Kaspersky Secure Mobility Management

Configuring device unlock password strength

To protect access to a user's mobile device, you should set a device unlock password.

This section contains information about how to configure password protection on Android and iOS devices.

Configuring a strong unlock password for an Android device

To keep an Android device secure, configure an unlock password that the user must enter when the device comes out of sleep mode.

You can impose restrictions on the user's activity on the device if the unlock password is weak (for example, lock the device). You can impose restrictions using the Compliance Control component. To do this, in the scan rule settings, you must select the Unlock password is not compliant with security requirements criterion.

On certain Samsung devices running Android 7.0 or later, when the user attempts to configure unsupported methods for unlocking the device (for example, a graphical password), the device may be locked if the following conditions are met: Kaspersky Endpoint Security for Android removal protection is enabled and screen unlock password strength requirements are set. To unlock the device, you must send a special command to the device.

To configure the use of an unlock password:

  1. In the console tree, in the Managed devices folder, select the administration group to which the Android devices belong.
  2. In the workspace of the group, select the Policies tab.
  3. Open the policy properties window by double-clicking any column.

    Complete the following steps within 15 minutes. Otherwise, you may face an error when saving changes to the policy.

  4. In the policy Properties window, select the Device Management section.
  5. If you want the app to check whether an unlock password has been set, select the Require to set screen unlock password check box in the Screen lock section.

    If the application detects that no system password has been set on the device, it prompts the user to set it. The password is set according to the parameters defined by the administrator.

  6. Specify the following options, if required:
    • Minimum number of characters

      The minimum number of characters in the user password. Possible values: 4 to 16 characters.

      The user's password is 4 characters long by default.

      The following is applicable only to personal and work profiles:

      • In personal profile, Kaspersky Endpoint Security resolves the password strength requirements into one of the system values: medium or high on devices running Android 10 or later.
      • In work profile, Kaspersky Endpoint Security resolves the password strength requirements into one of the system values: medium or high on devices running Android 12 or later.

      The values are determined by the following rules:

      • If the password length required is 1 to 4 symbols, then the app prompts the user to set a medium-strength password. It must be either numeric (PIN) with no repeating or ordered (e.g. 1234) sequences, or alphabetic/alphanumeric. The PIN or password must be at least 4 characters long.
      • If the password length required is 5 or more symbols, then the app prompts the user to set a high-strength password. It must be either numeric (PIN) with no repeating or ordered sequences, or alphabetic/alphanumeric (password). The PIN must be at least 8 digits long; the password must be at least 6 characters long.
    • Minimum password complexity requirements (Android 12 or earlier in device owner mode)

      Specifies minimum unlock password requirements. These requirements apply only to new user passwords. The following values are available:

      • Numeric

        The user can set a password that includes numbers or set any stronger password (for instance, alphabetic or alphanumeric).

        This option is selected by default.

      • Alphabetic

        The user can set a password that includes letters (or other non-number symbols) or set any stronger password (for instance, alphanumeric).

      • Alphanumeric

        The user can set a password that includes both numbers and letters (or other non-number symbols) or set any stronger complex password.

      • Not specified

        The user can set any password.

      • Complex

        The user must set a complex password according to the specified password properties:

        • Minimum number of letters
        • Minimum number of digits
        • Minimum number of special symbols (for example, !@#$%)
        • Minimum number of uppercase letters
        • Minimum number of lowercase letters
        • Minimum number of non-letter characters (for example, 1^&*9)
      • Complex numeric

        The user can set a password that includes numbers with no repetitions (e.g. 4444) and no ordered sequences (e.g. 1234, 4321, 2468) or set any stronger complex password.

      • Weak biometric

        The user can use biometric unlock methods or set a stronger complex password.

      This option applies only to devices running Android 12 or later in device owner mode.

    • Maximum password age, in days

      Specifies the number of days before the password expires. Applying a new value will set the current password lifetime to the new value.

      The default value is 0. This means that the password won't expire.

      This setting applies to devices running all supported Android versions. Starting from Android 10, this setting applies only to the device owner mode.

    • Number of days to notify that a password change is required (for device owner mode)

      Specifies the number of days to notify the user before the password expires.

      The default value is 0. This means that the user won't be notified about password expiration.

      This option applies only to devices operating in device owner mode.

    • Number of recent passwords that can't be used as a new password (all Android versions; Android 10 or later in device owner mode)
    • Period of inactivity before the device screen locks, in seconds

      Specifies the period of inactivity before the device locks. After this period, the device will lock.

      The default value is 0. This means that the device won't lock after a certain period.

    • Period after unlocking by biometric methods before entering a password, in minutes (Android 8.0 or later in device owner mode)

      Specifies the period for unlocking the device without a password. During this period, the user can use biometric methods to unlock the screen. After this period, the user can unlock the screen only with a password.

      The default value is 0. This means that the user won't be forced to unlock the device with a password after a certain period.

      This option applies only to devices running Android 8.0 or later in device owner mode.

    • Allow biometric unlock methods (Android 9 or later; Android 10 in device owner mode)

      If the check box is selected, the use of biometric unlock methods on the mobile device is allowed.

      If the check box is cleared, Kaspersky Endpoint Security for Android blocks the use of biometric methods to unlock the screen. The user can unlock the screen only with a password.

      This check box is selected by default.

      This setting applies only to devices running Android 9 or later. Starting from Android 10, this setting applies only to the device owner mode.

    • Allow use of fingerprints (all Android versions; Android 10 in device owner mode)

      Controls the use of fingerprints to unlock the screen.

      This check box does not restrict the use of a fingerprint scanner when signing in to apps or confirming purchases.

      If the check box is selected, the use of fingerprints on the mobile device is allowed.

      If the check box is cleared, Kaspersky Endpoint Security for Android blocks the use of fingerprints to unlock the screen. The user can unlock the screen only with a password. In the Android settings, the option to use fingerprints will be unavailable (Android Settings > Security > Screen lock > Fingerprints).

      This check box is available only if the Allow biometric unlock methods (Android 9 or later; Android 10 or later in device owner mode) check box is selected.

      This check box is selected by default.

      This setting applies to devices running all supported Android versions. Starting from Android 10, this setting applies only to the device owner mode.

      On some Xiaomi devices with Android work profile, the work profile may be unlocked by a fingerprint only if you set the Period of inactivity before the device screen locks value after setting a fingerprint as the screen unlocking method.

    • Allow face scanning (Android 9 or later; Android 10 in device owner mode)
    • Allow iris scanning (Android 9 or later; Android 10 in device owner mode)

      If the check box is selected, the use of iris scanning on the mobile device is allowed.

      If the check box is cleared, Kaspersky Endpoint Security for Android blocks the use of iris scanning to unlock the screen.

      This check box is available only if the Allow biometric unlock methods (Android 9 or later; Android 10 or later in device owner mode) check box is selected.

      This check box is selected by default.

      This setting applies only to devices running Android 9 or later. Starting from Android 10, this setting applies only to the device owner mode.

    • Allow the device to start up before prompting the password

      If the check box is selected, the device starts up and loads system processes and background apps before prompting the user to enter the unlock password.

      Once this option is applied, it cannot be reverted without resetting the device to factory defaults.

      If the check box is cleared, the startup requirements remain unchanged.

      This check box is cleared by default.

    • Unlock password

      This option lets you set the password on the user device.

      On devices running Android 7.0–10 inclusive, this option applies to personal devices on which no password is set.

      On devices running Android 11 or later, this option applies only if the device is in device owner mode.

      Once you save the policy, this option applies to the device by sending a command with the specified password. The input is cleared and the specified password is not saved in Administration Console.

      • If the device is not protected with the password or is running Android 10 or earlier, Kaspersky Endpoint Security for Android sets the password immediately.
      • If the device is running Android 11 or later, Kaspersky Endpoint Security for Android prompts the user to apply the new password.

      If you leave this option empty, no changes are applied to the device.

  7. Click the Apply button to save the changes you have made.

Mobile device settings are changed after the next device synchronization with Kaspersky Security Center.
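
The medium/high resolution rules under Minimum number of characters can be checked offline before a minimum length is rolled out. The following is an added example, not Kaspersky code: the function names are hypothetical, and the run-length threshold (`MAX_RUN`) is an assumption, since the page only gives 4444, 1234, 4321 and 2468 as rejected PINs.

```python
MAX_RUN = 3  # assumption: a constant-step run longer than this is rejected


def required_level(min_chars: int) -> str:
    """Page rule: 1-4 required characters -> medium, 5 or more -> high."""
    if min_chars < 1:
        raise ValueError("minimum length must be at least 1")
    return "medium" if min_chars <= 4 else "high"


def longest_run(pin: str) -> int:
    """Longest run of digits with a constant step (step 0 means repeats)."""
    best = run = 1 if pin else 0
    prev_step = None
    for a, b in zip(pin, pin[1:]):
        step = int(b) - int(a)
        run = run + 1 if step == prev_step else 2
        prev_step = step
        best = max(best, run)
    return best


def check(candidate: str, min_chars: int) -> list[str]:
    """Return the reasons the candidate fails the resolved system value."""
    level = required_level(min_chars)
    problems = []
    if candidate.isascii() and candidate.isdigit():  # numeric PIN
        need = 4 if level == "medium" else 8
        if len(candidate) < need:
            problems.append(f"PIN shorter than {need} digits")
        if longest_run(candidate) > MAX_RUN:
            problems.append("PIN has a repeating or ordered sequence")
    else:  # alphabetic or alphanumeric password
        need = 4 if level == "medium" else 6
        if len(candidate) < need:
            problems.append(f"password shorter than {need} characters")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs: (candidate, policy minimum length)
    for cand, minimum in [("1234", 4), ("8305", 4), ("8305", 6),
                          ("19283746", 6), ("ab12cd", 6)]:
        print(cand, minimum, required_level(minimum), check(cand, minimum) or "ok")
```

Raising the policy minimum from 4 to 5 moves the device from medium to high, so a 4-digit PIN that was accepted before is rejected afterwards even though it contains no ordered sequence.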

On some HUAWEI devices, an issue message appears stating that the screen unlocking method is too simple.

To set a correct PIN code on a HUAWEI device, the user must do the following:

  1. In the issue message, tap the Edit button.
  2. Enter the current PIN code.
  3. In the Set new password window, tap the Change unlock method button.
  4. Select the Custom PIN unlock method.
  5. Set the new PIN code.

    The PIN code must be compliant with policy requirements.

A correct PIN code is now set on the device.


Configuring a strong unlock password for iOS MDM devices

To protect iOS MDM device data, configure the unlock password strength settings.

By default, the user can use a simple password. A simple password is a password that contains successive or repetitive characters, such as "abcd" or "2222". The user is not required to enter an alphanumeric password that includes special symbols. By default, the password validity period and the number of password entry attempts are not limited.

To configure the strength settings for an iOS MDM device unlock password:

  1. In the console tree, in the Managed devices folder, select the administration group to which the iOS MDM devices belong.
  2. In the workspace of the group, select the Policies tab.
  3. Open the policy properties window by double-clicking any column.

    Complete the following steps within 15 minutes. Otherwise, you may face an error when saving changes to the policy.

  4. In the policy Properties window, select the Password section.
  5. In the Password settings section, select the Apply settings on device check box.
  6. Configure unlock password strength settings:
    • To allow the user to use a simple password, select the Allow simple password check box.

    • To require use of both letters and numbers in the password, select the Prompt for alphanumeric value check box.
    • To require use of a password, select the Force use of password check box. If the check box is cleared, the mobile device can be used without a password.

    • In the Minimum password length list, select the minimum password length in characters.
    • In the Minimum number of special characters list, select the minimum number of special characters in the password (such as "$", "&", "!").
    • In the Maximum password lifetime field, specify the period of time in days during which the password will stay current. When this period expires, Kaspersky Device Management for iOS prompts the user to change the password.
    • In the Enable Auto-Lock in list, select the amount of time after which iOS MDM device Auto-Lock should be enabled.

    • In the Password history field, specify the number of used passwords (including the current password) that Kaspersky Device Management for iOS will compare with the new password when the user changes the old password. If passwords match, the new password is rejected.
    • In the Maximum time for unlock without password list, select the amount of time during which the user can unlock the iOS MDM device without entering the password.
    • In the Maximum number of access attempts, select the number of access attempts that the user can make to enter the iOS MDM device unlock password.
  7. Click the Apply button to save the changes you have made.

As a result, once the policy is applied, Kaspersky Device Management for iOS checks the strength of the password set on the user's mobile device. If the strength of the device unlock password does not conform to the policy, the user is prompted to change the password.
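
To confirm that a deployed configuration profile no longer carries the permissive defaults described at the start of this section, the passcode payload can be audited offline. The following is an added example, not Kaspersky code: the Apple passcode payload keys and their correspondence to the console labels are assumptions, and both sample profiles are constructed.

```python
import plistlib

PASSCODE_TYPE = "com.apple.mobiledevice.passwordpolicy"

# (payload key, permissive default, assumed console setting, resulting weakness)
CHECKS = [
    ("forcePIN", False, "Force use of password",
     "device can be used without a password"),
    ("allowSimple", True, "Allow simple password",
     'simple passwords such as "abcd" or "2222" are accepted'),
    ("requireAlphanumeric", False, "Prompt for alphanumeric value",
     "letters and numbers are not both required"),
    ("maxPINAgeInDays", None, "Maximum password lifetime",
     "password validity period is not limited"),
    ("maxFailedAttempts", None, "Maximum number of access attempts",
     "number of password entry attempts is not limited"),
]


def build_profile(settings: dict) -> bytes:
    """Build a constructed profile with a single passcode payload."""
    payload = {"PayloadType": PASSCODE_TYPE, **settings}
    return plistlib.dumps({"PayloadContent": [payload]})


def audit_profile(profile_bytes: bytes) -> list[str]:
    """List the settings still at the permissive default."""
    profile = plistlib.loads(profile_bytes)
    payloads = [p for p in profile.get("PayloadContent", [])
                if p.get("PayloadType") == PASSCODE_TYPE]
    if not payloads:
        return ["no passcode payload: all settings stay at their defaults"]
    findings = []
    for payload in payloads:
        for key, default, label, weakness in CHECKS:
            if payload.get(key, default) == default:
                findings.append(f"{label} ({key}): {weakness}")
    return findings


if __name__ == "__main__":
    # Constructed samples: one near-default profile, one with every check set
    weak = build_profile({"minLength": 4})
    strong = build_profile({"forcePIN": True, "allowSimple": False,
                            "requireAlphanumeric": True, "minLength": 8,
                            "maxPINAgeInDays": 90, "maxFailedAttempts": 6})
    print("\n".join(audit_profile(weak)))
    print(audit_profile(strong) or "no permissive defaults left")
```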
