You can create a password policy to manage local user passwords in the Workspace ONE Access service. Local users can change their password according to the password policy rules.
Local users can change their password from the Workspace ONE Intelligent Hub portal in the Account Settings Profile page drop-down menu by their name.
Configure Password Policy for Local Users
You create a password policy to manage local user passwords in the Workspace ONE Access server. The local user password policy is a set of rules and restrictions on the format and expiration of the local user passwords. The password policy applies only to local users that you created from the Workspace ONE Access console.
The password policy can include password restrictions, a maximum lifetime of a password, and for password resets, the maximum lifetime of the temporary password. You can also set up the lockout policy.
The password restrictions require a combination of uppercase, lowercase, numerical, and special characters so that users set strong passwords. The default password policy enforces the following conditions.
- Minimum password length of eight characters
- Minimum of one uppercase character (A-Z)
- Minimum of one lowercase character (a-z)
- Minimum of one numerical character (0-9)
- Minimum of one non-alphanumeric character ! @ # $ % ^ & * ( ) _ + - = [ ] { } | '
You also configure the following password rules to enforce strong passwords.
- Maximum number of identical adjacent characters that can be used in a password
- Password history to prevent password reuse
- Minimum number of characters that can be reused in a new password
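The rules above can be modelled as a small checker for testing candidate policies before they are entered in the console. This is an added example, not Workspace ONE Access code: the class and function names are hypothetical, the special-character set is the list given for the default policy, and counting distinct shared characters for the previous-password rule is an assumption about how that rule is evaluated.

```python
from dataclasses import dataclass
from typing import Optional

# Special characters as listed for the default policy on this page.
SPECIALS = set("!@#$%^&*()_+-=[]{}|'")

@dataclass
class PasswordPolicy:
    min_length: int = 8
    min_lower: int = 1
    min_upper: int = 1
    min_digit: int = 1
    min_special: int = 1
    max_identical_adjacent: Optional[int] = None  # None: not configured (assumption)
    reuse_chars_allowed: Optional[int] = None     # None: text box left blank

def policy_errors(p: PasswordPolicy) -> list:
    """The minimum length must cover the combined character-class minimums."""
    need = p.min_lower + p.min_upper + p.min_digit + p.min_special
    if p.min_length < need:
        return [f"min_length {p.min_length} is below combined minimum {need}"]
    return []

def longest_run(s: str) -> int:
    """Length of the longest run of identical adjacent characters."""
    best = run = 0
    prev = None
    for ch in s:
        run = run + 1 if ch == prev else 1
        best, prev = max(best, run), ch
    return best

def violations(pw: str, p: PasswordPolicy, previous: Optional[str] = None) -> list:
    """Return the names of the rules that pw breaks (empty list = accepted)."""
    checks = [
        ("length", len(pw) >= p.min_length),
        ("lowercase", sum("a" <= c <= "z" for c in pw) >= p.min_lower),
        ("uppercase", sum("A" <= c <= "Z" for c in pw) >= p.min_upper),
        ("digit", sum("0" <= c <= "9" for c in pw) >= p.min_digit),
        ("special", sum(c in SPECIALS for c in pw) >= p.min_special),
    ]
    if p.max_identical_adjacent is not None:
        checks.append(("identical-adjacent", longest_run(pw) <= p.max_identical_adjacent))
    if p.reuse_chars_allowed is not None and previous is not None:
        # Assumption: count distinct characters shared with the previous password.
        shared = len(set(pw) & set(previous))
        checks.append(("reused-characters", shared <= p.reuse_chars_allowed))
    return [name for name, ok in checks if not ok]
```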
To prevent unauthorized access to an account, you can configure an account lockout policy. The policy settings determine the number of failed sign-in attempts within a specific duration of time that activates the user account lockout. An account is locked out for the number of minutes defined in the policy. The default configuration is five failed sign-in attempts in 15 minutes. When a user attempts to sign in a sixth time within 15 minutes and fails, the account is locked out for 15 minutes.
- In the Workspace ONE Access console, select
- To edit the password restriction parameters, click Password Policy. Set the following values.
  | Option | Description |
  | --- | --- |
  | Minimum length for passwords | The minimum password length is eight characters. The minimum length must be no less than the combined minimum of alphabetic, numeric, and special character requirements. |
  | Lowercase characters | Passwords must contain a minimum of one lowercase character. |
  | Uppercase characters | Passwords must contain a minimum of one uppercase character. |
  | Numerical characters | Passwords must contain a minimum of one numerical character. |
  | Special characters | Passwords must contain a minimum of one non-alphanumeric character such as & # % $ ! |
  | Consecutive identical characters | Set the maximum number of identical adjacent characters. For example, if you enter 1, the following password is allowed: p@s$word, but this password is not allowed: p@$$word. |
  | Password history | Set the number of the previous passwords that cannot be selected. For example, if a user cannot reuse any of the last six passwords, type 6. To deactivate this feature, set the value to 0. |
  | Number of characters from previous password allowed | Enforce a minimum number of characters that can be reused in a new password. For example, if 0 is set, users cannot use any of the same characters from the previous password. If this text box is left blank, this rule is not applied. |

- In the Password Management section, edit the password lifetime parameters.
  | Option | Description |
  | --- | --- |
  | Temporary password lifetime | Set the number of hours a password reset or forgot password link is valid. The default lifetime value is 24 hours for new Workspace ONE Access tenants deployed after February 24, 2022. Workspace ONE Access tenants deployed before February 24, 2022 might have inherited the old default of 168 hours or have an admin-modified lifetime value greater than 24 hours. For security purposes, you should minimize the temporary password lifetime to only the number of hours that your organization deems necessary. |
  | Password lifetime | Set the maximum number of days that a password can exist before the user must change it. |
  | Password reminder | Set the number of days before a password expires that the password expiry notice is sent. |
  | Password reminder notification frequency | After the first password expiry notice is sent, set how frequently reminders are sent. |

  Each box must have a value to set up the password lifetime policy. To not set up a password lifetime policy, enter 0.
- Define the account lockout policy in the Account Lockout section.
  | Option | Description |
  | --- | --- |
  | Failed password attempts | The number of incorrect passwords that can be entered. The default is 5. If you set this value to 0, accounts are never locked out for failed password attempts. |
  | Failed authentication attempts interval | The number of minutes in which failed sign-in attempts are counted. The default is 15 minutes. |
  | Account lockout duration | After the failed authentication attempts interval is reached, an account is locked out for the number of minutes set here. The account is automatically unlocked when the time is up. The default is 15 minutes. If you set the minutes to 0, a user's account is not locked out. Users can continue to retry to log in. |

- Click Save.
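To see how the three Account Lockout values interact, the following added example replays a constructed sign-in timeline against the default policy. It is not Workspace ONE Access code: the names are hypothetical, and the sliding-window counting, the counter reset on a successful sign-in, and the rejection of all attempts while locked are assumptions about behaviour the page does not spell out.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class LockoutPolicy:
    max_failed: int = 5      # Failed password attempts (0 = never lock)
    interval_min: int = 15   # Failed authentication attempts interval
    duration_min: int = 15   # Account lockout duration (0 = no lockout)

def replay(attempts: List[Tuple[int, bool]],
           policy: Optional[LockoutPolicy] = None) -> List[str]:
    """attempts: (minute, password_correct) pairs in time order.
    Returns 'ok', 'fail', 'locked-out' or 'rejected' for each attempt."""
    policy = policy or LockoutPolicy()
    enabled = policy.max_failed > 0 and policy.duration_min > 0
    failures: List[int] = []            # times of failures still inside the window
    locked_until: Optional[int] = None
    results = []
    for t, correct in attempts:
        if locked_until is not None and t < locked_until:
            results.append("rejected")  # assumption: nothing is accepted while locked
            continue
        locked_until = None             # lock expired: account unlocks automatically
        if correct:
            failures.clear()            # assumption: success resets the counter
            results.append("ok")
            continue
        # Keep only failures that fall inside the counting interval.
        failures = [f for f in failures if t - f < policy.interval_min] + [t]
        if enabled and len(failures) > policy.max_failed:
            # Default policy: the sixth failure inside 15 minutes locks the account.
            locked_until = t + policy.duration_min
            failures = []
            results.append("locked-out")
        else:
            results.append("fail")
    return results

# Constructed timeline: six failures in six minutes, a correct password during
# the lock, and a correct password after the lock has expired.
SAMPLE = [(0, False), (1, False), (2, False), (3, False), (4, False),
          (5, False), (10, True), (20, True)]
```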