Passcode

The Passcode settings enforce the use of a secure passcode to unlock an Android device.

The following table describes the passcode settings that you can configure on a device.

Policy setting Description Support Matrix
Configure Device Passcode Policy: This policy enforces device passcodes on Profile Owner (PO) and Device Owner (DO) modes for Android Enterprise 5.0+. An administrator can reset the passcode in Device Owner (DO) mode only. Android 5.0+ (PO) and (DO)
Configure Device Passcode IT administrators can set a passcode to all the enrolled devices. When a device gets enrolled to IBM MaaS360, the device is automatically set with the admin-configured Passcode. This policy is supported from Android 8.90+. Android 5.0+ (DO)
Set Passcode
Note: Enable the Configure Device Passcode checkbox to view this setting.
Set a passcode for the device. This policy is supported from Android 8.90+.
Android 5.0+ (DO)
Delay for passcode prompt after lock screen The amount of time that passes before a passcode prompt appears on the screen of a locked Android device. The values are as follows.
  • Immediate (default)
  • 15 seconds
  • 30 seconds
  • 1 minute
  • 2 minutes
  • 3 minutes
  • 4 minutes
  • 5 minutes
  • 10 minutes
DO With KNOX (SAFE 2.0+)
Allowed idle time (in minutes) before auto-lock The amount of time the device remains inactive before the device is locked automatically. The values are as follows.
  • 15 seconds
  • 30 seconds
  • 1 minute
  • 2 minutes
  • 3 minutes
  • 4 minutes
  • 5 minutes
  • 10 minutes
  • 15 minutes
  • 30 minutes
Android 5.0+ (PO & DO)
Allowed idle time (in hours) for stronger authentication The amount of time that a user can wait before stronger authentication is forced on the device. The range is 1 - 72 hours. Android 8.0+ (PO & DO)
Number of failed passcode attempts before all data is erased (factory reset) The number of password attempts that are allowed before the device is wiped. The range is 0 - 16 attempts.

If you leave this field blank or enter a zero in the field, the device remains unlocked and data is not wiped from the device.

Android 5.0+ (PO & DO)
Configure Work Profile Passcode Policy: The passcode for the Work Profile. (Android 7.0+ PO only). The passcode prompt is displayed when a user opens the Work Profile feature or app. If a device uses a device-level passcode (either optional or enforced) and that passcode matches the Work Profile passcode, then the user can enter the passcode once to unlock both the device and the Work Profile. Android 7.0+ (PO)
Minimum Passcode Complexity Specify the minimum complexity requirement of a password for the screen lock. The password is applied in the form of predefined complexity buckets (High, Medium, Low, and None). Users must create a matching or a stronger passcode, but they cannot set a password with a lesser complexity level.
Requirements:
  • None: A passcode is not required.
  • Low: The passcode must satisfy one of the following.
    • PIN with repeating (4444) or ordered (1234, 4321, 2468) sequences
    • Pattern
  • Medium: The passcode must satisfy one of the following.
    • PIN with no repeating (4444) or ordered (1234, 4321, 2468) sequences, length at least 4
    • Alphabetic, length at least 4
    • Alphanumeric, length at least 4
  • High: The passcode must satisfy one of the following.
    • PIN with no repeating (4444) or ordered (1234, 4321, 2468) sequences, length at least 8
    • Alphabetic, length at least 6
    • Alphanumeric, length at least 6
Notes:
  • If this policy setting is turned on, the deprecated passcode settings Minimum Passcode Qualityand Minimum Passcode Length are not supported.
  • Use the Minimum Passcode Quality setting to enable passcode restrictions for Android 5.0 - 11.0 devices.
  • Android 12+ (PO) and (DO)
  • For Profile Owner (PO) devices, requires MaaS360 for Android app version 7.50 or later.
  • For Device Owner (DO) devices, requires MaaS360 for Android app version 7.70 or later.
Minimum Passcode Quality The type of passcode that users can create. Users can create a matching or a strong passcode. The values are as follows.
  • Any
  • Numeric
  • Alphabetic
  • Complex
  • Numeric Complex
  • Weak Bio-metric (allows for low-security bio-metric recognition)
Note: Google deprecated Minimum Passcode Quality and Minimum Passcode Length for setting passcode on Profile Owner (PO) devices. MaaS360 no longer supports these deprecated policies when users upgrade to the MaaS360 for Android app version 7.90+ on Android devices with version 12 and later. Use Minimum Passcode Complexity to set device and work profile passcode restrictions for Profile Owner devices.
Android 7.0+ (PO), Android 5.0+ (DO)
Minimum Passcode Length (4 - 16 characters) The minimum number of characters that are needed for a passcode. The range is 4 - 16 characters.
Note: Google deprecated Minimum Passcode Quality and Minimum Passcode Length for setting passcode on Profile Owner (PO) devices. MaaS360 no longer supports these deprecated policies when users upgrade to the MaaS360 for Android app version 7.90+ on Android devices running OS version 12 and later. Use Minimum Passcode Complexity to set device and work profile passcode restrictions for Profile Owner devices.
Android 7.0+ (PO)
Maximum passcode age (in days) The number of days that can pass before a passcode must be changed. The range is 1 - 999 days.

If you leave this field blank or enter a zero in the field, the passcode never expires.

Android 7.0+ (PO)
Passcode History The number of times a unique passcode is used before an older passcode can be used again. The range is 0 - 99 times.

If you leave this field blank or enter a zero in the field, you can reuse a passcode that you previously used on the device.

Android 7.0+ (PO)
Allowed idle time (in minutes) before auto-lock The amount of time the device remains inactive before the device is locked automatically. The values are as follows.
  • 15 seconds
  • 30 seconds
  • 1 minute
  • 2 minutes
  • 3 minutes
  • 4 minutes
  • 5 minutes
  • 10 minutes
  • 15 minutes
  • 30 minutes
Android 7.0+ (PO)
Allowed idle time (in hours) for stronger authentication The amount of time that a user can wait before stronger authentication is forced on the device. The range is 1 - 72 hours. Android 8.0+ (PO)
Number of failed passcode attempts before all data is erased (factory reset) The number of password attempts that are allowed before the device is wiped. The range is 0 - 16 attempts.

If you leave this field blank or enter a zero in the field, the device remains unlocked and data is not wiped from the device.

Android 7.0+ (PO)
Disallow Unified Password This policy setting specifies that the managed profile is not allowed to have a unified lock screen challenge with the primary user. Setting this restriction alone does not automatically set a separate challenge for the Work Profile. Android 9.0+ (PO)