Password Policies for Mac (macOS) Devices

Securing enterprise Mac devices is a very important aspect of managing them. A quality password acts as the first line of defense in protection against unattended access and stolen/lost devices.

Scalefusion helps you define a password policy that can be applied to the devices, thereby forcing the users to create a password that complies with your organizational policies. In this document, we will walk through through how to configure and publish a password policy.

Password Policy

Creating a Password Policy

1. Navigate to Device Profiles & Policies > Passcode Policy and click on the Mac tab.

2. Enable Require Password to start defining the password policy.

   

3. The table below shows the Password options applicable for Mac (macOS) devices,

   Setting	Description	Known Behavior
   Require Password	Enable this setting if you want to enforce a password.
   Select Password Type	Choose between Numeric & Alphanumeric.
   Minimum Password Length	Select a minimum Password length that is enforced.	Accepted values are between 4 to 16.
   Change the Password at the next login	With this setting, the user(s) will be asked to reset the password at their next login. If you make updates in Password policy with this flag on, you will be prompted to reset the password again. Hence, resetting password is not a one time activity.	On certain macOS versions enabling this flag may cause the user to reset the password on every login, in which case you can relax (disable this setting) this to prevent the behavior. If the password policy is modified with having this setting enabled, then the system preference activities on the device may become unlockable during the existing session (before the next login). In these cases, the user should reset the password first.
   Enforce Complex Password	Select if you want the password to contain Symbols
   Select Password Expiry (in days)	Select an optimal period after which the password should expire, and the user is forced to set a password.
   Maximum Password History List	Choose an optimal value on how often users can repeat the passwords once they expire.
   Maximum Failed Attempts to User Account Lock	Select an optimal value for unsuccessful attempts, after which the account will be locked.	After maximum failed attempts, the Mac device is locked, and a message is shown that the "Account has been blocked. Contact your administrator".
   Reset Time After Max Failed Attempts	Configure the time duration during which device will remain locked for the user on reaching maximum failed attempts	This setting is enabled only if you have configured Maximum Failed Attempts to User Account Lock
   Set Maximum Inactivity time	Select a time interval of inactivity, after which the device will auto-lock and ask for a password.

4. Click Save Policy once you have set the password policy.

Publishing a Password Policy

1. Once you have created a password policy, you can publish it to the Device Profiles. To do so, navigate to Device Profiles & Policies > Passcode Policy and click on Apply to Device.

   

2. Select the Device Profile(s) where you want to apply the policy and click on SUBMIT.

   Please make sure that Allow Password Change is enabled under macOS Device Profile > Restrictions > Security & Privacy.

   
   

   

End User Experience

The Password policy takes effect or is enforced in the following two cases,

1. When the users subsequently log in to the Mac device.

2. When the user attempts to Change Password from System Preferences.