Skip to main content

Android Password Policy

Overview

The Android Password Policy lets administrators define password and unlock requirements for managed Android devices and work profiles.

Use this policy to:

  • Require a minimum password strength

  • Set minimum password length

  • Require letters, numbers, uppercase characters, lowercase characters, or symbols

  • Prevent password reuse

  • Require periodic password changes

  • Limit failed unlock attempts before a device wipe

  • Apply requirements to the entire device or only the work profile

  • Require a separate work profile password

  • Control when users must re-enter a strong password instead of using biometrics

This policy supports both company-owned and BYOD Android devices running Android 9 or later.


Supported Platforms

Platform

Minimum Supported Version

Android

Android 9+

The Require Password Unlock setting is supported on Android 8.0 and later.


Before You Begin

Before deploying this policy:

  1. Confirm the Android device is enrolled in Swif.

  2. Decide whether the password requirement should apply to the entire device or only the work profile.

  3. Select the appropriate password quality before configuring detailed composition requirements.

  4. Review the device-wipe threshold carefully.

  5. Test the policy on a small device group before broad deployment.

  6. Notify users before enforcing stricter password requirements.


Steps

  1. In Swif, go to Device Management.

  2. Open Policies.

  3. Create or edit a policy.

  4. Select Android Password Policy.

  5. Configure the password requirements.

  6. Choose whether the requirements apply to the device or work profile.

  7. Assign the policy to the appropriate Android device group.

  8. Save and deploy the policy.

After the policy reaches the device, users may be prompted to update their password or screen lock if the current configuration does not meet the new requirements.


Recommended Baseline Configuration

For most managed Android environments, consider the following baseline:

Setting

Recommended Value

Password Quality

COMPLEXITY_MEDIUM

Password Scope

SCOPE_DEVICE for company-owned devices

Password Scope

SCOPE_PROFILE for BYOD work profiles

Password Minimum Length

8 or greater when using a compatible password quality

Password History Length

5

Maximum Failed Passwords For Wipe

10

Password Expiration Timeout

0, unless required by policy

Require Password Unlock

REQUIRE_EVERY_DAY

Unified Lock Settings

Based on device ownership and security requirements

Organizations with stricter security requirements may choose COMPLEXITY_HIGH or use COMPLEX with explicit character requirements.

Important: A low failed-password wipe threshold can cause accidental data loss. Test this setting carefully before deployment.


Password Requirements

Password Quality

The Password Quality setting defines the minimum strength and composition of the device or work profile password.

Value

Behavior

PASSWORD_QUALITY_UNSPECIFIED

No explicit password quality is defined

BIOMETRIC_WEAK

Allows a weak biometric unlock method

SOMETHING

Requires some form of screen lock

NUMERIC

Requires a numeric PIN

NUMERIC_COMPLEX

Requires a numeric PIN without simple or repetitive sequences

ALPHABETIC

Requires alphabetic characters

ALPHANUMERIC

Requires letters and numbers

COMPLEX

Uses explicit character composition requirements

COMPLEXITY_LOW

Applies Android's low password-complexity level

COMPLEXITY_MEDIUM

Applies Android's medium password-complexity level

COMPLEXITY_HIGH

Applies Android's high password-complexity level

Choosing a Password Quality

Use:

  • NUMERIC_COMPLEX when a stronger PIN is acceptable

  • ALPHANUMERIC when letters and numbers are required

  • COMPLEX when you need to define exact character requirements

  • COMPLEXITY_MEDIUM or COMPLEXITY_HIGH when you prefer Android-managed complexity levels

The detailed minimum letter, number, uppercase, lowercase, and symbol settings are only enforced when Password Quality is set to COMPLEX.


Password Scope

The Password Scope determines where the requirements apply.

Value

Behavior

SCOPE_UNSPECIFIED

No explicit scope is defined

SCOPE_DEVICE

Applies the password requirement to the entire device

SCOPE_PROFILE

Applies the requirement only to the managed work profile

Recommended Use

  • Use SCOPE_DEVICE for fully managed company-owned devices.

  • Use SCOPE_PROFILE for BYOD devices when the organization should control only the work profile.

Using profile scope helps preserve separation between business controls and the user's personal device experience.


Password Minimum Length

Sets the minimum number of characters required.

A value of:

0

means no minimum-length restriction is applied.

This setting is enforced only when Password Quality is one of the following:

  • NUMERIC

  • NUMERIC_COMPLEX

  • ALPHABETIC

  • ALPHANUMERIC

  • COMPLEX

Example:

8

This requires a password or PIN with at least eight characters, provided the selected password quality supports minimum-length enforcement.


Complex Password Composition

The following settings apply only when Password Quality is set to:

COMPLEX

Password Minimum Letters

Sets the minimum number of alphabetic characters required.

Example:

2

Password Minimum Lower Case

Sets the minimum number of lowercase letters required.

Example:

1

Password Minimum Upper Case

Sets the minimum number of uppercase letters required.

Example:

1

Password Minimum Numeric

Sets the minimum number of numeric digits required.

Example:

1

Password Minimum Symbols

Sets the minimum number of symbols required.

Example:

1

Password Minimum Non-Letter

Sets the minimum number of non-letter characters required.

Non-letter characters include:

  • Numbers

  • Symbols

Example:

2

This requirement may overlap with the minimum numeric and minimum symbol settings. Avoid creating conflicting or unnecessarily restrictive combinations.


Password Reuse and Expiration

Password History Length

Sets how many previous passwords the user cannot reuse.

A value of:

0

means password history is not enforced.

Example:

5

The user cannot reuse any of the previous five passwords.


Password Expiration Timeout

Sets the number of days before the password expires and must be changed.

Allowed range:

0–365 days

A value of:

0

means the password does not expire.

Recommendation

Use password expiration only when required by your organization or compliance framework. Frequent forced password changes may lead users to choose weaker or predictable passwords.


Failed Password Attempts and Device Wipe

Maximum Failed Passwords For Wipe

Sets the number of incorrect unlock attempts allowed before the device is wiped.

A value of:

0

means no wipe threshold is enforced.

Example:

10

After the configured number of failed attempts, Android may wipe the device or managed profile depending on the enrollment and password scope.

Warning: This is a high-impact setting. A low value can cause accidental data loss if a user, child, or unauthorized person repeatedly enters the wrong password.

Before enabling this setting:

  • Confirm the device ownership model

  • Confirm whether the wipe affects the whole device or work profile

  • Inform users about the wipe threshold

  • Test the behavior on a non-production device


Strong Authentication Requirements

Require Password Unlock

This setting controls how long a user can continue using biometrics or other non-password authentication after successfully unlocking with a strong credential.

Strong authentication includes:

  • Password

  • PIN

  • Pattern

Other authentication methods may include:

  • Fingerprint

  • Face unlock

  • Trust agents

Value

Behavior

REQUIRE_PASSWORD_UNLOCK_UNSPECIFIED

Uses unspecified or platform-default behavior

USE_DEFAULT_DEVICE_TIMEOUT

Uses the device's default strong-authentication timeout

REQUIRE_EVERY_DAY

Requires a strong password, PIN, or pattern at least once per day

Use REQUIRE_EVERY_DAY when users may use biometrics but must periodically re-enter the device password.


Work Profile Lock Behavior

Unified Lock Settings

This setting controls whether the device and work profile may share the same lock credential.

Value

Behavior

UNIFIED_LOCK_SETTINGS_UNSPECIFIED

Uses unspecified or platform-default behavior

ALLOW_UNIFIED_WORK_AND_PERSONAL_LOCK

Allows one lock credential for both the device and work profile

REQUIRE_SEPARATE_WORK_LOCK

Requires a separate password for the work profile

Recommended Use

Use ALLOW_UNIFIED_WORK_AND_PERSONAL_LOCK when:

  • User convenience is a priority

  • A shared credential meets your security requirements

  • The device is company-owned

Use REQUIRE_SEPARATE_WORK_LOCK when:

  • Work data requires stronger isolation

  • The device is personally owned

  • Your organization requires a separate credential for business data

Requiring a separate work lock may increase user friction, so communicate the requirement before deployment.


Example Configurations

Standard Company-Owned Device

Password Quality: COMPLEXITY_MEDIUM 
Password Scope: SCOPE_DEVICE
Password History Length: 5
Maximum Failed Passwords For Wipe: 10
Require Password Unlock: REQUIRE_EVERY_DAY
Password Expiration Timeout: 0

This provides a balanced baseline for fully managed devices.


High-Security Company-Owned Device

Password Quality: COMPLEX 
Password Scope: SCOPE_DEVICE
Password Minimum Length: 12
Password Minimum Upper Case: 1
Password Minimum Lower Case: 1
Password Minimum Numeric: 1
Password Minimum Symbols: 1
Password History Length: 10
Maximum Failed Passwords For Wipe: 10
Require Password Unlock: REQUIRE_EVERY_DAY

Use this only when your organization requires explicit password composition rules.


BYOD Work Profile

Password Quality: COMPLEXITY_MEDIUM 
Password Scope: SCOPE_PROFILE
Unified Lock Settings: REQUIRE_SEPARATE_WORK_LOCK
Password History Length: 5
Maximum Failed Passwords For Wipe: 10
Require Password Unlock: REQUIRE_EVERY_DAY

This applies the password requirement to the managed work profile instead of the user's entire personal device.


Notes

  • A value of 0 usually means the related restriction is disabled.

  • Character composition settings are enforced only when Password Quality is COMPLEX.

  • Minimum password length is enforced only for supported password-quality values.

  • Password scope affects whether requirements apply to the entire device or only the work profile.

  • Wipe behavior may differ depending on enrollment type and Android management mode.

  • Users may be prompted to change their password after the policy is applied.

  • Conflicting or overly strict settings may prevent users from creating an acceptable password.

  • Test the policy on a small group before organization-wide deployment.


Troubleshooting

The User Is Not Prompted to Change the Password

Check:

  • The device is online and checking in with Swif

  • The policy is assigned to the correct device group

  • The device runs Android 9 or later

  • Password Scope is configured correctly

  • Password Quality is not blank or unspecified

  • The current password already satisfies the policy

The prompt may appear when the user next unlocks the device or opens the managed work profile.


Minimum Character Requirements Are Not Enforced

Check that Password Quality is set to:

COMPLEX

The following settings are ignored for other password-quality values:

  • Password Minimum Letters

  • Password Minimum Lower Case

  • Password Minimum Upper Case

  • Password Minimum Numeric

  • Password Minimum Symbols

  • Password Minimum Non-Letter


Password Minimum Length Is Not Enforced

Confirm that Password Quality is one of:

  • NUMERIC

  • NUMERIC_COMPLEX

  • ALPHABETIC

  • ALPHANUMERIC

  • COMPLEX

Minimum length may not be enforced when using Android complexity levels such as COMPLEXITY_MEDIUM or COMPLEXITY_HIGH.


Biometrics Still Work

This may be expected.

The password policy can allow biometric authentication while periodically requiring the user to enter a strong password, PIN, or pattern.

To require strong authentication each day, set:

Require Password Unlock: REQUIRE_EVERY_DAY

The Work Profile Uses the Personal Device Password

Check Unified Lock Settings.

To require a separate work profile password, set:

REQUIRE_SEPARATE_WORK_LOCK

The Device or Work Profile Was Wiped

Check the configured value for:

Maximum Failed Passwords For Wipe

A wipe may occur after the configured number of failed unlock attempts.

Review the policy before re-enrolling the device, and consider increasing the threshold if it was too restrictive.


The Policy Is Too Restrictive to Satisfy

Review:

  • Password minimum length

  • Minimum uppercase letters

  • Minimum lowercase letters

  • Minimum numbers

  • Minimum symbols

  • Minimum non-letter characters

Make sure the combined requirements are logically possible.

For example, a minimum length of eight cannot support composition requirements totaling more than eight required characters.


Security and Compliance Impact

The Android Password Policy helps organizations:

  • Prevent weak device credentials

  • Reduce unauthorized access to work data

  • Require periodic strong authentication

  • Protect managed profiles on personally owned devices

  • Limit repeated password-guessing attempts

  • Prevent immediate password reuse

  • Support consistent password controls across managed Android devices

These controls can help support endpoint-access requirements associated with frameworks such as SOC 2, ISO 27001, HIPAA, NIST, NIS2, and CMMC.


Summary

Use the Android Password Policy to define password strength, composition, scope, history, expiration, strong-authentication, and failed-attempt requirements on Android 9+ devices.

For most environments:

  1. Use COMPLEXITY_MEDIUM as a practical baseline.

  2. Apply SCOPE_DEVICE to company-owned devices.

  3. Apply SCOPE_PROFILE to BYOD work profiles.

  4. Require strong authentication at least once per day.

  5. Use a cautious wipe threshold, such as 10 failed attempts.

  6. Test the policy before broad deployment.

Did this answer your question?