This Library Item is available for Apple, Windows, and Android devices
When using Passport, you must remove the Passcode Library Item from any Classic Blueprint or Assignment Map containing Passport to avoid conflicts. Your IdP should handle password requirements. Learn more.
Platform Support Matrix
| Feature | macOS | iOS | tvOS | visionOS | Windows | Android |
|---|---|---|---|---|---|---|
| Require Passcode | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| Disallow Simple Passcode | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| Require Alphanumeric Passcode | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| Minimum Passcode Length | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| Minimum Complex Characters | ✅ | ✅ | ✅ | ✅ | ❌ | ❌ |
| Max Passcode Age | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| Passcode History / Repetition | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| Require after Sleep / Screen Saver / Lock | ✅ | ✅ | ✅ | ✅ | ✅ | ❌ |
| Start Screen Saver After Timer | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ |
| Maximum failed attempts before account lockout | ✅ | ❌ | ❌ | ❌ | ✅ | ✅ |
| Account lockout duration | ✅ | ❌ | ❌ | ❌ | ✅ | ❌ |
| Force password reset | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ |
| Maximum available Auto-Lock delay | ❌ | ✅ | ✅ | ✅ | ❌ | ❌ |
| Maximum Failed Attempts before Erasing Device | ❌ | ✅ | ✅ | ✅ | ❌ | ✅ |
Create a Passcode Profile Library Item
To add this Library Item to your Iru Endpoint Library, follow the steps outlined in the Library Overview article.
1. Navigate to Library: Navigate to the Library and select Add Library Item.
2. Select Passcode: Search for and select Passcode.
3. Name the Library Item: Give the Library Item a Name.
4. Select Platforms: Select the platforms where the profile should be installed under Install on.
5. Assign to Blueprints: Assign it to one or more Blueprints.
Shared Settings
These settings are available across platforms:
- Require passcode: Requires a passcode on the device.
- Disallow simple passcode: Prevents simple sequences (e.g., 123, CBA) or repeating characters (e.g., 111, AAA).
- Minimum passcode length: Defines the minimum number of characters in the passcode.
- Maximum passcode age: Number of days a passcode can remain unchanged before a new one is required.
- Passcode history: Prevents reuse of previously used passcodes.
- Maximum failed attempts before lockout or erasing device: The allowed number of failed passcode attempts before all data on the device will be erased, or on Mac, the account is locked.
Windows: Setting this key for Windows will result in a device erasure if the threshold is exceeded. Use Account lockout duration below instead to enforce lockouts without device erasure.
Non-Mac: Non-Mac devices will immediately be erased after the number of failed passcode attempts is reached.
Platform-Specific Settings
- Apple
- Windows
- Android Device Passcode
- Android Work Profile Passcode
Apple-Specific Settings
These settings apply only to Apple devices. Platform support is noted in parentheses.
- Require alphanumeric passcode (All Apple platforms): Requires letters as well as numbers.
- Require passcode after screen lock (All Apple platforms): Defines the time before a passcode is required after screen lock.
- Minimum complex characters (All Apple platforms): Defines the number of required special characters such as %, $, or #.
- Start screen saver after (macOS only): Defines the idle time before the screen saver starts.
- Account lockout duration (macOS only): Determines how long an account remains locked after failed attempts.
- Force password reset (macOS only): Prompts the user to reset their password at next login.
- Maximum available auto-lock delay (iOS, iPadOS, tvOS, visionOS): Defines the maximum period of time available in the Auto-Lock setting.
Important Considerations
Max Passcode Age (macOS)
With auto-generated user accounts, such as Auto Admin accounts and accounts created with the Create a User Account parameter, the creation date defaults to 12/31/1969. A passcode reset will be forced during the first login attempt if Max Passcode Age is enabled.
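A pre-deployment check for this case, as an added example that is not part of the original article or Iru's tooling: it parses each local account's accountPolicyData, as printed by `dscl . -read /Users/<name> accountPolicyData`, and reports which accounts would be forced to reset under a given Max Passcode Age, including accounts whose password has never changed. The sample records, the 90-day value and the treatment of a missing timestamp as the epoch default are assumptions.

```python
import plistlib
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

def password_last_set(dscl_output: bytes) -> datetime:
    """Parse `dscl . -read /Users/<name> accountPolicyData` output.

    Assumption: a missing or zero passwordLastSetTime is treated as the Unix
    epoch, matching the 12/31/1969 default described above.
    """
    start = dscl_output.find(b"<?xml")
    if start < 0:                      # attribute absent for this account
        return EPOCH
    data = plistlib.loads(dscl_output[start:])
    return EPOCH + timedelta(seconds=float(data.get("passwordLastSetTime", 0)))

def audit(accounts: dict, max_age_days: int, now: datetime) -> dict:
    """Map each account to 'reset-at-first-login', 'expired' or days remaining."""
    report = {}
    for name, raw in accounts.items():
        last_set = password_last_set(raw)
        age = now - last_set
        if last_set == EPOCH:
            report[name] = "reset-at-first-login"
        elif age > timedelta(days=max_age_days):
            report[name] = "expired"
        else:
            report[name] = f"{max_age_days - age.days} days left"
    return report

# Constructed sample data (not real device output).
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)

def _sample(ts: float) -> bytes:
    record = {"creationTime": ts, "passwordLastSetTime": ts}
    return b"accountPolicyData:\n " + plistlib.dumps(record)

SAMPLE = {
    "autoadmin": b"No such key: accountPolicyData",
    "alice": _sample((NOW - timedelta(days=400) - EPOCH).total_seconds()),
    "bob": _sample((NOW - timedelta(days=30) - EPOCH).total_seconds()),
}

if __name__ == "__main__":
    for user, status in audit(SAMPLE, max_age_days=90, now=NOW).items():
        print(f"{user:10} {status}")
```

Accounts reported as `reset-at-first-login` or `expired` are the ones to notify before the policy is assigned.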
Force Password Reset (macOS)
If you enable Force Password Reset, users will be prompted to change their password at their next login. This occurs regardless of whether the existing password meets current complexity requirements. The reset is enforced only once, but you can re-enable the option in the future if needed.
Consider alerting users before deploying this option to avoid disruption.
Enrolling Existing Devices
When adding new devices to Iru, users’ passwords may never have changed. This could conflict with Max Passcode Age. Consider delaying deployment or providing advance notice to users.
Creating Android Work Profile Passcode Policies
For Android company-owned work profile devices, you can configure a separate passcode policy specifically for the work profile. To create a work profile passcode policy:
1. Navigate to Library: Navigate to the Library.
2. Add Library Item: Select Add Library Item.
3. Select Android Work Profile Passcode: Search for and select Android Work Profile Passcode.
Deployment: You can simultaneously deploy both the Passcode and the Android Work Profile Passcode Library Items to the same device, configuring separate policies for device and work profile access.
Best Practices
1. Plan your deployment: Test passcode policies on a small group of devices before rolling out to your entire fleet.
2. Communicate with users: Inform users about new passcode requirements and provide guidance on creating strong passwords.
3. Consider user experience: Balance security requirements with user convenience to avoid excessive lockouts.
4. Monitor compliance: Regularly check that devices are compliant with passcode policies.
Troubleshooting
Users locked out after policy deployment
Possible causes:
- Existing passwords don’t meet new complexity requirements
- Max passcode age forcing immediate password changes
- Account lockout threshold too low
Solutions:
- Provide advance notice before deploying new policies
- Consider a grace period for password changes
- Adjust lockout thresholds if appropriate
Passcode policies not applying
Possible causes:
- Device not enrolled or agent not running
- Policy not assigned to device’s Blueprint
- Platform-specific limitations
Solutions:
- Verify device enrollment and agent status
- Check Blueprint assignments
- Review platform-specific documentation
Android work profile issues
Possible causes:
- Conflicting device and work profile policies
- Work profile not properly configured
- Device compliance issues
Solutions:
- Review both device and work profile passcode settings
- Ensure work profile is properly set up
- Check device compliance status
Security Recommendations
Strong Requirements
Implement strong passcode requirements while considering user experience and productivity.
Regular Updates
Encourage regular password updates and provide tools to help users create strong passwords.
Monitoring
Monitor passcode compliance and failed attempt logs for security insights.
Education
Provide user education on password security best practices and company policies.