Android: Password rules
Android
: Password rulesGlobal (all Android devices)
Android
devices)Name | Description | Activation Types | Default | Possible Values |
|---|---|---|---|---|
Password complexity | Specify the minimum complexity level for the device password. Low complexity allows patterns and PINs with repeating or sequential values. Medium complexity requires PINs with no repeating or sequential values and a minimum length of 4 or a password with a minimum length of 4. High complexity requires PINs with no repeating or sequential values and minimum length of 8 or a password with a minimum length of 6. Applies only to devices with Android OS 12 or later with a user privacy activation type (Android Enterprise and Android Management). |
| Low |
|
Password requirements | Specify the minimum requirements for a device password. If set to "Unspecified," a user does not need to set a password. If set to "Something," the user must set a password but there are no requirements for length or quality. If set to "Numeric," "Alphabetic," or "Alphanumeric," the password must contain at least the specified character types and can also include other character types. If set to "Complex," you can set specific requirements for different character types. Password requirement policy rules are no longer applicable to user privacy activation types (Android Enterprise and Android Management); for user privacy activations, use the Password complexity rule instead. |
| Unspecified |
|
Minimum password length | Specify the minimum number of characters that the device password must contain. This rule takes effect only if the "Password requirements" rule is set to "Numeric," "Alphabetic," "Alphanumeric," or "Complex." Password requirement policy rules are no longer applicable to user privacy activation types (Android Enterprise and Android Management); for user privacy activations, use the Password complexity rule instead. Depends on: Password requirements |
| 4 characters | Minimum: 4 characters Maximum: 16 characters |
Maximum failed password attempts | Specify the number of times that a user can enter an incorrect password before a device is wiped or deactivated. Password requirement policy rules are no longer applicable to user privacy activation types (Android Enterprise and Android Management); for user privacy activations, use the Password complexity rule instead. Depends on: Password requirements |
| Minimum: 0 attempts Maximum: 2147483647 attempts | |
Maximum inactivity time lock | Specify the maximum number of minutes of user inactivity that must elapse before a device locks. On Android devices with a work profile, the work space also locks. Users can set a shorter time period on the device. Password requirement policy rules are no longer applicable to user privacy activation types (Android Enterprise and Android Management); for user privacy activations, use the Password complexity rule instead. Depends on: Password requirements |
| Minimum: 1 minute Maximum: 60 minutes | |
Secondary authentication timeout | Specify the maximum amount of time, in hours, that the user can use secondary authentication methods, such as a fingerprint, before the user must unlock the device with a strong authentication method such as a password. The maximum is 72 hours. If set to 0, a timeout value is not sent to the device. Password requirement policy rules are no longer applicable to user privacy activation types (Android Enterprise and Android Management); for user privacy activations, use the Password complexity rule instead. Depends on: Password requirements |
| Minimum: 0 hours Maximum: 72 hours | |
Password expiration timeout | Specify the maximum amount of time that the device password can be used. After the specified amount of time elapses, the password expires and a user must set a new password. If set to 0, the password does not expire. Password requirement policy rules are no longer applicable to user privacy activation types (Android Enterprise and Android Management); for user privacy activations, use the Password complexity rule instead. Depends on: Password requirements |
| Minimum: 0 seconds Max: 9223372036854770 seconds | |
Password history restriction | Specify the maximum number of previous passwords that a device checks to prevent a user from reusing a device password. If set to 0, the device does not check previous passwords. This rule takes effect only if the "Password requirements" rule is set to "Numeric," "Alphabetic," "Alphanumeric," or "Complex." Password requirement policy rules are no longer applicable to user privacy activation types (Android Enterprise and Android Management); for user privacy activations, use the Password complexity rule instead. Depends on: Password requirements |
| Minimum: 0 passwords Maximum: 2147483647 passwords | |
Minimum uppercase letters required in password | Specify the minimum number of uppercase letters that the device password must contain. This rule takes effect only if you set the "Password requirements" rule to "Complex." Password requirement policy rules are no longer applicable to user privacy activation types (Android Enterprise and Android Management); for user privacy activations, use the Password complexity rule instead. Depends on: Password requirements |
| Minimum: 0 letters Maximum: 2147483647 letters | |
Minimum lowercase letters required in password | Specify the minimum number of lowercase letters that the device password must contain. This rule takes effect only if you set the "Password requirements" rule to "Complex." Password requirement policy rules are no longer applicable to user privacy activation types (Android Enterprise and Android Management); for user privacy activations, use the Password complexity rule instead. Depends on: Password requirements |
| Minimum: 0 letters Maximum: 2147483647 letters | |
Minimum letters required in password | Specify the minimum number of letters that the device password must contain. This rule takes effect only if you set the "Password requirements" rule to "Complex." Password requirement policy rules are no longer applicable to user privacy activation types (Android Enterprise and Android Management); for user privacy activations, use the Password complexity rule instead. Depends on: Password requirements |
| Minimum: 0 letters Maximum: 2147483647 letters | |
Minimum non-letters in password | Specify the minimum number of non-letter characters (numbers or symbols) required in the password. This rule takes effect only if you set the "Password requirements" rule to "Complex." Password requirement policy rules are no longer applicable to user privacy activation types (Android Enterprise and Android Management); for user privacy activations, use the Password complexity rule instead. Depends on: Password requirements |
| 0 characters | Minimum: 0 characters Maximum: 16 characters |
Minimum numerical digits required in password | Specify the minimum number of numerals that the device password must contain. This rule takes effect only if you set the "Password requirements" rule to "Complex." Password requirement policy rules are no longer applicable to user privacy activation types (Android Enterprise and Android Management); for user privacy activations, use the Password complexity rule instead. Depends on: Password requirements |
| Minimum: 0 numerals Maximum: 2147483647 numerals | |
Minimum symbols required in password | Specify the minimum number of non-alphanumeric characters that the device password must contain. For Android devices, a complex password must contain at least one non-alphanumeric character. This rule takes effect only if you set the "Password requirements" rule to "Complex." Password requirement policy rules are no longer applicable to user privacy activation types (Android Enterprise and Android Management); for user privacy activations, use the Password complexity rule instead. Depends on: Password requirements |
| Minimum: 0 characters Maximum: 2147483647 characters |
Global (Samsung Knox devices only)
Samsung Knox
devices only)Name | Description | Activation Types | Default | Possible Values |
|---|---|---|---|---|
Allow facial authentication | Specify whether a user can authenticate with the device using facial recognition. Applies only to devices that support Samsung Knox API level 3 and later. |
| Selected | |
Allow iris authentication | Specify whether a user can authenticate with the device using an iris scan. Applies only to devices that support Samsung Knox MDM version 5.1.0 and later. |
| Selected | |
Maximum numeric sequence length | Specify the maximum length of the numeric sequence that is allowed in the device password. Only applies when device password quality is Numeric, Alphanumeric or Complex. Applies only to devices that support Samsung Knox API level 4 and later. |
| Minimum: 0 characters Maximum: 16 characters | |
Minimum number of changed characters for new device passwords | Specify the minimum number of changed characters that a new password must include compared to the previous password. Knox calculates the difference between the two passwords using the Levenshtein algorithm. Characters can be numeric, alphabetic, or symbolic. According to the Levenshtein algorithm, strings like "test" and "best" differ from each other by one unit. "Test" and "toad" differ from each other by three units. "Test" and "est" differ from each other by one unit. If set to 0, no restrictions are applied. Applies only to devices that support Samsung Knox API level 6 and later. |
| Minimum: 0 characters Maximum: 16 characters | |
Allow device password visibility | Specify whether the Device password is visible when a user is typing it. If this rule is not selected, users and apps cannot change the visibility setting. Applies only to devices that support Samsung Knox API level 6 and later. |
| Selected | |
Require lock screen message | Specify whether you set a message to display when the device is locked. If this rule is not selected, the user can choose a message to display on the lock screen. Applies only to devices that support Samsung Knox API level 2 and later. |
| Not selected | |
Lock screen message | Specify the text to display on the device when the device is locked. Applies only to devices that support Samsung Knox API level 6 and later. Depends on: Require lock screen message |
| Maximum: 300 characters | |
Maximum character sequence length | Specify the maximum length of the character sequence that is allowed in the device password. Only applies when device password quality is Alphabetic, Alphanumeric or Complex. Applies only to devices that support Samsung Knox API level 6 and later. |
| Minimum: 0 characters Maximum: 16 characters |
Work profile (all Android devices)
Android
devices)Name | Description | Activation Types | Default | Possible Values |
|---|---|---|---|---|
Force device to request password for work profile | Specify whether the device always requests a password to unlock the work profile. When this rule is selected, unlocking the device doesn't unlock the work profile, even if the device and work profile passwords are the same. |
| Not Selected | |
Password requirements | Specify the minimum requirements for a work profile password. If set to "Something," the user must set a password but there are no requirements for length or quality. If set to "Numeric," "Alphabetic," or "Alphanumeric," the password must contain at least the specified character types and can also include other character types. If set to "Complex," the password must contain at least a letter, number and special symbol. If set to "Numeric Complex," the password must contain numeric characters with no repeating sequence (4444) or ordered sequence (1234, 4321, 2468). If set to "Biometric Weak," the password allows for low-security biometric recognition technology. |
| Something |
|
Maximum failed password attempts | Specify the number of times that a user can enter an incorrect work profile password before the device is deactivated and the work profile is removed. This rule takes effect only if the "Password requirements" rule is set to something other than "Unspecified." Depends on: Password requirements |
| 0 attempts | Minimum value: 0 attempts Maximum value: 2147483647 attempts |
Maximum inactivity time lock | Specify the maximum number of minutes of user inactivity that must elapse before the device and work space lock. If you set a value for both this rule and the global "Maximum inactivity time lock" rule, both the device and work space will lock when either timer expires. Users can set a shorter time period on the device. This rule takes effect only if the "Password requirements" rule is set to something other than "Unspecified." Depends on: Password requirements |
| Minimum value: 0 minutes Maximum value: 60 minutes | |
Secondary authentication timeout | Specify the maximum amount of time, in hours, that the user can use secondary authentication methods, such as a fingerprint, before the user must unlock the device with a strong authentication method such as a password. The maximum is 72 hours. If set to 0, a timeout value is not sent to the device. This rule takes effect only if the "Password requirements" rule is set to something other than "Unspecified." Depends on: Password requirements |
| Minimum value: 0 hours Maximum value: 72 hours | |
Password expiration timeout | Specify the maximum amount of time that the work profile password can be used. After the specified amount of time elapses, the password expires and the user must set a new password. If set to 0, the password does not expire. This rule takes effect only if the "Password requirements" rule is set to something other than "Unspecified." Depends on: Password requirements |
| 0 seconds | Minimum value: 0 seconds Max: 92233720368547 seconds |
Password history restriction | Specify the maximum number of previous passwords that a device checks to prevent a user from reusing a work profile password. If set to 0, the device does not check previous passwords. This rule takes effect only if the "Password requirements" rule is set to "Numeric," "Alphabetic," "Alphanumeric," "Complex," or "Numeric Complex." Depends on: Password requirements |
| Minimum value: 0 passwords Maximum value: 2147483647 passwords | |
Minimum password length | Specify the minimum number of characters that the work profile password must contain. This rule takes effect only if the "Password requirements" rule is set to "Numeric," "Alphabetic," "Alphanumeric," "Complex," or "Numeric Complex." Depends on: Password requirements |
| Minimum value: 0 characters Maximum value: 2147483647 characters | |
Minimum uppercase letters required in password | Specify the minimum number of uppercase letters that the work profile password must contain. This rule takes effect only if you set the "Password requirements" rule to "Complex." Depends on: Password requirements |
| 0 letters | Minimum value: 0 letters Maximum value: 24 letters |
Minimum lowercase letters required in password | Specify the minimum number of lowercase letters that the work profile password must contain. This rule takes effect only if you set the "Password requirements" rule to "Complex." Depends on: Password requirements |
| 0 letters | Minimum value: 0 letters Maximum value: 24 letters |
Minimum non-letters in password | Specify the minimum number of non-letter characters (numbers or symbols) required in the password. This rule takes effect only if you set the "Password requirements" rule to "Complex." Depends on: Password requirements |
| 0 characters | Minimum value: 0 characters Maximum value: 16 characters |
Minimum letters required in password | Specify the minimum number of letters that the work profile password must contain. This rule takes effect only if you set the "Password requirements" rule to "Complex." Depends on: Password requirements |
| 1 letter | Minimum value: 0 letters Maximum value: 16 letters |
Minimum numeric digits required in password | Specify the minimum number of numerals that the work profile password must contain. This rule takes effect only if you set the "Password requirements" rule to "Complex." Depends on: Password requirements |
| 1 number | Minimum value: 0 numerals Maximum value: 16 numerals |
Minimum symbols required in password | Specify the minimum number of non-alphanumeric characters that the work profile password must contain. This rule takes effect only if you set the "Password requirements" rule to "Complex." Depends on: Password requirements |
| 1 character | Minimum value: 0 characters Maximum value: 16 characters |
Work profile (Samsung Knox devices only)
Samsung Knox
devices only)Name | Description | Activation Types | Default | Possible Values |
|---|---|---|---|---|
Allow fingerprint authentication | Specify whether the user can use fingerprint authentication in the work profile. Applies only to devices that support Samsung Knox API level 12 and later. |
| Selected | |
Allow iris authentication | Specify whether a user can authenticate with the work profile using an iris scan. Applies only to devices that support Samsung Knox API level 13 and later. |
| Selected | |
Allow password visibility | Specify whether the work profile password is visible when a user is typing it. If this rule is not selected, users and apps cannot change the visibility setting. Applies only to devices that support Samsung Knox API level 6 and later. |
| Selected | |
Enforce two-factor authentication | Specify whether a user must use two-factor authentication to access the work profile. For example, you can use this rule if you want the user to authenticate using a fingerprint and a password. Applies only to devices that support Samsung Knox API level 24 and later. |
| Not Selected | |
Maximum character sequence length | Specify the maximum length of the character sequence that is allowed in the work profile password. Only applies when work profile password quality is Alphabetic, Alphanumeric or Complex. Applies only to devices that support Samsung Knox API level 6 and later. |
| Minimum value: 0 characters Maximum value: 16 characters | |
Maximum numeric sequence length | Specify the maximum length of the numeric sequence that is allowed in the work profile password. Only applies when work profile password quality is Numeric, Alphanumeric or Complex. Applies only to devices that support Samsung Knox API level 4 and later. |
| Minimum value: 0 numerals Maximum value: 16 numerals | |
Minimum number of changed characters for new work profile passwords | Specify the minimum number of changed characters that a new password must include compared to the previous password. Device calculates the difference between the two passwords using the Levenshtein algorithm. Characters can be numeric, alphabetic, or symbolic. According to the Levenshtein algorithm, strings like "test" and "best" differ from each other by one unit. "Test" and "toad" differ from each other by three units. "Test" and "est" differ from each other by one unit. If set to 0, no restrictions are applied. Applies only to devices that support Samsung Knox API level 6 and later. |
| Minimum value: 0 characters Maximum value: 16 characters |
Personal profile (Samsung Knox devices only)
Samsung Knox
devices only)Name | Description | Activation Types | Default | Possible Values |
|---|---|---|---|---|
Enforce two-factor authentication | Specify whether a user must use two-factor authentication to access the device. For example, you can use this rule if you want the user to authenticate using a fingerprint and a password. Applies only to devices that support Samsung Knox API level 24 and later. | Work and personal - full control (Premium) | Not Selected |
Knox MDM
Name | Description | Activation Types | Default | Possible Values |
|---|---|---|---|---|
Password requirements | Specify the minimum requirements for a device password. If set to "Numeric," "Alphabetic," or "Alphanumeric," the password must contain at least the specified character types and can also include other character types. If set to "Complex," you can set specific requirements for different character types. | Work and personal - full control (Samsung Knox) | Numeric |
|
Minimum password length | Specify the minimum length of the password on Knox MDM devices. Applies only to devices that support Samsung Knox MDM version 5.0.0 and later. Depends on: Password requirements | Work and personal - full control (Samsung Knox) | 4 characters | Minimum: 4 characters Maximum: 16 characters |
Minimum lowercase letters required in password | Specify the minimum number of lowercase letters that the password must contain on Knox MDM devices. Applies only to devices that support Samsung Knox MDM version 5.0.0 and later. Depends on: Password requirements | Work and personal - full control (Samsung Knox) | 0 letters | Minimum: 0 letters Maximum: 16 letters |
Minimum uppercase letters required in password | Specify the minimum number of uppercase letters that the password must contain on Knox MDM devices. Applies only to devices that support Samsung Knox MDM version 5.0.0 and later. Depends on: Password requirements | Work and personal - full control (Samsung Knox) | Minimum: 0 letters Maximum: 16 letters | |
Minimum complex characters required in password | Specify the minimum number of complex characters (for example, numbers or symbols) that the password must contain on Knox MDM devices. If you set this value to 1, then at least one number is required. If you specify a value greater than 1, then at least one number and at least one symbol are required. Depends on: Password requirements | Work and personal - full control (Samsung Knox) | 2 characters | Minimum: 0 characters Maximum: 16 characters |
Maximum character sequence length | Specify the maximum length of an alphabetic sequence that is allowed in the device password. For example, if the alphabetic sequence length is set to 5, the alphabetic sequence "abcde" is allowed but the sequence "abcdef" is not allowed. If set to 0, there are no alphabetic sequence restrictions. Depends on: Password requirements | Work and personal - full control (Samsung Knox) | Minimum: 0 letters Maximum: 16 letters | |
Maximum numeric sequence length | Specify the maximum length of the numeric sequence that is allowed in the device password. Depends on: Password requirements | Work and personal - full control (Samsung Knox) | Minimum: 0 numbers Maximum: 16 numbers | |
Maximum inactivity time lock | Specify the maximum period of user inactivity before the device locks (key guard lock). If the device is managed by multiple EMM solutions, the device uses the lowest value as the inactivity period. If the device uses a password, the user must provide the password to unlock the device. A value of 0 means no restriction is set. Users can set a shorter time period on the device. Applies only to devices that support Samsung Knox MDM version 5.0.0 and later. Depends on: Password requirements | Work and personal - full control (Samsung Knox) | Minimum: 0 seconds Maximum: 1,000,000 seconds | |
Maximum failed password attempts | Specify the number of times that a user can enter an incorrect password before a device is wiped. Depends on: Password requirements | Work and personal - full control (Samsung Knox) | 0 | Minimum: 0 Maximum: 10 |
Password history restriction | Specify the maximum number of previous passwords that a device checks to prevent a user from reusing a device password. If set to 0, the device does not check previous passwords. Depends on: Password requirements | Work and personal - full control (Samsung Knox) | Minimum: 0 Maximum: 100 | |
Password expiration timeout | Specify the maximum amount of days that the device password can be used. After the specified amount of days elapses, the password expires and a user must set a new password. If set to 0, the password does not expire. Depends on: Password requirements | Work and personal - full control (Samsung Knox) | 0 | Minimum: 0 Maximum: 365 days |
Allow password visibility | Specify if the device password is visible when the user is typing it. If this rule is not selected, users and third-party apps cannot change the visibility setting. | Work and personal - full control (Samsung Knox) | Selected | |
Allow fingerprint authentication | Specify whether the user can use fingerprint authentication for a Knox enabled device. Applies only to devices that support Samsung Knox MDM version 5.1.0 and later. | Work and personal - full control (Samsung Knox) | Selected | |
Require lock screen message | Specify whether you set a message to display when the device is locked. If this rule is not selected, the user can choose a message to display on the lock screen. | Work and personal - full control (Samsung Knox) | Not selected | |
Lock screen message | Specify the text to display on the device when the device is locked. Depends on: Require lock screen message | Work and personal - full control (Samsung Knox) | Maximum: 300 characters |
Knox MDM Premium - Workspace
Name | Description | Activation Types | Default | Possible Values |
|---|---|---|---|---|
Password requirements | Specify the minimum requirements for the Knox Workspace password. If set to "Numeric," "Alphabetic," or "Alphanumeric," the password must contain at least the specified character types and can also include other character types. If set to "Numeric Complex," the password must contain at least numeric characters with no repeating (4444) or ordered (1234, 4321, 2468) sequences. If set to "Complex," you can set specific requirements for different character types. Applies only to devices that support Samsung Knox MDM version 5.0.0 and later. |
| Numeric |
|
Minimum lowercase letters required in password | Specify the minimum number of lowercase letters that the Knox Workspace password must contain. Applies only to devices that support Samsung Knox MDM version 5.0.0 and later. Depends on: Password requirements |
| 0, no restriction | Minimum: 0 Maximum: 16 letters |
Minimum uppercase letters required in password | Specify the minimum number of uppercase letters that the Knox Workspace password must contain. Applies only to devices that support Samsung Knox MDM version 5.0.0 and later. Depends on: Password requirements |
| 0, no restriction | Minimum: 0 Maximum: 16 letters |
Minimum complex characters required in password | Specify the minimum number of complex characters (for example, numbers or symbols) that the Knox Workspace password must contain. At least one number and one symbol are required. Depends on: Password requirements |
| 3 characters | Minimum: 3 characters Maximum: 16 characters |
Maximum character sequence length | Specify the maximum length of an alphabetic sequence that is allowed in the Knox Workspace password. For example, if the alphabetic sequence length is set to 5, the alphabetic sequence "abcde" is allowed but the sequence "abcdef" is not allowed. If set to 0, there are no alphabetic sequence restrictions. Depends on: Password requirements |
| 0, no restriction | Minimum: 0 Maximum: 16 letters |
Minimum number of changed characters for new passwords | Specify the minimum number of changed characters that a new password must include compared to the previous password. Knox Workspace calculates the difference between the two passwords using the Levenshtein algorithm. Characters can be numeric, alphabetic, or symbolic. According to the Levenshtein algorithm, strings like "test" and "best" differ from each other by one unit. "Test" and "toad" differ from each other by three units. "Test" and "est" differ from each other by one unit. If set to 0, no restrictions are applied. |
| 0, no restriction | Minimum: 0 Maximum: 64 characters |
Minimum password length | Specify the minimum length of the password for the Knox Workspace. Applies only to devices that support Samsung Knox MDM version 5.0.0 and later. |
| 4 characters | Minimum: 4 characters Maximum: 16 characters |
Maximum inactivity time lock | Specify the maximum period of user inactivity in the Knox Workspace before the workspace locks. A value of 0 means no restriction is set. Users can set a shorter time period on the device. Applies only to devices that support Samsung Knox MDM version 5.0.0 and later. |
| 0, no restriction | Minimum: 0 Maximum: 10000000 seconds |
Maximum failed password attempts | Specify the number of times that a user can enter an incorrect password before the Knox Workspace is wiped. If set to 0, there are no restrictions on the number of times a user can enter an incorrect password. Applies only to devices that support Samsung Knox MDM version 5.0.0 and later. Depends on: Password requirements |
| 10 | Minimum: 0 Maximum: 10 |
Password history restriction | Specify the maximum number of previous passwords that a device checks to prevent a user from reusing a Knox Workspace password. If set to 0, the device does not check previous passwords. Depends on: Password requirements |
| 0, no restriction | Minimum: 0 Maximum: 100 |
Password expiration timeout | Specify the maximum number of days that the Knox Workspace password can be used. After the specified number of days elapses, the password expires and a user must set a new password. If set to 0, the password does not expire. Depends on: Password requirements |
| 0, password doesn't expire | Minimum: 0 Maximum: 365 days |
Allow keyguard customizations | Specify whether the Knox Workspace can use keyguard customizations, such as trust agents. If this rule is not selected, keyguard customizations are turned off as specified in the provided feature list. Applies only to devices that support Samsung Knox MDM version 5.4.0 and later. |
| Selected | |
Allow keyguard trust agents | Specify whether a user can keep the workspace unlocked for 2 hours after the workspace inactivity timeout value. If you do not set an inactivity timeout value, the user can perform this action by default. This rule applies to the Knox Workspace only. Applies only to devices that support Samsung Knox MDM version 5.4.0 and later. Depends on: Allow keyguard customizations |
| Not selected | |
Allow password visibility | Specify whether the Knox Workspace password is visible when a user is typing it. If this rule is not selected, users and apps cannot change the visibility setting. |
| Selected | |
Enforce two-factor authentication | Specify whether a user must use two-factor authentication to access the Knox Workspace. For example, you can use this rule if you want the user to authenticate using a fingerprint and a password. |
| Not selected | |
Allow fingerprint authentication | Specify whether the user can use fingerprint authentication for the Knox Workspace. Applies only to devices that support Samsung Knox MDM version 5.4.0 and later. |
| Selected | |
Allow iris authentication | Specify whether a user can authenticate with the work space using an iris scan. Applies only to devices that support Samsung Knox MDM version 5.4.0 and later. |
| Selected |