Manage password policies with TinyMDM

How to manage passwords using TinyMDM?

Passwords ensure the protection of data that are visible on a device, so strenghtening them is essential. With TinyMDM, you can force passwords to be set on devices, and even remotely change or remove passwords if necessary.

A. Setting up a password

To setup a password on the devices, you need to log in to your TinyMDM account:

  • Open the Policies tab. Create a new policy (via the Create a policy button) or modify an existing policy (via the Edit button).
  • Once the policy is open, go to the Device Policy sub-tab, where you’ll find two separate rows:
  • The first concerns all options for unlocking the device screen.
  • The second covers all options for unlocking the work (or professional) profile. This only applies to devices in BYOD or WPCO mode.

Android will soon deprecate the ability to define a password type and its minimum size for Android 12 and above versions. It will still be possible to choose a more or less secure password, but the options will be different and it will no longer be possible to choose the minimum size of the password. TinyMDM will implement this change in the next few months.

Among the new options, you will be able to define a password type with a complexity:

  • Low:  Pattern or PIN of at least 4 characters that can be ordered or repeated.
  • Medium: PIN of at least 4 non-ordered, non-repeating characters or password of at least 4 characters (alphabetic or alphanumeric).
  • High: PIN of at least 8 non-ordered, non-repeating characters or password of at least 6 characters (alphabetic or alphanumeric).

If you have devices running Android 12 or later, your password policy will remain as it is as long as no changes are made to it. However, as soon as the option for Android 12+ devices is released, we strongly recommend that you replace it with your current option to avoid potential errors. 

This depreciation does not apply to devices running Android 11 or lower versions.

1. In Fully Managed or Kiosk Mode

In Fully Managed or Kiosk mode, you can set various options that will apply directly to the screen unlock password. Here are the different options available:

  • Modify the password type
  • Modify the password minimum size
  • Enable or disable fingerprint and facial recognition authentication
  • Choose the password timeout
  • Define the number of time before an old password can be reused to access the device or the work profile
  • Define the maximum number of incorrect password entries before a factory reset

2. In BYOD (Work Profile) or WPCO mode

In BYOD or WPCO mode, it is possible to set a password to unlock the device screen, but it is also possible to set one to open the Work Profile (or Professional Profile).

a. Options for unlocking the device screen
  • Modify the password type
  • Modify the password minimum size
  • Enable or disable fingerprint and facial recognition authentication
  • Choose the password timeout
  • Define the number of time before an old password can be reused to access the device or the work profile
  • Define the maximum number of incorrect password entries before a factory reset
b. Options for unlocking the Work Profile (or Professional Profile)
  • Modify the password type
  • Modify the password minimum size
  • Enable or disable fingerprint and facial recognition authentication
  • Choose the password timeout
  • Define the number of time before an old password can be reused to access the device or the work profile
  • Define the maximum number of incorrect password entries before a factory reset

For info: devices configured in BYOD or WPCO mode include a feature called “One Lock“. This option allows you to unlock both the Work Profile and the device screen in a single action via a single password, provided that the screen unlock password respects the level of complexity required for unlocking the Work Profile. Access to this feature may differ depending on the device model:

  • Go to Settings, then Security menu.
  • Scroll down to the Work profile security section.
  • Enable the Use one lock option.
  • Ensure that your device password matches the complexity level required.

If you request a password change or deletion from TinyMDM (Steps B and C of this tutorial), only the Professional Profile password will be modified.

B. Changing the password

1. In Fully Managed or Kiosk Mode

In Fully Managed or Kiosk mode, it is possible to change a password remotely if required. To do this, a password policy must first be set up in the policy (by following the steps above), and then at the appropriate time:

  • Go to the Devices tab and click on the menu available on the device card.
  • Then click on Change password and enter a temporary password to unlock the device.

2. In WPCO mode

In WPCO mode, it is possible to remotely change the password used to unlock the professional profile. To do this, a password policy must first be set up in the policy, and then at the appropriate time:

  • Go to the Devices tab and click on the menu available on the device card.
  • Then click on Change password and enter a password to unlock the professional profile.

The unlock password will not change, but the password for accessing the Professional Profile will.

3. In BYOD (Work Profile) mode

In BYOD mode, since this directly affects the device settings, it is not possible to remotely change the password entered.

C. Delete the password

1. In Fully Managed or Kiosk Mode

In Fully Managed or Kiosk Mode, it is possible to remotely delete a password if required. To do this, a password policy must first be set up in the policy (following the steps above), and then at the appropriate time:

  • Go to the Devices tab and click on the menu available on the device card.
  • Then click on Delete password. A confirmation pop-up appears, click on Ok to confirm your request. If the password policy is still in effect on the device, the user will receive a pop-up message asking them to change their password in accordance with the password policy.

2. In WPCO mode

In WPCO mode, it is possible to remotely remove the unlock password from the professional profile. To do this, a password policy must first be set up in the security policy, and then at the appropriate time:

  • Go to the Devices tab and click on the menu available on the device card
  • Then click on Delete password. A confirmation pop-up appears, click on Ok to confirm your request. If the password policy is still in effect on the user’s device, the user will receive a pop-up asking him to change his password in accordance with the password policy.

3. In BYOD (Work Profile) mode

In BYOD mode, since this directly affects the device settings, it is not possible to remotely delete the password entered.

D. The meaning of the different options

Password quality

Any password, pattern or PIN

End user will be able to choose between a password, a pattern or a PIN code, compliant with the minimum size required

Only password or PIN

End user will have to choose between a password and a PIN code, compliant with the minimum size required

Only password or complex PIN

End user will have to choose between a password and a complex PIN code (no repeating or consecutive numbers), compliant with the minimum size required

Only password

End user will have to choose a password compliant with the minimum size required

Only complex password

End user will have to choose a password combining letters and numeric characters, compliant with the minimum size required

Only secure password

End user will have to choose a password combining letters, numeric and special characters, compliant with the minimum size required.

Password minimum size

No minimum size required

End user will be able to choose the password length (not recommended)

Minimum size

End user will have to setup a password with a minimum length: 6, 8, 10, 12, 14 or 16 characters, depending on the password quality.

Password timeout

Unlimited

End user won’t have to change their password in the future (except if the password quality or length is updated and their password is no longer compliant with the policy)

Limited

End user will have to renew their password after: 7 days, 1 month, 3 months, 6 months or 1 year.

Number of times before reuse is possible

Number

To ensure higher security, you can set the number of times before an old password can be reused on the same device (between 1 and 50 times).

Maximum number of incorrect password entries

Unlimited

The end-user will be able to try an unlimited number of times a wrong password and it will not impact their device.

Maximum size

The user will have 5, 10 or 15 attempts to enter the password. If he enters too many incorrect passwords, the device will be reset to the factory settings.