Product documentation
XenMobile
Server 10
View PDF

Passcode device policy

July 28, 2022
Contributed by:
C K

You create a passcode policy in XenMobile based on your organization’s standards. You can require passcodes on users’ devices and can set various formatting and passcode rules. You can create policies for iOS, macOS, Android, Samsung KNOX, Android Enterprise, and Windows desktop/tablet. Each platform requires a different set of values, which are described in this article.

To add or configure this policy, go toConfigure > Device Policies. For more information, seeDevice policies.

iOS settings

Image of Device Policies configuration screen

  • Passcode required:Select this option to require a passcode and to display the configuration options for an iOS passcode device policy. The page expands to let you configure settings for passcode requirements, passcode security, and policy settings.
  • Passcode requirements
    • Minimum length:In the list, click the minimum passcode length. The default is6.
    • Allow simple passcodes:Select whether to allow simple passcodes. Simple passcodes are a repeated or sequential set of characters. The default isOn.
    • Required characters:Select whether to require passcodes to have at least one letter. The default isOff.
    • Minimum number of symbols:In the list, click the number of symbols the passcode must contain. The default is0.
  • Passcode security
    • Device lock grace period (minutes of inactivity):In the list, click the length of time before users must enter a passcode to unlock a locked device. The default isNone.
    • Lock device after (minutes of inactivity):In the list, click the length of time a device can be inactive before it is locked. The default is None.
    • Passcode expiration in days (1-730):Type the number of days after which the passcode expires. Valid values are 1-730. The default is0, which means the passcode never expires.
    • Previous passwords saved (0-50):Type the number of used passwords to save. Users are unable to use any password found in this list. Valid values are 0-50. The default is0, which means users can reuse passwords.
    • Maximum failed sign-on attempts:In the list, click the number of times a user can fail to sign in successfully after which the device is fully wiped. The default isNot defined.

macOS settings

Image of Device Policies configuration screen

  • Passcode required:Select this option to require a passcode and to display the configuration options for an iOS passcode device policy. The page expands to let you configure settings for passcode requirements, passcode security, and policy settings.
  • If you do not enablePasscode required, next to延迟后failed sign-on attempts, in minutes, type the number of minutes to delay before allowing users to reenter their passcodes.
  • If you enablePasscode required, configure the following settings:
  • Passcode requirements
    • Minimum length:In the list, click the minimum passcode length. The default is6.
    • Allow simple passcodes:Select whether to allow simple passcodes. Simple passcodes are a repeated or sequential set of characters. The default isOn.
    • Required characters:Select whether to require passcodes to have at least one letter. The default isOff.
    • Minimum number of symbols:In the list, click the number of symbols the passcode must contain. The default is0.
  • Passcode security
    • Device lock grace period (minutes of inactivity):In the list, click the length of time before users must enter a passcode to unlock a locked device. The default isNone.
    • Lock device after (minutes of inactivity):In the list, click the length of time a device can be inactive before it is locked. The default isNone.
    • Passcode expiration in days (1-730):Type the number of days after which the passcode expires. Valid values are 1-730. The default is0, which means the passcode never expires.
    • Previous passwords saved (0-50):Type the number of used passwords to save. Users are unable to use any password found in this list. Valid values are 0-50. The default is0, which means users can reuse passwords.
    • Maximum failed sign-on attempts:In the list, click the number of times a user can fail to sign in successfully after which the device is locked. The default isNot defined.
    • 延迟后failed sign-on attempts, in minutes:Type the number of minutes to delay before allowing a user to reenter a passcode.
    • Force passcode reset:The next time a user authenticates, they must reset their passcode.
  • Policy settings
    • Profile scope:Select whether this policy applies to aUseror an entireSystem. The default isUser. This option is available only on macOS 10.7 and later.

Android settings

Image of Device Policies configuration screen

Note:

The default setting for Android isOff.

  • Passcode required:Select this option to require a passcode and to display the configuration options for an Android passcode device policy. The page expands to let you configure settings for passcode requirements, passcode security, encryption, and Samsung SAFE.
  • Passcode requirements
    • Minimum length:In the list, click the minimum passcode length. The default is 6.
    • Biometric recognition:Select whether to enable biometric recognition. If you enable this option, the Required characters field is hidden. The default isOff.
    • Required characters:In the list, click No Restriction, Both numbers and letters, Numbers only, or Letters only to configure how passcodes are composed. The default is No restriction.
    • Advanced rules:Select whether to apply advanced passcode rules. This option is available for Android 3.0 and later. The default isOff.
    • When you enableAdvanced rules,from each of the following lists, click the minimum number of each character type that a passcode must contain:
      • Symbols:The minimum number of symbols.
      • Letters:The minimum number of letters.
      • Lowercase letters:The minimum number of lowercase letters.
      • Uppercase letters:The minimum number of uppercase letters.
      • 数量s or symbols:The minimum number of numbers or symbols.
      • 数量s:The minimum number of numbers.
  • Passcode security
    • Lock device after (minutes of inactivity):In the list, click the length of time a device can be inactive before it is locked. The default isNone
    • Passcode expiration in days (1-730):Type the number of days after which the passcode expires. Valid values are 1-730. The default is0, which means the passcode never expires.
    • Previous passwords saved (0-50):Type the number of used passwords to save. Users are unable to use any password found in this list. Valid values are 0-50. The default is0, which means users can reuse passwords.
    • Maximum failed sign-on attempts:In the list, click the number of times a user can fail to sign in successfully after which the device is wiped. The default isNot defined.
  • Encryption

    • Enable encryption:Select whether to enable encryption. This option is available for Android 3.0 and later. The option is available regardless of thePasscode requiredsetting.

      To encrypt their devices, users must start with a charged battery and keep the device plugged in for the hour or more that encryption takes. If they interrupt the encryption process, they may lose some or all of the data on their devices. After a device is encrypted, the process cannot be reversed except by doing a factory reset, which erases all the data on the device.

  • Samsung SAFE

    Note:

    As a workaround for disabling face or Iris recognition on Samsung SAFE devices: Create a Restrictions device policy for Samsung SAFE. In the Restrictions policy, turn onDisable Applicationsand addcom.samsung.android.bio.face.serviceorcom.samsung.android.server.iristo the table. Then, deploy the Restrictions policy.

    • Use same passcode across all users:Select whether to use the same passcode for all users. The default isOff. This setting applies only to Samsung SAFE devices and is available regardless of thePasscode requiredsetting.
    • When you enableUse same passcode across all users, type the passcode to be used by all users in thePasscodefield.
    • When you enablePasscode required, configure the following Samsung SAFE settings:
      • Changed characters:Type the number of characters users must change from their previous passcode. The default is0.
      • 数量of times a character can occur:Type the maximum number of times a character can occur in a passcode. The default is0.
      • Alphabetic sequence length:Type the maximum length of an alphabetic sequence in a passcode. The default is0.
      • Numeric sequence length:Type the maximum length of a numeric sequence in a passcode. The default is0.
      • Allow users to make password visible:Select whether users can make their passcodes visible. The default isOn.
      • Configure biometric authentication. Select whether to enable biometric authentication. The default isOff. If you set it toOn, you can set these options:
        • Allow fingerprint. Select to allow users to authenicate using a fingerprint.
        • Allow iris. Select to allow users to authenicate using an iris.
      • Forbidden strings:You create forbidden strings to prevent users from using insecure strings that are easy to guess like “password”, “pwd”, “welcome”, “123456”, “111111”, and so on. For each string you want to deny, clickAddand then do the following:
        • Forbidden strings:Type the string users may not use.
        • ClickSaveto add the string or clickCancelto cancel adding the string.

Samsung KNOX settings

Image of Device Policies configuration screen

  • Passcode requirements
    • Minimum length:In the list, click the minimum passcode length. The default is6.
    • Allow users to make password visible:Select whether to let users make the password visible.
    • Forbidden strings:You create forbidden strings to prevent users from using insecure strings that are easy to guess like “password”, “pwd”, “welcome”, “123456”, “111111”, and so on. For each string you want to deny, click Add and then do the following:
      • Forbidden strings:Type the string users may not use.
      • ClickSaveto add the string or clickCancelto cancel adding the string.
  • Minimum number of
    • Changed characters:Type the number of characters users must change from their previous passcode. The default is0.
    • Symbols:Type the minimum number of required symbols in a passcode. The default is0.
  • Maximum number of
    • 数量of times a character can occur:Type the maximum number of times a character can occur in a passcode. The default is0.
    • Alphabetic sequence length:Type the maximum length of an alphabetic sequence in a passcode. The default is0.
    • Numeric sequence length:Type the maximum length of a numeric sequence in a passcode. The default is0.
  • Passcode security
    • Lock device after (minutes of inactivity):In the list, click the number of seconds a device can be inactive before it is locked. The default isNone.
    • Passcode expiration in days (1-730):Type the number of days after which the passcode expires. Valid values are 1-730. The default is0, which means the passcode never expires.
    • Previous passwords saved (0-50):Type the number of used passwords to save. Users are unable to use any password found in this list. Valid values are 0-50. The default is0, which means users can reuse passwords.
    • If the number of failed sign on attempts is exceeded, the device is locked:In the list, click the number of times a user can fail to sign on successfully after which the device is locked. The default isNot defined.
    • If the number of failed sign on attempts is exceeded, the device is wiped:In the list, click the number of times a user can fail to sign on successfully, after which the KNOX container (along with the KNOX data) is wiped from the device. Users need to reinitialize the KNOX container after the wiping occurs.The default isNot defined.

Android Enterprise settings

Image of Device Policies configuration screen

For Android Enterprise devices, you can require a passcode for the device or a security challenge for the Android Enterprise work profile or both.

For devices running Android 9.0 or later and Samsung Knox 3.0 and later, configure settings for Samsung Knox on theAndroid Enterprisepage. For devices running earlier versions of Android or Samsung Knox, use theSamsung Knoxpage.

Note:

When devices running Samsung Knox 3.0 are enrolled as work profile devices, device passcode settings for Knox 3.0 and later do not apply to the device passcode, even if you configure them.

  • Device Passcode Required:Requires a passcode on the device. When this setting isOn, configure the settings underPasscode requirements for device passcodeandPasscode security for device passcode. Default isOff.
  • Show apps and shortcuts while passcode is not in compliance:When this setting isOn, apps and shortcuts on the device are not hidden, even when the passcode is not compliant. When this setting isOff, apps and shortcuts are hidden when the passcode is not compliant. If you enable this setting, Citrix recommends you create an automated action to mark the device as out of compliance when the passcode is not in compliance. Default isOff.
  • Passcode requirements for device passcode:
    • Minimum length:Specifies the minimum passcode length. The default is 6.
    • Allow users to make password visible:设备运行诺克斯三星3.0,后来那t have a valid Knox license key configured. For fully managed devices only. This setting does not apply to devices enrolled as work profile devices. Allows users to make the password visible. Default isOff.
    • Biometric recognition:Enables biometric recognition. If this setting isOn,Required charactersfield is hidden. The default isOff.
    • Required characters:Specifies the types of characters required for passcodes. In the list, chooseNo Restriction,Both numbers and letters,数量s only, orLetters only. UseNo restrictionsonly for devices running Android 7.0. Android 7.1 and later don’t honor theNo restrictionssetting. The default isBoth numbers and letters.
    • Forbidden strings:设备运行诺克斯三星3.0,后来那t have a valid Knox license key configured. For fully managed devices only. This setting does not apply to devices enrolled as work profile devices. Specifies strings users can’t use as passcodes. You create forbidden strings to prevent users from using insecure strings that are easy to guess like “password”, “pwd”, “welcome”, “123456”, “111111”, and so on. For each string you want to deny: clickAdd; type the string you don’t want users to use; clickSaveto add the string or clickCancelto cancel adding the string.
    • Advanced rules:Applies advanced rules for the types of characters that can occur in passcodes. When this setting isOn, configure the settings underMinimum number ofandMaximum number of. This setting is not available for Android devices earlier than Android 5.0. The default isOff.
    • Minimum number of:
      • Symbols:Specifies the minimum number of symbols. Default is0.
      • Letters:Specifies the minimum number of letters. Default is0.
      • Lowercase letters:Specifies the minimum number of lowercase letters. Default is0.
      • Uppercase letters:Specifies the minimum number of uppercase letters. Default is0.
      • 数量s or symbols:Specifies the minimum number of numbers or symbols. Default is0.
      • 数量s:Specifies the minimum number of numbers. Default is0.
      • Changed characters:设备运行诺克斯三星3.0,后来那t have a valid Knox license key configured. For fully managed devices only. This setting does not apply to devices enrolled as work profile devices. Specifies the number of characters users must change from their previous passcode. The default is0.
    • Maximum number of:设备运行诺克斯三星3.0,后来那t have a valid Knox license key configured. For fully managed devices only. This setting does not apply to devices enrolled as work profile devices.
      • 数量of times a character can occur:Specifies the maximum number of times a character can occur in a passcode. The default is0, which means there is no maximum limit.
      • Alphabetic sequence length:Specifies the maximum length of an alphabetic sequence in a passcode. The default is0, which means there is no maximum limit.
      • Numeric sequence length:Specifies the maximum length of a numeric sequence in a passcode. The default is0, which means there is no maximum limit.
  • Passcode security for device passcode:
    • Wipe the device after (failed sign-on attempts):Specifies the number of times a user can fail to sign on after which the device is fully wiped. Default isNot defined.
    • Lock device after (minutes of inactivity) (0-999):Specifies the number of minutes a device can be inactive before it is locked. The default isNone.
    • Passcode expiration in days (1-730):Specifies the number of days after which the passcode expires. Valid values are 1–730. The default is0, which means the passcode never expires.
    • Previous passwords saved (0-50):Specifies the number of used passwords to save. Users are unable to use any password found in this list. Valid values are 0–50. Default is0, which means users can reuse passwords.
    • Lock the device after (failed sign-on attempts)设备运行诺克斯三星3.0,后来那t have a valid Knox license key configured. For fully managed devices only. This setting does not apply to devices enrolled as work profile devices. Specifies the number of times a user can fail to sign on, after which the device is locked. Default isNot defined.
  • Work profile security challenge:Require users to complete a security challenge for access to apps running in an Android Enterprise work profile. For devices running Android 7.0 and later. When this setting isOn, configure the settings underPasscode requirements for work profile security challengeandPasscode security for work profile security challenge. Default isOff.
  • Passcode requirements for work profile security challenge:
    • Minimum length:Specifies the minimum passcode length. Default is 6.
    • Allow users to make password visible:For devices running Knox 3.0 and later that have a valid Knox license key configured. Allows users to make the password visible. Default isOff.
    • Biometric recognition:Enables biometric recognition. If this setting isOn,Required charactersfield is hidden. The default isOff.
    • Required characters:Specifies the types of characters required for passcodes. In the list, chooseNo Restriction,Both numbers and letters,数量s only, orLetters only. UseNo restrictionsonly for devices running Android 7.0. Android 7.1 and later don’t honor theNo restrictionssetting. The default isBoth numbers and letters.
    • Forbidden strings:诺克斯为设备运行3.0和以后有valid Knox license key configured. Specifies strings users can’t use as passcodes. You create forbidden strings to prevent users from using insecure strings that are easy to guess like “password”, “pwd”, “welcome”, “123456”, “111111”, and so on. For each string you want to deny: clickAdd; type the string you don’t want users to use; clickSaveto add the string or clickCancelto cancel adding the string.
    • Advanced rules:Applies advanced rules for the types of characters that can occur in passcodes. When this setting isOn, configure the settings underMinimum number ofandMaximum number of. This setting is not available for Android devices earlier than Android 5.0. The default isOff.
    • Minimum number of:
      • Symbols:Specifies the minimum number of symbols. Default is0.
      • Letters:Specifies the minimum number of letters. Default is0.
      • Lowercase letters:Specifies the minimum number of lowercase letters. Default is0.
      • Uppercase letters:Specifies the minimum number of uppercase letters. Default is0.
      • 数量s or symbols:Specifies the minimum number of numbers or symbols. Default is0.
      • 数量s:Specifies the minimum number of numbers. Default is0.
      • Changed characters:For devices running Knox 3.0 and later that have a valid Knox license key configured. Specifies the number of characters users must change from their previous passcode. The default is0.
    • Maximum number of:For devices running Knox 3.0 and later that have a valid Knox license key configured.
      • 数量of times a character can occur:Specifies the maximum number of times a character can occur in a passcode. The default is0, which means there is no maximum limit.
      • Alphabetic sequence length:Specifies the maximum length of an alphabetic sequence in a passcode. The default is0, which means there is no maximum limit.
      • Numeric sequence length:Specifies the maximum length of a numeric sequence in a passcode. The default is0, which means there is no maximum limit.
    • Enable unified passcode:IfOn, users use one passcode for their device and work profile. IfOff:
      • Users must use different passcodes for their device and work profile.
      • TheUse one locksetting on the device, which users set if they want to use one passcode for their device and work profile, is disabled. User can’t enable it.
      • If the passcode requirement for the work profile security challenge is more complex than the device passcode: Users with theUse one locksetting enabled are prompted to change their work profile passcodes.

      The default isOff. Available starting with Android 9.0.

  • Passcode security for work profile security challenge
    • Wipe the container after (failed sign-on attempts):Specifies the number of times a user can fail to sign on, after which the work profile and its data is wiped from the device. Users need to reinitialize the work profile after the wiping occurs. Default isNot defined.
    • Lock container after (minutes of inactivity):Specifies the number of minutes a device can be inactive before the work profile is locked. The default isNone.
    • Passcode expiration in days (1-730):Specifies the number of days after which the passcode expires. Valid values are 1–730. The default is0, which means the passcode never expires.
    • Previous passwords saved (0-50):Specifies the number of used passwords to save. Users are unable to use any password found in this list. Valid values are 0–50. The default is0, which means users can reuse passwords.
    • Lock the container after (failed sign-on attempts):For devices running Knox 3.0 and later that have a valid Knox license key configured. Specifies the number of times a user can fail to sign on, after which the device is locked. Default isNot defined.

Windows Desktop/Tablet settings

Image of Device Policies configuration screen

  • Disallow convenience logon:Select whether to allow users to access their devices with picture passwords or biometric logons. The default isOff.
  • Minimum passcode length:In the list, click the minimum passcode length. The default is6.
  • Maximum passcode attempts before wipe:In the list, click the number of times a user can fail to sign in successfully after which corporate data is wiped from the device. The default is4.
  • Passcode expiration in days (0-730):Type the number of days after which the passcode expires. Valid values are 0-730. The default is0, which means the passcode never expires.
  • Passcode history: (1-24):Type the number of used passcodes to save. Users are unable to use any passcode found in this list. Valid values are 1-24. You must enter a number between 1 and 24 in this field. The default is0.
  • Maximum inactivity before device lock in minutes (1-999):Type the length of time in minutes that a device can be inactive before it is locked. Valid values are 1-999. You must enter a number between 1 and 999 in this field. The default is0.
Passcode device policy
July 28, 2022
Contributed by:
C K
July 28, 2022
Contributed by:
C K

In this article

Site feedback | Privacy and legal terms | Cookie preferences | Consent settings | docs.cloud.com
© 1999-Cloud Software Group, Inc. All rights reserved.