The Android Passcode Policy helps you secure personal and corporate Android devices. As an IT Admin, you can require and enforce a device passcode for the device itself, as well as a passcode to access corporate applications and data within an Android work profile.
This policy helps you configure these types of passcodes:
- Device passcode – Provides a first layer of defense for sensitive data on devices. The user must enter the passcode each time the device is unlocked. A device passcode applies to the whole device, whether it is enrolled with a work profile or as work-managed. This passcode applies to enrolled devices running Android 5.1 (Lollipop) and later.
- Work profile passcode – Controls access to corporate applications and data within the work profile. This is useful so users don’t have to enter complex passwords each time they unlock their devices and access a work app. This passcode applies to work profile-enrolled devices running Android 7.0 (Nougat) and later.
The policy also enforces settings for passcode length, complexity, failed attempts, and more.
Prerequisites
- JumpCloud’s Android Enterprise Mobility Management (EMM) is configured for your organization. See Set up Android EMM.
- Your Android devices are enrolled in EMM. See Add and Manage Android Devices and Users: Enroll Your Personal Android Device.
To create an Android Passcode policy:
- Log in to the JumpCloud Admin Portal: https://console.jumpcloud.com/login.
- Go to DEVICE MANAGEMENT > Policy Management.
- In the All tab, click (+).
- On the New Policy panel, select the Android tab.
- Select the Passcode policy from the list, then click configure.
- On the New Policy panel, optionally enter a new name for the policy, or keep the default. Policy names must be unique.
- For Policy Notes, enter details like when you created the policy, where you tested it, and where you deployed it.
- To configure a Device Passcode, go to Settings and configure these fields:
- Select Enable Device Passcode Policy to require a passcode to unlock the device.
- If you selected Enable Device Passcode Policy above, click Unlock and choose how long after a device is unlocked (using a password, PIN, or pattern) until it can be unlocked using any other authentication method (using a fingerprint, trust agents, or face, for example):
- Use Device Default – The timeout period is set to the device’s default. This is the default.
- Require Every Day – After 24 hours, the user must log into the device.
After this time period elapses, only strong forms of authentication can be used to unlock the device or work profile.
- Age in Days – Choose how long a passcode can be active before it expires.
- Timeout Range – Choose how long a device can be idle before it is automatically locked.
- History – Specify how many times a passcode must be changed before a previous passcode can be reused. Valid values are 1-50.
- Maximum Failed Attempts – Choose how many times an invalid passcode can be entered before the device is wiped.
- For Complexity, select one of these options to define the passcode’s minimum requirements:
- Low – A pattern exists and there is a PIN with repeating (4444) or ordered (1234, 4321, 2468) sequences.
- Medium – There is a PIN with no repeating (4444) or ordered (1234, 4321, 2468) sequences with at least 4 numbers, at least 4 alphabetic characters, and at least 4 alphanumeric characters.
- High – There is a PIN with no repeating (4444) or ordered (1234, 4321, 2468) sequences with at least 8 numbers, at least 4 alphabetic characters, and at least 6 alphanumeric characters.
When you make a selection for Complexity, this will apply to a personally-enrolled Work Profile device running Android 12.0 or higher. The values below will apply to all other enrollment types.
- Click Content Type and choose the type of characters to use in the passcode. Certain Android devices might force the user to set the alphabet values even if the requirement is set as numeric or complex numeric.
- Weak Biometric – The device must be secured with a low-security biometric recognition technology, at a minimum. This includes technologies that can recognize the identity of an individual that are roughly equivalent to a 3-digit PIN. This choice is considered Low Complexity.
- Simple – A password is required, but there are no restrictions on what the password must contain. This choice is considered Low Complexity.
- Numeric – The password must contain numeric characters. This choice is considered Medium Complexity.
- Complex Numeric – The password must contain numeric characters with no repeating (4444) or ordered (1234, 4321, 2468) sequences. This choice is considered Medium Complexity.
- Alphabetic – The password must contain alphabetic or symbol characters. This choice is considered High Complexity.
- Alphanumeric – The password must contain both numeric and alphabetic (or symbol) characters. This choice is considered High Complexity.
- Complex – The password must meet the minimum requirements specified for length, letters, symbols, etc. For example, if the minimum number of symbols is two, the password must contain at least two symbols. This choice is considered High Complexity.
- If you chose Numeric, Complex Numeric, Alphabetic, or Alphanumeric for Content Type, this field is required:
- Minimum Length – Enter the minimum allowed password length.
- If you chose Complex for Content Type, these additional fields are required:
- Minimum Letters – Choose the number of letters required in the passcode.
- Minimum Lowercase Letters – Choose the number of lowercase letters required in the passcode.
- Minimum Uppercase Letters – Choose the number of uppercase letters required in the passcode.
- Minimum Non-Alpha Characters – Choose the number of special characters required in the passcode.
- Minimum Numbers – Choose how many numbers are required in the passcode.
- Minimum Symbols – Choose the number of symbols required in the passcode.
- To configure a Work Profile Passcode, go to Settings and configure these fields:
- Select Enable Work Profile Passcode Policy to require a passcode to access company data and apps.
- For Allow One Password, select Yes to let users enter the same passcode for the device and the work profile. Select No to require a separate lock for the work profile.
- If you selected No, complete these steps:
- Click Unlock to choose the length of time after a device is unlocked using strong authentication (password, PIN, pattern, etc.) and when the device can be unlocked with another type of authentication (a fingerprint, face recognition, a trust agent, etc.). Choose one of these:
- Use Device Default – The timeout period is set to the device’s default.
- Require Every Day – The timeout period is set to 24 hours.
- Click Age in Days to choose how long a passcode can be active before it expires.
- Click History to specify how many times a passcode must be changed before a previous passcode can be reused. Valid values are 1-50.
- Click Maximum Failed Attempts to choose how many times an invalid passcode can be entered before the device is wiped.
- Click Content Type to choose the type of characters to use in the passcode. Certain Android devices might force the user to set the alphabet values even if the requirement is set as numeric or complex numeric.
- Weak Biometric – The device must be secured with a low-security biometric recognition technology, at a minimum. This includes technologies that can recognize the identity of an individual that are roughly equivalent to a 3-digit PIN. This choice is considered Low Complexity.
- Simple – A password is required, but there are no restrictions on what the password must contain. This choice is considered Low Complexity.
- Numeric – The password must contain numeric characters. This choice is considered Medium Complexity.
- Complex Numeric – The password must contain numeric characters with no repeating (4444) or ordered (1234, 4321, 2468) sequences. This choice is considered Medium Complexity.
- Alphabetic – The password must contain alphabetic or symbol characters. This choice is considered High Complexity.
- Alphanumeric – The password must contain both numeric and alphabetic (or symbol) characters. This choice is considered High Complexity.
- Complex – The password must meet the minimum requirements specified for length, letters, symbols, etc. For example, if the minimum number of symbols is two, the password must contain at least two symbols. This choice is considered High Complexity.
- If you chose Numeric, Complex Numeric, Alphabetic, or Alphanumeric for Content Type, this field is required:
- Minimum Length – Enter the minimum allowed password length.
- If you chose Complex for Content Type, complete these additional fields:
- Minimum Letters – Choose the number of letters required in the passcode.
- Minimum Lower Case Letters – Choose the number of lowercase letters required in the passcode.
- Minimum Upper Case Letters – Choose the number of uppercase letters required in the passcode.
- Minimum Non-Alpha Characters – Choose the number of special characters required in the passcode.
- Minimum Numbers – Choose how many numbers are required in the passcode.
- Minimum Symbols – Choose the number of symbols required in the passcode.
- (Optional) Select the Device Groups tab. Select one or more device groups where you will apply this policy. For device groups with multiple OS member types, the policy is applied only to the supported OS.
- (Optional) Select the Devices tab. Select one or more devices where you’ll apply this policy.
For this policy to take effect, you must specify a device or a device group in Step 10 (the Device Groups tab) or Step 11 (the Devices tab).
- Click save.
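To see which passcodes the Complex Numeric and Complex content types described above would reject, the following added example (not JumpCloud's or Android's code) checks a candidate against those rules. The run threshold `MAX_RUN`, the counting of Non-Alpha as every non-letter character, and the sample policy values are assumptions made for illustration.

```python
from dataclasses import dataclass

MAX_RUN = 3  # assumed: longest repeating/ordered run a Complex Numeric PIN may contain


def longest_run(pin: str) -> int:
    """Longest run with a constant step: step 0 is repeating (4444), non-zero is ordered (1234, 4321, 2468)."""
    if len(pin) < 3:
        return len(pin)
    best = run = 2
    for a, b, c in zip(pin, pin[1:], pin[2:]):
        run = run + 1 if ord(b) - ord(a) == ord(c) - ord(b) else 2
        best = max(best, run)
    return best


def complex_numeric_ok(pin: str, min_length: int = 4) -> bool:
    """Digit-only PIN of at least min_length with no run longer than MAX_RUN."""
    return pin.isascii() and pin.isdigit() and len(pin) >= min_length and longest_run(pin) <= MAX_RUN


@dataclass
class ComplexPolicy:
    """One attribute per 'Minimum ...' field of the Complex content type."""
    min_length: int = 0
    min_letters: int = 0
    min_lowercase: int = 0
    min_uppercase: int = 0
    min_non_alpha: int = 0
    min_numbers: int = 0
    min_symbols: int = 0


def complex_violations(pw: str, policy: ComplexPolicy) -> list[str]:
    """Return the names of the Complex minimums that pw does not meet."""
    letters = sum(c.isalpha() for c in pw)
    numbers = sum(c.isdigit() for c in pw)
    have = {
        "min_length": len(pw),
        "min_letters": letters,
        "min_lowercase": sum(c.islower() for c in pw),
        "min_uppercase": sum(c.isupper() for c in pw),
        "min_non_alpha": len(pw) - letters,  # assumed: digits and symbols both count
        "min_numbers": numbers,
        "min_symbols": len(pw) - letters - numbers,
    }
    return [name for name, count in have.items() if count < getattr(policy, name)]


# Constructed sample policy; the page's own example uses a minimum of two symbols.
SAMPLE_POLICY = ComplexPolicy(min_length=8, min_letters=4, min_uppercase=1, min_numbers=2, min_symbols=2)
```

With this sample policy, `complex_violations("Tr4il!mix7", SAMPLE_POLICY)` reports only `min_symbols`, because the candidate contains a single symbol.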