When using Passport, you'll need to remove the Passcode library item from the Classic Blueprint or Assignment Map containing Passport to avoid configuration conflicts. Your IdP should handle password requirements. Click here to learn more.
Kandji's Passcode settings profile allows you, as an administrator, to define the expectations and complexity required on users' local account passwords. This profile helps you improve and enforce security standards and maintain password hygiene across your fleet of managed devices.
You can deploy Passcode profiles to macOS, iOS, iPadOS, and visionOS devices.
Configurable Options Within the Passcode Library Item
| macOS | iOS | tvOS | visionOS |
|---|---|---|---|---|
Require Passcode | ✅ | ✅ | ✅ | ✅ |
Disallow Simple Passcode | ✅ | ✅ | ✅ | ✅ |
Require Alphanumeric Passcode | ✅ | ✅ | ✅ | ✅ |
Minimum Passcode Length | ✅ | ✅ | ✅ | ✅ |
Minimum Complex Characters | ✅ | ✅ | ✅ | ✅ |
Max Passcode Age | ✅ | ✅ | ✅ | ✅ |
Passcode History / Repetition | ✅ | ✅ | ✅ | ✅ |
Require after Sleep / Screen Saver / Lock | ✅ | ✅ | ✅ | ✅ |
Start Screen Saver After Timer | ✅ | ❌ | ❌ | ❌ |
Maximum failed attempts before account lockout | ✅ | ❌ | ❌ | ❌ |
Account lockout duration | ✅ | ❌ | ❌ | ❌ |
Force password reset | ✅ | ❌ | ❌ | ❌ |
Maximum available Auto-Lock delay | ❌ | ✅ | ✅ | ✅ |
Maximum Failed Attempts before Erasing Device | ❌ | ✅ | ✅ | ✅ |
Create a Passcode Profile
Log in to your Kandji tenant before performing the next steps.
Create a Passcode Profile in Kandji by selecting Library > Add New > Passcode > Add & Configure.
Enter a unique name.
Select the desired Classic Blueprints or Assignment Maps to assign the library item to.
Configure your requirements based on device type.
Click Save.
Important Considerations
Max Passcode Age
With auto-generated user accounts, such as Auto Admin accounts and accounts created with the Create a User Account Parameter, the creation date for those accounts defaults to 12/31/1969.
A passcode reset will be forced during the first login attempt on auto-generated accounts if Max Passcode Age is enabled in the Passcode Library Item.
Force Password Reset on macOS
If you need to force users to reset their macOS login password, you can use the Passcode Library item and the Force password reset option to trigger a password reset on their next login.
Enabling this option will prompt all users, including users that have a password that does meet the password complexity requirements, on the Mac to reset their password, and will be enforced only once. You can re-select the option in the future if you need to force another reset.
We strongly recommend alerting your users before this option is deployed to ensure they will be prepared for the prompt.
Enrolling existing devices with Passcode profiles set
If you are adding new devices to your Kandji tenant, be mindful that the users' passwords may never have changed, which could conflict with the Max Passcode Age option. Be sure to advise your users on what to expect, or consider distributing a Passcode profile out to your organization at a later date.