Skip to main content
Cisco Meraki

Systems Manager Passcode Payload

The passcode policy payload allows the MDM administrator to specify various requirements for passcodes or passwords on enrolled devices. The majority of settings on this payload do what you would expect, but due to the differences between various operating systems, these values may be interpreted differently on client devices. This article describes the differences between OSs for each available setting on the passcode payload, where applicable.  

Passcode Payload General Settings

Passcode Strength

Allow Simple Values 

Apple devices: This prevents setting the passcode to sequences of repeating or sequential characters (i.e. 1111, 1234, abcd, etc.). Setting this value to "False" has the same behavior as setting minimum complex characters to "1."

Android devices: Same as Apple devices.

Require Alphanumeric Values

Apple devices: Forces at least one alpha character to be included in the passcode (abcd) instead of allowing only numeric characters (1234).

Android devices: Same as Apple devices.

Minimum Length

Apple devices: Defines the minimum length of the passcode. Values may range from 0 to 14.

Android devices: Same as Apple devices.

Minimum Number of Complex Characters

Apple devices: Defines the minimum number of non-alphanumeric characters (!@#$). Values may range from 0 to 4.

Android devices: Same as Apple devices.

Maximum Passcode Age

Apple devices: The number of days which a passcode may remain unchanged. Allowed values range from 1 to 730. Setting this value to 0 will trigger an immediate passcode change on iOS devices.

Android devices: Same as Apple devices.

Auto-Lock

Apple devices: Sets the maximum duration a device may remain idle before locking the screen or enabling the screen saver. Allowed values 0-15. 
NOTE: on iOS/iPadOS this value may be adjusted down by end users, but cannot exceed the value specified, and will round down to the nearest allowed value by the UI.  

iPhone: 1,2,3,4,5

iPad: 1,2,5,10,15

Android devices: Sets the maximum duration a device may remain idle before locking the screen. Allowed values 0-15.

Maximum Number of Failed Attempts

Apple devices: Sets the maximum number of failed log-in attempts. Allowed values 4-10. Default (when unset): 11. On macOS, this will lock the device when exceeded; on iOS/iPadOS, this will erase the device.  

Android devices: Sets the maximum number of failed log-in attempts. Allowed values 4-10. Erases the device when exceeded. Default: unlimited.

Exceptions

iOS User-Mode Enrollment

Devices which are enrolled via user-mode on iOS can be scoped with a passcode payload, but all values on it are ignored by the device in favor of the following settings:

  • Allow simple values: False

  • Require PIN: True

  • Minimum passcode length: six characters

  • Was this article helpful?