
How to Set Passcode Rules for macOS using Hexnode MDM?

A passcode unlocks a device, thereby providing access to the device's features. Beyond unlocking the device, the passcode is also required when you set up advanced security settings, such as an iCloud account. Setting up an iCloud account gives access to features like Find My Mac, which is itself an advanced security feature.

Configure passcode settings via policy

To set up passcode restrictions from your Hexnode MDM console:

  1. Click on the Policies tab.
  2. Continue with a policy you’ve saved before, or create a new one by clicking on New Policy.
  3. Under macOS, select Passcode.
  4. Press the Configure button if you don’t have a policy which has the passcode rules already configured.


| Password Settings | Description |
| --- | --- |
| Allow simple value | Allows users to set a simple password such as abcd or 1234 on their device. Simple passcodes are allowed by default. |
| Require alphanumeric value | Forces users to set an alphanumeric password, such as abcd1234, on their device. An alphanumeric value is not required by default. |
| Minimum passcode length | The minimum length that a passcode must have. The minimum value that can be set is 1 and the maximum is 16. If the minimum passcode length is set to 7, users cannot set a passcode with 6 characters. This setting can be skipped, and is skipped by default. |
| Minimum complex characters | The minimum number of special characters (such as #, $ or &) a passcode must have. Allowed values are from 1 to 4. If set to 2, a passcode with one or no special characters (pqr$ or abcd) is not allowed. This setting is not configured by default. If you are not going to set it up, leave it as it is. |
| Maximum passcode age in days | The number of days for which a passcode remains valid; after that, the user cannot use the device until they change the passcode. A prompt to change the password is displayed on the screen when the current one expires. Available values are 0 to 730 (in days), with 0 as the default value. Use 0 to skip this option. |
| Auto lock | Automatically locks the device if it is idle for the specified amount of time. Available values are never (default), 1 minute, 2 minutes, 3 minutes, 4 minutes, 5 minutes, 10 minutes and 15 minutes. |
| Passcode history | Lets the device store recently used passcodes, which cannot be reused when changing the passcode. The available values are from 0 to 50, with 0 (default) skipping this option. Setting a value of 5 stores the five most recently used passcodes on the device and blocks any attempt by a user to reuse one of them when changing the passcode. Adding a 6th passcode deletes the first one. |
| Grace period for device to lock | The time limit within which a device can be unlocked without a passcode. Values are none (default), immediately, 1 minute, 5 minutes, 15 minutes, 1 hour and 4 hours. If 5 minutes is set, the device can be unlocked within 5 minutes without using a passcode. |
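
To see how the content rules described above combine before you push a policy, the following added example (not Hexnode's or Apple's code) models which candidate passcodes a given set of values would reject. The field names are hypothetical, the definitions of a simple value and of a special character are assumptions, and the history is kept as plain strings only for illustration.

```python
from collections import deque
from dataclasses import dataclass


@dataclass
class PasscodePolicy:
    # Hypothetical field names; defaults mirror the settings above (rule not enforced).
    allow_simple: bool = True
    require_alphanumeric: bool = False
    min_length: int = 0         # 0 = skipped, otherwise 1 to 16
    min_complex_chars: int = 0  # 0 = not configured, otherwise 1 to 4
    history: int = 0            # 0 = skipped, otherwise 1 to 50


def is_simple(passcode):
    """Assumed definition: one repeated character, or a run such as abcd or 4321."""
    steps = {ord(b) - ord(a) for a, b in zip(passcode, passcode[1:])}
    return len(passcode) > 1 and steps in ({0}, {1}, {-1})


def violations(passcode, policy, previous=()):
    """Return the names of the rules a candidate passcode breaks."""
    broken = []
    if not policy.allow_simple and is_simple(passcode):
        broken.append("simple value")
    has_letter = any(c.isalpha() for c in passcode)
    has_digit = any(c.isdigit() for c in passcode)
    if policy.require_alphanumeric and not (has_letter and has_digit):
        broken.append("alphanumeric")
    if len(passcode) < policy.min_length:
        broken.append("minimum length")
    # Assumption: any non-alphanumeric character counts as a special character.
    if sum(not c.isalnum() for c in passcode) < policy.min_complex_chars:
        broken.append("complex characters")
    if passcode in previous:
        broken.append("history")
    return broken


def remember(previous, passcode, policy):
    """Keep the most recent `policy.history` passcodes; the oldest one drops off."""
    kept = deque(previous, maxlen=policy.history)
    kept.append(passcode)
    return kept
```
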

Associating Passcode Restrictions to a Device

If you haven’t saved the policy yet:

  1. Go to the Policy Targets tab.
  2. Click on + Add Devices.
  3. Search for and select devices which the policy needs to be associated with.
  4. Done adding devices? Click OK.

To add more devices to the list, click on + Add Devices again. This will not affect your previous selection. You can also associate policies with device groups, users, user groups or domains from the left pane underneath the Policy Targets tab.

If you are on a page that lists the policies,

  1. Check a policy.
  2. Select Associate Targets from the Manage drop-down.
  3. Add devices to get the policy associated.