Device Compliance Rules

Overview

Swif.ai enforces a set of device compliance rules to help your organization maintain a strong security posture across all managed devices. These rules define baseline security requirements — such as software updates, disk encryption, screen lock, and password policies — that every enrolled device must meet.

Compliance rules are evaluated continuously and in real time. When a device falls out of compliance, Swif flags the issue and provides actionable remediation hints so administrators and end users can resolve problems quickly.

This article explains each compliance rule category, what is checked on each operating system, and how to customize these settings for your organization.


Compliance Rule Categories

Every managed device is evaluated against four core compliance categories:

| Category | What It Checks | Why It Matters |
| --- | --- | --- |
| Software Update Policy | Whether automatic OS and app updates are enabled | Ensures critical security patches are applied promptly |
| Disk Encryption | Whether full-disk encryption (FileVault, BitLocker, etc.) is active | Protects data at rest if a device is lost or stolen |
| Screen Lock | Whether a screen saver/lock activates after a period of inactivity | Prevents unauthorized access to unattended devices |
| Password Policy | Whether password requirements meet minimum complexity and length standards | Reduces the risk of weak or easily guessed credentials |


Rules by Operating System

macOS

Software Update Policy
The following settings must all be enabled:

  • Automatically install App Store app updates (automaticallyInstallAppUpdates: true)

  • Automatically install macOS updates (automaticallyInstallMacOSUpdates: true)

  • Install security updates automatically (criticalUpdateInstall: true)

Disk Encryption (FileVault)

  • Encryption Enable must be true

  • A device is compliant if either the FileVault policy has encryption enabled or the device reports its encryption status as "encrypted."

Note: encryptionStatus participates in the overall device compliance calculation, but not in the individual policy compliance check.

Screen Lock (Screen Saver Policy)

  • Require password to unlock screen (askForPassword: true)

  • Idle time — must be ≤ 900 seconds (15 minutes)

Password Policy

  • Require passcode on device (forcePIN: true)

  • Minimum passcode length: ≥ 8


Windows

Software Update Policy

  • Allow Auto Update must not be set to 5 (disabled). Recommended: "Auto install and restart."

Disk Encryption (BitLocker)

  • BitLocker Auto Policy must be assigned, covering the system drive (C: or internal).

  • Compliant if BitLocker covers required drives or the device reports encryption status as "encrypted."

Screen Lock (Power Policy)

  • Screen Saver Logon Screen (screenSaverIsSecure: true)

  • Screen Saver Wait Time: ≤ 900 seconds

Password Policy

  • Force a user to have a password (forcePassword: true)

  • Minimum Password Length: ≥ 8


Linux

Software Update Policy

  • Automatic Update (automaticUpdateEnabled: true)

Disk Encryption

  • Compliance is determined directly from the device-reported encryptionStatus (must be "encrypted"). There is no separate encryption policy toggle for Linux.

Screen Lock (Screen Saver Policy)
All four conditions must be met:

  • Idle Activation (idleActivationEnabled: true)

  • Idle Delay: ≤ 900 seconds

  • Screen Lock (lockEnabled: true)

  • Lock Delay: ≤ 900 seconds

Password Policy
Linux enforces the most comprehensive password requirements:

| Requirement | Setting | Minimum Value |
| --- | --- | --- |
| Minimum Password Length | minimumLength | 8 |
| Minimum Digits | minDigits | 1 |
| Minimum Uppercase Letters | minUpperCase | 1 |
| Minimum Lowercase Letters | minLowerCase | 1 |
| Minimum Special Characters | minOtherChars | 1 |
| Maximum Password Age | maximumDays | 180 days |


Android

Software Update Policy

  • System Update type: AUTOMATIC or WINDOWED

  • App Auto-Update Policy: ALWAYS or WIFI_ONLY

Disk Encryption (Security Policy)

  • Compliant if encryptionStatus is ENABLED_WITH_PASSWORD or the device reports "encrypted."

Screen Lock

  • Maximum time to lock: ≤ 900,000 milliseconds (15 minutes)

Password Policy

  • Minimum password length: ≥ 8


iOS / iPadOS

Software Update Policy
Shares the same update checks as macOS:

  • automaticallyInstallAppUpdates: true

  • automaticallyInstallMacOSUpdates: true

  • criticalUpdateInstall: true

Password Policy

  • Require passcode on device (forcePIN: true)

  • Minimum passcode length: ≥ 6

Note: iOS/iPadOS requires a minimum passcode length of 6 (compared to 8 on macOS and Windows).


Default Compliance Settings Summary

| Rule | macOS | Windows | Linux | Android | iOS/iPadOS |
| --- | --- | --- | --- | --- | --- |
| Auto Updates | Enabled | Auto install & restart | Enabled | Automatic or Windowed | Enabled |
| Disk Encryption | FileVault on | BitLocker on (C: drive) | Device-reported | Password-based encryption | N/A |
| Screen Lock Timeout | ≤ 900 sec | ≤ 900 sec | ≤ 900 sec | ≤ 900,000 ms | N/A |
| Min Password Length | 8 | 8 | 8 | 8 | 6 |
| Password Required | Yes | Yes | Yes | Yes | Yes |


How Compliance Is Calculated

Swif evaluates compliance at two levels:

  1. Policy compliance — Does the assigned policy configuration meet the required thresholds?

  2. Device compliance — Does the device itself meet the required state? For encryption, Swif checks both the policy setting and the device-reported encryption status.

A device is marked compliant only when all applicable policies pass their checks.

Important: For encryption rules, the device-reported encryptionStatus participates in the device-level compliance calculation, but does not affect the individual policy compliance check. This means a device can be compliant overall (because it is encrypted) even if the encryption policy is not explicitly assigned — but the policy itself will not show as "compliant."
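
The two-level calculation described above, sketched for the macOS rules as an added example (not Swif's code or API). The dictionary layout and the key names encryptionEnable, idleTimeSeconds and minLength are assumptions; the other keys and the thresholds come from this article.

```python
# Added example: hypothetical data layout, not Swif's API or schema.
# Assumed key names: encryptionEnable, idleTimeSeconds, minLength.
MAX_IDLE_SECONDS = 900        # screen lock threshold from this article
MIN_PASSCODE_LENGTH = 8       # macOS minimum from this article
UPDATE_KEYS = ("automaticallyInstallAppUpdates",
               "automaticallyInstallMacOSUpdates",
               "criticalUpdateInstall")

def policy_compliance(policies):
    """Per-policy result; a policy that is not assigned (missing) fails."""
    upd = policies.get("softwareUpdate") or {}
    fv = policies.get("fileVault") or {}
    ss = policies.get("screenSaver") or {}
    pw = policies.get("password") or {}
    return {
        "softwareUpdate": all(upd.get(k) is True for k in UPDATE_KEYS),
        "diskEncryption": fv.get("encryptionEnable") is True,
        "screenLock": (ss.get("askForPassword") is True
                       and ss.get("idleTimeSeconds", float("inf")) <= MAX_IDLE_SECONDS),
        "password": (pw.get("forcePIN") is True
                     and pw.get("minLength", 0) >= MIN_PASSCODE_LENGTH),
    }

def device_compliance(policies, encryption_status):
    """Device-level result: encryption passes on the policy OR the reported status."""
    per_policy = policy_compliance(policies)
    checks = dict(per_policy)
    checks["diskEncryption"] = (per_policy["diskEncryption"]
                                or encryption_status == "encrypted")
    failed = sorted(name for name, ok in checks.items() if not ok)
    return {"compliant": not failed, "failed": failed, "policies": per_policy}

# Constructed sample: every policy assigned except FileVault.
SAMPLE_POLICIES = {
    "softwareUpdate": {k: True for k in UPDATE_KEYS},
    "screenSaver": {"askForPassword": True, "idleTimeSeconds": 600},
    "password": {"forcePIN": True, "minLength": 10},
}

if __name__ == "__main__":
    result = device_compliance(SAMPLE_POLICIES, "encrypted")
    print(result["compliant"], result["policies"]["diskEncryption"])
```

With the sample input the device is compliant overall while the disk encryption policy itself still reports as not compliant, which is the case the note above describes.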


Customizing Compliance Rules

You can tailor compliance rules to match your organization's specific security requirements:

  1. In the Swif console, go to Settings → Compliance.

  2. Under General Compliance Requirements, adjust individual controls — including thresholds like idle time, password length, and update behavior.

  3. Use Reset Default Settings to revert to Swif's recommended defaults at any time.

  4. Configure Qualified Applications to allow or deny specific apps.

  5. Use the Blocklist Devices section to exclude specific devices from compliance checks.

For a detailed walkthrough, see How to Customize General Compliance Requirements.


Compliance Center

The Compliance Center is your centralized dashboard for monitoring and managing device compliance across frameworks like SOC 2, ISO 27001, NIST, HIPAA, NIS2, and CIS Benchmarks.

Key capabilities:

  • Frameworks Snapshot — See completion percentages and risk status across all supported frameworks at a glance.

  • Compliance Controls — View and manage device-level controls organized by category (Access & Authentication, Data Protection, Endpoint Security, and more).

  • Continuous Monitoring — Swif evaluates device state and flags compliance drift in real time.

  • Automated Remediation — Apply recommended policy fixes with a single click.

  • Audit Readiness — Real-time reporting and integrations with Vanta, Drata, and Secureframe.

For more details, see Compliance Center Overview.


Frequently Asked Questions

What happens when a device is non-compliant?
Swif flags the device and provides specific remediation hints — for example, "Enable Automatically install macOS Updates" or "Increase the Minimum Password Length to 8 or greater." Administrators can also configure automated enforcement.

Can I set different rules for different device groups?
Yes. Compliance controls can be applied at the organization level or scoped to specific device groups from the Compliance Center.

Are compliance checks continuous?
Yes. Swif continuously monitors device state and updates compliance status in real time — no manual audits or periodic scans needed.

What frameworks are supported?
Swif maps compliance controls to SOC 2, ISO 27001, NIST, HIPAA, NIS2, and CIS Benchmarks (Level 1 and Level 2).

