Enforce a Passcode profile to protect devices with passcodes each time they return from an idle state. A passcode ensures that all sensitive corporate information on managed devices remains protected.

Passcodes set using this payload only take effect if the passcode is stricter than existing passcodes. For example, if the existing Microsoft Account passcode requires stricter settings than the Passcode payload requirements, the device continues to use the Microsoft Account passcode.

Prerequisites

To push the Passcode profile to devices, you must first enable it in the Agent Settings. Navigate to Devices & Users > Windows > Windows 7 > Agent Settings and select Enforce Passcode.

Procedure

To configure the Passcode profile:

  1. Navigate to Devices > Profiles > List View > Add and select Add Profile.

  2. Select Windows and then select Windows 7.
  3. Configure the profile General settings.

    These settings determine how the profile deploys and who receives it. For more information on General settings, see Add General Profile Settings.

  4. Select the Passcode profile.
  5. Select Require Passcode on device and configure the Passcode settings:
    Setting: Description

    Allow Simple Value: Select to allow simple passcodes instead of complex passcodes requiring multiple characters and numbers.
    Enforce Passcode History: Enter a value to force end users to select a passcode they have not used before. The value entered (0-24) is the number of previously used passcodes kept in the history. A previous passcode cannot be used again until it is no longer kept in the history.
    Maximum Passcode Age (days): Enter the number of days a passcode can be used before it must be changed.
    Minimum Passcode Age (days): Enter the number of days that must pass before an end user may change their passcode. If the value is 0, then Passcode History is not effective.
    Minimum Passcode Length: Enter the minimum number of characters a passcode must have.

    Setup Account Lockout
    Account Lockout Duration (mins.): Enter the number of minutes a device is locked out after entering the passcode incorrectly too many times.
    Account Lockout Threshold: Enter the number of passcode attempts allowed before the device is locked out.
    Reset Account Lockout Count After (mins.): Enter the number of minutes that must pass after a failed login attempt before the failed login attempt counter is reset. This value must be less than or equal to Account Lockout Duration.

    Enable Screen Lockout
    Inactivity Period Before Locking Screen (mins.): Enter the number of minutes of inactivity that must pass before the screen is automatically locked.

    Enterprise Wipe
    Reset Password and Account Lockout Policies upon Enterprise Wipe: Enabled by default. Enable to reset password and account lockout policies to simple values with no enforcement after an Enterprise Wipe command is sent to the device.

  6. Select Save & Publish when you are finished to push the profile to devices.
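
The value constraints in the settings table can be checked before the profile is published. The following is an added example, not part of the product or of this documentation: the dictionary keys are hypothetical names for the settings above, the sample values are constructed, and only the constraints stated on this page are checked.

```python
# Added example: lint planned Passcode profile values before Save & Publish.
# Dictionary keys are hypothetical names for the settings in the table above;
# only the constraints stated on this page are checked.

def check_passcode_profile(p):
    """Return (setting, message) findings for a dict of planned values."""
    findings = []
    history = p.get("passcode_history", 0)
    min_age = p.get("min_passcode_age_days", 0)
    duration = p.get("lockout_duration_mins")
    reset_after = p.get("reset_lockout_count_after_mins")

    # Enforce Passcode History accepts 0-24.
    if not 0 <= history <= 24:
        findings.append(("passcode_history", "value must be between 0 and 24"))
    # With Minimum Passcode Age 0, Passcode History is not effective.
    if history > 0 and min_age == 0:
        findings.append(("min_passcode_age_days",
                         "0 makes Passcode History ineffective"))
    # Reset counter must be less than or equal to Account Lockout Duration.
    if None not in (duration, reset_after) and reset_after > duration:
        findings.append(("reset_lockout_count_after_mins",
                         "must be <= Account Lockout Duration"))
    # Allow Simple Value permits simple passcodes; flag it for review.
    if p.get("allow_simple_value"):
        findings.append(("allow_simple_value",
                         "simple passcodes are allowed instead of complex ones"))
    return findings

# Constructed sample values, not taken from any real deployment.
WEAK = {"allow_simple_value": True, "passcode_history": 30,
        "min_passcode_age_days": 0, "lockout_duration_mins": 15,
        "reset_lockout_count_after_mins": 30}
CORRECTED = {"allow_simple_value": False, "passcode_history": 5,
             "min_passcode_age_days": 1, "lockout_duration_mins": 30,
             "reset_lockout_count_after_mins": 30}

if __name__ == "__main__":
    for name, profile in (("WEAK", WEAK), ("CORRECTED", CORRECTED)):
        print(name)
        results = check_passcode_profile(profile) or [("ok", "no findings")]
        for setting, message in results:
            print(f"  {setting}: {message}")
```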