Passcode (com.apple.mobiledevice.passwordpolicy)

com.apple.mobiledevice.passwordpolicy

The payload that configures a passcode policy.

iOS (4.0), macOS (10.7), visionOS (2.0), watchOS (10.0)
Branch: release

Settings (16)

Setting | Type | Required | Default | Manual Install | Supported OS
Allow Simple Value
allowSimple
If `false`, the system prevents use of a simple passcode. A simple passcode contains repeated characters, or increasing or decreasing characters, such as `123` or `CBA`.
Type: boolean | Required: optional | Default: true | Manual Install: No
Require Passcode on Device
forcePIN
If `true`, the system forces the user to enter a PIN.
Type: boolean | Required: optional | Default: false | Manual Install: No
Maximum Number of Failed Attempts
maxFailedAttempts
The number of failed passcode attempts that the system allows the user before it erases or locks the device. After six failed attempts, the device imposes a time delay before the user can enter a passcode again. The time delay increases with each failed attempt. On macOS, set `minutesUntilFailedLoginReset` to define the time delay. The time delay begins after the sixth attempt, so if `maxFailedAttempts` is six or lower, the system has no time delay and triggers the erase or lock as soon as the user exceeds the limit. After the final failed attempt, the system locks a macOS device, or securely erases all data and settings from an iOS, visionOS, or watchOS device.
Range: 2 - 11
Type: integer | Required: optional | Default: 11 | Manual Install: No
Auto-Lock
maxInactivity
The maximum number of minutes for which the device can be idle without the user unlocking it, before the system locks it. When this limit is reached, the system locks the device and the passcode is required to unlock it. The user can edit this setting, but the value can't exceed the `maxInactivity` value. On macOS, the system translates this inactivity value to screen-saver settings. The maximum value for macOS is `60`. Setting this key removes the `never` option in the Settings UI on user enrolled devices.
Range: 0 - 15
Type: integer | Required: optional | Manual Install: No
Maximum Passcode Age
maxPINAgeInDays
The number of days for which the passcode can remain unchanged. After this number of days, the system forces the user to change the passcode before it unlocks the device.
Range: 1 - 730
Type: integer | Required: optional | Manual Install: No
Minimum Number of Complex Characters
minComplexChars
The minimum number of complex characters that a passcode needs to contain. A _complex_ character is a character other than a number or a letter, such as `&`, `%`, `$`, and `#`. The system ignores this property for user enrollments.
Range: 0 - 4
Type: integer | Required: optional | Default: 0 | Manual Install: No
Minimum Passcode Length
minLength
The minimum overall length of the passcode. This value is independent of the value for `minComplexChars`.
Range: 0 - 16
Type: integer | Required: optional | Default: 0 | Manual Install: No
Require Alphabetic Value
requireAlphanumeric
If `true`, the system requires alphabetic characters instead of only numeric characters.
Type: boolean | Required: optional | Default: false | Manual Install: No
Passcode History
pinHistory
This value defines _N_, where the new passcode must be unique within the last _N_ entries in the passcode history.
Range: 1 - 50
Type: integer | Required: optional | Manual Install: No
Grace Period for Device Lock
maxGracePeriod
The maximum grace period, in minutes, to unlock the phone without entering a passcode. The default is `0`, which is no grace period and requires a passcode immediately. On macOS, the system translates this grace period value to screen-saver settings.
Type: integer | Required: optional | Default: 0 | Manual Install: No
minutesUntilFailedLoginReset
minutesUntilFailedLoginReset
The number of minutes before the system resets the login after the maximum number of unsuccessful login attempts is reached. This key requires setting `maxFailedAttempts`. Available in macOS 10.10 and later.
Type: integer | Required: optional | Manual Install: Yes | Supported OS: macOS (10.10+)
changeAtNextAuth
changeAtNextAuth
If `true`, the system causes a password reset to occur the next time the user tries to authenticate. If this key is set in a device profile, the setting takes effect for all users, and admin authentications may fail until the admin user password is also reset. Available in macOS 10.13 and later.
Type: boolean | Required: optional | Default: false | Manual Install: Yes | Supported OS: macOS (10.13+)
customRegex
customRegex
Specifies a regular expression, and its description, used to enforce password compliance. Use the simpler passcode restrictions whenever possible, and rely on regular expression matching only when necessary. Mistakes in regular expressions can lead to frustrating user experiences, such as unsatisfiable passcode policies, or policy descriptions that don't match the enforced policy. Available in macOS 14 and later.
2 subkeys
Type: dictionary | Required: optional | Manual Install: Yes | Supported OS: macOS (14.0+)
└─
passwordContentRegex
passwordContentRegex
A regular expression string that the system matches against the password to determine whether it complies with a policy. The regular expression uses the ICU syntax ([https://unicode-org.github.io/icu/userguide/strings/regexp.html](https://unicode-org.github.io/icu/userguide/strings/regexp.html)). The string must not exceed 2048 characters in length.
Type: string | Required: required | Manual Install: Yes | Supported OS: iOS (4.0+), macOS (10.7+), visionOS (2.0+), watchOS (10.0+)
└─
passwordContentDescription
passwordContentDescription
A dictionary whose keys are supported OS language IDs (for example, "en-US") and whose values are localized descriptions of the policy enforced by the regular expression. Use the special `default` key for languages that aren't contained in the dictionary.
1 subkey
Type: dictionary | Required: optional | Manual Install: Yes | Supported OS: iOS (4.0+), macOS (10.7+), visionOS (2.0+), watchOS (10.0+)
└─ └─
ANY
ANY
A localized description.
Type: string | Required: optional | Manual Install: Yes | Supported OS: iOS (4.0+), macOS (10.7+), visionOS (2.0+), watchOS (10.0+)
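
An added example, not part of Apple's documentation: a Python linter that checks the passcode payloads in a configuration profile against the ranges and key dependencies listed above before the profile is deployed. `PayloadContent` and the top-level `PayloadType` come from the general configuration-profile format rather than this page; the function names, the `macos` flag and the sample profile are constructed for illustration.

```python
import plistlib

PAYLOAD_TYPE = "com.apple.mobiledevice.passwordpolicy"
# Integer ranges as documented on this page.
RANGES = {"maxFailedAttempts": (2, 11), "maxInactivity": (0, 15),
          "maxPINAgeInDays": (1, 730), "minComplexChars": (0, 4),
          "minLength": (0, 16), "pinHistory": (1, 50)}

def lint_payload(p, macos=False):
    """Return findings for one passcode payload dictionary."""
    out = []
    for key, (low, high) in RANGES.items():
        if key not in p:
            continue
        if key == "maxInactivity" and macos:
            high = 60  # the page gives 60 as the macOS maximum
        value = p[key]
        # bool is a subclass of int in Python, so exclude it explicitly.
        if isinstance(value, bool) or not isinstance(value, int):
            out.append(f"{key}: expected integer")
        elif not low <= value <= high:
            out.append(f"{key}: {value} outside {low}-{high}")
    if "minutesUntilFailedLoginReset" in p and "maxFailedAttempts" not in p:
        out.append("minutesUntilFailedLoginReset requires maxFailedAttempts")
    attempts = p.get("maxFailedAttempts")
    if type(attempts) is int and attempts <= 6:
        # Per the page, the delay only starts after the sixth attempt.
        out.append("maxFailedAttempts <= 6: erase or lock with no time delay")
    regex = p.get("customRegex")
    if regex is not None:
        content = regex.get("passwordContentRegex")
        if not isinstance(content, str):
            out.append("customRegex: passwordContentRegex is required")
        elif len(content) > 2048:
            out.append("passwordContentRegex exceeds 2048 characters")
    return out

def lint_profile(data, macos=False):
    """Lint every passcode payload in a serialized configuration profile."""
    profile = plistlib.loads(data)
    return [finding for p in profile.get("PayloadContent", [])
            if p.get("PayloadType") == PAYLOAD_TYPE
            for finding in lint_payload(p, macos)]

# Constructed sample profile (not from the page); values chosen to trip checks.
SAMPLE = plistlib.dumps({"PayloadType": "Configuration", "PayloadContent": [{
    "PayloadType": PAYLOAD_TYPE, "maxFailedAttempts": 5, "minLength": 20,
    "maxInactivity": 30, "customRegex": {"passwordContentRegex": "a" * 2049}}]})
```

Calling `lint_profile(SAMPLE, macos=True)` returns one finding per violated rule. The linter does not evaluate the ICU regular expression itself, so whether a `passwordContentRegex` is satisfiable still has to be tested on a device.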