
How to Set Passcode Rules for macOS Devices?

Devices used for work should have a stronger security posture than personal devices. The macOS device password protects the corporate apps and resources on it from unauthorized access. Using Hexnode UEM, you can remotely configure enterprise-grade password criteria for macOS devices. A device is marked as non-compliant if its password fails to meet the requirements that have been set, or if no password is configured on it.

Note

  • This feature is supported only on the Enterprise, Ultimate and Ultra pricing plans.
  • The password policy attached to a device via Hexnode will not be enforced in the case of network users logging into their Mac. Their password policy will be managed by the directory.

Configuring macOS Passcode Settings

To set up passcode restrictions,

  1. Log in to the Hexnode MDM portal.
  2. Go to Policies and create a new policy or edit an existing one.
  3. For a new policy, add a policy name (mandatory before the policy can be saved) and an optional description.
  4. Navigate to macOS > Passcode > Configure to view the passcode restrictions available on macOS.

Passcode configurations:

Password settings and what each one does:

Allow simple value: Uncheck this option to block users from setting simple values as the device passcode. Simple values include structured and repeating character sequences (for instance: abcd, 1234, etc.). By default, this option is checked.

Require alphanumeric value: Check this option to enforce an alphanumeric device password, that is, a mix of letters and numbers. By default, this field is unchecked. If enabled, the password must contain at least 1 letter and 1 number.

Change password at next login: If this option is checked, the user is prompted to change the password to meet the required criteria the next time they log in.
Exceptions:
  • If the password policy is reapplied after modifications with Change password at next login enabled, System Preferences or other locked settings on the device may no longer be unlockable with the existing password, even before the next login. In such cases, the user should change the password using the Change Password button in Users & Groups preferences.
  • On Macs with Apple silicon, if the Lock Device action is initiated from the portal while a password policy with this option enabled is applied, the admin password cannot be used to unlock the device. The device must be wiped before the user can log in to it again.

Minimum passcode length: Set the minimum length of the device passcode. It can be any integer between 1 and 16. If the minimum passcode length is set to 7, users are blocked from setting a password with 6 or fewer characters. By default, this field is left empty, meaning Hexnode does not change the passcode length setting on the Mac.

Minimum complex characters: Enter the minimum number of special characters (numbers, uppercase letters and symbols such as #, $, &) that the passcode must contain. It can take a value between 1 and 4. If 2 is configured, a password with fewer than 2 special characters cannot be set. By default, Hexnode does not update this setting on the device.
Note: When setting a password with special characters, it is recommended to exclude characters like ¡, ™, £, ¢, ∞, §, ¶, •, ª, º, –, ≠, «, ‘, “, æ, …, ÷, ≥, ≤.

Maximum passcode age in days: The passcode age is the maximum number of days after which the passcode expires. Once the set period has elapsed, the passcode that was used to unlock the device becomes invalid and the user can unlock the device only after changing the password. You can set a value between 0 and 730 days. The default is 0, meaning the OS never forces the password to expire.
Note: After a password policy is associated, if the user alters the device date and time so that the passcode age is exceeded, the user may receive multiple password reset prompts.

Auto lock: Automatically locks the device when it stays idle for the specified amount of time. Available values are never (default), 1 minute, 2 minutes, 3 minutes, 4 minutes, 5 minutes, 10 minutes and 15 minutes.
Note:
  • If Auto-Lock is configured in the policy, the Screensaver is enabled automatically on the device even if it has not been configured via the Hexnode portal.
  • If both Screensaver and Auto-Lock are configured, the more restrictive setting (the shorter time) takes effect on the device.

Passcode history: Lets the device remember a number of recently used passcodes that cannot be reused as the new passcode. The available values are 0 to 50.
If the value is set to 0 (default), no passwords are stored on the device, so the current password can be reused as the new password when the current one expires.
Setting a value of 5 stores the five most recently used passcodes on the device. The OS blocks any attempt by the user to reuse any of the previous 5 passcodes when setting a new one. Reusing the first password as the sixth passcode or later causes no issues.

Grace period for device to lock: The period after the device locks during which it can still be unlocked without a passcode. Values are none (default), immediately, 1 minute, 5 minutes, 15 minutes, 1 hour and 4 hours. If 5 minutes is set, you can unlock the device without entering the passcode within 5 minutes of inactivity.
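To see how the settings above combine, here is an added example (not Hexnode's or Apple's code) that evaluates a candidate password against the rules as this page describes them. The range limits match the portal; the "simple value" heuristic (repeated or stepwise sequences) and the definition of a complex character (digits, uppercase letters, symbols) are assumptions drawn from the page's wording, not the OS's exact classifier.

```python
from dataclasses import dataclass
from typing import List, Optional, Sequence


@dataclass
class PasscodePolicy:
    """Mirror of the Hexnode macOS passcode settings; None keeps the device's own value."""
    allow_simple: bool = True                 # checked by default
    require_alphanumeric: bool = False        # unchecked by default
    min_length: Optional[int] = None          # 1..16 when set
    min_complex_chars: Optional[int] = None   # 1..4 when set
    passcode_history: int = 0                 # 0..50, 0 = nothing remembered

    def validate(self) -> None:
        """Reject values outside the ranges the portal accepts."""
        if self.min_length is not None and not 1 <= self.min_length <= 16:
            raise ValueError("minimum passcode length must be 1..16")
        if self.min_complex_chars is not None and not 1 <= self.min_complex_chars <= 4:
            raise ValueError("minimum complex characters must be 1..4")
        if not 0 <= self.passcode_history <= 50:
            raise ValueError("passcode history must be 0..50")


def is_simple_value(pw: str) -> bool:
    """Assumed heuristic: a single repeated character, or a run that steps by
    exactly +1 or -1 through the character set (abcd, 1234, 4321)."""
    if len(pw) < 2 or len(set(pw)) == 1:
        return True
    steps = {ord(b) - ord(a) for a, b in zip(pw, pw[1:])}
    return steps == {1} or steps == {-1}


def complex_char_count(pw: str) -> int:
    """Count complex characters as this page defines them: digits, uppercase, symbols."""
    return sum(1 for c in pw if c.isdigit() or c.isupper() or not c.isalnum())


def check_password(policy: PasscodePolicy, candidate: str,
                   history: Sequence[str] = ()) -> List[str]:
    """Return the rules the candidate breaks; an empty list means compliant.
    `history` holds the user's previous passcodes, oldest first."""
    policy.validate()
    failures = []
    if not policy.allow_simple and is_simple_value(candidate):
        failures.append("simple value")
    if policy.require_alphanumeric and not (
            any(c.isalpha() for c in candidate) and any(c.isdigit() for c in candidate)):
        failures.append("alphanumeric")
    if policy.min_length is not None and len(candidate) < policy.min_length:
        failures.append("min length")
    if policy.min_complex_chars is not None and \
            complex_char_count(candidate) < policy.min_complex_chars:
        failures.append("min complex chars")
    # Only the N most recent passcodes are remembered, so older ones may be reused.
    if policy.passcode_history and candidate in list(history)[-policy.passcode_history:]:
        failures.append("history")
    return failures
```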

Associating Passcode Restrictions with Devices

Associating the policy with target Apple devices:

  • When the policy is not yet saved,
    1. Go to Policy Targets within the Policies tab.
    2. Click on Devices > + Add devices, select the required devices and click OK to associate the policy with the target devices.
  • When the policy has already been saved,
    1. From the Policies tab, select the appropriate policy.
    2. Then click on Manage > Associate Targets > choose the target devices and click on Associate to associate the policy with the target devices.

What happens at the device end?

The password policy is applied to all users on the target Mac. If a user's current password does not comply with the configuration, the user is prompted to change it the next time they attempt to log in.

[Image: password change prompt appears on the device lock screen]

If the user is already logged in, they cannot modify any locked settings in System Preferences until the password is reset. The user is also blocked from saving a new password until the entered password complies with the configured criteria.

They will be required to change the password again when the passcode expires under the configured maximum passcode age.

Exception:

If devices with the associated password policy are updated to Sonoma (macOS 14), users may be prompted to reset the device password after their next login, yet the system may not accept the new password even when it meets the system requirements.

Until Apple resolves the issue or provides a troubleshooting mechanism, the following workarounds can be tried:

Method 1

Attempt a device restart, and then proceed to set a new password as per the system requirements.

Method 2

If another user account is already present on the device, attempt to log in to that account and then proceed to restart the device. After restart, set a new password as per the system requirements.

Method 3

Initiate a password reset from the device’s recovery mode. Follow the steps to reset the password.

  1. Shut down the device.
  2. Press and hold the power button to enter the recovery mode.
  3. In the Utilities menu, select Terminal.
  4. Type resetpassword and press enter.
  5. A window will pop up allowing you to change the passwords for user accounts on the device.

Method 4

If the issue occurs on a device with a single user account, create an admin account on the device using the following steps:

  1. On the Hexnode portal, go to the Manage tab.
  2. Select the required devices.
  3. Click Actions > Create User Account.
  4. Set the Account type as Administrator and configure the account settings.
  5. Click Create to create an admin account on the devices.

After creating the admin account, log into it and reset the password of the affected user account.

Method 5

Remove the existing password policy associated with the device and follow these steps:

  1. Allow the user to log in to the account.
  2. After the user has logged in, re-associate the password policy with the device.
