
Password policies configuration (macOS user policy)

With the Password policies configuration you define requirements for the passwords of Mac user accounts.

When you assign the Password policies configuration to a device that doesn’t meet the password requirements, a grace period of 60 minutes starts. Within the grace period, the device asks the user to change the password every time they open the Home screen. After the grace period, the user may not start any apps on the device, including internal apps.

Setting	Description

Allow simple value
	Users are allowed to use sequential or repeated characters in their password, for example 1111 or abcde.

Require alphanumeric value
	Passwords must contain at least one letter or number.

Minimum password length
	Specifies the minimum number of characters a password must contain.

Minimum number of complex characters
	Specifies the minimum number of non-alphanumeric characters (for example & or !) a password must contain.

Maximum password age in days
	Requires users to change their password in the specified interval.

	Value range: 0 (no password change required) to 730 days.

Maximum Auto-Lock (in minutes)
	In this field, you can specify the maximum value the user is allowed to configure on the device.

	Auto-Lock specifies how soon (in minutes) the device will be locked if it has not been used.

Password history
	The number of previously used passwords Sophos Mobile stores.

	When the user sets a new password, it mustn't match a password that was already used.

Maximum grace period for device lock
	In this field, you can specify the maximum value the user is allowed to configure on the device.

	The grace period for device lock specifies for how long the device can be unlocked after a lock without a password prompt.

	If you select None, the user can select any of the intervals available.

	If you select Immediately, users must enter a password every time they unlock their devices.

Number of failed attempts until device wipe
	In this field, you can specify the number of failed attempts to enter the correct password before the device is wiped.

	After six failed attempts, a time delay is imposed before a password can be entered again. The delay increases with each failed attempt. After the final failed attempt, all data and settings are securely removed from the device.

	The time delay starts after the sixth attempt. So if you set this value to 6 or lower, no delay is imposed and the device is wiped when the attempt limit is exceeded.
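The following checker shows how the composition rules in the table (simple value, alphanumeric, minimum length, complex characters, password history) are evaluated against a candidate password. It is an added example written for this page, not Sophos Mobile code; the PasswordPolicy class, its field names and the sample passwords are constructed. The table does not say how long a "sequential or repeated" run has to be before a value counts as simple, so the run length of three is an assumption.

```python
"""Evaluate a candidate password against the rules described in the table above.

Constructed example: the policy class, field names and sample values are not
part of the Sophos Mobile product; they only mirror the table's settings.
"""
from dataclasses import dataclass
from typing import Iterable, List


@dataclass
class PasswordPolicy:
    """Subset of the table's settings that can be checked on a password string."""
    allow_simple_value: bool = False     # table: "Allow simple value"
    require_alphanumeric: bool = True    # table: "Require alphanumeric value"
    minimum_length: int = 8              # table: "Minimum password length"
    minimum_complex_chars: int = 1       # table: "Minimum number of complex characters"
    password_history: int = 3            # table: "Password history" (0 = none stored)


def has_simple_run(password: str, run_length: int = 3) -> bool:
    """True if the password contains run_length identical or consecutive characters,
    e.g. '111', 'abc' or 'cba'. The threshold of 3 is an assumption, not a page value."""
    if len(password) < run_length:
        return False
    for start in range(len(password) - run_length + 1):
        codes = [ord(c) for c in password[start:start + run_length]]
        steps = {later - earlier for earlier, later in zip(codes, codes[1:])}
        # All steps 0 -> repeated; all +1 -> ascending; all -1 -> descending.
        if steps in ({0}, {1}, {-1}):
            return True
    return False


def count_complex_chars(password: str) -> int:
    """Complex characters are the non-alphanumeric ones (for example & or !)."""
    return sum(1 for c in password if not c.isalnum())


def check_password(password: str, policy: PasswordPolicy,
                   previous_passwords: Iterable[str] = ()) -> List[str]:
    """Return the list of violated rules (empty list means the password is accepted)."""
    violations: List[str] = []

    if not policy.allow_simple_value and has_simple_run(password):
        violations.append("simple_value")

    # The table wording: at least one letter or number.
    if policy.require_alphanumeric and not any(c.isalnum() for c in password):
        violations.append("not_alphanumeric")

    if len(password) < policy.minimum_length:
        violations.append("too_short")

    if count_complex_chars(password) < policy.minimum_complex_chars:
        violations.append("too_few_complex")

    # Only the most recent `password_history` passwords are stored and compared.
    history = list(previous_passwords)
    stored = history[-policy.password_history:] if policy.password_history > 0 else []
    if password in stored:
        violations.append("reused")

    return violations


if __name__ == "__main__":
    policy = PasswordPolicy()
    for candidate in ("1111", "abcde", "Tr0ub@dor-Horse"):
        print(candidate, "->", check_password(candidate, policy) or "accepted")
```

Violations are returned as a list rather than a single boolean so that the enrolment flow can tell the user which rule failed; the history check deliberately looks only at the last N entries, matching the table's statement that Sophos Mobile stores a fixed number of previous passwords.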