Enforce password policies for your devices

You can distribute policies in a configuration profile that users install. Passcode and password settings configured remotely with your mobile device management (MDM) solution can push policies directly to devices. That means policies can be enforced and updated with no user involvement.

Typical password policies

Policies pushed to devices can include requirements for:

If you’re using a directory service such as Active Directory, a Mac can automatically use your domain password settings. If there are Active Directory and MDM policies, the more stringent policy is applied.

If Managed Apple IDs are being used, passcode policies vary from those listed here. For more information, see one of the following:

iPhone and iPad passcode options

If an iPhone or iPad is configured to access a Microsoft Exchange account, Exchange ActiveSync policies are pushed to the device wirelessly. The available set of policies varies depending on the version of Exchange ActiveSync and Exchange Server. If Exchange and MDM policies exist, the more stringent policy is applied.

By default, the user’s passcode can be defined as a six-digit personal identification number (PIN) on Face ID and Touch ID –capable devices or a four-digit PIN on all other devices. In iOS and iPadOS, you can choose from an extensive set of passcode policies to meet your security needs.

When the passcode payload is installed on an iPhone or iPad, the user has 60 minutes to enter a passcode. After that, the payload forces the user to enter a passcode using the specified settings.

Note: Password policies aren’t supported with Shared iPad .