Support Tip: iOS 14 fails compliance check when passcode expires

This post has been republished via RSS; it originally appeared at: New blog articles in Microsoft Tech Community.

We recently received a customer support case about compliance check behavior in iOS 14. The customer had a compliance policy with a value set for “Password expiration (days)”. Prior to iOS 14, devices would prompt the end user to change the device passcode; provided the user changed it, the policy condition was met and there was no break in resource access. In iOS 14 and higher, devices do not prompt the user to change the passcode but still correctly report the expiration to Intune. Per the policy setting, the device then becomes non-compliant, and users are ultimately blocked from resources protected by conditional access policies that require a compliant device.

Apple has acknowledged this change in behavior and plans to address it in an upcoming release. We’ll update this post when new information is available.

Currently, there are two mitigation approaches:

  1. Advise users to manually change the device passcode via Settings in iOS:
    1. Open the Settings application.
    2. Scroll down to “Touch ID & Passcode” or “Face ID & Passcode” and select it.
    3. Complete the passcode prompt with the current passcode.
    4. Scroll down and select Change Passcode, then complete the prompt.
    5. Once the passcode is changed, the user can open Company Portal, select the device, then select Check Status to have the compliance state updated.
  2. Use Remove passcode to trigger the user to set a new passcode:
    1. Sign in to the Microsoft Endpoint Manager admin center.
    2. Select Devices > iOS/iPadOS, then search for and select the impacted user's device.
    3. Select Remove passcode, read the prompt, and agree to remove the passcode by selecting “Yes”.
    4. The passcode will be removed from the device, and the user will be prompted to set a new passcode per the requirements of your defined compliance policy.
    5. Once the passcode is set, the user can open Company Portal, select the device, then select Check Status to have the compliance state updated.
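
The following PowerShell is an added example, not part of the original post. It uses the Microsoft Graph PowerShell SDK to list iOS/iPadOS 14+ devices that Intune reports as non-compliant, and to run the passcode removal from approach 2 against one confirmed device. The function names are hypothetical, and the mapping of the admin center's Remove passcode action to the Graph `resetPasscode` action is an assumption to verify in a test tenant.

```powershell
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.DeviceManagement

function Get-ImpactedIosDevice {
    # Hypothetical helper: lists iOS/iPadOS devices at or above the given major
    # version that Intune currently reports as non-compliant.
    # Assumption: non-compliance can have other causes, so confirm on each
    # device that the failing setting is the passcode expiration.
    [CmdletBinding()]
    param([int]$MinimumMajorVersion = 14)

    Get-MgDeviceManagementManagedDevice -All |
        Where-Object {
            # OSVersion looks like "14.2"; an empty value parses as 0.
            $major = [int](("$($_.OSVersion)" -split '\.')[0])
            ($_.OperatingSystem -in 'iOS', 'iPadOS') -and
            ("$($_.ComplianceState)" -eq 'noncompliant') -and
            ($major -ge $MinimumMajorVersion)
        } |
        Select-Object Id, DeviceName, UserPrincipalName, OSVersion,
                      ComplianceState, LastSyncDateTime
}

function Invoke-RemovePasscode {
    # Hypothetical helper for approach 2 on a single device.
    # Assumption: "Remove passcode" in the admin center corresponds to the
    # Graph managedDevice resetPasscode action.
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param([Parameter(Mandatory)][string]$ManagedDeviceId)

    $uri = "https://graph.microsoft.com/v1.0/deviceManagement/managedDevices/$ManagedDeviceId/resetPasscode"
    if ($PSCmdlet.ShouldProcess($ManagedDeviceId, 'Remove passcode')) {
        Invoke-MgGraphRequest -Method POST -Uri $uri
    }
}

# Read scope for the report; the privileged scope is only needed for the action.
Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.Read.All',
                        'DeviceManagementManagedDevices.PrivilegedOperations.All'

Get-ImpactedIosDevice | Sort-Object UserPrincipalName | Format-Table -AutoSize

# After confirming the device with its user (placeholder id, prompts first):
# Invoke-RemovePasscode -ManagedDeviceId '<managed-device-id>'
```

Because the device has no passcode between the removal and the user setting a new one, run the action per device while the user has the device in hand rather than in bulk.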

 

Let us know if you have any additional questions on this by replying to this post or by tagging @IntuneSuppTeam out on Twitter.
