Setting a passcode policy requires your end users to enter a passcode, providing a first layer of defense for sensitive data on devices.

Procedure

  1. Navigate to Resources > Profiles & Baselines > Profiles > Add > Add Profile > Android.
  2. Configure the General profile settings as appropriate.
  3. Select Passcode from the payload list and configure the Passcode settings:
    Settings Description
    Enable Work Passcode Policy Enable to apply passcode policies only to Android badged apps.
    Minimum Passcode Length Ensure passcodes are appropriately complex by setting a minimum number of characters.
    Passcode Content

    Ensure the passcode content meets your security requirements by selecting one of the following:

    Any, Numeric, Alphanumeric, Alphabetic, Complex, Complex numeric or Weak Biometric from the drop-down menu.

    Use simple values for quick access or alphanumeric passcodes for enhanced security. You can also require a minimum number of complex characters (@, #, &, !, ?) in the passcode.

    Weak Biometric passcode content allows low-security biometric unlock methods, such as face recognition.

    Important: If the minimum number of complex characters in the password is greater than 4, at least one lowercase character and one uppercase character are required (SAFE v5.2 devices only).
    Maximum Number of Failed Attempts Specify the number of attempts allowed before the device is wiped.
    Maximum Passcode Age (days) Specify the maximum number of days the passcode can be active.
    Passcode Change Alert Set the amount of time prior to the expiration of the passcode that the user is notified to change their passcode. This option is also available in Device Passcode Policy.

    The user is prompted to change the passcode through a prompt on their device, but they are not blocked from performing any other functions on the device. You can configure a compliance policy or use the settings in the Workspace ONE Intelligent Hub for Android to enforce that a passcode is re-added to the device.

    Passcode History Set the number of times a passcode must be changed before a previous passcode can be used again.
    Device Lock Timeout Range (in Minutes) Set the period of inactivity before the device screen locks automatically.
    Passcode Required Change (in minutes) Set the amount of time after unlocking a device with a non-strong authentication method (such as fingerprint or face recognition) before a passcode is required. This option is also available in Device Passcode Policy.
    Allow One Lock Disable to force separate passcodes for the Work profile and the device.
    Note: Applies to Android 9.0+ Work Profile devices and COPE devices only.
    Allow Biometric options Enable to allow biometric unlock methods, such as face recognition.
    Allow Fingerprint Sensor Enable to allow users to use their fingerprint to unlock their devices. Disable to prevent using fingerprint as the primary method of authentication and instead require that the end user enter the type of password specified in the profile.
    Allow Face Scanning Disable to prevent the Face Unlock method from being configurable or selectable.
    Note: Applies to Android 9.0+ Work Managed devices only.
    Allow Iris Scanning Disable to prevent the Iris Scanner method from being configurable or selectable.
    Note: Applies to Android 9.0+ Work Managed devices only.
    Enable Device Passcode Policy Apply passcode policies for the device enrolled with a Work Profile. This passcode will need to be entered to unlock the device and can be applied in addition to the work passcode. For Work Managed devices, this passcode policy is applied to the device.
    Minimum Passcode Length Ensure passcodes are appropriately complex by setting a minimum number of characters.
    Set initial passcode Enable to set an initial passcode at the device level on all deployed devices. After deployment, it is possible to reset the passcode at the device level.
    Note: Applies to Android 7.0+ Work Managed devices only.
    Passcode Content

    Ensure the passcode content meets your security requirements by selecting Any, Numeric, Alphanumeric, Alphabetic, Complex, or Complex Numeric from the drop-down menu.

    Maximum Number of Failed Attempts Specify the number of attempts allowed before the device is wiped.
    Maximum Passcode Age (days) Specify the maximum number of days the passcode can be active.
    Passcode Change Alert Set the amount of time prior to the expiration of the passcode that the user is notified to change their passcode.
    Passcode History Set the number of times a passcode must be changed before a previous passcode can be used again.
    Device Lock Timeout Range (in Minutes) Set the period of inactivity before the device screen locks automatically.
    Allow Biometric options Enable to allow biometric unlock methods, such as face recognition.
    Allow Fingerprint Unlock Enable to allow users to use their fingerprint to unlock their devices. Disable to prevent using fingerprint as the primary method of authentication and instead require that the end user enter the type of password specified in the profile.
    Allow Face Scanning Disable to prevent the Face Unlock method from being configurable or selectable on the Samsung device.
    Note: Applies to Android 9.0+ Work Managed devices only.
    Allow Iris Scanning Disable to prevent the Iris Scanner method from being configurable or selectable on the Samsung device.
    Note: Applies to Android 9.0+ Work Managed devices only.
    Passcode Visible Enable to show the passcode on the screen as it is entered. For Samsung devices.

    Requires you to enable OEM Settings in the General profile and select Samsung from the Select OEM dropdown.

    Require SD Card Encryption Indicate if the SD card requires encryption. For Samsung devices.

    Requires you to enable OEM Settings in the General profile and select Samsung from the Select OEM dropdown.

    Maximum Number of Repeating Characters Prevent your end users from entering easily cracked repetitive passcodes like '1111' by setting a maximum number of repeating characters. For Samsung devices.
    The following settings apply if you select Complex from the Passcode Content text box.
    Setting Description
    Minimum Number of Letters Specify the number of letters required in the passcode.
    Minimum Number of Lower Case Letters Specify the number of lowercase letters required in the passcode.
    Minimum Number of Upper Case Letters Specify the number of uppercase letters required in the passcode.
    Minimum Number of Non-Letters Specify the number of special characters required in the passcode.
    Minimum Number of Numerical Digits Specify the number of numerical digits required in the passcode.
    Minimum Number of Symbols Specify the number of symbols required in the passcode.
    The following settings apply when setting a passcode on a Samsung device.

    These settings display only when OEM Settings is enabled in the General profile and Samsung is selected from the Select OEM dropdown.
    Setting Description
    Passcode Visible Enable to show the passcode on the screen as it is entered.
    Allow Fingerprint Unlock Enable to allow users to use their fingerprint to unlock their devices. Disable to prevent using fingerprint as the primary method of authentication and instead require that the end user enter the type of password specified in the profile.
    Require SD Card Encryption Indicate if the SD card requires encryption.
    Require Passcode Requires the user to enter the passcode used to encrypt the SD card. If left unchecked, some devices allow the SD card to be encrypted without user interaction.
    Maximum Number of Repeating Characters Prevent your end users from entering easily cracked repetitive passcodes like '1111' by setting a maximum number of repeating characters.

    Maximum length of numeric sequences

    Prevent your end user from entering an easily cracked numeric sequence like 1234 as their passcode. For Samsung devices.
    Allow Iris Scanner Disable to prevent the Iris Scanner method from being configurable or selectable on the Samsung device.
    Allow Face Unlock Disable to prevent the Face Unlock method from being configurable or selectable on the Samsung device.
    Lockscreen Overlay

    Enable to push information to the end user devices and display this information over the lock screen.

    • Image Overlay – Upload images to display over the lock screen. You can upload a primary and secondary image and determine the position and transparency of the images.
    • Company Information – Enter company information to display over the lock screen. This can be used for emergency information in the event the device has been lost or reported stolen.

    The Lockscreen Overlay setting is for Safe 5.0 devices and above only. The Lockscreen Overlay settings remain configured on the device while in use and cannot be changed by the end user.

    For more information on Lockscreen Overlay settings, see Configure Lockscreen Overlay (Android).

  4. Select Save & Publish to assign the profile to associated devices.
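
To check which candidate passcodes a combination of the Complex and Samsung settings in step 3 would reject before publishing the profile, the following added Python example (not Workspace ONE code) models those rules. The dictionary keys reuse the console labels; the function names, the sample policy, counting both digits and symbols as non-letters, and treating a numeric sequence as an ascending or descending run of digits are assumptions.

```python
DIGITS = "0123456789"
# Constructed sample policy, keyed by the console labels on this page.
SAMPLE_POLICY = {"Minimum Passcode Length": 8, "Minimum Number of Symbols": 1,
                 "Maximum Number of Repeating Characters": 2, "Maximum length of numeric sequences": 3}

def longest_repeat(s):
    """Longest run of one repeated character ('1111' -> 4)."""
    best, run, prev = 0, 0, None
    for ch in s:
        run = run + 1 if ch == prev else 1
        best, prev = max(best, run), ch
    return best

def longest_numeric_sequence(s):
    """Longest run of digits stepping by +1 or -1 ('1234', '4321' -> 4)."""
    best, run, step, prev = 0, 0, 0, None
    for ch in s:
        d = int(ch) if ch in DIGITS else None
        diff = d - prev if d is not None and prev is not None else 0
        if diff in (1, -1):
            run = run + 1 if diff == step else 2
        else:
            run = 1 if d is not None else 0
        best, step, prev = max(best, run), diff, d
    return best

def violations(passcode, policy, safe_v52=False):
    """List the console settings `passcode` fails; absent keys are not enforced."""
    letters = sum(c.isalpha() for c in passcode)
    digits = sum(c in DIGITS for c in passcode)
    symbols = len(passcode) - letters - digits
    measured = {
        "Minimum Passcode Length": len(passcode),
        "Minimum Number of Letters": letters,
        "Minimum Number of Lower Case Letters": sum(c.islower() for c in passcode),
        "Minimum Number of Upper Case Letters": sum(c.isupper() for c in passcode),
        "Minimum Number of Non-Letters": digits + symbols,  # assumption: both count
        "Minimum Number of Numerical Digits": digits,
        "Minimum Number of Symbols": symbols,
    }
    required = {k: policy.get(k, 0) for k in measured}
    # Important note: >4 complex characters also needs one lower and one upper (SAFE v5.2).
    if safe_v52 and required["Minimum Number of Symbols"] > 4:
        for k in ("Minimum Number of Lower Case Letters",
                  "Minimum Number of Upper Case Letters"):
            required[k] = max(required[k], 1)
    failed = [k for k in measured if measured[k] < required[k]]
    limits = {"Maximum Number of Repeating Characters": longest_repeat(passcode),
              "Maximum length of numeric sequences": longest_numeric_sequence(passcode)}
    return failed + [k for k, v in limits.items() if policy.get(k) and v > policy[k]]
```

Running a list of commonly chosen passcodes through `violations` shows whether a policy that looks strict on paper still admits values such as a short word followed by `123!`.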