Kaspersky Secure Mobility Management

Configuring the device unlock password strength

To protect access to a user's mobile device, you should set a device unlock password.

This section contains information about how to configure password protection on Android and iOS devices.

In this section

Configuring a strong unlock password for an Android device

Configuring a strong unlock password for an iOS MDM device


Configuring a strong unlock password for an Android device


To keep an Android device secure, you need to configure the use of a password that the user is prompted to enter when unlocking the device.

You can impose restrictions on the user's activity on the device if the unlock password is weak (for example, by locking the device). You can impose restrictions using the Compliance Control component. To do this, in the scan rule settings, you must select the Unlock password doesn't comply with security requirements criterion.

On certain Samsung devices running Android 7 or later, when the user attempts to configure unsupported methods for unlocking the device (for example, a graphical password), the device may be locked if the following conditions are met: removal protection is enabled for Kaspersky Endpoint Security for Android and strength requirements are set for the screen unlock password. To unlock the device, you must send a special command to the device.

Configuring unlock password settings

To configure the use of an unlock password:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
  2. In the policy properties window, select Application settings.
  3. Select Android and go to the Security controls section.
  4. On the Screen unlock settings card, click Settings.

    The Screen unlock settings window opens.

  5. Enable the settings using the Screen unlock settings toggle switch, if you want the app to check whether an unlock password has been set.

    The toggle switch in this card does not enable or disable the corresponding functionality on devices. Enabling the toggle switch lets you configure custom settings. Disabling the toggle switch lets you use default settings.

    If the app detects that no system password has been set on the device, it prompts the user to set one. The password is set according to the parameters defined by the administrator.

  6. Specify the following options, if required:
    • Minimum password length

      The minimum number of characters in the user password. Possible values: 4 to 16 characters.

      The user's password is 4 characters long by default.

      The following applies only to the user's personal space and the corporate container:

      • In the user's personal space, Kaspersky Endpoint Security converts the password strength requirements into one of the values available in the system: medium or high on devices running Android 10 or later.
      • In the corporate container, Kaspersky Endpoint Security converts the password strength requirements into one of the values available in the system: medium or high on devices running Android 12 or later.

      The values are determined using the following rules:

      • If the required password length is 1 to 4 characters, then the app prompts the user to set a medium-strength password. It must be either numeric (PIN) with no repeating or ordered sequences (e.g. 1234), or alphabetic/alphanumeric. The PIN or password must be at least 4 characters long.
      • If the required password length is 5 or more characters, then the app prompts the user to set a high-strength password. It must be either numeric (PIN) with no repeating or ordered sequences, or alphabetic/alphanumeric (password). A PIN must be at least 8 digits long. A password must be at least 6 characters long.
    • Minimum password complexity requirements

      Specifies the minimum unlock password requirements. These requirements apply only to new user passwords. The following values are available:

      • Numeric

        The user can set a password that includes numbers or set any stronger password (for instance, an alphabetic or alphanumeric password).

        This option is selected by default.

      • Alphabetic

        The user can set a password that includes letters (or other non-number symbols) or set any stronger password (for instance, an alphanumeric password).

      • Alphanumeric

        The user can set a password that includes both numbers and letters (or other non-number symbols) or set any stronger complex password.

      • No requirements

        The user can set any password.

      • Complex

        The user must set a complex password according to the specified password properties:

        • Minimum number of letters
        • Minimum number of digits
        • Minimum number of special characters
        • Minimum number of lowercase letters
        • Minimum number of uppercase letters
        • Minimum number of non-alphabetic characters
      • Complex numeric

        The user can set a password that includes numbers with no repetitions (e.g. 4444) and no ordered sequences (e.g. 1234, 4321, 2468) or set any stronger complex password.

    • Maximum password lifetime (days)

      Specifies the number of days before the password expires. Applying a new value will set the current password lifetime to the new value.

      The default value is 0. This means that the password won't expire.

    • Number of days to send a notification before a required password change

      Specifies the number of days to notify the user before the password expires.

      The default value is 0. This means that the user won't be notified about an expiring password.

    • Number of recent passwords that cannot be set as a new password

      Specifies the maximum number of previous user passwords that can't be used as a new password. This setting applies only when the user sets a new password on the device.

      The default value is 0. This means that the new user password can match any previous password except the current one.

    • Period of inactivity before the screen locks (sec)

      Specifies the period of inactivity before the device locks.

      The default value is 0. This means that the device won't lock after a certain period.

    • Period after biometric unlock before password must be entered (min)

      Specifies the period for unlocking the device without a password. During this period, the user can use biometric methods to unlock the screen. After this period, the user can unlock the screen only with a password.

      The default value is 0. This means that the user won't be forced to unlock the device with a password after a certain period.

    • Allow biometric unlock methods

      If the check box is selected, the use of biometric unlock methods on the mobile device is allowed.

      If the check box is cleared, Kaspersky Endpoint Security for Android blocks the use of biometric methods to unlock the screen. The user can unlock the screen only with a password.

      This check box is selected by default.

    • Allow fingerprint unlock

      Specifies whether fingerprints can be used to unlock the screen.

      This check box does not restrict the use of a fingerprint scanner when signing in to apps or confirming purchases.

      If the check box is selected, the use of fingerprints on the mobile device is allowed.

      If the check box is cleared, Kaspersky Endpoint Security for Android blocks the use of fingerprints to unlock the screen. The user can unlock the screen only with a password. In the device settings, the option to use fingerprints will be unavailable.

      This check box is available only if the Allow biometric unlock methods check box is selected.

      This check box is selected by default.

      On some Xiaomi devices with a corporate container, the corporate container may be unlocked by a fingerprint only if you set the Period of inactivity before corporate container is locked (sec) value after setting a fingerprint as the screen unlock method.

    • Allow face unlock

      If the check box is selected, the use of face scanning is allowed on the mobile device.

      If the check box is cleared, Kaspersky Endpoint Security for Android blocks the use of face scanning to unlock the screen.

      This check box is available only if the Allow biometric unlock methods check box is selected.

      This check box is selected by default.

    • Allow iris scanning

      If the check box is selected, the use of iris scanning is allowed on the mobile device.

      If the check box is cleared, Kaspersky Endpoint Security for Android blocks the use of iris scanning to unlock the screen.

      This check box is available only if the Allow biometric unlock methods check box is selected.

      This check box is selected by default.

    • Reset to factory settings after failed attempts to enter password

      Allows limiting the number of attempts to enter the screen unlock password.

      If the check box is selected, the app wipes all device data if the user fails to enter the correct password after the specified number of attempts.

      If the check box is cleared, the number of attempts is not limited.

      The check box is cleared by default.

    • Maximum number of failed password attempts

      Specifies the number of password entry attempts that the user can make to unlock the device. The default value is 8. The maximum available value is 20.

      The field is available if the Reset to factory settings after failed attempts to enter password check box is selected.

    • Set new password

      This option lets you set the password on the user's corporate device.

      Click this button to open the New screen unlock password window and enter a new password.

      The complexity of the entered password must comply with requirements configured earlier in the Screen unlock settings card of the policy.

      Once you save the policy, this option applies to the device by sending a command with the specified password. The input is cleared and the specified password is not saved in Administration Console.

      • If the device is not protected with a password or is running Android 10 or earlier, Kaspersky Endpoint Security for Android sets the password immediately.
      • If the device is protected with a password or is running Android 11 or later, Kaspersky Endpoint Security for Android prompts the user to apply the new password.

      If you leave this option empty, no changes are applied to the device.

  7. Click OK.
  8. Click Save to save the changes you have made.

Mobile device settings are changed after the next device synchronization with Kaspersky Security Center.
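
The conversion rules listed under Minimum password length can be modelled as follows. This is an added example, not Kaspersky code: the function names are hypothetical, and the definition of a "sequence" (a run of four or more digits with one constant step, which covers 4444, 1234, 4321 and 2468) is an assumption.

```python
MAX_RUN = 3  # assumption: 4+ digits with one constant step form a forbidden sequence


def strength_tier(min_length: int) -> str:
    """Convert the policy's Minimum password length to the system value."""
    if not 1 <= min_length <= 16:
        raise ValueError("minimum password length must be 1 to 16")
    return "medium" if min_length <= 4 else "high"


def longest_constant_step_run(digits: str) -> int:
    """Longest run of digits whose neighbours differ by one fixed step.

    Step 0 covers repeats (4444); other steps cover ordered sequences
    (1234, 4321, 2468).
    """
    best = min(len(digits), 1)
    run, prev_step = 1, None
    for a, b in zip(digits, digits[1:]):
        step = int(b) - int(a)
        run = run + 1 if step == prev_step else 2
        prev_step = step
        best = max(best, run)
    return best


def meets_converted_tier(secret: str, min_length: int) -> bool:
    """Check a candidate PIN or password against the converted tier only."""
    high = strength_tier(min_length) == "high"
    if secret.isascii() and secret.isdigit():  # numeric PIN
        floor = 8 if high else 4
        return len(secret) >= floor and longest_constant_step_run(secret) <= MAX_RUN
    # alphabetic or alphanumeric password
    return len(secret) >= (6 if high else 4)


if __name__ == "__main__":
    # Constructed sample values, not taken from any real device.
    samples = [("1234", 4), ("1593", 4), ("1593", 6), ("19283746", 6), ("Tr4vel", 12)]
    for secret, min_len in samples:
        print(min_len, strength_tier(min_len), secret, meets_converted_tier(secret, min_len))
```

In this model, the last sample passes because a configured minimum of 12 maps to the high value, whose stated floor for a password is 6 characters.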

Setting a new unlock password

To set a new password on a user's corporate device:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
  2. In the policy properties window, select Application settings.
  3. Select Android and go to the Restrictions section.
  4. On the New screen unlock password card, click Settings.

    The New screen unlock password window opens.

  5. Enable the settings using the New screen unlock password toggle switch.
  6. Enter a new password that will be used to unlock the user's mobile device. This password must comply with current screen unlock password settings.
  7. If you want to edit the current unlock password settings, click the Configure screen unlock settings button.

    In the Screen unlock settings window that opens, configure screen unlock password settings, if required.

  8. Click OK.

    If the device is not protected with a password or is running Android 10 or earlier, Kaspersky Endpoint Security for Android sets the password immediately. If the device is protected with a password or is running Android 11 or later, Kaspersky Endpoint Security for Android prompts the user to apply the new password.

  9. Click Save to save the changes you have made.

The new password is set on the user's mobile device. Mobile device settings are changed after the next device synchronization with Kaspersky Security Center.

Setting a PIN code on HUAWEI devices

Some HUAWEI devices display a message about the screen unlocking method being too simple.

To set an acceptable PIN code on a HUAWEI device, the user must do the following:

  1. In the message about the issue, tap the Edit button.
  2. Enter the current PIN code.
  3. In the Set new password window, tap the Change unlock method button.
  4. Select the Custom PIN unlock method.
  5. Set the new PIN code.

    The PIN code must be compliant with policy requirements.

An acceptable PIN code is set on the device.


Configuring a strong unlock password for an iOS MDM device

These settings apply to supervised devices and devices operating in basic control mode.

To protect iOS MDM device data, configure the unlock password strength settings.

By default, the user can use a simple password. A simple password is a password that contains sequential or repeated characters such as "abcd" or "2222". The user is not required to enter an alphanumeric password that includes special symbols. By default, the password validity period and the number of password entry attempts are not limited.

To configure the unlock password strength settings for an iOS MDM device:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
  2. In the policy properties window, select Application settings.
  3. Select iOS and go to the Security controls section.
  4. On the Screen unlock settings card, click Settings.

    The Screen unlock settings window opens.

  5. Enable the settings using the Screen unlock settings toggle switch.

    The toggle switch in this card does not enable or disable the corresponding functionality on devices. Enabling the toggle switch lets you configure custom settings. Disabling the toggle switch lets you use default settings.

  6. Configure the unlock password strength settings:
    • To allow the user to use a simple password, select the Allow simple password check box. Even if this check box is cleared, the user can set a password with fewer than 6 characters.

      If only the Allow simple password check box is selected, no password will be requested. To prompt the user to set a password, select both the Allow simple password check box and the Force use of password check box.

    • To require use of both letters and numbers in the password, select the Prompt for alphanumeric value check box.
    • To require use of a password, select the Force use of password check box. If the check box is cleared, the mobile device can be used without a password.

      If the Prompt for alphanumeric value, Minimum password length, or Minimum number of special characters options are enabled, a password is requested even if the Force use of password check box is cleared.

    • In the Minimum password length list, select the minimum password length in characters.
    • In the Minimum number of special characters list, select the minimum number of special characters in the password (such as "$", "&", "!").

      On some iOS MDM devices, if the Minimum number of special characters value is specified and the Allow simple password check box is selected, the device displays information about setting a password of 6 or more characters even though it is possible to set a password of 4 or more characters.

    • In the Maximum password lifetime (days) field, specify the period of time in days during which the password will stay current. When this period expires, the iOS MDM Server prompts the user to change the password.
    • In the Auto-Lock list, select the amount of time after which Auto-Lock should be enabled on the iOS MDM device. If the mobile device remains idle for this time period, it switches to sleep mode.

      On different iOS MDM devices, the actual time of the device's automatic locking may differ from the value that you have specified:

      On iPhone devices: if you set Auto-Lock in 10 or 15 minutes, the device will be locked in 5 minutes.

      On iPad devices: if you set Auto-Lock in 1 – 4 minutes, the device will be locked in 2 minutes.

      For other values the actual time of the device's automatic locking matches the specified time.

    • In the Reuse of previous passwords field, specify the number of used passwords (including the current password) that the iOS MDM Server will compare with the new password when the user changes the current password. If the passwords match, the new password is rejected.
    • In the Maximum time for unlock without password list, select the amount of time during which the user can unlock the iOS MDM device without entering the password.
    • In the Maximum number of failed password attempts, select the number of attempts that the user can make to enter the unlock password on the iOS MDM device.
  7. Click Save to save the changes you have made.

Mobile device settings are changed after the next device synchronization with the iOS MDM Server.

As a result, once the policy is applied, the iOS MDM Server checks the strength of the password set on the user's mobile device. If the strength of the device unlock password does not comply with the policy, the user is prompted to change the password.
