the device as non-compliant.
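As an added example (not Hexnode's own code), the script below audits a passcode payload in a configuration-profile plist against the value ranges listed in the tables above and flags the simple-passcode setting. The key names are those of Apple's passcode payload (`com.apple.mobiledevice.passwordpolicy`); the mapping from Hexnode setting names to those keys is an assumption, and the sample profile is constructed.

```python
import plistlib

# Ranges from the tables on this page, keyed by Apple passcode-payload key names.
# The Hexnode-setting -> Apple-key mapping is an assumption of this example.
RANGES = {
    "minLength": (1, 16),          # Minimum Passcode Length
    "minComplexChars": (1, 4),     # Minimum complex characters
    "pinHistory": (1, 50),         # Passcode History
    "maxPINAgeInDays": (1, 730),   # Maximum passcode age
    "maxFailedAttempts": (4, 10),  # Failed Attempts
}
PASSCODE_TYPE = "com.apple.mobiledevice.passwordpolicy"

def audit_profile(raw: bytes) -> list[str]:
    """Return findings for every passcode payload in a .mobileconfig plist."""
    findings = []
    profile = plistlib.loads(raw)
    payloads = [p for p in profile.get("PayloadContent", [])
                if p.get("PayloadType") == PASSCODE_TYPE]
    if not payloads:
        return ["no passcode payload present"]
    for p in payloads:
        # Apple's default for allowSimple is true, so an unset key is a finding.
        if p.get("allowSimple", True):
            findings.append("allowSimple is enabled or unset: simple PINs accepted")
        if not p.get("requireAlphanumeric", False):
            findings.append("requireAlphanumeric is disabled or unset")
        for key, (lo, hi) in RANGES.items():
            if key not in p:
                findings.append(f"{key} not set")
            elif not lo <= p[key] <= hi:
                findings.append(f"{key}={p[key]} outside {lo}-{hi}")
    return findings

# Constructed sample profile (not exported from a real console).
SAMPLE = plistlib.dumps({
    "PayloadContent": [{
        "PayloadType": PASSCODE_TYPE,
        "allowSimple": True,
        "requireAlphanumeric": True,
        "minLength": 8,
        "minComplexChars": 1,
        "pinHistory": 5,
        "maxPINAgeInDays": 900,
        "maxFailedAttempts": 6,
    }],
})

if __name__ == "__main__":
    print("\n".join(audit_profile(SAMPLE)))
```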
Troubleshooting
- Why are users unable to set their preferred passcode?
Check the Minimum Passcode Length and Minimum complex characters settings. These strict policies override user preferences to enforce complexity.
- Why is the device not enforcing the policy immediately?
The device must successfully check in with the Hexnode server to receive the new policy payload. Verify the device has an active network connection.
Frequently Asked Questions (FAQs)
- Can the grace period setting be bypassed?
No. The Grace Period for device lock is enforced by the operating system once the policy is applied, requiring the passcode after the specified idle time.
- What happens if the passcode history is set too high?
A very high Passcode History (e.g., 50) means that each time users are forced to change their passcode, the new one must differ from every remembered passcode, which can lead to users forgetting their passcodes.
- What is the risk of enabling ‘Allow simple value’?
Enabling this reduces security significantly, as it allows simple PINs (like 4-digit numbers) which are easy to guess or crack. It should be disabled in high-security environments.
