20.2 Mobile Security Policy

This policy configures the password restrictions, encryption settings, and device inactivity settings.

20.2.1 Creating a Mobile Security Policy

  1. On the Getting Started with Mobile Management page, navigate to the Mobile Security and Control section and click Create New Policies. Alternatively, from the left-hand navigation pane of ZCC, navigate to Policies > New > Policies.

  2. On the Select Platform page, select Mobile and then click Next.

  3. On the Select Policy Category page, select General Mobile Policies and then click Next.

  4. On the Select Policy Type page, select Mobile Security Policy and then click Next.

  5. On the Define Details page, specify a name for the policy, select the folder in which to place the policy, then click Next.

  6. On the Select Security Levels page you can assign different security levels to corporate-owned devices and personally-owned devices. There are five security levels. Each security level provides pre-configured defaults for the password, encryption, and device inactivity settings. After the policy is created, you can edit the policy to customize individual settings, if needed.

    Select from the following security levels and click Next:

    • None: All settings are inherited from other Mobile Security policies applied to the device. If no other policies are applied to the device, the device’s default settings are used.

      The None security level is useful for creating exceptions for devices. For example, you might have a corporate Mobile Security policy that applies a Moderate security level to all devices. However, you have a few devices on which you want to enforce storage card encryption, which is not enforced by the Moderate security level. You create a policy with the None security level, edit the policy to turn on storage card encryption, and then assign the policy to the appropriate devices.

      The None security level is also useful for overriding a few default settings on devices. For example, you might want to retain all of the default settings of the device with the exception that you want to enable the Require Encryption setting. In this scenario, you need to create a policy with the None security level, edit the policy to turn on device encryption, and then assign the policy to the appropriate devices. The devices will retain all default settings except for the device encryption setting enforced through the policy.

    • Low: Enforces a password on the device. The password can be a simple password with a minimum of 4 characters.

    • Moderate: Enforces a password and inactivity lockout restrictions. The password must be an alphanumeric password with a minimum of 6 characters. A 30 day password expiration is enforced, and the last 5 passwords cannot be reused. After 5 minutes of inactivity, the device is locked; after 10 failed attempts to unlock the device, it is wiped.

    • Strict: Enforces a password, encryption, and inactivity lockout restrictions. The password must be a complex password with a minimum of 8 characters. A 30 day password expiration is enforced, and the last 7 passwords cannot be reused. The device and its storage card are encrypted. After 1 minute of inactivity, the device is locked; after 7 failed attempts to unlock the device, it is wiped.

    • High: Same as the Strict security level with higher restrictions for each complex password setting. The password must be a strong complex password with a minimum of 8 characters. A 30 day password expiration is enforced, and the last 10 passwords cannot be reused. The device and its storage card are encrypted. After 1 minute of inactivity, the device is locked; after 5 failed attempts to unlock the device, it is wiped.

  7. On the Summary page, select any of the following options if required:

    • Create as Sandbox: Creates a Sandbox-only version of the policy. A Sandbox version of a policy enables you to test it on your device before actually deploying it.

    • Define Additional Properties: Enables you to edit the default security settings configured in the policy. For more information, see Editing a Mobile Security Policy Setting.

    Click Finish to complete the policy.

20.2.2 Editing a Mobile Security Policy Setting

Based on the security level selected when the Mobile Security policy was created, ZENworks predefines the policy settings. You can view or edit these settings by performing the following steps.

  1. In ZENworks Control Center, navigate to the Policies section.

  2. Click the Mobile Security Policy whose content you want to edit.

  3. Click the Details tab, and edit the settings.

    Corporate/Personal: The settings in the Corporate column are applied to devices whose ownership is defined as Corporate. The settings in the Personal column are applied to devices whose ownership is defined as Personal. The settings use the following values:

    • Yes: Enables the setting.

    • No: Disables the setting.

    • Inherit: Inherits the setting value from other Mobile Security Policies assigned higher in the policy hierarchy. For example, if you assign this policy to a device, the setting value is inherited from any Mobile Security Policy assigned to groups and folders of which the device is a member. If a setting value is not inherited from another Mobile Security Policy, the device’s default value is used.

    • Numeric value: Configures the setting with the numeric value provided by you.

    Platform Support: The platform columns show support for a setting. The platforms are:

    • Android

    • iOS/iPadOS

    • ActiveSync

    The Password, Device Inactivity and Encryption tabs are applicable for the following devices:

    • iOS and iPadOS devices

    • Android devices enrolled in the work-managed device mode

    • ActiveSync Only devices

    The Profile Security tab is for Android devices enrolled in the work profile mode.

  4. Click Apply.

  5. Click Publish to display the Publish Option page. In this page you can publish the modified policy as a new version of the same policy or as a new policy.

Password

The Password settings are listed in increasing order of complexity (strictness). If more than one setting applies to a device, the more complex (strict) setting is enforced. The platforms to which each restriction applies are listed in the Platform Support column. For Android devices (fully managed), these restrictions apply to work-managed devices only. To set password restrictions for the work profile, see Profile Security.
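To make the interaction between the security-level presets, the Inherit value and the strictest-wins rule for password settings concrete, here is an added Python model. It is not ZENworks code: it encodes the five level presets from the descriptions in Creating a Mobile Security Policy, resolves Inherit towards the policies assigned higher in the hierarchy and then the device default, and combines explicit password settings strictest-wins. The device defaults and the None-level exception scenario are constructed for the example, and which direction counts as stricter for each setting is my reading of the setting descriptions, not a documented ZENworks value.

```python
"""Added model of how Mobile Security policy settings combine. Not ZENworks code."""
from typing import Dict, List, Union

INHERIT = "Inherit"
Value = Union[bool, int, str]   # Yes -> True, No -> False, a number, or "Inherit"

# Presets for the five security levels, taken from the level descriptions.
# A setting a level does not mention is omitted, which behaves like Inherit.
LEVEL_PRESETS: Dict[str, Dict[str, Value]] = {
    "None": {},
    "Low": {"Require password": True, "Require simple password": True,
            "Minimum password length": 4},
    "Moderate": {"Require password": True, "Require alphanumeric password": True,
                 "Minimum password length": 6,
                 "Require password expiration": True, "Password expiration (days)": 30,
                 "Require password history": True, "Number of passwords stored": 5,
                 "Require inactivity lock": True, "Maximum inactivity timeout (minutes)": 5,
                 "Wipe device on failed number of unlock attempts": True,
                 "Maximum number of unlock attempts": 10},
    "Strict": {"Require password": True, "Require complex password": True,
               "Minimum password length": 8,
               "Require password expiration": True, "Password expiration (days)": 30,
               "Require password history": True, "Number of passwords stored": 7,
               "Require encryption on the device": True,
               "Require encryption on the storage card": True,
               "Require inactivity lock": True, "Maximum inactivity timeout (minutes)": 1,
               "Wipe device on failed number of unlock attempts": True,
               "Maximum number of unlock attempts": 7},
}
# High is Strict with a longer password history and fewer unlock attempts.
LEVEL_PRESETS["High"] = {**LEVEL_PRESETS["Strict"],
                         "Number of passwords stored": 10,
                         "Maximum number of unlock attempts": 5}

# Constructed device defaults, standing in for what an unmanaged device would use.
DEVICE_DEFAULTS: Dict[str, Value] = {
    "Require password": False, "Require simple password": True,
    "Minimum password length": 0, "Require encryption on the device": False,
    "Require encryption on the storage card": False,
    "Maximum inactivity timeout (minutes)": 15,
}

# Password settings combine strictest-wins. Which direction is stricter is my reading
# of the descriptions (assumption): True means a higher value is stricter. For Yes/No
# settings, Yes is stricter, except Require simple password, where No is stricter.
HIGHER_IS_STRICTER: Dict[str, bool] = {
    "Minimum password length": True, "Password expiration (days)": False,
    "Number of passwords stored": True, "Minimum complex characters required": True,
    "Minimum letters required": True, "Minimum numbers required": True,
}
PASSWORD_SETTINGS = set(HIGHER_IS_STRICTER) | {
    "Require password", "Require simple password", "Require numeric password",
    "Require numeric complex password", "Require alphabetic password",
    "Require alphanumeric password", "Require complex password",
    "Require password expiration", "Require password history"}


def stricter(setting: str, a: Value, b: Value) -> Value:
    """Return whichever of two explicit values is the more complex (strict) one."""
    if isinstance(a, bool):
        strict_value = setting != "Require simple password"
        return strict_value if strict_value in (a, b) else a
    return max(a, b) if HIGHER_IS_STRICTER[setting] else min(a, b)


def effective_settings(policies: List[Dict[str, Value]],
                       defaults: Dict[str, Value]) -> Dict[str, Value]:
    """Combine the policies that apply to one device.

    `policies` is ordered from the most specific assignment (the device itself) to
    the least specific (its groups and folders), so Inherit walks towards the end of
    the list and falls back to the device default when no policy sets a value."""
    names = set(defaults)
    for policy in policies:
        names |= set(policy)
    result: Dict[str, Value] = {}
    for name in names:
        explicit = [p[name] for p in policies if p.get(name, INHERIT) != INHERIT]
        if not explicit:
            if name in defaults:
                result[name] = defaults[name]    # inherited all the way down
            continue
        value = explicit[0]                      # nearest explicit value ...
        if name in PASSWORD_SETTINGS:            # ... unless strictest-wins applies
            for other in explicit[1:]:
                value = stricter(name, value, other)
        result[name] = value
    return result


if __name__ == "__main__":
    # The exception scenario from the None level: Moderate for everyone, plus a
    # None-level policy that only turns on storage card encryption for a few devices.
    corporate = LEVEL_PRESETS["Moderate"]
    exception = {**LEVEL_PRESETS["None"], "Require encryption on the storage card": True}
    for name, value in sorted(effective_settings([exception, corporate], DEVICE_DEFAULTS).items()):
        print(f"{name}: {value}")
```

Running it prints the effective settings for a device that carries both policies: the password, expiration, history and inactivity values come from the Moderate preset, storage card encryption comes from the exception policy, and device encryption stays at the device default because neither policy sets it.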

Each setting is listed with the platforms that support it (the Platform Support column) in parentheses:

  • Require password (Android, iOS, iPadOS, ActiveSync): Requires a password to unlock the device.

  • Require biometric weak password (Android): Requires at least low-security biometric recognition technology that can recognize the identity of an individual to about the level of a 3-digit PIN (false detection rate below 1 in 1,000).

  • Require simple password (Android, iOS, iPadOS, ActiveSync): Allows the password to include repeating characters such as 0000 or sequential characters such as abcd.

    This setting behaves differently on Android and iOS devices. On Android devices, the strictest rule is applied. On iOS devices, all the configured rules are applied cumulatively.

  • Minimum password length (Android, iOS, iPadOS, ActiveSync): Specifies the minimum number of characters required for the password.

  • Require numeric password (Android): Requires the password to contain numbers. Other characters (letters and symbols) are optional.

  • Require numeric complex password (Android): Requires the password to contain numbers, with no repeating numbers (4444) or sequential numbers (1234). Other characters (letters and symbols) are optional.

  • Require alphabetic password (Android): Requires the password to contain letters (or symbols). Other characters (numbers) are optional.

  • Require alphanumeric password (Android, iOS, iPadOS, ActiveSync): Requires the password to contain letters (or symbols) and numbers.

  • Require complex password (Android, iOS, iPadOS, ActiveSync): Requires the password to contain letters, numbers, and symbols.

  • Minimum complex character types (ActiveSync): Applies only if Require complex password is set to Yes or Inherit. Specifies the minimum number of character types the complex password must contain. Character types are defined as:

    • Lowercase alphabetical characters

    • Uppercase alphabetical characters

    • Numbers

    • Non-alphanumeric characters

  • Minimum complex characters required (Android, iOS, iPadOS): Applies only if Require complex password is set to Yes or Inherit. Specifies the minimum number of characters required for the complex password.

  • Minimum letters required (Android): Applies only if Require complex password is set to Yes or Inherit. Specifies the minimum number of letters that must be included in the complex password.

  • Minimum numbers required (Android): Applies only if Require complex password is set to Yes or Inherit. Specifies the minimum number of numbers that must be included in the complex password.

  • Minimum lowercase letters required (Android): Applies only if Require complex password is set to Yes or Inherit. Specifies the minimum number of lowercase letters (abcd) that must be included in the complex password.

  • Minimum uppercase letters required (Android): Applies only if Require complex password is set to Yes or Inherit. Specifies the minimum number of uppercase letters (ABCD) that must be included in the complex password.

  • Minimum nonletters required (Android): Applies only if Require complex password is set to Yes or Inherit. Specifies the minimum number of numbers or symbols that must be included in the complex password.

  • Require password expiration (Android, iOS, iPadOS, ActiveSync): Requires the password to expire within a specified number of days.

  • Password expiration (days) (Android, iOS, iPadOS, ActiveSync): Applies only if Require password expiration is set to Yes. Specifies the number of days after which the password expires and must be changed. For example, if set to 30, the password expires after 30 days and must be changed.

  • Require password history (Android, iOS, iPadOS, ActiveSync): Requires a history of used passwords to be stored in order to prevent immediate reuse of passwords.

  • Number of passwords stored (Android, iOS, iPadOS, ActiveSync): Applies only if Require password history is set to Yes. Specifies the number of passwords stored in the history. For example, if set to 5, the last 5 passwords cannot be reused.

NOTE: In this policy, even if you specify a minimum password length of less than 6, an iOS device (version 11 or later) to which the policy is assigned prompts for a password of at least 6 characters. However, the device accepts a password shorter than 6 characters, as specified in the policy.
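The Password settings above are easiest to reason about as a checker. The following Python function is an added example, not ZENworks code and not the check the device platform itself performs: it evaluates a candidate password against a policy written with the setting names from the list, returning the names of the settings it violates. The minimum-count settings are only checked when Require complex password is Yes or Inherit, as the descriptions state; what counts as repeating or sequential text is an assumption noted in the code, and the sample policies are constructed for the example.

```python
"""Added example: check a candidate password against Password settings. Not ZENworks code."""
from typing import Dict, List, Optional, Union

Value = Union[bool, int, str]   # Yes -> True, No -> False, a number, or "Inherit"


def _is_simple(text: str) -> bool:
    """Repeating (0000) or sequential (abcd, 1234) text. Assumed definition: every
    neighbouring pair has the same code-point step, and that step is 0, +1 or -1."""
    if len(text) < 2:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(text, text[1:])}
    return len(steps) == 1 and steps.pop() in (-1, 0, 1)


def _count(policy: Dict[str, Value], name: str) -> Optional[int]:
    """Numeric value of a setting, or None when it is absent, Inherit, or Yes/No."""
    value = policy.get(name)
    if isinstance(value, int) and not isinstance(value, bool):
        return value
    return None


def validate(pw: str, policy: Dict[str, Value]) -> List[str]:
    """Return the names of the settings the password violates; [] means accepted."""
    letters = sum(c.isalpha() for c in pw)
    lower = sum(c.islower() for c in pw)
    upper = sum(c.isupper() for c in pw)
    digits = sum(c.isdigit() for c in pw)
    symbols = sum(not c.isalnum() for c in pw)
    digit_text = "".join(c for c in pw if c.isdigit())
    char_types = sum(1 for n in (lower, upper, digits, symbols) if n)

    failed: List[str] = []

    def on(name: str) -> bool:
        return policy.get(name) is True

    def check(name: str, ok: bool) -> None:
        if not ok:
            failed.append(name)

    if on("Require password"):
        check("Require password", len(pw) > 0)
    if policy.get("Require simple password") is False:   # No: simple passwords rejected
        check("Require simple password", not _is_simple(pw))
    minimum = _count(policy, "Minimum password length")
    if minimum is not None:
        check("Minimum password length", len(pw) >= minimum)
    if on("Require numeric password"):
        check("Require numeric password", digits > 0)
    if on("Require numeric complex password"):
        check("Require numeric complex password",
              digits > 0 and not _is_simple(digit_text))
    if on("Require alphabetic password"):
        check("Require alphabetic password", letters + symbols > 0)
    if on("Require alphanumeric password"):
        check("Require alphanumeric password", letters + symbols > 0 and digits > 0)
    if on("Require complex password"):
        check("Require complex password", letters > 0 and digits > 0 and symbols > 0)
    # The minimum-count settings apply only if Require complex password is Yes or Inherit.
    if policy.get("Require complex password") in (True, "Inherit"):
        for name, have in (("Minimum complex characters required", len(pw)),
                           ("Minimum complex character types", char_types),
                           ("Minimum letters required", letters),
                           ("Minimum numbers required", digits),
                           ("Minimum lowercase letters required", lower),
                           ("Minimum uppercase letters required", upper),
                           ("Minimum nonletters required", digits + symbols)):
            minimum = _count(policy, name)
            if minimum is not None:
                check(name, have >= minimum)
    return failed


if __name__ == "__main__":
    # Constructed policies resembling the Moderate and Strict presets.
    moderate = {"Require password": True, "Require simple password": False,
                "Require alphanumeric password": True, "Minimum password length": 6}
    strict = {"Require password": True, "Require complex password": True,
              "Minimum password length": 8, "Minimum uppercase letters required": 1,
              "Minimum nonletters required": 2}
    for candidate in ("abc123", "123456", "Passw0rd!", "password1!"):
        print(candidate, "moderate:", validate(candidate, moderate),
              "strict:", validate(candidate, strict))
```

The return value is the list of violated settings rather than a bare yes/no, which is what an administrator needs when deciding which preset a user population can realistically meet before the policy is published.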

Encryption

Not all Encryption settings apply to all device platforms. In addition, the setting support can vary from version to version within a platform. For Android devices (fully managed) these restrictions are applicable for work-managed devices only. Encryption settings for the work profile cannot be set.

Each setting is listed with the platforms that support it (the Platform Support column) in parentheses:

  • Require encryption on the device (Android, ActiveSync): Requires content stored on the device to be encrypted.

  • Require encryption on the storage card (ActiveSync): Requires content on the storage card to be encrypted.

Device Inactivity

Not all Device Inactivity settings apply to all device platforms. In addition, setting support can vary from version to version within a platform. For Android devices (fully managed) these restrictions are applicable for work-managed devices only. To set inactivity restrictions for the work profile, see Profile Security.

Each setting is listed with the platforms that support it (the Platform Support column) in parentheses:

  • Require inactivity lock (Android, iOS, iPadOS, ActiveSync): Requires the device to be locked after it has been inactive for a specified period of time.

  • Maximum inactivity timeout (minutes) (Android, iOS, iPadOS, ActiveSync): Applies only if Require inactivity lock is set to Yes. Specifies the maximum number of minutes the user can set for the inactivity lock. For example, if set to 5, the user can set the inactivity timeout up to 5 minutes.

  • Wipe device on failed number of unlock attempts (Android, iOS, iPadOS, ActiveSync): Wipes the device data after a specified number of failed attempts to unlock the device.

  • Maximum number of unlock attempts (Android, iOS, iPadOS, ActiveSync): Applies only if Wipe device on failed number of unlock attempts is set to Yes. Specifies the number of failed attempts to unlock the device that are allowed before the device data is wiped. For example, if set to 10, the device is wiped after the 10th failed attempt.

  • Configure time period after which passcode is required (iOS, iPadOS): Enables you to define when a passcode is required after a period of inactivity.

  • Display the passcode screen on unlock (iOS, iPadOS): Displays the passcode screen after the specified period of inactivity. For example, if set to After 5 minutes, the passcode screen is displayed after 5 minutes of inactivity.

Profile Security

This setting is applicable for Android devices enrolled in the work profile mode. To enable the Profile Security settings, select Yes from the Secure Work Profile drop-down list for the ownership type with which the devices are enrolled (Corporate or Personal).

NOTE: If you have assigned the profile security password settings to a device and the Use one lock feature is enabled on the same device (under Settings > Security), the password setting with the stricter restriction is applied to both the device and the work profile. For example, if the configured work profile password is more complex than the configured device password, the work profile password is used to unlock the device as well.

The settings are grouped into the following sections:

Password settings:

  • Require password: Requires a password to unlock the device.

  • Require biometric weak password: Requires at least low-security biometric recognition technology that can recognize the identity of an individual to about the level of a 3-digit PIN (false detection rate below 1 in 1,000).

  • Require simple password: Allows the password to include repeating characters such as 0000 or sequential characters such as abcd.

  • Minimum password length: Specifies the minimum number of characters required for the password.

  • Require numeric password: Requires the password to contain numbers. Other characters (letters and symbols) are optional.

  • Require numeric complex password: Requires the password to contain numbers, with no repeating numbers (4444) or sequential numbers (1234). Other characters (letters and symbols) are optional.

  • Require alphabetic password: Requires the password to contain letters (or symbols). Other characters (numbers) are optional.

  • Require alphanumeric password: Requires the password to contain letters (or symbols) and numbers.

  • Require complex password: Requires the password to contain letters, numbers, and symbols.

  • Minimum complex characters required: Applies only if Require complex password is set to Yes or Inherit. Specifies the minimum number of characters required for the complex password.

  • Minimum letters required: Applies only if Require complex password is set to Yes or Inherit. Specifies the minimum number of letters that must be included in the complex password.

  • Minimum numbers required: Applies only if Require complex password is set to Yes or Inherit. Specifies the minimum number of numbers that must be included in the complex password.

  • Minimum lowercase letters required: Applies only if Require complex password is set to Yes or Inherit. Specifies the minimum number of lowercase letters (abcd) that must be included in the complex password.

  • Minimum uppercase letters required: Applies only if Require complex password is set to Yes or Inherit. Specifies the minimum number of uppercase letters (ABCD) that must be included in the complex password.

  • Minimum non-letters required: Applies only if Require complex password is set to Yes or Inherit. Specifies the minimum number of numbers or symbols that must be included in the complex password.

  • Require password expiration: Requires the password to expire within a specified number of days.

  • Password expiration (days): Applies only if Require password expiration is set to Yes. Specifies the number of days after which the password expires and must be changed. For example, if set to 30, the password expires after 30 days and must be changed.

  • Require password history: Requires a history of used passwords to be stored in order to prevent immediate reuse of passwords.

  • Number of passwords stored: Applies only if Require password history is set to Yes. Specifies the number of passwords stored in the history. For example, if set to 5, the last 5 passwords cannot be reused.

Profile Inactivity settings:

  • Require inactivity lock: Requires the device to be locked after the work profile has been inactive for a specified period of time.

  • Maximum inactivity timeout (minutes): Applies only if Require inactivity lock is set to Yes. Specifies the maximum number of minutes the user can set for the inactivity lock. For example, if set to 5, the user can set the inactivity timeout up to 5 minutes.

  • Wipe profile on failed number of unlock attempts: Wipes the work profile after the specified number of failed attempts to unlock the device.

  • Maximum number of unlock attempts: Applies only if Wipe profile on failed number of unlock attempts is set to Yes. Specifies the number of failed attempts to unlock the work-managed app that are allowed before the work profile is wiped. For example, if set to 10, the profile is removed after the 10th failed attempt.

20.2.3 Assigning a Mobile Security Policy

A Mobile Security Policy can be assigned to users or devices. User-assigned policies apply to all devices that the user enrolls. Device-assigned policies apply only to the assigned device.

In addition to assigning policies directly to users and devices, you can assign this policy to user groups, user folders, device groups, and device folders. Each member of the group or folder receives the assignment.

  1. To assign the policy to users, from the Policies list, select the check box in front of the policy, then click Action > Assign to User. To assign the policy to devices from the Policies list, select the check box in front of the policy, then click Action > Assign to Device.

  2. In the Select Object dialog box, browse for and select the users or devices to whom you want to assign the policy, click OK to add them to the list and then click Next.

  3. If the policy is assigned to a device, the Policy Conflict Resolution page is displayed. On this page, you can set the precedence of device-associated and user-associated policies to resolve conflicts that arise when policies of the same type are associated with both devices and users. Select any of the following and click Next:

    • User Precedence: The user-associated policy overrides the device-associated policy. Select this option to apply policies that are associated with users first, and then those associated with devices.

    • Device Precedence: The device-associated policy overrides the user-associated policy. Select this option to apply policies that are associated with devices first, and then those associated with users.

    • Device Only: Select this option to apply only policies that are associated with devices.

    • User Only: Select this option to apply only policies that are associated with users.

  4. Review the summary page and click Finish to complete the assignment.

    For more information on the existing Policies section of ZENworks, see ZENworks Configuration Policies Reference.