Passcode Policies
Configure password and passcode requirements for managed devices. These settings enforce device unlock security and control lockout behavior.
General Settings
| Field | Type | Description |
|---|---|---|
| AllowSimple | boolean | Allow simple passcodes (e.g., 1111, 1234, 0000). When disabled, the user must create a non-sequential, non-repeating passcode. |
| MinimumLength | integer | Minimum passcode length (1–16). Default is 4. |
| RequiredCharacters | object | Minimum number of specific character types required in the passcode. |
Required Characters
| Field | Type | Description |
|---|---|---|
| MinimumDigits | integer | Minimum number of numeric digits (0–9) |
| MinimumLowercase | integer | Minimum number of lowercase letters (a–z) |
| MinimumUppercase | integer | Minimum number of uppercase letters (A–Z) |
| MinimumSymbols | integer | Minimum number of symbols (e.g., !, @, #, $) |
Example
```json
{
  "AllowSimple": false,
  "MinimumLength": 8,
  "RequiredCharacters": {
    "MinimumDigits": 1,
    "MinimumLowercase": 1,
    "MinimumUppercase": 1,
    "MinimumSymbols": 1
  }
}
```
Lockout & Auto-Lock
| Field | Type | Description |
|---|---|---|
| MaxFailedAttempts | integer | Number of failed passcode attempts before the device wipes (1–11). Set to 0 to disable wipe on failure. |
| AutoLockTimeout | integer | Minutes of inactivity before the device auto-locks (1–60). On macOS this is the screen saver delay. |
| GracePeriod | enum | How long the device remains unlocked after the first correct entry before requiring the passcode again. Options: Immediate, 1 minute, 5 minutes, 15 minutes, 1 hour, 4 hours. |
Grace Period Behavior
- Immediate: The passcode is required every time the device wakes.
- 1 minute / 5 minutes / 15 minutes: The device stays unlocked for the specified duration after the screen turns off.
- 1 hour / 4 hours: Longer grace periods for less sensitive environments.
Inactivity & Passcode Age
| Field | Type | Description |
|---|---|---|
| MaximumInactivity | integer | Maximum minutes of device inactivity before the passcode is required (1–99999). On macOS this controls the screen saver lock delay. |
| MaximumAge | integer | Maximum number of days a passcode can be used before the user is forced to change it (1–730). Set to 0 for no expiration. |
| PasswordHistory | integer | Number of previous passcodes remembered (1–50). The user cannot reuse any passcode in the history. Set to 0 to disable history enforcement. |
Platform Support
| Setting | iOS | iPadOS | macOS |
|---|---|---|---|
| AllowSimple | Yes | Yes | Yes |
| MinimumLength | Yes | Yes | Yes |
| RequiredCharacters | Yes | Yes | Yes |
| MaxFailedAttempts | Yes | Yes | Yes |
| AutoLockTimeout | Yes | Yes | Yes |
| GracePeriod | Yes | Yes | Yes |
| MaximumInactivity | Yes | Yes | Yes |
| MaximumAge | Yes | Yes | Yes |
| PasswordHistory | Yes | Yes | Yes |
All passcode policy settings apply uniformly across iOS, iPadOS, and macOS. tvOS and watchOS do not support passcode policy enforcement via MDM.
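
The ranges and options in the field tables above can be checked before a policy is pushed to devices. The linter below is an added example, not part of the product's own tooling: `lint_policy`, `SAMPLE` and the message strings are hypothetical, and it assumes the policy arrives as a parsed JSON object using the field names documented on this page.

```python
# (min, max, zero_disables) taken from the field tables on this page
INT_RANGES = {
    "MinimumLength": (1, 16, False),
    "MaxFailedAttempts": (1, 11, True),
    "AutoLockTimeout": (1, 60, False),
    "MaximumInactivity": (1, 99999, False),
    "MaximumAge": (1, 730, True),
    "PasswordHistory": (1, 50, True),
}
GRACE_PERIODS = ("Immediate", "1 minute", "5 minutes", "15 minutes", "1 hour", "4 hours")
CHAR_FIELDS = ("MinimumDigits", "MinimumLowercase", "MinimumUppercase", "MinimumSymbols")

def _is_int(value):
    # bool is a subclass of int in Python; JSON true/false must not pass as a number
    return isinstance(value, int) and not isinstance(value, bool)

def lint_policy(policy):
    """Return (errors, warnings) for a passcode policy dict (hypothetical helper)."""
    errors, warnings = [], []
    for name, (low, high, zero_ok) in INT_RANGES.items():
        if name not in policy:
            continue
        value = policy[name]
        if not _is_int(value):
            errors.append(f"{name}: expected integer")
        elif value == 0 and zero_ok:
            warnings.append(f"{name}: 0 disables this control")
        elif not low <= value <= high:
            errors.append(f"{name}: {value} outside {low}-{high}")
    if "AllowSimple" in policy and not isinstance(policy["AllowSimple"], bool):
        errors.append("AllowSimple: expected boolean")
    elif policy.get("AllowSimple"):
        warnings.append("AllowSimple: passcodes such as 1111 or 1234 are accepted")
    if "GracePeriod" in policy and policy["GracePeriod"] not in GRACE_PERIODS:
        errors.append(f"GracePeriod: {policy['GracePeriod']!r} is not a listed option")
    required = policy.get("RequiredCharacters", {})
    counts = [required.get(f, 0) for f in CHAR_FIELDS] if isinstance(required, dict) else [None]
    min_len = policy.get("MinimumLength", 4)  # 4 is the documented default
    if not all(_is_int(c) and c >= 0 for c in counts):
        errors.append("RequiredCharacters: expected object of non-negative integer counts")
    elif _is_int(min_len) and sum(counts) > min_len:
        # the character-type minimums alone force a longer passcode than MinimumLength
        warnings.append(f"RequiredCharacters: total {sum(counts)} exceeds MinimumLength")
    return errors, warnings

# Constructed sample input, not taken from the page
SAMPLE = {"AllowSimple": True, "MinimumLength": 20, "MaxFailedAttempts": 0, "GracePeriod": "2 hours"}
```

Errors are values the documented ranges reject; warnings are valid settings that switch a control off or make two fields disagree.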
