"Require passcode" (maxGracePeriod) policy should be enforced or just be set to 0 by default
iOS password grace period should be set to 0 by default. Currently, setting an auto-lock policy for iOS devices doesn't work properly as the device is locked after the set period of time but it can be postponed by the user for up to 4 hours:
On the device, go to Settings -> Passcode -> Require Passcode -> you can change this setting to up to 4 hours which shouldn’t be possible. The policy only changes settings in Settings -> General -> Auto-lock to the set amount of minutes determined by the MDM policy.
This behaviour is set by the "Maxpasswordgraceperiod" in the MDM policy (which isn't set to any value by default - it should be set to 0). However, it is impossible to change. According to Technet documentation here https://technet.microsoft.com/en-us/library/ms.o365.cc.devicepolicysupporteddevice.aspx, there is a PowerShell cmd Get-DevicePolicy, however, Set-DevicePolicy is missing....
This is a huge compliance issue for us. The devices are reported as compliant but in fact they can stay unlocked for up to 4 hours no matter what device lock requirements we set in Office 365 MDM policies.
I’m moving this to the ideas forum and changing the title to be the first line of the reply to Kieran, since it’s a request for different behavior than we currently have.
Cathy Moya: Whatever. If you think it's OK for a policy called "Max minutes of inactivity" to be completely ineffective on iOS devices and allow them to stay unlocked for 4 hours because of this, then yes you can call it "request for different behavior". I'd call it a big bug myself. If I set 5 minutes, I then expect 5 minutes, not 4 hours.
Kieran Gupta: Exactly, the "Require passcode" (maxGracePeriod) policy should be enforced as well or just be set to 0 by default.
Now, Office 365 MDM managed iOS devices can stay unlocked for up to 4 hours no matter what you set in "Minutes of inactivity before device is locked" - I would expect better from an enterprise solution.
Kieran Gupta, Microsoft Intune commented
Hi there - thanks for reporting this issue. I've looked into this, and it appears the setting you mention "Minutes of inactivity before device is locked" corresponds to the following iOS MDM setting:
maxInactivity | Optional. Default Infinity. Specifies the number of minutes for which the device can be idle (without being unlocked by the user) before it gets locked by the system. Once this limit is reached, the device is locked and the passcode must be entered.
This setting does *not* impact the device "Require passcode" (maxGracePeriod) policy (that's a different setting which is currently not available in O365 MDM). Since the maxGracePeriod is not being set/enforced by O365 MDM, the user is allowed to change it. The setting may be influenced by other device management factors on the device (ex: EAS policies for email, enabling TouchID).
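As an added illustration (not code from this thread, nor from Microsoft or Apple), here is a small Python audit that parses an iOS configuration profile and flags exactly the gap discussed above: a passcode payload that sets maxInactivity but leaves maxGracePeriod unset or greater than 0. The payload type string is Apple's documented passcode-policy type; the sample profiles, identifiers and UUIDs are constructed placeholders.

```python
import plistlib

# Apple's passcode-policy payload type. The two keys the thread discusses live
# in this payload: maxInactivity (minutes of idle time before the screen locks)
# and maxGracePeriod (minutes the user may postpone the passcode prompt after
# the lock; 0 means a passcode is required immediately).
PASSCODE_PAYLOAD_TYPE = "com.apple.mobiledevice.passwordpolicy"


def build_profile(max_inactivity, max_grace_period=None):
    """Build a minimal, constructed configuration profile as plist bytes.
    max_grace_period=None leaves the key out, which is the situation the
    thread describes (the MDM never sets it, so the user can change it)."""
    passcode = {
        "PayloadType": PASSCODE_PAYLOAD_TYPE,
        "PayloadIdentifier": "example.passcode",  # placeholder identifier
        "PayloadUUID": "00000000-0000-0000-0000-000000000001",  # placeholder
        "PayloadVersion": 1,
        "maxInactivity": max_inactivity,
    }
    if max_grace_period is not None:
        passcode["maxGracePeriod"] = max_grace_period
    profile = {
        "PayloadType": "Configuration",
        "PayloadIdentifier": "example.profile",  # placeholder identifier
        "PayloadUUID": "00000000-0000-0000-0000-000000000002",  # placeholder
        "PayloadVersion": 1,
        "PayloadContent": [passcode],
    }
    return plistlib.dumps(profile)


def audit_passcode_payload(payload):
    """Return a list of findings (empty list means no issue) for one payload."""
    findings = []
    if payload.get("maxInactivity") is None:
        findings.append(
            "maxInactivity unset: device never auto-locks (Apple default is Infinity)")
    grace = payload.get("maxGracePeriod")
    if grace is None:
        findings.append(
            "maxGracePeriod unset: not enforced by MDM, so the user can raise "
            "Require Passcode on the device (up to 4 hours, as reported above)")
    elif grace > 0:
        findings.append(
            f"maxGracePeriod={grace}: no passcode needed for {grace} minutes after lock")
    return findings


def audit_profile(profile_bytes):
    """Parse a .mobileconfig plist and audit every passcode payload in it.
    Returns {PayloadIdentifier: [findings]}; a profile without any passcode
    payload is reported under the key 'missing'."""
    profile = plistlib.loads(profile_bytes)
    results = {}
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") == PASSCODE_PAYLOAD_TYPE:
            ident = payload.get("PayloadIdentifier", "unknown")
            results[ident] = audit_passcode_payload(payload)
    if not results:
        results["missing"] = [
            "no passcode payload: neither auto-lock nor grace period is enforced"]
    return results


def is_lock_effective(profile_bytes):
    """True only when the profile locks after inactivity AND forbids postponing
    the passcode prompt (maxGracePeriod == 0), i.e. the lock means what the
    admin set."""
    return all(not findings for findings in audit_profile(profile_bytes).values())


# Constructed samples: the policy as the thread describes it (5 minutes of
# inactivity, grace period left unset) versus the hardened form requested.
AS_DEPLOYED = build_profile(max_inactivity=5)
HARDENED = build_profile(max_inactivity=5, max_grace_period=0)

if __name__ == "__main__":
    for name, data in (("as deployed", AS_DEPLOYED), ("hardened", HARDENED)):
        print(name, audit_profile(data), "effective:", is_lock_effective(data))
```

Running the script shows the "as deployed" profile failing the check solely because maxGracePeriod is absent, which is why a device can report as compliant on the maxInactivity setting while still staying unlocked for hours.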