
How to Set Passcode Rules for macOS Devices?

Devices that you use for work should have a better security posture than personal devices. The device password protects the corporate apps and resources on it from unauthorized access. Using Hexnode MDM, you can remotely configure enterprise-grade password criteria for users’ local device passcodes. The device will be marked as non-compliant if it fails to meet the password requirements that you have set or if no password is configured on the device.


The password policy attached to a device via Hexnode will not be enforced in the case of network users logging into their Mac. Their password policy will be managed by the directory.

Configure passcode settings via policy

To set up passcode restrictions:

  1. Navigate to Policies.
  2. Continue with a policy you’ve saved before, or create a new one by clicking on New Policy.
  3. Under macOS, select Passcode.
  4. Click on Configure.

The following options can be configured.

| Password Settings | Description |
| --- | --- |
| Allow simple value | Uncheck this option to block users from setting simple values as the device passcode. Simple values include structured and repeating character sequences (for instance, abcd, 1234, etc.). By default, this option is checked. |
| Require alphanumeric value | Check this option to enforce alphanumeric passwords, that is, a mix of numbers and letters, as the device password. By default, this field is unchecked. If enabled, the password should contain at least 1 letter and 1 number. |
| Minimum passcode length | Set the minimum length of the device passcode. It can be any integer between 1 and 16. If the minimum passcode length is set to 7, users will be blocked from setting a password with 6 or fewer characters. By default, this field is left empty; that is, Hexnode will not change the device passcode length settings on the Mac. |
| Minimum complex characters | Enter the minimum number of special characters (numbers, uppercase letters and symbols such as #, $, &) that the passcode should have. It can take a value between 1 and 4. If 2 is configured as the minimum number of complex characters, you cannot set a password with fewer than 2 special characters. By default, Hexnode doesn’t update this setting on the device. |
| Maximum passcode age in days | The maximum number of days after which the passcode will expire. The passcode that was used to unlock the device becomes invalid after the set period, and the user can unlock the device only after changing the password. You can set a value between 0 and 730 days as the password age. By default, this is 0; that is, the OS will never force the password to expire. |
| Auto lock | Automatically locks the device if it stays idle for the specified amount of time. Available values are never (default), 1 minute, 2 minutes, 3 minutes, 4 minutes, 5 minutes, 10 minutes and 15 minutes. |
| Passcode history | Allows the device to store some recently used passcodes, which cannot be reused as the new passcode. The available values are from 0 to 50. If the value is set to 0 (default), no password will be stored on the device; that is, you can reuse the current password as the new password when the current one expires. Setting a value of 5 will store five recently used passcodes on the device. The OS will block any attempt by a user to use any of the previous 5 passcodes while setting a new one. However, reusing the first password as the sixth passcode or later will cause no issues. |
| Grace period for device to lock | The length of time during which a device can be unlocked without a passcode. Values are none (default), immediately, 1 minute, 5 minutes, 15 minutes, 1 hour and 4 hours. If 5 minutes is set, you can unlock the device without entering any passcode within 5 minutes of inactivity. |

A user will be blocked from changing the password if the new password does not comply with the set password criteria.
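A pre-deployment check for the settings in the table above, as an added example that is not Hexnode's code: it validates each value against the ranges and options the table lists and reports which settings are still at a default that enforces nothing. The dictionary keys and the sample policies are hypothetical; time values are given in minutes, with `None` standing for "never" or "none".

```python
# Added example. Field names are hypothetical (not Hexnode's API or export
# format); ranges, allowed values and defaults come from the table above.
RANGES = {
    "min_length": (1, 16),
    "min_complex_chars": (1, 4),
    "max_age_days": (0, 730),
    "history": (0, 50),
}
# None stands for the documented defaults "never" / "none"; 0 is "immediately".
ALLOWED = {
    "auto_lock_minutes": {None, 1, 2, 3, 4, 5, 10, 15},
    "grace_minutes": {None, 0, 1, 5, 15, 60, 240},
}

def review_policy(policy):
    """Return (errors, unenforced) for a dict of passcode settings."""
    errors, unenforced = [], []
    for key, (lo, hi) in RANGES.items():
        value = policy.get(key)
        if value is None:
            continue  # left empty: nothing to validate
        if type(value) is not int or not lo <= value <= hi:
            errors.append(f"{key}={value!r} is outside {lo}-{hi}")
    for key, allowed in ALLOWED.items():
        if policy.get(key) not in allowed:
            errors.append(f"{key}={policy[key]!r} is not an offered value")
    # Settings left at the documented default, where nothing is enforced.
    if policy.get("allow_simple", True):
        unenforced.append("allow_simple")
    if not policy.get("require_alphanumeric", False):
        unenforced.append("require_alphanumeric")
    for key in ("min_length", "min_complex_chars", "auto_lock_minutes"):
        if policy.get(key) is None:
            unenforced.append(key)
    for key in ("max_age_days", "history"):
        if not policy.get(key):  # 0 or unset: no expiry / no reuse block
            unenforced.append(key)
    return errors, unenforced

# Constructed sample policies.
DEFAULTS = {}
HARDENED = {"allow_simple": False, "require_alphanumeric": True, "min_length": 12,
            "min_complex_chars": 2, "max_age_days": 90, "history": 5,
            "auto_lock_minutes": 5, "grace_minutes": 0}

if __name__ == "__main__":
    for name, pol in (("defaults", DEFAULTS), ("hardened", HARDENED)):
        print(name, review_policy(pol))
```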

Associating Passcode Restrictions with a Device

If you haven’t saved the policy yet,

  1. Go to Policy Targets.
  2. Click on + Add Devices.
  3. Search and select the devices.
  4. Click OK.

You can also associate the policy with device groups, users, user groups or domains from the left pane underneath Policy Targets.

If you have already saved the policy,

  1. From Policies, select the policy to be associated.
  2. Click on Manage > Associate Targets and select the device.
  3. Click on Associate to apply the policy to the device.