
Password policy

Last updated July 26th, 2023

Refer to the following device password management policies to enable or disable password management capabilities and set device login authentication values.

To set a unique device password policy:

  1. In your UEM console, open the Device Configuration Profile associated with your target devices, and then on the middle navigation menu, click Properties. The Device Configuration Policy Properties page opens.

  2. On the Properties page, in the Settings list, click Configure. The OEMConfig page for the Device Configuration Policy opens.

  3. Next to the appropriate Profile Owner or Device Owner field, click Configure.

  4. Navigate to the Password Policy fields described below, click Configure next to each one you want to change, and then click OK. The updated password settings are saved and deployed to devices according to the deployment schedule.

  • Set the Enable password policy controls with KSP value to True to permit the management of password policies on a device. Enable this option before changing any of the device’s password settings. If this option is not set to True, then any password or user authentication settings are ignored.

  • Use the following Biometric authentication options to permit personal traits (fingerprint, iris, and face) as device user authenticators. Biometrics avoid some weaknesses of passwords, such as weak choices, reuse and phishing, but a biometric cannot be changed if it is compromised, and the device still keeps a PIN, pattern or password as the fallback credential, so the password settings below continue to matter.

    • Enable fingerprint authentication — Set this value to True to permit the use of fingerprint recognition as a device user authenticator.

    • Enable Iris authentication — Set this value to True to permit the use of an iris as a device user authenticator. Iris scanning measures the unique patterns in the human iris (the colored ring of the eye), creates a digital template from them, and stores that template on the device for comparison during later unlock attempts.

    • Enable Face recognition — Set this value to True to use a digital image of the device user's face as an authenticator. An unlock attempt compares the user's face with the stored template before device access is granted. If the Device Owner (DO) lock uses PIN, password or pattern (P/P/P) authentication, the user cannot use face recognition to unlock the Profile Owner (PO) work profile.

  • Set the Enable multifactor authentication value to True to enable two-factor authentication, so that the device unlocks only after two different authentication methods succeed. One method must be biometric (fingerprint, iris, or face) and the other must be a lock screen method (PIN, password, or pattern). Multifactor authentication is only supported on devices running Knox 3.2.1 and above. Keep in mind that combining multifactor authentication with “One lock” and a biometric policy incorrectly can leave a device locked and in need of qualified support assistance to unlock, so validate the combination on a pilot device before deploying it broadly.

  • Use the following Password change options to control when device users must set or change their login password:

    • Set the Enforce Password Change value to True to force the user to change their password the next time they log in to their device. If no password has been set, this option forces the user to create one. Check the existing password enforcement conditions before setting this value to True so that the forced change does not occur at an unexpected time. If unsure, set this value to False.

    • Configure a Password Enforcement timeout <string> to define the maximum number of minutes a device user may cancel or postpone a forced password change before it is enforced.

  • Use the following Policy Restriction settings to manage password complexity:

    • Set the Maximum Character Sequence Length <string> to define the longest ordered run of alphanumeric characters (such as abcd) permitted in a device password. A value of zero (0) means there is no restriction on alphanumeric sequence length.

    • Set the Maximum Numeric Sequence Length <string> to define the longest ordered run of digits (such as 1234) permitted in a device password. A value of zero (0) means there is no restriction on numeric sequence length.

    • Set the Minimum Password Length <string> to specify the minimum number of characters required in the device password. Longer minimums make guessing attacks harder. A value of zero (0) means there is no restriction.

  • Define the Allowed Time for User Activity before Device Locks to set the maximum period of user inactivity, in milliseconds <string>, before the device locks. The device user can choose a shorter screen timeout than this value but not a longer one. A value of zero (0) means no inactivity limit is enforced.

  • Set the Maximum Failed Password Attempts to Wipe Data to define the number of failed password attempts <string> allowed before the data on the device is wiped and rendered unavailable. A value of zero (0) means there is no restriction on the number of failed login attempts. Keep in mind that the value provided via the API takes effect immediately and the wipe is irreversible: once the limit is exceeded the data cannot be recovered, so choose a value high enough that a legitimate user's typos do not trigger it.

  • Enter the Maximum Failed Password Attempts to Disable Work Profile to set the number of failed password attempts <string> allowed before the work profile and the device itself are disabled. Once disabled, the device user cannot restore access with the password, and an administrator must re-enable the device. A value of zero (0) means there is no restriction on the number of failed login attempts.

  • Use the Define Password Quality value to select the level of complexity required when setting a device's work profile password. The levels range from No Password to Complex, which requires at least one letter, one digit and one symbol. Numeric Complex requires a numeric password with no repeated (4444) or ordered (1234, 4321, 2468) digit sequences. Options include:

    • No Password
    • Some Password
    • Numeric
    • Alphabet
    • Alphanumeric
    • Numeric Complex
    • Complex
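As an added illustration (not Knox, KSP or Android code), the following Python models how the Policy Restriction settings (Maximum Character Sequence Length, Maximum Numeric Sequence Length, Minimum Password Length) and the Define Password Quality levels combine to accept or reject a candidate password. What counts as a "sequence" is an assumption made here: an ascending or descending run such as abcd or 4321 for the two sequence-length settings, and any constant-step run including repeats (4444, 2468) with a cutoff of three digits for Numeric Complex, modelled on Android's check. The sample passwords are constructed.

```python
"""Model of the password restrictions described on this page: an added
illustration, not Samsung Knox, KSP or Android code. The definition of a
'sequence' and the Numeric Complex cutoff are assumptions (see comments)."""
from __future__ import annotations
import re
from dataclasses import dataclass

QUALITIES = ("No Password", "Some Password", "Numeric", "Alphabet",
             "Alphanumeric", "Numeric Complex", "Complex")


@dataclass
class PasswordPolicy:
    quality: str = "Some Password"
    min_length: int = 0            # 0 = no restriction
    max_char_sequence: int = 0     # 0 = no restriction
    max_numeric_sequence: int = 0  # 0 = no restriction


def longest_run(s: str, *, ordered_only: bool) -> int:
    """Length of the longest run in which each character steps from the
    previous one by the same amount.  ordered_only=True counts only +1/-1
    steps (abcd, 4321), the sequences the two Maximum ... Sequence Length
    settings describe; False also counts repeats and other constant steps
    (4444, 2468), as the Numeric Complex quality does.  Assumed semantics."""
    best = min(len(s), 1)
    run, delta = 1, None
    for prev, cur in zip(s, s[1:]):
        step = ord(cur) - ord(prev)
        if ordered_only and abs(step) != 1:
            run, delta = 1, None
            continue
        if step == delta:
            run += 1
        else:
            run, delta = 2, step
        best = max(best, run)
    return best


def meets_quality(pw: str, quality: str) -> bool:
    """Map each Define Password Quality level to the character classes it needs."""
    letters = any(c.isalpha() for c in pw)
    digits = any(c.isdigit() for c in pw)
    symbols = any(not c.isalnum() for c in pw)
    if quality == "No Password":
        return True
    if quality == "Some Password":
        return len(pw) > 0
    if quality == "Numeric":
        return pw.isdigit()
    if quality == "Numeric Complex":
        # Assumption modelled on Android: digits only, and no repeated or
        # ordered run longer than 3 digits (4444, 1234, 4321, 2468 all fail).
        return pw.isdigit() and longest_run(pw, ordered_only=False) <= 3
    if quality == "Alphabet":
        return letters
    if quality == "Alphanumeric":
        return letters and digits
    if quality == "Complex":
        return letters and digits and symbols
    raise ValueError(f"unknown quality {quality!r}")


def evaluate(pw: str, policy: PasswordPolicy) -> list[str]:
    """Return the restrictions the password violates; an empty list means it
    would be accepted under this policy."""
    if policy.quality not in QUALITIES:
        raise ValueError(f"unknown quality {policy.quality!r}")
    problems: list[str] = []
    if not meets_quality(pw, policy.quality):
        problems.append(f"does not meet quality {policy.quality}")
    if policy.min_length and len(pw) < policy.min_length:
        problems.append(f"shorter than minimum length {policy.min_length}")
    # Sequence checks are applied to each alphanumeric (or digit-only) run,
    # so a symbol such as '-' between 'abc' and 'def' breaks the run.
    if policy.max_char_sequence:
        longest = max((longest_run(r, ordered_only=True)
                       for r in re.findall(r"[A-Za-z0-9]+", pw)), default=0)
        if longest > policy.max_char_sequence:
            problems.append(f"character sequence of {longest} exceeds "
                            f"{policy.max_char_sequence}")
    if policy.max_numeric_sequence:
        longest = max((longest_run(r, ordered_only=True)
                       for r in re.findall(r"[0-9]+", pw)), default=0)
        if longest > policy.max_numeric_sequence:
            problems.append(f"numeric sequence of {longest} exceeds "
                            f"{policy.max_numeric_sequence}")
    return problems


if __name__ == "__main__":
    # Constructed sample passwords checked against a strict work-profile policy.
    strict = PasswordPolicy("Complex", min_length=8,
                            max_char_sequence=3, max_numeric_sequence=3)
    for candidate in ("Tr0ub4dor&3", "abcd1234!", "Passw0rd"):
        print(f"{candidate!r}: {evaluate(candidate, strict) or 'accepted'}")
    # Numeric Complex rejects 2468 but accepts a keypad column such as 2580.
    for pin in ("2468", "2580"):
        print(f"{pin}: {evaluate(pin, PasswordPolicy('Numeric Complex')) or 'accepted'}")
```

The last two lines of the demonstration show the limit of sequence-based rules: 2580 has no constant-step run, so a Numeric Complex policy accepts it even though it is a predictable keypad pattern, which is one reason to pair the quality setting with a minimum length and a failed-attempt limit.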
  • Use the Disable Keyguard Feature to select which Keyguard feature to disable. Keyguard is the lock screen component that handles device unlock. Options include None and Disable Trusted Agents. Trust agents (for example Smart Lock) can keep a device unlocked without a credential, so disabling them ensures the user must always authenticate to unlock.

  • Set the Password Visibility control to True to allow the password to be hidden from view as it is entered on the device. Setting this control to False disables that ability and provides no additional security.
