Passcode settings

Use this payload to specify whether a passcode is required to use the device, the characteristics of the passcode, and how often the passcode must be changed.

Note: Use the passcode payload for all configuration profiles. For more information, see About profiles and payloads and Payload best practices.

If you use device policies and Exchange passcode policies, the two sets of policies are merged and the strictest settings are enforced. For information about supported Exchange ActiveSync policies, see the Microsoft Exchange section of the iOS Deployment Reference.

When the passcode payload is installed on an iOS device, the user has 60 minutes to enter a passcode. If the user doesn’t do so within that time frame, the payload forces the user to enter a passcode using the specified settings.



Allow simple value

Permits users to use sequential or repeated characters in their passcodes. For example, “3333” or “DEFG.”

Require alphanumeric value

Requires that the passcode contain at least one letter or number.

Minimum passcode length

Specifies the minimum number of characters a passcode can contain.

Minimum number of complex characters

Specifies the number of non-alphanumeric characters (such as $ and !) the passcode must contain.

Maximum passcode age (in days)

Requires users to change their passcode at the interval you specify. It can be set to “none,” or from 1 to 730 days.

Maximum Auto-Lock (in minutes)

If the device isn’t used for the period of time you specify, it automatically locks. It can be set to “none,” or set to lock after 1 to 5 minutes. Enter the passcode to unlock the device.

Passcode history

The device refuses a new passcode if it matches a previously used passcode. You can specify how many previous passcodes are remembered and compared. It can be set to “none,” or from 1 to 50 passcodes.

Maximum grace period for device lock

Specifies how soon the device can be unlocked again after use, without reprompting again for the passcode.

Maximum number of failed attempts

The number of failed passcode attempts that can be made before an iOS device is erased or an OS X device is locked.

If you don’t change this setting, after six failed attempts, the device imposes a time delay before a passcode can be entered again.

The time delay increases with each failed attempt. After the final failed attempt, all data and settings are securely erased from the iOS device. An OS X device locks after the final attempt.

The passcode time delay begins after the sixth attempt, so if you set this value to six or lower, no time delay is imposed and the device is erased when the attempt limit is exceeded.

Delay after failed login attempts (OS X only)

The number of minutes before the login window reappears, after the maximum number of failed attempts is reached.