This policy configures the password restrictions, encryption settings, and device inactivity settings.
On the Getting Started with Mobile Management page, navigate to the Mobile Security and Control section and click Create New Policies. Alternatively, from the left-hand navigation pane of ZCC, navigate to Policies > New > Policies.
On the Select Platform page, select Mobile and then click Next.
On the Select Policy Category page, select General Mobile Policies and then click Next.
On the Select Policy Type page, select Mobile Security Policy and then click Next.
On the Define Details page, specify a name for the policy, select the folder in which to place the policy, then click Next.
On the Select Security Levels page you can assign different security levels to corporate-owned devices and personally-owned devices. There are five security levels. Each security level provides pre-configured defaults for the password, encryption, and device inactivity settings. After the policy is created, you can edit the policy to customize individual settings, if needed.
Select from the following security levels and click Next:
None: All settings are inherited from other Mobile Security policies applied to the device. If no other policies are applied to the device, the device’s default settings are used.
The None security level is useful for creating exceptions for devices. For example, you might have a corporate Mobile Security policy that applies a Moderate security level to all devices. However, you have a few devices on which you want to enforce storage card encryption, which is not enforced by the Moderate security level. You create a policy with the None security level, edit the policy to turn on storage card encryption, and then assign the policy to the appropriate devices.
The None security level is also useful for overriding a few default settings on devices. For example, you might want to retain all of the default settings of the device with the exception that you want to enable the Require Encryption setting. In this scenario, you need to create a policy with the None security level, edit the policy to turn on device encryption, and then assign the policy to the appropriate devices. The devices will retain all default settings except for the device encryption setting enforced through the policy.
Low: Enforces a password on the device. The password can be a simple password with a minimum of 4 characters.
Moderate: Enforces a password and inactivity lockout restrictions. The password must be an alphanumeric password with a minimum of 6 characters. A 30 day password expiration is enforced, and the last 5 passwords cannot be reused. After 5 minutes of inactivity, the device is locked; after 10 failed attempts to unlock the device, it is wiped.
Strict: Enforces a password, encryption, and inactivity lockout restrictions. The password must be a complex password with a minimum of 8 characters. A 30 day password expiration is enforced, and the last 7 passwords cannot be reused. The device and its storage card are encrypted. After 1 minute of inactivity, the device is locked; after 7 failed attempts to unlock the device, it is wiped.
High: Same as the Strict security level with higher restrictions for each complex password setting. The password must be a strong complex password with a minimum of 8 characters. A 30 day password expiration is enforced, and the last 10 passwords cannot be reused. The device and its storage card are encrypted. After 1 minute of inactivity, the device is locked; after 5 failed attempts to unlock the device, it is wiped.
On the Summary page.
Create as Sandbox: Creates a Sandbox-only version of the policy. A Sandbox version of a policy enables you to test it on your device before actually deploying it.
Define Additional Properties: Enables you to edit the default security settings configured in the policy. For more information, see Editing a Mobile Security Policy Setting.
Click Finish to complete the policy.
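
Because a policy can be edited after it is created from a security level, it helps to check an edited policy against the defaults of the level it started from. The following is an added example, not ZENworks code: the key names, the ordering of password types, and the sample policy are assumptions, while the numbers are the level defaults listed above.

```python
# Added example: security-level defaults transcribed from this page.
# Key names and the ordering of password types are assumptions.
PASSWORD_TYPES = ["simple", "alphanumeric", "complex", "strong complex"]

LEVELS = {
    "Low": {"password_type": "simple", "min_length": 4},
    "Moderate": {
        "password_type": "alphanumeric", "min_length": 6,
        "expiration_days": 30, "history": 5,
        "inactivity_minutes": 5, "max_unlock_attempts": 10,
    },
    "Strict": {
        "password_type": "complex", "min_length": 8,
        "expiration_days": 30, "history": 7,
        "encrypt_device": True, "encrypt_storage_card": True,
        "inactivity_minutes": 1, "max_unlock_attempts": 7,
    },
    "High": {
        "password_type": "strong complex", "min_length": 8,
        "expiration_days": 30, "history": 10,
        "encrypt_device": True, "encrypt_storage_card": True,
        "inactivity_minutes": 1, "max_unlock_attempts": 5,
    },
}

# For these settings a larger number is stricter; for the other numeric
# settings (expiration, timeout, unlock attempts) a smaller number is stricter.
HIGHER_IS_STRICTER = {"min_length", "history"}


def is_weaker(key, actual, required):
    """True when `actual` is less strict than the level's default."""
    if actual is None:
        return True  # setting disabled or missing from the policy
    if key == "password_type":
        return PASSWORD_TYPES.index(actual) < PASSWORD_TYPES.index(required)
    if isinstance(required, bool):
        return required and not actual
    if key in HIGHER_IS_STRICTER:
        return actual < required
    return actual > required


def drift(level, effective):
    """List (setting, level default, effective value) for every setting
    that was relaxed below the defaults of `level`."""
    return [
        (key, required, effective.get(key))
        for key, required in LEVELS[level].items()
        if is_weaker(key, effective.get(key), required)
    ]


# Constructed sample: a policy created at Strict and later edited.
EDITED_STRICT = {
    "password_type": "complex", "min_length": 8,
    "expiration_days": 90, "history": 7,
    "encrypt_device": True, "encrypt_storage_card": False,
    "inactivity_minutes": 1, "max_unlock_attempts": 7,
}

if __name__ == "__main__":
    for finding in drift("Strict", EDITED_STRICT):
        print(finding)
```
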
The settings that ZENworks predefines for the security level selected when the Mobile Security policy was created can be viewed or edited by performing the steps in this section.
In ZENworks Control Center, navigate to the Policies section.
Click the Mobile Security Policy whose content you want to edit.
Click the Details tab, and edit the settings.
Corporate/Personal: The settings in the Corporate column are applied to devices whose ownership is defined as Corporate. The settings in the Personal column are applied to devices whose ownership is defined as Personal. The settings use the following values:
Yes: Enables the setting.
No: Disables the setting.
Inherit: Inherits the setting value from other Mobile Security Policies assigned higher in the policy hierarchy. For example, if you assign this policy to a device, the setting value is inherited from any Mobile Security Policy assigned to groups and folders of which the device is a member. If a setting value is not inherited from another Mobile Security Policy, the device’s default value is used.
Numeric value: Configures the setting with the numeric value provided by you.
None, Low, Medium, High: These values apply only to the Password Quality setting for Android 12 or higher.
Platform Support: The platform columns show support for a setting. The platforms are:
Android 12 or higher
Android 11 or lower
iOS
ActiveSync
The Password, Device Inactivity and Encryption tabs are applicable for the following devices:
iOS devices
Android devices enrolled in the work-managed device mode.
ActiveSync Only devices
The Profile Security tab is for Android devices enrolled in the work profile mode.
Click Apply.
Click Publish to display the Publish Option page. On this page, you can publish the modified policy as a new version of the same policy or as a new policy.
NOTE:
After updating to ZENworks 2020 Update 3, by default, for the existing policies, the value for Password Quality will be set as Inherit. Ensure that you set the password for the Android 12 devices.
For Android 12 devices, the existing mobile password requirements are not supported. Existing password requirements of both the Device and Profile side will be mapped to the complexity levels that Android 12 supports. Password mapping will be done as below:
Table 20-1

| Existing Password Requirements | Mapped Value |
|---|---|
| Require Simple Password | Low |
| Require Numeric Password | Medium |
| Require Numeric Complex Password | Medium |
| Require Complex Password | High |
| Require BioMetric Weak Password | Low |
| Require Alphanumeric Password | High |
| Require Alphabetic Password | High |
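
Because Password Quality defaults to Inherit on existing policies after the update, it is useful to work out which level a device's legacy requirements correspond to. The following added example (not ZENworks code) resolves Inherit values as described under Corporate/Personal above and applies Table 20-1. The data shape, the nearest-assignment-first ordering of the chain, and the fallback defaults are assumptions.

```python
# Table 20-1 from this page: legacy requirement -> Android 12 Password Quality.
LEGACY_TO_QUALITY = {
    "Require Simple Password": "Low",
    "Require Numeric Password": "Medium",
    "Require Numeric Complex Password": "Medium",
    "Require Complex Password": "High",
    "Require BioMetric Weak Password": "Low",
    "Require Alphanumeric Password": "High",
    "Require Alphabetic Password": "High",
}
QUALITY_RANK = {"None": 0, "Low": 1, "Medium": 2, "High": 3}


def resolve(setting, chain, device_default="No"):
    """Return the first non-Inherit value for `setting`, walking `chain` from
    the policy assigned to the device up through its groups and folders.
    Falls back to the device default (assumed to be "No")."""
    for policy in chain:
        value = policy["settings"].get(setting, "Inherit")
        if value != "Inherit":
            return value
    return device_default


def mapped_quality(chain):
    """Strictest Password Quality implied by the legacy requirements
    that resolve to Yes for this device."""
    best = "None"
    for setting, quality in LEGACY_TO_QUALITY.items():
        if resolve(setting, chain) == "Yes" and QUALITY_RANK[quality] > QUALITY_RANK[best]:
            best = quality
    return best


def audit(chain):
    """Compare the resolved Password Quality with the mapped legacy level."""
    configured = resolve("Password Quality", chain, device_default="None")
    expected = mapped_quality(chain)
    return {
        "configured": configured,
        "expected": expected,
        "needs_attention": QUALITY_RANK[configured] < QUALITY_RANK[expected],
    }


# Constructed sample, nearest assignment first: device -> group -> folder.
CHAIN = [
    {"name": "device-exception", "settings": {"Password Quality": "Inherit"}},
    {"name": "sales-group", "settings": {
        "Require Numeric Password": "Yes",
        "Require Complex Password": "No",
        "Password Quality": "Inherit"}},
    {"name": "corp-folder", "settings": {
        "Require Complex Password": "Yes",
        "Require Simple Password": "Yes"}},
]

if __name__ == "__main__":
    print(audit(CHAIN))
```
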
The Password settings are listed in increasing order of complexity (strictness). If more than one setting applies to a device, the more complex (strict) setting is enforced. The platforms to which these restrictions apply are listed in the Platform Support column. For Android devices (fully managed), these restrictions are applicable for work-managed devices only. To set password restrictions for the work profile, see Profile Security.
| Setting | Description | Platform Support |
|---|---|---|
| Require password | Requires a password to unlock the device. | Android 12 or higher, Android 11 or lower, iOS, ActiveSync |
| Password Quality | Requires setting the password complexity for Android 12 devices. | Android 12 or higher |
| Require biometric weak password | Requires at least low-security biometric recognition technology that can recognize the identity of an individual to about a 3 digit PIN (false detection is less than 1 in 1,000). | Android 11 or lower |
| Require simple password | Allows the password to include repeating characters such as (0000) or sequential characters such as (abcd). This setting behaves differently on Android and iOS devices. For Android devices, the strictest rule gets applied. However, for iOS devices, the rule that is applied is cumulative of all the set rules. | Android 11 or lower, iOS, ActiveSync |
| Minimum password length | Specifies the minimum number of characters required for the password. | Android 11 or lower, iOS, ActiveSync |
| Require numeric password | Requires the password to contain numbers. Other characters (letters and symbols) are optional. | Android 11 or lower |
| Require numeric complex password | Requires the password to contain numbers, with no repeating numbers (4444) or sequential numbers (1234). Other characters (letters and symbols) are optional. | Android 11 or lower |
| Require alphabetic password | Requires the password to contain letters (or symbols). Other characters (numbers) are optional. | Android 11 or lower |
| Require alphanumeric password | Requires the password to contain letters (or symbols) and numbers. | Android 11 or lower, iOS, ActiveSync |
| Require complex password | Requires the password to contain letters, numbers, and symbols. | Android 11 or lower, iOS, ActiveSync |
| Minimum complex character types | Applies only if Require complex password is set to Yes or Inherit. Specifies the minimum number of character types the complex password must contain. Character types are defined as: | ActiveSync |
| Minimum complex characters required | Applies only if Require complex password is set to Yes or Inherit. Specifies the minimum number of characters required for the complex password. | Android 11 or lower, iOS, |
| Minimum letters required | Applies only if Require complex password is set to Yes or Inherit. Specifies the minimum number of letters that must be included in the complex password. | Android 11 or lower |
| Minimum numbers required | Applies only if Require complex password is set to Yes or Inherit. Specifies the minimum number of numbers that must be included in the complex password. | Android 11 or lower |
| Minimum lowercase letters required | Applies only if Require complex password is set to Yes or Inherit. Specifies the minimum number of lowercase letters (abcd) that must be included in the complex password. | Android 11 or lower |
| Minimum uppercase letters required | Applies only if Require complex password is set to Yes or Inherit. Specifies the minimum number of uppercase letters (ABCD) that must be included in the complex password. | Android 11 or lower |
| Minimum nonletters required | Applies only if Require complex password is set to Yes or Inherit. Specifies the minimum number of numbers or symbols that must be included in the complex password. | Android 11 or lower |
| Require password expiration | Requires the password to expire within a specified number of days. | Android 12 or higher, Android 11 or lower, iOS, ActiveSync |
| Password expiration (days) | Applies only if Require device password expiration is set to Yes. Specifies the number of days after which the password expires and must be changed. For example, if set to 30, the password expires after 30 days and must be changed. | Android 12 or higher, Android 11 or lower, iOS, ActiveSync |
| Require password history | Requires a history of used passwords to be stored in order to prevent immediate reuse of passwords. | Android 12 or higher, Android 11 or lower, iOS, ActiveSync |
| Number of passwords stored | Applies only if Require device password history is set to Yes. Specifies the number of passwords stored in the history. For example, if set to 5, the last 5 passwords cannot be reused. | Android 12 or higher, Android 11 or lower, iOS, ActiveSync |
NOTE: In this policy, even when you specify the minimum password length as a value that is less than 6, an iOS device (version 11 or newer), to which this policy is assigned, prompts for a password length of minimum 6 characters. However, the device accepts a password length that is less than 6 characters, as specified in the policy.
Not all Encryption settings apply to all device platforms. In addition, the setting support can vary from version to version within a platform. For Android devices (fully managed) these restrictions are applicable for work-managed devices only. Encryption settings for the work profile cannot be set.
| Setting | Description | Platform Support |
|---|---|---|
| Require encryption on the device | Requires content stored on the device to be encrypted. | Android, ActiveSync |
| Require encryption on the storage card | Requires content on the storage card to be encrypted. | ActiveSync |
Not all Device Inactivity settings apply to all device platforms. In addition, setting support can vary from version to version within a platform. For Android devices (fully managed) these restrictions are applicable for work-managed devices only. To set inactivity restrictions for the work profile, see Profile Security.
| Setting | Description | Platform Support |
|---|---|---|
| Require inactivity lock | Requires the device to be locked after it has been inactive for a specified period of time. | Android, iOS, ActiveSync |
| Maximum inactivity timeout (minutes) | Applies only if Require inactivity lock is set to Yes. Specifies the maximum number of minutes the user can set for the inactivity lock. For example, if set to 5, the user can set the inactivity timeout up to 5 minutes. | Android, iOS, ActiveSync |
| Wipe device on failed number of unlock attempts | Wipes the device data after a specified number of failed attempts to unlock the device. | Android, iOS, ActiveSync |
| Maximum number of unlock attempts | Applies only if Wipe device on failed number of unlock attempts is set to Yes. Specifies the number of failed attempts to unlock the device that is allowed before the device data is wiped. For example, if set to 10, the device is wiped after the 10th failed attempt. | Android, iOS, ActiveSync |
| Configure time period after which passcode is required | Enables you to define when a passcode is required after a period of inactivity. | iOS |
| Display the passcode screen on unlock | Displays the passcode at the specified time period, after a period of inactivity. For example, if set to After 5 minutes, the passcode is displayed after 5 minutes of inactivity. | iOS |
This setting is applicable for Android devices enrolled in the work profile mode. To enable the Profile Security settings, select Yes from the Secure Work Profile drop-down list for the ownership type with which the devices are enrolled (Corporate or Personal).
NOTE: If you have assigned the profile security password settings to a device and the Use one lock feature is enabled on the same device (under Settings > Security), then the password setting with a stricter restriction is applied both on the device as well as the work profile. For example, if the configured work profile password is more complex than the configured device password, then the work profile password is used to unlock the device as well.
| Section | Setting | Description | Platform Support |
|---|---|---|---|
| Password | Require password | Requires a password to unlock the device. | Android 12 or higher, Android 11 or lower |
| | Password Quality | Requires setting the password complexity for Android 12 devices. | Android 12 |
| | Require biometric weak password | Requires at least low-security biometric recognition technology that can recognize the identity of an individual to about a 3 digit PIN (false detection is less than 1 in 1,000). | Android 11 or lower |
| | Require simple password | Allows the password to include repeating characters such as (0000) or sequential characters such as (abcd). | Android 11 or lower |
| | Minimum password length | Specify the minimum number of characters required for the password. | Android 11 or lower |
| | Require numeric password | Requires the password to contain numbers. Other characters (letters and symbols) are optional. | Android 11 or lower |
| | Require numeric complex password | Requires the password to contain numbers, with no repeating numbers (4444) or sequential numbers (1234). Other characters (letters and symbols) are optional. | Android 11 or lower |
| | Require alphabetic password | Requires the password to contain letters (or symbols). Other characters (numbers) are optional. | Android 11 or lower |
| | Require alphanumeric password | Requires the password to contain letters (or symbols) and numbers. | Android 11 or lower |
| | Require complex password | Requires the password to contain letters, numbers, and symbols. | Android 11 or lower |
| | Minimum complex characters required | Applies only if Require complex password is set to Yes or Inherit. Specify the minimum number of characters required for the complex password. | Android 11 or lower |
| | Minimum letters required | Applies only if Require complex password is set to Yes or Inherit. Specify the minimum number of letters that must be included in the complex password. | Android 11 or lower |
| | Minimum numbers required | Applies only if Require complex password is set to Yes or Inherit. Specify the minimum number of numbers that must be included in the complex password. | Android 11 or lower |
| | Minimum lowercase letters required | Applies only if Require complex password is set to Yes or Inherit. Specify the minimum number of lowercase letters (abcd) that must be included in the complex password. | Android 11 or lower |
| | Minimum uppercase letters required | Applies only if Require complex password is set to Yes or Inherit. Specify the minimum number of uppercase letters (ABCD) that must be included in the complex password. | Android 11 or lower |
| | Minimum non-letters required | Applies only if Require complex password is set to Yes or Inherit. Specify the minimum number of numbers or symbols that must be included in the complex password. | Android 11 or lower |
| | Require password expiration | Requires the password to expire within a specified number of days. | Android 12 or higher, Android 11 or lower |
| | Password expiration (days) | Applies only if Require device password expiration is set to Yes. Specifies the number of days after which the password expires and must be changed. For example, if set to 30, the password expires after 30 days and must be changed. | Android 12 or higher, Android 11 or lower |
| | Require password history | Requires a history of used passwords to be stored in order to prevent immediate reuse of passwords. | Android 12 or higher, Android 11 or lower |
| | Number of passwords stored | Applies only if Require device password history is set to Yes. Specifies the number of passwords stored in the history. For example, if set to 5, the last 5 passwords cannot be reused. | Android 12 or higher, Android 11 or lower |
| Profile Inactivity | Require inactivity lock | Confirms that the device should be locked if the work profile has been inactive for a specified period of time. | Android 12 or higher, Android 11 or lower |
| | Maximum inactivity timeout (minutes) | Applies only if Require inactivity lock is set to Yes. Specifies the maximum number of minutes the user can set for the inactivity lock. For example, if set to 5, the user can set the inactivity timeout up to 5 minutes. | Android 12 or higher, Android 11 or lower |
| | Wipe profile on failed number of unlock attempts | Wipes the work profile after the specified number of failed attempts to unlock the device. | Android 12 or higher, Android 11 or lower |
| | Maximum number of unlock attempts | Applies only if Wipe profile on failed number of unlock attempts is set to Yes. Specifies the number of failed attempts to unlock the work managed app that is allowed before the work profile is wiped. For example, if set to 10, the profile is removed after the 10th failed attempt. | Android 12 or higher, Android 11 or lower |
A Mobile Security Policy can be assigned to users or devices. User-assigned policies apply to all devices that the user enrolls. Device-assigned policies apply only to the assigned device.
In addition to assigning policies directly to users and devices, you can assign this policy to user groups, user folders, device groups, and device folders. Each member of the group or folder receives the assignment.
To assign the policy to users, from the Policies list, select the check box in front of the policy, then click Action > Assign to User. To assign the policy to devices from the Policies list, select the check box in front of the policy, then click Action > Assign to Device.
In the Select Object dialog box, browse for and select the users or devices to whom you want to assign the policy, click OK to add them to the list and then click Next.
If the policy is assigned to a device, the Policy Conflict Resolution page is displayed. On this page, you can set the precedence for device-associated policies and user-associated policies to resolve conflicts that arise when policies of the same type are associated with both devices and users. Define one of the following and click Next:
User Precedence: The user-associated policy will override the device-associated policy. Select this option to apply policies that are associated to the users first, and then to the devices.
Device Precedence: The device-associated policy will override the user-associated policy. Select this option to apply policies that are associated to the devices first, and then to the users.
Device Only: Select this option to apply policies that are associated to devices alone.
User Only: Select this option to apply policies that are associated to users alone.
Review the summary page and click Finish to complete the assignment.
For more information on the existing Policies section of ZENworks, see ZENworks Configuration Policies Reference.