SOTI Pulse Logo

Maximum passcode age on iOS

N
Nicolas
cepo

Hello !

We have set up a reactive profile for iOS. I want to enforce the use of a passcode on the iPhone, but without it expiring. In Configurations > Passcode, I have therefore selected a minimum length, but there is also the ‘maximum passcode age’ setting, which, according to the documentation, accepts values from 0 to 730... but I cannot select 0. If I enter ‘0’, it reverts to ‘1’, and the passcode needs to be changed every day... I simply want to disable the expiry, but this does not seem to be possible. Does anyone know why, whether I am doing something wrong or if it is a bug? I wanted to add a screenshot to this post but I keep getting a 400 error :-)

I should point out that we are not yet Mobicontrol customers; we are currently in a trial period on a trial licence, which expires in a few days, so I cannot create a ticket. Thank you 

Edited a month ago
SOTI MobiControl
ANSWERS
RS
Rafael Schäfer
a month ago (edited a month ago)

The minimum is 1: https://developer.apple.com/documentation/devicemanagement/passcode

maxPINAgeInDays
integer

The number of days for which the passcode can remain unchanged. After this number of days, the system forces the user to change the passcode before it unlocks the device.

Minimum: 1
Maximum: 730

Not sure if the MDM could "not send" this option to avoid setting it but this should be a question from you to your trial contact at Soti and would most likely then a feature request to be made to make this option to be turned on/off.
I would guess yes, as no "default" setting is defined in the documentation but for others.

 

Btw: Yes, i also get always http400 error when trying to upload a picture or insert it by Copy&Paste.

N
Nicolas
a month ago

Thank you Rafael for your very quick reply!

So I understand that this is a limitation on Apple’s side once the “maxPINAgeInDays” parameter is sent. However, I believe (based on the documentation) that this parameter is not mandatory and that Mobicontrol might not send it?

In other words, there could be an option to tick or untick the expiry setting. (Or allow the option to be set to ‘0’, and if the user enters 0, this parameter is not sent). We currently use Sophos as our MDM to manage iPhones, and there is indeed an option that specifies ‘Maximum password validity in days (1 to 730 or 0 for unlimited)’, and this works because the lock codes do not expire for us. In my view, this should therefore also be possible on the Mobicontrol side, but in that case I understand that it would require development and therefore a support ticket

RS
Rafael Schäfer
a month ago

At least looks for me like that.

I'm not an apple guy and also not from Soti so can't tell by sure but including your experience with Sophos it sounds like fitting my assumption. And i think it's worth mentioning for you, if you speak to your trial contact from Soti, if this is a "killing" missing feature, if they could make it happen (maybe even within the 730 days, so you can start with 730 days and when it gets in place, remove it), ideally soon as this change sounds relatively easy to implement but Soti can tell you that better than I😁.

RC
Raymond Chan
24 days ago

There is no actual programming needed to fix this GUI related problem in Soti MobiControl web-console design.   Instead of using the built-in password profile payload,  just edit a MobiControl custom profile payload defining password policy without any lines mentioning about the key "maxPINAgeInDays".   With an existing profile reusable template including standard XML header and payload header fields,  it takes less than one minute to leave out the "maxPINAgeInDays" field, and just include the other keys such as

 

<key>allowSimple</key>

<true/>

<key>forcePIN<//key>

 <true/>

<key>maxFailedAttempts</key>

<integer>10</integer>

<key>maxGracePeriod</key>

<integer>15</integer>

<key>maxInactivity</key>

<integer>15</integer>

<key>minComplexChars</key>

<integer>1</integer>

<key>minLength</key>

<integer>8</integer>

<key>requireAlphanumeric<//key>

 <true/>

 

to get the custom profile XML ready for deployment via MobiControl.

 

RS
Rafael Schäfer
23 days ago

Nice thing and would help him right away.

But a feature request in this case would also make sense for the long run (or maybe a issue report as it's no working as it should).

A
ASBMOD@SOTI
17 days ago

Hi @Nicolas

Thanks for posting on SOTI Pulse, and thank you Rafael and Raymond for responding to the post. Your expertise and willingness to help are greatly appreciated.

Have you had an opportunity to test the solutions suggested by Raymond and Rafael, and have they successfully addressed your query?

If not, or if you have any additional questions or concerns, please do not hesitate to reach out. We are dedicated to providing assistance and support.

Additionally, Rafael suggested submitting a feature request. If you would like to move forward with that, I would recommend creating a support case with us so the issue can be investigated further. You may also call our support line, and one of our agents will be able to create a case for you during the call.

Please let me know if you have any other questions.

N
Nicolas
11 days ago

Hello,

Thank you all for your help; I hadn’t been able to test it until now, but it seems to be working so far.

It’s still not the most practical way of doing things, though, because if we want to change the policy, we have to edit the XML. It’s even less practical if several of us need to update these policies, as is the case in our company.

And as this ‘maxPINageInDays’ setting isn’t made mandatory by Apple, I consider this to be a SOTI-side issue, so I don’t agree with the statement that ‘There is no actual programming needed to fix this GUI-related problem in the Soti MobiControl web console design’.

The XML allows us to work around the problem (and thank you, Raymond), but to resolve the issue, I believe development on the SOTI side is necessary. I will therefore create a ticket regarding this, as suggested by @ASBMOD@SOTI

Thank you again

Similar Discussions