Password policies configuration (macOS user policy)

With the Password policies configuration you define requirements for the passwords of Mac user accounts.

Note: When the Password policies configuration is assigned to a device, a grace period of 60 minutes starts. Within the grace period, the user is asked to change the password when they return to the Home screen to comply with the policies. After the grace period, the user may not start any apps on the device, including internal apps.

| Setting/Field | Description |
| --- | --- |
| Allow simple value | Users are allowed to use sequential or repeated characters in their password, for example 1111 or abcde. |
| Require alphanumeric value | Passwords must contain at least one letter or number. |
| Minimum password length | Specifies the minimum number of characters a password must contain. |
| Minimum number of complex characters | Specifies the minimum number of non-alphanumeric characters (for example & or !) a password must contain. |
| Maximum password age in days | Requires users to change their password in the specified interval. Value range: 0 (no password change required) to 730 days. |
| Maximum Auto-Lock (in minutes) | In this field, you can specify the maximum value the user is allowed to configure on the device. Auto-Lock specifies how soon (in minutes) the device will be locked if it has not been used. |
| Password history | In this field, you can specify how many old passwords are remembered and compared with new ones. When the user defines a new password, it is not accepted if it matches a previously used password. Value range: 1 to 50 or 0 (no password history). |
| Maximum grace period for device lock | In this field, you can specify the maximum value the user is allowed to configure on the device. The grace period for device lock specifies for how long the device can be unlocked after a lock without a password prompt. If you select None, the user can select any of the intervals available. If you select Immediately, users must enter a password every time they unlock their devices. |
| Number of failed attempts until device wipe | In this field, you can specify the number of failed attempts to enter the correct password before the device is wiped. After six failed attempts, a time delay is imposed before a password can be entered again. The delay increases with each failed attempt. After the final failed attempt, all data and settings are securely removed from the device. The time delay starts after the sixth attempt. So if you set this value to 6 or lower, no delay is imposed and the device is wiped when the attempt limit is exceeded. |
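
The rules in the table above, expressed as a small Python check (an added example, not the product's own code or schema). The field names, the SHA-256 history comparison, and the three-character run length used to detect a "simple" value (including descending runs) are assumptions made for illustration.

```python
import hashlib

# Hypothetical field names mirroring the settings table; not the product's schema.
POLICY = {
    "allow_simple": False,
    "require_alphanumeric": True,
    "min_length": 10,
    "min_complex_chars": 1,
    "max_age_days": 90,         # page range: 0 to 730
    "history": 5,               # page range: 0 to 50
    "max_failed_attempts": 10,
}

def policy_findings(p):
    """Range checks and the wipe-delay caveat stated on the page."""
    out = []
    if not 0 <= p["max_age_days"] <= 730:
        out.append("max_age_days outside 0-730")
    if not 0 <= p["history"] <= 50:
        out.append("history outside 0-50")
    if p["max_failed_attempts"] <= 6:
        out.append("wipe limit <= 6: device is wiped with no retry delay")
    return out

def is_simple(pw, run=3):
    """True if pw holds `run` repeated or sequential characters (run=3 is assumed)."""
    for i in range(len(pw) - run + 1):
        steps = {ord(b) - ord(a) for a, b in zip(pw[i:i + run], pw[i + 1:i + run])}
        if steps in ({0}, {1}, {-1}):   # repeated, ascending, descending
            return True
    return False

def digest(pw):
    """Constructed stand-in for however old passwords are actually remembered."""
    return hashlib.sha256(pw.encode()).hexdigest()

def violations(pw, p, old_digests):
    """Return the policy rules that candidate password pw breaks."""
    out = []
    if not p["allow_simple"] and is_simple(pw):
        out.append("simple value")
    if p["require_alphanumeric"] and not any(c.isalnum() for c in pw):
        out.append("no letter or number")
    if len(pw) < p["min_length"]:
        out.append("too short")
    if sum(not c.isalnum() for c in pw) < p["min_complex_chars"]:
        out.append("too few complex characters")
    if p["history"] and digest(pw) in old_digests[-p["history"]:]:
        out.append("reused password")
    return out
```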