You can create a password policy to manage local user passwords in the Workspace ONE Access service. Local users can change their password according to the password policy rules.

Local users can change their password from the Workspace ONE Intelligent Hub portal in the Account Settings Profile page drop-down menu by their name.

Configure Password Policy for Local Users

You create a password policy to manage local user passwords in Workspace ONE Access.The local user password policy is a set of rules and restrictions on the format and expiration of the local user passwords. The password policy applies only to local users that you created from the Workspace ONE Access console.

The password policy can include password restrictions, a maximum lifetime of a password, and for password resets, the maximum lifetime of the temporary password. You can also set up the lockout policy.

The default password policy requires six characters. The password restrictions can include a combination of uppercase, lowercase, numerical, and special characters to require strong passwords be set.

To prevent unauthorized access to an account, you can configure an account lockout policy. The policy settings determine the number of failed sign-in attempts within a specific duration of time that activates the user account lockout. An account is locked out for the number of minutes defined in the policy. The default configuration is five failed sign-in attempts in 15 minutes. When a user attempts to sign in a sixth time within 15 minutes and fails, the account is locked out for 15 minutes.

  1. In the Workspace ONE Access console, select Users & Groups > Settings
  2. To edit the password restriction parameters, click Password Policy.
    Option Description
    Minimum length for passwords Six characters is the minimum length, but you can require more than six characters. The minimum length must be no less than the combined minimum of alphabetic, numeric, and special character requirements.
    Lowercase characters Minimum number of lowercase characters. Lowercase a-z
    Uppercase characters Minimum number of uppercase characters. Uppercase A-Z
    Numerical characters (0-9) Minimum number of numerical characters. Base 10 digits (0-9)
    Special characters Minimum number of non-alphanumeric characters, for example & # % $ !
    Consecutive identical characters Maximum number of identical adjacent characters. For example, if you enter 1, the following password is allowed: p@s$word, but this password is not allowed: p@$$word.
    Password history Number of the previous passwords that cannot be selected. For example, if a user cannot reuse any of the last six passwords, type 6. To deactivate this feature, set the value to 0.
    Number of characters from previous password allowed Enforce a minimum number of characters that can be reused in a new password. For example, if 0 is set, users cannot use any of the same characters from the previous password. If this text box is left blank, this rule is not applied.
  3. In the Password Management section, edit the password lifetime parameters.
    Option Description
    Temporary password lifetime Number of hours a password reset or forgot password link is valid.
    • The default lifetime value is 24 hours for new Workspace ONE Access tenants deployed after February 24, 2022.
    • Workspace ONE Access tenants deployed before February 24, 2022 might have inherited the old default of 168 hours or have an admin-modified lifetime value to be greater than 24 hours. For security purposes, you should minimize the temporary password lifetime to only the number of hours that your organization deems necessary.
    Password lifetime Maximum number of days that a password can exist before the user must change it.
    Password reminder Number of days before a password expiration that the password expiry notice is sent.
    Password reminder notification frequency After the first password expiry notice is sent, how frequently reminders are sent.

    Each box must have a value to set up the password lifetime policy. To not set up a password lifetime policy, enter 0.

  4. Define the account lockout policy in the Account Lockout section.
    Option Description
    Failed password attempts The number of incorrect passwords that can be entered. Default is 5. If you set the default to 0, accounts are never locked out for failed password attempts.
    Failed authentication attempts interval The number of minutes in which failed sign-in attempts are counted. The default is 15 minutes.
    Account lockout duration After the failed authentication attempts interval is reached, an account is locked out for the number of minutes set here. The account is automatically unlocked when the time is up. The default is 15 minutes. If you set the minutes to 0, a user's account is not locked out. Users can continue to retry to log in.
  5. Click Save.