How to manage passwords using TinyMDM?
Passwords ensure data protection that are visible on a device, so strengthening them is essential. With TinyMDM, you can force passwords to be set on devices, and even remotely change or remove passwords if necessary.
A. Setting up a password
1. From the device home screen (compatible with all management modes)
To do this, log in to your TinyMDM account and open the Policies tab. Then, create a new policy using the Create a new policy button or modify an existing one with the Edit button.
Once the policy is open, go to the Device policy menu. To set a password mode for unlocking the device’s home screen, focus on the first block:
Among the password setting options, you can:
1. Set the password quality
- On devices running Android 11 or older version, you can choose between the following options:
- Any password, pattern or PIN: end user will be able to choose between a password, a pattern or a PIN code, compliant with the minimum size required.
- Only password or PIN: end user will have to choose between a password and a PIN code, compliant with the minimum size required.
- Only password or complex PIN: end user will have to choose between a password and a complex PIN code (no repeating or consecutive numbers), compliant with the minimum size required.
- Only password: end user will have to choose a password compliant with the minimum size required.
- Only complex password: end user will have to choose a password combining letters and numeric characters, compliant with the minimum size required.
- Only secure password: end user will have to choose a password combining letters, numeric and special characters, compliant with the minimum size required.
- On devices running Android 12 or newer version, you can choose between the following options:
- Low: pattern or PIN of at least 4 characters that can be ordered or repeated.
- Medium: PIN of at least 4 non-ordered, non-repeating characters or password of at least 4 characters (alphabetic or alphanumeric).
- High: PIN of at least 8 non-ordered, non-repeating characters or password of at least 6 characters (alphabetic or alphanumeric).
2. Set the minimum size (only for Android 11 and earlier versions):
- No minimum size required: end user will be able to choose the password length (not recommended)
- Minimum size: end user will have to setup a password with a minimum length: 6, 8 10, 12, 14 or 16 characters, depending on the password quality.
3. Disable fingerprint authentication
4. Disable facial recognition authentication
5. Set a maximum number of incorrect password entries before the device is reset. This applies to Fully Managed mode, Kiosk mode, or WPCO mode. If the device is in work profile mode (BYOD), this will only delete the work profile and will not reset the device.
6. Set a password expiration delay before renewal
7. Define the number of times before an old password can be reused. Example: if you set the limit to 10, you won’t be able to reuse that password until the tenth password change.
2. From the device’s work profile (compatible with WPCO and BYOD modes)
Pre-requisite: The device must be enrolled in BYOD or WPCO mode as it needs to have a work profile.
To do this, log in to your TinyMDM account and open the Policies tab. Create a new policy using the Create a new policy button or modify an existing policy with the Edit button.
Once the policy is open, go to the Device policy menu. To define a password method to unlock the work profile, focus on the second block:
Among the password settings options for the work profile, you can:
- Set the password type to access the work profile:
- On devices running Android 11 or older version, you can choose from the following options:
- Any password, pattern or PIN: end user will be able to choose between a password, a pattern or a PIN code, compliant with the minimum size required.
- Only password or PIN: end user will have to choose between a password and a PIN code, compliant with the minimum size required.
- Only password or complex PIN: end user will have to choose between a password and a complex PIN code (no repeating or consecutive numbers), compliant with the minimum size required.
- Only password: end user will have to choose a password compliant with the minimum size required.
- Only complex password: end user will have to choose a password combining letters and numeric characters, compliant with the minimum size required.
- Only secure password: end user will have to choose a password combining letters, numeric and special characters, compliant with the minimum size required
- On devices running Android 12 or newer version, you can choose between the following options
- Low: pattern or PIN of at least 4 characters that can be ordered or repeated.
- Medium: PIN of at least 4 non-ordered, non-repeating characters or password of at least 4 characters (alphabetic or alphanumeric).
- High: PIN of at least 8 non-ordered, non-repeating characters or password of at least 6 characters (alphabetic or alphanumeric).
2. Choose the minimum password size (only for Android 11 and earlier versions):
- No minimum size required: end user will be able to choose the password length (not recommended)
- Minimum size: end user will have to setup a password with a minimum length: 6, 8 10, 12, 14 or 16 characters, depending on the password quality.
3. Disable fingerprint authentication
4. Disable facial recognition authentication
5. Set a maximum number of incorrect password entries before the device is reset. This applies to devices in WPCO mode. If the device is in work profile mode (BYOD), this will only delete the work profile and will not reset the device.
6. Set a password expiration delay before renewal.
7. Define the number of times an old password can be reused. For example, if you set the limit to 10, you will not be able to reuse that password until the tenth password change.
For info: on devices configured in BYOD or WPCO mode, there is a feature called “One Lock“. This option allows you to unlock both the Work Profile and the device screen in a single action with a unique password, provided that the screen unlock password meets the complexity requirements for the work profile. Depending on the device model, access to this feature may vary:
- Go to Settings, then Security menu.
- Scroll down to the Work profile security section.
- Enable the Use one lock option.
- Ensure that your device password matches the complexity level required.
If you request a password change or removal from TinyMDM:
- In WPCO mode, only the work profile password will be changed or removed.
- In BYOD mode, it’s not possible to change or remove the password remotely.
B. Changing the password
1. In Fully Managed or Kiosk Mode
In Fully Managed Mode or Kiosk Mode, you can remotely change the password if needed, as long as the device is connected to the internet. To do this:
- Go to the Devices tab and click on the menu available on the device card.
- Then click on Change password and enter a temporary password to unlock the device.
2. In WPCO mode
In WPCO mode, it is possible to remotely change the password used to unlock the professional profile, as long as the device is connected to the internet. To do this:
- Go to the Devices tab and click on the menu available on the device card.
- Then click on Change password and enter a password to unlock the professional profile.
The password to unlock the device will not change, but the password for accessing the Professional Profile will.
In BYOD mode, since this directly affects the device settings, it is not possible to remotely change the password entered.
C. Delete the password
1. In Fully Managed or Kiosk Mode
In Fully Managed Mode or Kiosk Mode, you can remotely delete the password if needed, as long as the device is connected to the internet. To do this:
- Go to the Devices tab and click on the menu available on the device card.
- Next, click on Delete password. A confirmation pop-up will appear: click Ok to confirm your request. If the password policy is still applied to the device, the user will then receive a pop-up to change their password in accordance with the password policy.
If the password isn’t removed immediately, feel free to simply restart the device so the deletion request is resend to it.
2. In WPCO mode
In WPCO mode, it is possible to remotely delete the password used to unlock the professional profile, as long as the device is connected to the internet. To do this:
- Go to the Devices tab and click on the menu available on the device card
- Then click on Delete password. A confirmation pop-up appears, click on Ok to confirm your request.
If the password isn’t removed immediately, do not hesitate to restart the device so the deletion request can be resent to it.
If the password policy is still in effect on the device, the work profile will lock until a new password is set. Go to the device’s notification center to change your password.
In BYOD mode, since this directly affects the device settings, it is not possible to remotely delete the password entered.
D. In case of password non-compliance
1. In Fully Managed or Kiosk mode
If the device unlock password doesn’t comply with the password policy configured in the policy, a pop-up to change the password will appear on the device.
2. In WPCO mode
In WPCO mode, if the unlock password or the work profile password doesn’t comply with the password policy, the work profile will be temporarily inaccessible. You’ll need to open the device’s notification center and click on the ‘The work profile is locked’ notification. You can then change your password and regain access to the work profile.
3. In BYOD mode
In BYOD mode, if the work profile password doesn’t comply with the password policy configured in the policy, the work profile will become temporarily inaccessible. You’ll then need to open the device’s notification center and click on the ‘The work profile is locked’ notification. From there, you can change your password and regain access to the work profile.