Remote password and session locking

A remote password and session locking policy can be configured for Windows and macOS devices. This policy enables you to configure rules for security features that help protect endpoint device user accounts from unauthorized access.

In this policy, you can configure:

  • Password : Set rules and requirements for user passwords within the device operating system. These rules aim to enhance security by ensuring that passwords meet minimum strictness standards:
    • strength/complexity
    • a limited lifespan
    • not reusable within a defined number of resets
  • Screen lock-out : Automatically lock the user's device after a specified number of failed password attempts during login (or screen unlock). This can help prevent unauthorized access from a brute force attack on a user's account. Admin users can configure the policy to allow a maximum number of attempts and the duration of the lock-out period.

Configuring password and session locking policies

To configure a new password and session locking policy:

  1. From the Device Posture tab, select + ADD .

    Add new device posture policy

  2. Select the device operating system to which the new policy will be added ( Add to macOS or Add to Windows ).

    The Add new device policy dialog is displayed.

  3. Select Remote Password & Session Locking from the Select policy type dropdown.

    Password and session locking policy attributes

  4. Configure the following Password attributes:
    • Minimum length : The minimum password length (maximum value 14.)
    • Minimum age (days) : Specifies the minimum number of days a user must keep their password before they are allowed to change it (maximum value 365.)
    • Maximum age (days) : Specifies the maximum number of days a user must keep their password before they are allowed to change it (maximum value 365.)
    • Enforce password history : Specifies the number of unique passwords a user must use before they can reuse a previous password (maximum value 8.)
    • Password must meet complexity : When enabled, the following password complexity requirements are enforced:

      The password must contain characters from three of the following categories:

      • Uppercase letters (A-Z)
      • Lowercase letters (a-z)
      • Numbers (0-9)
      • Symbols or special characters (!, @, #, $, %, etc.)
  5. Configure the following Screen lockout attributes:
    • Lockout duration : How long a user's screen remains locked after the lockout is activated (maximum value 3 hours.)
    • Lockout threshold (attempts) : The number of consecutive failed login attempts that triggers a screen lockout. (maximum value 10.)

    Password and session locking policy Screen lockout attributes

    note

    You must set both parameters to configure a screen lock.

  6. Enter label names (predefined or custom) to the Labels field listed under Apply policy to devices with these labels to apply the new policy to specific groups of devices.

    Apply the device posture policy to groups of devices

  7. Select SAVE to save your new policy with the configured settings.

    The policy is created.

To view the policy, select the dropdown arrow indicator next to Remote Password & Session Locking on the Device Posture tab. See Device posture.

The following policy details are displayed:

  • Device labels applicable to the policy.

    View assword and session locking policy policy

Policy enforcement

A Screen lockout policy is applied immediately.

A new Password policy is applied when:

  • The user logs off the device.
  • The device restarts.
  • The device enters screen lock.
note

All policy enforcement information is presented through your operating system's user interface.