Learn how to deploy Passcode settings inside Kandji
When using Passport, you'll need to remove the Passcode library item from the Blueprint containing Passport to avoid configuration conflicts. Your IdP should handle password requirements. Click here to learn more.
Kandji's Passcode settings profile allows you as an administrator to define the expectations and complexity required on users' local account passwords. These profiles help you improve and enforce security standards, and maintain password hygiene across your fleet of managed devices.
You can deploy Passcode profiles to macOS, iOS, and iPadOS devices.
Conditions you can configure based on device type.
Here's a matrix of options available across the different Apple device types.
| macOS | iOS | tvOS | |
| Require Passcode | ✅ | ✅ | ✅ |
| Disallow Simple Passcode | ✅ | ✅ | ✅ |
| Require Alphanumeric Passcode | ✅ | ✅ | ✅ |
| Minimum Passcode Length | ✅ | ✅ | ✅ |
| Minimum Complex Characters | ✅ | ✅ | ✅ |
| Max Passcode Age | ✅ | ✅ | ✅ |
| Passcode History / Repetition | ✅ | ✅ | ✅ |
| Require after Sleep / Screen Saver / Lock | ✅ | ✅ | ✅ |
Start Screen Saver After Timer (macOS Feature) | ✅ | ❌ | ❌ |
| Maximum failed attempts before account lockout (macOS Feature) | ✅ | ❌ | ❌ |
| Account lockout duration (macOS Feature) | ✅ | ❌ | ❌ |
| Force password reset (macOS Feature) | ✅ | ❌ | ❌ |
| Maximum available Auto-Lock delay (iOS / iPadOS Feature) | ❌ | ✅ | ✅ |
Maximum Failed Attempts before Erasing Device (iOS / iPadOS Feature) | ❌ | ✅ | ✅ |
❌ limited to specific device types such as macOS, iOS and iPadOS.
With auto-generated user accounts, such as Auto Admin accounts and accounts created with the Create a User Account Parameter, the creation date for those accounts defaults to 12/31/1969. Therefore, if Max Passcode Age is enabled in the Passcode Library Item, it will force a passcode reset on the first login attempt.
Create a Passcode Profile
Log in to your Kandji instance before performing the next steps.
Create a Passcode Profile in Kandji by selecting Library > Add New > Passcode > Add & Configure
Enter a unique name
Select your desired Blueprints
Configure your requirements based on device type
Click Save
Important considerations
Force Resetting Passwords on macOS
If you need to force users to reset their macOS login password, you can use the Passcode Library item and the Force password reset option to trigger a password reset on their next login.
Enabling this option will prompt all users, including users that have a password that does meet the password complexity requirements, on the Mac to reset their password, and will be enforced only once. You can re-select the option in the future if you need to force another reset.
We strongly recommended alerting your users before this option is deployed to ensure they will be prepared for the prompt.
Enrolling existing devices with Passcode profiles set
If you are adding new devices into your Kandji instance, be mindful that the user password may have never changed which could conflict with the Max Passcode Age option. Be sure to advise your users on what to expect, or consider distributing a Passcode profile out to your organization at a later date.