
Passcode Policies

Configure password and passcode requirements for managed devices. These settings enforce device unlock security and control lockout behavior.

General Settings

| Field | Type | Description |
| --- | --- | --- |
| AllowSimple | boolean | Allow simple passcodes (e.g., 1111, 1234, 0000). When disabled, the user must create a non-sequential, non-repeating passcode. |
| MinimumLength | integer | Minimum passcode length (1–16). Default is 4. |
| RequiredCharacters | object | Minimum number of specific character types required in the passcode. |

Required Characters

| Field | Type | Description |
| --- | --- | --- |
| MinimumDigits | integer | Minimum number of numeric digits (0–9) |
| MinimumLowercase | integer | Minimum number of lowercase letters (a–z) |
| MinimumUppercase | integer | Minimum number of uppercase letters (A–Z) |
| MinimumSymbols | integer | Minimum number of symbols (e.g., !, @, #, $) |

Example

```json
{
  "AllowSimple": false,
  "MinimumLength": 8,
  "RequiredCharacters": {
    "MinimumDigits": 1,
    "MinimumLowercase": 1,
    "MinimumUppercase": 1,
    "MinimumSymbols": 1
  }
}
```

Lockout & Auto-Lock

| Field | Type | Description |
| --- | --- | --- |
| MaxFailedAttempts | integer | Number of failed passcode attempts before the device wipes (1–11). Set to 0 to disable wipe on failure. |
| AutoLockTimeout | integer | Minutes of inactivity before the device auto-locks (1–60). On macOS this is the screen saver delay. |
| GracePeriod | enum | How long the device remains unlocked after the first correct entry before requiring the passcode again. Options: Immediate, 1 minute, 5 minutes, 15 minutes, 1 hour, 4 hours. |

Grace Period Behavior

  • Immediate: The passcode is required every time the device wakes.
  • 1 minute / 5 minutes / 15 minutes: The device stays unlocked for the specified duration after the screen turns off.
  • 1 hour / 4 hours: Longer grace periods for less sensitive environments.

Inactivity & Passcode Age

| Field | Type | Description |
| --- | --- | --- |
| MaximumInactivity | integer | Maximum minutes of device inactivity before the passcode is required (1–99999). On macOS this controls the screen saver lock delay. |
| MaximumAge | integer | Maximum number of days a passcode can be used before the user is forced to change it (1–730). Set to 0 for no expiration. |
| PasswordHistory | integer | Number of previous passcodes remembered (1–50). The user cannot reuse any passcode in the history. Set to 0 to disable history enforcement. |
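
An added example, not part of the product's own tooling: a Python pre-deployment check that validates a policy document against the ranges given in the field tables above. The string form of GracePeriod, the skipping of absent fields, and the check that the character minimums fit within MinimumLength are assumptions of this example.

```python
# (low, high, zero_disables) for each integer field, from the field tables above.
RANGES = {
    "MinimumLength": (1, 16, False), "MaxFailedAttempts": (1, 11, True),
    "AutoLockTimeout": (1, 60, False), "MaximumInactivity": (1, 99999, False),
    "MaximumAge": (1, 730, True), "PasswordHistory": (1, 50, True),
}
# Assumption: the enum is serialized as the option labels listed on the page.
GRACE_PERIODS = ("Immediate", "1 minute", "5 minutes", "15 minutes", "1 hour", "4 hours")
CHAR_FIELDS = ("MinimumDigits", "MinimumLowercase", "MinimumUppercase", "MinimumSymbols")


def is_int(value):
    return isinstance(value, int) and not isinstance(value, bool)  # bool is an int subclass


def check_policy(policy):
    """Return (field, message) findings; an empty list means every present field is in range."""
    findings = []
    for field, (low, high, zero_ok) in RANGES.items():
        if field not in policy:
            continue  # absent fields are left to the product's defaults
        value = policy[field]
        if not is_int(value):
            findings.append((field, "must be an integer"))
        elif not (low <= value <= high or (zero_ok and value == 0)):
            findings.append((field, f"{value} is outside {low}-{high}"))
    if not isinstance(policy.get("AllowSimple", False), bool):
        findings.append(("AllowSimple", "must be a boolean"))
    if policy.get("GracePeriod", "Immediate") not in GRACE_PERIODS:
        findings.append(("GracePeriod", "not a listed option"))
    required = policy.get("RequiredCharacters", {})
    counts = [required.get(n, 0) for n in CHAR_FIELDS] if isinstance(required, dict) else [None]
    if not all(is_int(c) and c >= 0 for c in counts):
        findings.append(("RequiredCharacters", "must be an object of non-negative integers"))
    elif is_int(policy.get("MinimumLength")) and sum(counts) > policy["MinimumLength"]:
        # Added consistency check, not a rule stated on the page.
        findings.append(("RequiredCharacters", "character minimums exceed MinimumLength"))
    return findings


# The page's example policy, then a constructed policy with out-of-range values.
PAGE_EXAMPLE = {"AllowSimple": False, "MinimumLength": 8, "RequiredCharacters": {
    "MinimumDigits": 1, "MinimumLowercase": 1, "MinimumUppercase": 1, "MinimumSymbols": 1}}
CONSTRUCTED_BAD = {"MinimumLength": 20, "MaxFailedAttempts": 0, "AutoLockTimeout": 0,
                   "GracePeriod": "2 hours", "MaximumAge": 731, "PasswordHistory": 50}

if __name__ == "__main__":
    print(check_policy(PAGE_EXAMPLE), check_policy(CONSTRUCTED_BAD))
```

MaxFailedAttempts set to 0 passes the range check because the page documents 0 as a valid value that disables wipe on failure; whether that is acceptable is a policy decision the check does not make.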

Platform Support

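| Setting | iOS | iPadOS | macOS |
| --- | --- | --- | --- |
| AllowSimple | Yes | Yes | Yes |
| MinimumLength | Yes | Yes | Yes |
| RequiredCharacters | Yes | Yes | Yes |
| MaxFailedAttempts | Yes | Yes | Yes |
| AutoLockTimeout | Yes | Yes | Yes |
| GracePeriod | Yes | Yes | Yes |
| MaximumInactivity | Yes | Yes | Yes |
| MaximumAge | Yes | Yes | Yes |
| PasswordHistory | Yes | Yes | Yes |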

All passcode policy settings apply uniformly across iOS, iPadOS, and macOS. tvOS and watchOS do not support passcode policy enforcement via MDM.

Released under the MIT License