Passcode Profiles

By Ryan Cleary

Learn how to deploy Passcode settings using Kandji

When using Passport, you'll need to remove the Passcode library item from the Classic Blueprint or Assignment Map containing Passport to avoid configuration conflicts. Your IdP should handle password requirements. Click here to learn more.

Kandji's Passcode settings profile allows you, as an administrator, to define the expectations and complexity required on users' local account passwords. This profile helps you improve and enforce security standards and maintain password hygiene across your fleet of managed devices.

You can deploy Passcode profiles to macOS, iOS, and iPadOS devices.

Configurable Options Within the Passcode Library Item 

Require Passcode
Disallow Simple Passcode
Require Alphanumeric Passcode
Minimum Passcode Length
Minimum Complex Characters
Max Passcode Age
Passcode History / Repetition
Require after Sleep / Screen Saver / Lock

Start Screen Saver After Timer

(macOS Feature)

Maximum failed attempts before account lockout
(macOS Feature)
Account lockout duration
(macOS Feature)
Force password reset
(macOS Feature)
Maximum available Auto-Lock delay
(iOS / iPadOS Feature)

Maximum Failed Attempts before Erasing Device

(iOS / iPadOS Feature)

Create a Passcode Profile

Log in to your Kandji tenant before performing the next steps. 

  1. Create a Passcode Profile in Kandji by selecting Library > Add New > Passcode > Add & Configure

  2. Enter a unique name

  3. Select the desired Classic Blueprints or Assignment Maps to assign the library item to

  4. Configure your requirements based on device type

  5. Click Save

Important Considerations 

Max Passcode Age

  • With auto-generated user accounts, such as Auto Admin accounts and accounts created with the Create a User Account Parameter, the creation date for those accounts defaults to 12/31/1969. 
  • A passcode reset will be forced during the first login attempt on auto-generated accounts if Max Passcode Age is enabled in the Passcode Library Item.

Force Password Reset on macOS

  • If you need to force users to reset their macOS login password, you can use the Passcode Library item and the Force password reset option to trigger a password reset on their next login.
  • Enabling this option will prompt all users, including users that have a password that does meet the password complexity requirements, on the Mac to reset their password, and will be enforced only once. You can re-select the option in the future if you need to force another reset.
  • We strongly recommend alerting your users before this option is deployed to ensure they will be prepared for the prompt.

Enrolling existing devices with Passcode profiles set

If you are adding new devices to your Kandji tenant, be mindful that the users' passwords may never have changed, which could conflict with the Max Passcode Age option. Be sure to advise your users on what to expect, or consider distributing a Passcode profile out to your organization at a later date.