Passcode Profiles

By Ryan Cleary

Learn how to deploy Passcode settings inside Kandji

When using Passport, you'll need to remove the Passcode library item from the Blueprint containing Passport to avoid configuration conflicts. Your IdP should handle password requirements. Click here to learn more.

Kandji's Passcode settings profile allows you as an administrator to define the expectations and complexity required on users' local account passwords. These profiles help you improve and enforce security standards, and maintain password hygiene across your fleet of managed devices.

You can deploy Passcode profiles to macOS, iOS, and iPadOS devices.

Conditions you can configure based on device type.

Here's a matrix of options available across the different Apple device types.

 macOSiOStvOS
Require Passcode
Disallow Simple Passcode
Require Alphanumeric Passcode
Minimum Passcode Length
Minimum Complex Characters
Max Passcode Age
Passcode History / Repetition
Require after Sleep / Screen Saver / Lock

Start Screen Saver After Timer

(macOS Feature)

Maximum failed attempts before account lockout
(macOS Feature)
Account lockout duration
(macOS Feature)
Force password reset
(macOS Feature)
Maximum available Auto-Lock delay
(iOS / iPadOS Feature)

Maximum Failed Attempts before Erasing Device

(iOS / iPadOS Feature)

  limited to specific device types such as macOS, iOS and iPadOS.

With auto-generated user accounts, such as Auto Admin accounts and accounts created with the Create a User Account Parameter, the creation date for those accounts defaults to 12/31/1969. Therefore, if Max Passcode Age is enabled in the Passcode Library Item, it will force a passcode reset on the first login attempt.

Create a Passcode Profile

Log in to your Kandji instance before performing the next steps. 

  1. Create a Passcode Profile in Kandji by selecting Library > Add New > Passcode > Add & Configure

  2. Enter a unique name

  3. Select your desired Blueprints

  4. Configure your requirements based on device type

  5. Click Save

Important considerations 

Force Resetting Passwords on macOS

If you need to force users to reset their macOS login password, you can use the Passcode Library item and the Force password reset option to trigger a password reset on their next login.

Enabling this option will prompt all users, including users that have a password that does meet the password complexity requirements, on the Mac to reset their password, and will be enforced only once. You can re-select the option in the future if you need to force another reset.
We strongly recommended alerting your users before this option is deployed to ensure they will be prepared for the prompt. 

Enrolling existing devices with Passcode profiles set

If you are adding new devices into your Kandji instance, be mindful that the user password may have never changed which could conflict with the Max Passcode Age option. Be sure to advise your users on what to expect, or consider distributing a Passcode profile out to your organization at a later date.