Overview
The Android Password Policy lets administrators define password and unlock requirements for managed Android devices and work profiles.
Use this policy to:
Require a minimum password strength
Set minimum password length
Require letters, numbers, uppercase characters, lowercase characters, or symbols
Prevent password reuse
Require periodic password changes
Limit failed unlock attempts before a device wipe
Apply requirements to the entire device or only the work profile
Require a separate work profile password
Control when users must re-enter a strong password instead of using biometrics
This policy supports both company-owned and BYOD Android devices running Android 9 or later.
Supported Platforms
Platform | Minimum Supported Version |
Android | Android 9+ |
The Require Password Unlock setting is supported on Android 8.0 and later.
Before You Begin
Before deploying this policy:
Confirm the Android device is enrolled in Swif.
Decide whether the password requirement should apply to the entire device or only the work profile.
Select the appropriate password quality before configuring detailed composition requirements.
Review the device-wipe threshold carefully.
Test the policy on a small device group before broad deployment.
Notify users before enforcing stricter password requirements.
Steps
In Swif, go to Device Management.
Open Policies.
Create or edit a policy.
Select Android Password Policy.
Configure the password requirements.
Choose whether the requirements apply to the device or work profile.
Assign the policy to the appropriate Android device group.
Save and deploy the policy.
After the policy reaches the device, users may be prompted to update their password or screen lock if the current configuration does not meet the new requirements.
Recommended Baseline Configuration
For most managed Android environments, consider the following baseline:
Setting | Recommended Value |
Password Quality |
|
Password Scope |
|
Password Scope |
|
Password Minimum Length | 8 or greater when using a compatible password quality |
Password History Length | 5 |
Maximum Failed Passwords For Wipe | 10 |
Password Expiration Timeout |
|
Require Password Unlock |
|
Unified Lock Settings | Based on device ownership and security requirements |
Organizations with stricter security requirements may choose COMPLEXITY_HIGH or use COMPLEX with explicit character requirements.
Important: A low failed-password wipe threshold can cause accidental data loss. Test this setting carefully before deployment.
Password Requirements
Password Quality
The Password Quality setting defines the minimum strength and composition of the device or work profile password.
Value | Behavior |
| No explicit password quality is defined |
| Allows a weak biometric unlock method |
| Requires some form of screen lock |
| Requires a numeric PIN |
| Requires a numeric PIN without simple or repetitive sequences |
| Requires alphabetic characters |
| Requires letters and numbers |
| Uses explicit character composition requirements |
| Applies Android's low password-complexity level |
| Applies Android's medium password-complexity level |
| Applies Android's high password-complexity level |
Choosing a Password Quality
Use:
NUMERIC_COMPLEXwhen a stronger PIN is acceptableALPHANUMERICwhen letters and numbers are requiredCOMPLEXwhen you need to define exact character requirementsCOMPLEXITY_MEDIUMorCOMPLEXITY_HIGHwhen you prefer Android-managed complexity levels
The detailed minimum letter, number, uppercase, lowercase, and symbol settings are only enforced when Password Quality is set to COMPLEX.
Password Scope
The Password Scope determines where the requirements apply.
Value | Behavior |
| No explicit scope is defined |
| Applies the password requirement to the entire device |
| Applies the requirement only to the managed work profile |
Recommended Use
Use
SCOPE_DEVICEfor fully managed company-owned devices.Use
SCOPE_PROFILEfor BYOD devices when the organization should control only the work profile.
Using profile scope helps preserve separation between business controls and the user's personal device experience.
Password Minimum Length
Sets the minimum number of characters required.
A value of:
0
means no minimum-length restriction is applied.
This setting is enforced only when Password Quality is one of the following:
NUMERICNUMERIC_COMPLEXALPHABETICALPHANUMERICCOMPLEX
Example:
8
This requires a password or PIN with at least eight characters, provided the selected password quality supports minimum-length enforcement.
Complex Password Composition
The following settings apply only when Password Quality is set to:
COMPLEX
Password Minimum Letters
Sets the minimum number of alphabetic characters required.
Example:
2
Password Minimum Lower Case
Sets the minimum number of lowercase letters required.
Example:
1
Password Minimum Upper Case
Sets the minimum number of uppercase letters required.
Example:
1
Password Minimum Numeric
Sets the minimum number of numeric digits required.
Example:
1
Password Minimum Symbols
Sets the minimum number of symbols required.
Example:
1
Password Minimum Non-Letter
Sets the minimum number of non-letter characters required.
Non-letter characters include:
Numbers
Symbols
Example:
2
This requirement may overlap with the minimum numeric and minimum symbol settings. Avoid creating conflicting or unnecessarily restrictive combinations.
Password Reuse and Expiration
Password History Length
Sets how many previous passwords the user cannot reuse.
A value of:
0
means password history is not enforced.
Example:
5
The user cannot reuse any of the previous five passwords.
Password Expiration Timeout
Sets the number of days before the password expires and must be changed.
Allowed range:
0–365 days
A value of:
0
means the password does not expire.
Recommendation
Use password expiration only when required by your organization or compliance framework. Frequent forced password changes may lead users to choose weaker or predictable passwords.
Failed Password Attempts and Device Wipe
Maximum Failed Passwords For Wipe
Sets the number of incorrect unlock attempts allowed before the device is wiped.
A value of:
0
means no wipe threshold is enforced.
Example:
10
After the configured number of failed attempts, Android may wipe the device or managed profile depending on the enrollment and password scope.
Warning: This is a high-impact setting. A low value can cause accidental data loss if a user, child, or unauthorized person repeatedly enters the wrong password.
Before enabling this setting:
Confirm the device ownership model
Confirm whether the wipe affects the whole device or work profile
Inform users about the wipe threshold
Test the behavior on a non-production device
Strong Authentication Requirements
Require Password Unlock
This setting controls how long a user can continue using biometrics or other non-password authentication after successfully unlocking with a strong credential.
Strong authentication includes:
Password
PIN
Pattern
Other authentication methods may include:
Fingerprint
Face unlock
Trust agents
Value | Behavior |
| Uses unspecified or platform-default behavior |
| Uses the device's default strong-authentication timeout |
| Requires a strong password, PIN, or pattern at least once per day |
Use REQUIRE_EVERY_DAY when users may use biometrics but must periodically re-enter the device password.
Work Profile Lock Behavior
Unified Lock Settings
This setting controls whether the device and work profile may share the same lock credential.
Value | Behavior |
| Uses unspecified or platform-default behavior |
| Allows one lock credential for both the device and work profile |
| Requires a separate password for the work profile |
Recommended Use
Use ALLOW_UNIFIED_WORK_AND_PERSONAL_LOCK when:
User convenience is a priority
A shared credential meets your security requirements
The device is company-owned
Use REQUIRE_SEPARATE_WORK_LOCK when:
Work data requires stronger isolation
The device is personally owned
Your organization requires a separate credential for business data
Requiring a separate work lock may increase user friction, so communicate the requirement before deployment.
Example Configurations
Standard Company-Owned Device
Password Quality: COMPLEXITY_MEDIUM
Password Scope: SCOPE_DEVICE
Password History Length: 5
Maximum Failed Passwords For Wipe: 10
Require Password Unlock: REQUIRE_EVERY_DAY
Password Expiration Timeout: 0
This provides a balanced baseline for fully managed devices.
High-Security Company-Owned Device
Password Quality: COMPLEX
Password Scope: SCOPE_DEVICE
Password Minimum Length: 12
Password Minimum Upper Case: 1
Password Minimum Lower Case: 1
Password Minimum Numeric: 1
Password Minimum Symbols: 1
Password History Length: 10
Maximum Failed Passwords For Wipe: 10
Require Password Unlock: REQUIRE_EVERY_DAY
Use this only when your organization requires explicit password composition rules.
BYOD Work Profile
Password Quality: COMPLEXITY_MEDIUM
Password Scope: SCOPE_PROFILE
Unified Lock Settings: REQUIRE_SEPARATE_WORK_LOCK
Password History Length: 5
Maximum Failed Passwords For Wipe: 10
Require Password Unlock: REQUIRE_EVERY_DAY
This applies the password requirement to the managed work profile instead of the user's entire personal device.
Notes
A value of
0usually means the related restriction is disabled.Character composition settings are enforced only when Password Quality is
COMPLEX.Minimum password length is enforced only for supported password-quality values.
Password scope affects whether requirements apply to the entire device or only the work profile.
Wipe behavior may differ depending on enrollment type and Android management mode.
Users may be prompted to change their password after the policy is applied.
Conflicting or overly strict settings may prevent users from creating an acceptable password.
Test the policy on a small group before organization-wide deployment.
Troubleshooting
The User Is Not Prompted to Change the Password
Check:
The device is online and checking in with Swif
The policy is assigned to the correct device group
The device runs Android 9 or later
Password Scope is configured correctly
Password Quality is not blank or unspecified
The current password already satisfies the policy
The prompt may appear when the user next unlocks the device or opens the managed work profile.
Minimum Character Requirements Are Not Enforced
Check that Password Quality is set to:
COMPLEX
The following settings are ignored for other password-quality values:
Password Minimum Letters
Password Minimum Lower Case
Password Minimum Upper Case
Password Minimum Numeric
Password Minimum Symbols
Password Minimum Non-Letter
Password Minimum Length Is Not Enforced
Confirm that Password Quality is one of:
NUMERICNUMERIC_COMPLEXALPHABETICALPHANUMERICCOMPLEX
Minimum length may not be enforced when using Android complexity levels such as COMPLEXITY_MEDIUM or COMPLEXITY_HIGH.
Biometrics Still Work
This may be expected.
The password policy can allow biometric authentication while periodically requiring the user to enter a strong password, PIN, or pattern.
To require strong authentication each day, set:
Require Password Unlock: REQUIRE_EVERY_DAY
The Work Profile Uses the Personal Device Password
Check Unified Lock Settings.
To require a separate work profile password, set:
REQUIRE_SEPARATE_WORK_LOCK
The Device or Work Profile Was Wiped
Check the configured value for:
Maximum Failed Passwords For Wipe
A wipe may occur after the configured number of failed unlock attempts.
Review the policy before re-enrolling the device, and consider increasing the threshold if it was too restrictive.
The Policy Is Too Restrictive to Satisfy
Review:
Password minimum length
Minimum uppercase letters
Minimum lowercase letters
Minimum numbers
Minimum symbols
Minimum non-letter characters
Make sure the combined requirements are logically possible.
For example, a minimum length of eight cannot support composition requirements totaling more than eight required characters.
Security and Compliance Impact
The Android Password Policy helps organizations:
Prevent weak device credentials
Reduce unauthorized access to work data
Require periodic strong authentication
Protect managed profiles on personally owned devices
Limit repeated password-guessing attempts
Prevent immediate password reuse
Support consistent password controls across managed Android devices
These controls can help support endpoint-access requirements associated with frameworks such as SOC 2, ISO 27001, HIPAA, NIST, NIS2, and CMMC.
Summary
Use the Android Password Policy to define password strength, composition, scope, history, expiration, strong-authentication, and failed-attempt requirements on Android 9+ devices.
For most environments:
Use
COMPLEXITY_MEDIUMas a practical baseline.Apply
SCOPE_DEVICEto company-owned devices.Apply
SCOPE_PROFILEto BYOD work profiles.Require strong authentication at least once per day.
Use a cautious wipe threshold, such as 10 failed attempts.
Test the policy before broad deployment.
