Apple Platform Deployment
- Welcome
- Intro to Apple platform deployment
- What’s new
-
-
- Declarative app configuration
- Authentication credentials and identity asset declaration
- Background task management declarative
- Calendar declarative configuration
- Certificates declarative configuration
- Contacts declarative configuration
- Exchange declarative configuration
- Google Accounts declarative configuration
- LDAP declarative configuration
- Legacy interactive profile declarative configuration
- Legacy profile declarative configuration
- Mail declarative configuration
- Math and Calculator app declarative configuration
- Passcode declarative configuration
- Passkey Attestation declarative configuration
- Safari extensions management declarative configuration
- Screen Sharing declarative configuration
- Service configuration files declarative configuration
- Software Update declarative configuration
- Software Update settings declarative configuration
- Storage management declarative configuration
- Subscribed Calendars declarative configuration
-
- Accessibility payload settings
- Active Directory Certificate payload settings
- AirPlay payload settings
- AirPlay Security payload settings
- AirPrint payload settings
- App Lock payload settings
- Associated Domains payload settings
- Automated Certificate Management Environment (ACME) payload settings
- Autonomous Single App Mode payload settings
- Calendar payload settings
- Cellular payload settings
- Cellular Private Network payload settings
- Certificate Preference payload settings
- Certificate Revocation payload settings
- Certificate Transparency payload settings
- Certificates payload settings
- Conference Room Display payload settings
- Contacts payload settings
- Content Caching payload settings
- Directory Service payload settings
- DNS Proxy payload settings
- DNS Settings payload settings
- Dock payload settings
- Domains payload settings
- Energy Saver payload settings
- Exchange ActiveSync (EAS) payload settings
- Exchange Web Services (EWS) payload settings
- Extensible Single Sign-on payload settings
- Extensible Single Sign-on Kerberos payload settings
- Extensions payload settings
- FileVault payload settings
- Finder payload settings
- Firewall payload settings
- Fonts payload settings
- Global HTTP Proxy payload settings
- Google Accounts payload settings
- Home Screen Layout payload settings
- Identification payload settings
- Identity Preference payload settings
- Kernel Extension Policy payload settings
- LDAP payload settings
- Lights Out Management payload settings
- Lock Screen Message payload settings
- Login Window payload settings
- Managed Login Items payload settings
- Mail payload settings
- Network Usage Rules payload settings
- Notifications payload settings
- Parental Controls payload settings
- Passcode payload settings
- Printing payload settings
- Privacy Preferences Policy Control payload settings
- Relay payload settings
- SCEP payload settings
- Security payload settings
- Setup Assistant payload settings
- Single Sign-on payload settings
- Smart Card payload settings
- Subscribed Calendars payload settings
- System Extensions payload settings
- System Migration payload settings
- Time Machine payload settings
- TV Remote payload settings
- Web Clips payload settings
- Web Content Filter payload settings
- Xsan payload settings
-
- Glossary
- Document revision history
- Copyright
Enforce password policies for your devices
You can distribute policies in a configuration profile that users install. Passcode and password settings configured remotely with your mobile device management (MDM) solution can push policies directly to devices. That means policies can be enforced and updated with no user involvement.
Typical password policies
Policies pushed to devices can include requirements for:
An initial passcode or password on the device
An alphanumeric value
Minimum passcode length
Minimum number of complex characters
Maximum passcode age
Time before auto-lock
Passcode or password history (unable to use previous passwords)
Grace period for an iPhone and iPad lock
Maximum number of failed attempts before the user account is disabled
Delay (in minutes) after maximum number of failed attempts on a Mac
If you’re using a directory service such as Active Directory, a Mac can automatically use your domain password settings. If there are Active Directory and MDM policies, the more stringent policy is applied.
If Managed Apple Accounts are being used, passcode policies vary from those listed here. For more information, see one of the following:
Use Managed Apple Accounts in the Apple School Manager User Guide
Use Managed Apple Accounts in the Apple Business Manager User Guide
iPhone and iPad passcode options
If an iPhone or iPad is configured to access a Microsoft Exchange account, Exchange ActiveSync policies are pushed to the device wirelessly. The available set of policies varies depending on the version of Exchange ActiveSync and Exchange Server. If Exchange and MDM policies exist, the more stringent policy is applied.
By default, the user’s passcode can be defined as a six-digit personal identification number (PIN) on Face ID and Touch ID–capable devices or a four-digit PIN on all other devices. For devices with iOS and iPadOS, you can choose from an extensive set of passcode policies to meet your security needs.
When the passcode payload is installed on an iPhone or iPad, the user has 60 minutes to enter a passcode. After that, the payload forces the user to enter a passcode using the specified settings.
Note: Password policies aren’t supported with Shared iPad.