The local user password policy is a set of rules and restrictions on the format and expiration of the local user passwords. The password policy applies only to local users that you created from the Workspace ONE Access console.

The password policy can include password restrictions, a maximum lifetime of a password, and for password resets, the maximum lifetime of the temporary password. You can also set up the lockout policy

The default password policy requires six characters. The password restrictions can include a combination of uppercase, lowercase, numerical, and special characters to require strong passwords be set.

You can configure an account lockout policy to prevent unauthorized access to an account. The policy settings determine the number of failed sign-in attempts within a specific duration of time that activates the user account lockout. An account is locked out for the number of minutes defined in the policy. The default configuration is five failed sign-in attempts in 15 minutes. When a user attempts to sign in a sixth time within 15 minutes and fails, the account is locked out for 15 minutes.


  1. In the Workspace ONE Access console, select Users & Groups > Settings
  2. Click Password Policy to edit the password restriction parameters.
    Option Description
    Minimum length for passwords Six characters is the minimum length, but you can require more than six characters. The minimum length must be no less than the combined minimum of alphabetic, numeric, and special character requirements.
    Lowercase characters Minimum number of lowercase characters. Lowercase a-z
    Uppercase characters Minimum number of uppercase characters. Uppercase A-Z
    Numerical characters (0-9) Minimum number of numerical characters. Base 10 digits (0-9)
    Special characters Minimum number of non-alphanumeric characters, for example & # % $ !
    Consecutive identical characters Maximum number of identical adjacent characters. For example, if you enter 1, the following password is allowed: p@s$word, but this password is not allowed: p@$$word.
    Password history Number of the previous passwords that cannot be selected. For example, if a user cannot reuse any of the last six passwords, type 6. To disable this feature, set the value to 0.
    Number of characters from previous password allowed Enforce a minimum number of characters that can be reused in a new password. For example, if 0 is set, users cannot use any of the same characters from the previous password. If this text box is left blank, this rule is not applied.
  3. In the Password Management section, edit the password lifetime parameters.
    Option Description
    Temporary password lifetime Number of hours a password reset or forgot password link is valid. The default is 168 hours
    Password lifetime Maximum number of days that a password can exist before the user must change it.
    Password reminder Number of days before a password expiration that the password expiry notice is sent.
    Password reminder notification frequency After the first password expiry notice is sent, how frequently reminders are sent.
    Each box must have a value to set up the password lifetime policy. To not setup a password lifetime policy, enter 0.
  4. Define the account lockout policy in the Account Lockout section.
    Option Description
    Failed password attempts The number of incorrect passwords that can be entered. Default is 5. If you set the default to 0, accounts are never locked out for failed password attempts.
    Failed authentication attempts interval The number of minutes in which failed sign-in attempts are counted. The default is 15 minutes.
    Account lockout duration After the failed authentication attempts interval is reached, an account is locked out for the number of minutes set here. The account is automatically unlocked when the time is up. The default is 15 minutes. If you set the minutes to 0, a user's account is not locked out. Users can continue to retry to log in.
  5. Click Save.