🚀 Executive Summary

TL;DR: Implementing MDM password policies for small businesses requires balancing robust security with user productivity. The recommended approach prioritizes password length and mandatory Multi-Factor Authentication (MFA) over complex character requirements and frequent rotation to reduce risk effectively without causing user friction.

🎯 Key Takeaways

  • Password length (12-14 characters) is the single most effective defense against brute-force attacks, surpassing the security benefit of forced complexity.
  • Mandatory Multi-Factor Authentication (MFA) is the most critical security control, making a compromised password useless without the second factor and doing more for security than all other password rules combined.
  • Forced password rotation (e.g., every 90 days) is a relic that often leads to weaker, iterative passwords and increased helpdesk tickets; it should be replaced by strong length and MFA enforcement.

What password policies do you set in your mdm for your small business?

Navigating Mobile Device Management (MDM) password policies for small businesses is a balancing act between robust security and user sanity. This guide offers practical, tiered approaches to setting policies that actually work, from a bare-minimum baseline to a compliance-ready setup.

So, You’re Setting an MDM Password Policy. Don’t Be ‘That’ Admin.

I still remember the pager alert at 2 AM. It wasn’t a server down, it was our lead accountant, locked out of her work phone during a critical end-of-quarter close in a different time zone. Why? The brand-new, iron-clad MDM password policy we just rolled out decided she was due for a change. She couldn’t remember the last 10 passwords she’d used, couldn’t reuse them, and the new one needed a capital letter, a number, a special character from a specific subset, and couldn’t contain any dictionary words. The result? She was dead in the water, and I spent the next hour walking her through a recovery process that felt more like defusing a bomb. We secured the device, sure, but we completely killed productivity. That’s the tightrope we walk.

The Real Problem: Security Theater vs. Actual Security

I was browsing Reddit the other day and saw a thread asking, “What password policies do you set in your mdm for your small business?”. The answers were all over the place, and it highlights a fundamental misunderstanding. The goal isn’t to create a password so complex that even a supercomputer would shrug. The goal is to create a policy that reduces risk without inspiring your users to write their password on a sticky note and slap it on their monitor. We’re fighting against human nature. A policy that’s too annoying will be circumvented. A policy that’s too weak is a welcome mat for attackers. The key is finding the pragmatic middle ground.

So, let’s break this down into three tiers. No jargon, just what I’d tell a junior engineer on my team.

Tier 1: The “Bare Minimum” Baseline

This is for the company that currently has zero policy. It’s not perfect, but it’s a massive leap forward from letting users set their passcode to “1234”. This is about stopping the most opportunistic, low-effort attacks.

  • Minimum Length: 8 characters. A short numeric PIN is guessable in minutes by anyone who gets unlimited tries, so 8 is the floor.
  • Require Alphanumeric: At least one letter and one number. Going from 10 digits to 36 or more possible characters per position multiplies the keyspace many times over at the same length.
  • Screen Lock Timer: 5 minutes max. An unlocked phone on a table at a coffee shop is a lost phone.
  • Wipe After Failed Attempts: 10 failed attempts and the device auto-wipes. This caps guessing on the device itself if it is stolen; together with the platform's escalating delays between attempts, it is what makes an 8-character passcode tolerable at all. It does nothing against offline attacks on data that has already left the device, which is where length and MFA take over.

Darian’s Take: Look, I’m not thrilled with this tier, but I get it. If you’re a 10-person shop just starting with an MDM, this is your starting line. It’s easy to communicate and won’t cause a user rebellion. Just promise me you won’t stay here for long.

Tier 2: The “Sensible Standard” (My Recommendation)

This is where I believe most small to medium-sized businesses should live. It balances modern security principles with user experience. The core philosophy here is that passphrase length and Multi-Factor Authentication (MFA) are more important than forced complexity and rotation.

Here’s how I’d configure this in a tool like Microsoft Intune or Jamf Pro.

  • Minimum Length: 12-14 characters. Length is the single most effective defense against brute-force attacks. A four-word passphrase like correct-horse-battery-staple is vastly superior to P@ssw0rd1!, which satisfies every complexity rule and still sits near the top of any cracking wordlist.
  • Complexity: Not enforced, or basic (alphanumeric). Forcing symbols and mixed case encourages predictable patterns (swapping 'a' for '@', a capital first letter, a trailing '1!'). Focus on length instead.
  • Password History: 5 passwords. Prevents users from immediately toggling back to their old favorite password.
  • Max Password Age: 365 days or disabled. This is my "opinionated" part. Forced rotation is a relic; it leads to weak, iterative passwords (Summer2024! becomes Autumn2024!). Change passwords on evidence of compromise, not on a calendar, and rely on the next point.
  • MFA Enforcement: MANDATORY. This is the real fix. A compromised password is useless without the second factor, and this single control does more for your security than all other password rules combined. Note that MFA is not a passcode-payload setting: you enforce it in your identity provider (for Microsoft 365, a Conditional Access policy that requires MFA and a compliant device), and the MDM's compliance status feeds that decision.
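The length-versus-complexity argument above is easier to trust with numbers attached. The following is an added example, not code from the original post: it computes the keyspace each tier's rule actually forces an attacker to search, contrasts an offline guessing rate with the rate a device-bound passcode derivation allows, and shows that P@ssw0rd1! passes a strict complexity rule while a toy de-mangler still recognises it as a dictionary word. The word list, leet map and guess rates are constructed for illustration.

```python
"""Why the Sensible Standard trades forced complexity for length.

Added example, not code from the original post. It puts numbers on two of
the table's claims: the keyspace each policy forces an attacker to search,
and how a complexity rule is satisfied by a mangled dictionary word that any
cracking wordlist tries early. Word list, leet map and rates are constructed.
"""
import math
import re
import string

# Constructed stand-in for the multi-million-entry wordlists cracking tools ship with.
COMMON_WORDS = {"password", "welcome", "summer", "autumn", "company", "letmein", "qwerty"}

# Constructed: the substitutions users reach for when a policy demands symbols/digits.
LEET_MAP = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                          "0": "o", "$": "s", "5": "s", "7": "t"})

CHARSETS = {
    "digits": string.digits,                                            # 10
    "lower": string.ascii_lowercase,                                    # 26
    "alnum": string.ascii_letters + string.digits,                      # 62
    "full": string.ascii_letters + string.digits + string.punctuation,  # 94
}

# Constructed offline rate: order of a GPU rig against a fast, unsalted hash.
OFFLINE_RATE = 1e10
# On-device rate: Apple calibrates passcode derivation in the Secure Enclave to
# roughly 80 ms per attempt, i.e. about 12.5 guesses per second, before any
# escalating delays or the wipe-after-N-attempts rule.
ON_DEVICE_RATE = 12.5


def keyspace_bits(length: int, charset: str) -> float:
    """Bits of keyspace for a random password: length * log2(alphabet size)."""
    return length * math.log2(len(CHARSETS[charset]))


def passphrase_bits(words: int, dictionary_size: int = 7776) -> float:
    """Bits for words drawn at random from a dictionary (7776 is the Diceware
    list size). The attacker knows the list, so only the word choice counts,
    not the 28 characters the passphrase happens to contain."""
    return words * math.log2(dictionary_size)


def meets_complexity(pw: str) -> bool:
    """The Tier 3 style rule: upper, lower, digit and symbol must all appear."""
    return (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in string.punctuation for c in pw))


def looks_like_mangled_word(pw: str) -> bool:
    """Drop the appended '1!' tail, undo leet substitutions, check the dictionary.
    A toy version of the mangling rules real cracking tools apply."""
    core = re.sub(r"[^A-Za-z]+$", "", pw)       # P@ssw0rd1! -> P@ssw0rd
    core = core.translate(LEET_MAP).lower()     # P@ssw0rd   -> password
    return core in COMMON_WORDS


def years_to_exhaust(bits: float, guesses_per_second: float = OFFLINE_RATE) -> float:
    """Worst-case years to search the whole keyspace at the given rate."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


def compare_policies() -> dict:
    """Bits of keyspace for the policies discussed in the three tiers."""
    return {
        "tier1_8_alnum": keyspace_bits(8, "alnum"),
        "tier3_8_full_complexity": keyspace_bits(8, "full"),
        "tier2_12_alnum": keyspace_bits(12, "alnum"),
        "tier2_14_lower_only": keyspace_bits(14, "lower"),
        "four_word_passphrase": passphrase_bits(4),
    }


if __name__ == "__main__":
    for name, bits in compare_policies().items():
        print(f"{name:26s} {bits:5.1f} bits  offline ~{years_to_exhaust(bits):.3g} y"
              f"  on-device ~{years_to_exhaust(bits, ON_DEVICE_RATE):.3g} y")
    for pw in ("P@ssw0rd1!", "correct-horse-battery-staple"):
        print(f"{pw}: complexity rule={meets_complexity(pw)}, "
              f"mangled dictionary word={looks_like_mangled_word(pw)}")
```

Two things fall out of the numbers. Twelve alphanumeric characters (about 71 bits) beat eight characters drawn from the full symbol set (about 52 bits) by a wide margin, so the length rule buys more than the complexity rule does. And the on-device column shows why the passcode regime differs from the web-password regime: with derivation pinned to hardware at a dozen guesses per second, even a 6-digit PIN takes most of a day to exhaust and the 10-attempt wipe ends the exercise long before that, whereas the same password reused against a fast hash offline is gone in hours.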

Here’s a pseudo-JSON config (not any vendor’s actual schema) for what this might look like in an MDM profile. Two things to read carefully. The auto-lock timer is the inactivity timeout; it is not a grace period, which is the window after locking in which the phone reopens without a passcode and which you want at zero. And the mfa block is conceptual: Intune and Jamf Pro do not enforce MFA inside the passcode payload. You enforce it at the identity provider and use the device’s compliance state as a condition there.

{
  "policyName": "SMB-Sensible-Standard-iOS",
  "platform": "iOS",
  "settings": {
    "passcode": {
      "required": true,
      "minLength": 12,
      "allowSimple": false,
      "alphanumeric": true,
      "history": 5,
      "maxAgeDays": 365,
      "autoLockMinutes": 5,
      "gracePeriodMinutes": 0,
      "maxFailedAttempts": 10
    },
    "mfa": {
      "enforceOnLogin": true,
      "provider": "MicrosoftAuthenticator"
    }
  }
}
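The pseudo-JSON above maps onto a real Apple configuration profile almost key for key. The following is an added example, not code from the original post or from any MDM vendor: it emits the Sensible Standard as a .mobileconfig using Apple's passcode payload type (com.apple.mobiledevice.passwordpolicy) and its documented keys, then lints any profile against the tier's requirements so you can catch a 90-day rotation or an 8-character minimum before it reaches a device. The payload identifiers, display names and the WEAK_ROTATING policy are constructed for illustration; MFA is deliberately absent because it is not a passcode setting.

```python
"""Emit the Sensible Standard as a real iOS passcode profile and lint it.

Added example, not code from the original post. It uses Apple's passcode
payload type and its documented keys; identifiers, display names and the
WEAK_ROTATING policy are constructed. MFA is absent on purpose: it is not a
passcode-payload setting and is enforced at the identity provider.
"""
import plistlib
import uuid
from typing import Optional

PASSCODE_TYPE = "com.apple.mobiledevice.passwordpolicy"

# Tier 2: length and history do the work; no symbol quota, no forced rotation.
TIER2 = {
    "forcePIN": True,
    "allowSimple": False,        # rejects 1234, 1111 and other repeating/sequential codes
    "requireAlphanumeric": True,
    "minLength": 12,
    "minComplexChars": 0,        # no "must contain N symbols" rule
    "pinHistory": 5,
    "maxPINAgeInDays": 365,      # yearly at most; omit the key entirely to disable expiry
    "maxInactivity": 5,          # minutes idle before auto-lock
    "maxGracePeriod": 0,         # passcode required immediately after lock
    "maxFailedAttempts": 10,     # wipe after the 10th bad guess
}

# Constructed "legacy" policy of the kind the post argues against.
WEAK_ROTATING = {
    "forcePIN": True,
    "allowSimple": True,
    "requireAlphanumeric": False,
    "minLength": 8,
    "maxPINAgeInDays": 90,
    "maxInactivity": 15,
}


def build_profile(passcode: dict, org: str = "com.example") -> bytes:
    """Wrap a passcode dict in a top-level configuration profile (.mobileconfig XML)."""
    payload = {
        "PayloadType": PASSCODE_TYPE,
        "PayloadIdentifier": f"{org}.passcode",              # constructed identifier
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": "Passcode policy",
        **passcode,
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadIdentifier": f"{org}.smb-sensible-standard",  # constructed identifier
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": "SMB Sensible Standard (iOS)",
        "PayloadContent": [payload],
    }
    return plistlib.dumps(profile)


def passcode_payload(mobileconfig: bytes) -> Optional[dict]:
    """Return the passcode payload from a serialised profile, or None if absent."""
    profile = plistlib.loads(mobileconfig)
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") == PASSCODE_TYPE:
            return payload
    return None


def lint_profile(mobileconfig: bytes) -> list:
    """List the ways a profile falls short of the Sensible Standard (empty list = passes).
    Missing keys are read with Apple's defaults: allowSimple defaults to true and
    an absent maxPINAgeInDays means no expiry."""
    p = passcode_payload(mobileconfig)
    if p is None:
        return ["no passcode payload present"]
    findings = []
    if not p.get("forcePIN", False):
        findings.append("passcode not required")
    if p.get("allowSimple", True):
        findings.append("simple (repeating/sequential) passcodes allowed")
    if p.get("minLength", 0) < 12:
        findings.append(f"minLength {p.get('minLength', 0)} < 12")
    if p.get("minComplexChars", 0) > 1:
        findings.append("symbol quota enforced; prefer length over complexity")
    if p.get("pinHistory", 0) < 5:
        findings.append("pinHistory < 5")
    age = p.get("maxPINAgeInDays", 0)
    if 0 < age < 365:
        findings.append(f"forced rotation every {age} days")
    if p.get("maxInactivity", 9999) > 5:
        findings.append("auto-lock later than 5 minutes")
    if not 0 < p.get("maxFailedAttempts", 0) <= 10:
        findings.append("wipe-after-failed-attempts missing or above 10")
    return findings


if __name__ == "__main__":
    print(build_profile(TIER2).decode())
    for name, policy in (("TIER2", TIER2), ("WEAK_ROTATING", WEAK_ROTATING)):
        print(name, lint_profile(build_profile(policy)) or "passes")
```

Run it and you get a signed-ready profile you can upload to Jamf Pro or any MDM that accepts custom .mobileconfig files, plus a lint report; pointing lint_profile at a profile exported from your current MDM is a quick way to find out which tier you are actually on.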

Tier 3: The “Fort Knox” Approach (Compliance-Driven)

Sometimes, your hands are tied. You have to be PCI-DSS, HIPAA, or CMMC compliant, and the auditor doesn’t care about my opinion on password rotation. This is the “check the box” tier. Be warned: user friction will be high, and you’ll need to invest in user training and IT support.

  • Minimum Length: 15+ characters.
  • High Complexity: Enforce uppercase, lowercase, numbers, AND special characters.
  • Password History: Remember the last 24 passwords.
  • Max Password Age: 90 days. Yes, I hate it, but the auditor’s checklist demands it. Do check the current text of your framework before you accept it, though: PCI DSS v4 drops the 90-day requirement for user accounts when the password is not the only authentication factor, and NIST SP 800-63B advises against periodic rotation.
  • MFA: Still mandatory. No excuses.
  • Account Lockout: 5 failed attempts trigger a 30-minute lockout. This slows down online guessing against the account; on the device itself, keep the wipe-after-failed-attempts rule from the other tiers.

Warning: Only use this tier if you are legally or contractually obligated to do so. It will increase your helpdesk ticket volume for lockouts and password resets. The security benefit over Tier 2 is marginal in the real world, but it satisfies the auditors. Your job here is to automate the heck out of the user unlock/reset process to keep the business moving.

Final Thoughts

Choosing a password policy isn’t a one-time set-and-forget task. It’s a conversation about risk. Don’t just copy a template from the internet. Start with the “Sensible Standard,” talk to your users, explain why you’re doing it, and make MFA your non-negotiable hill to die on. A good policy is one that people actually follow, and that’s the part that no MDM configuration screen can solve for you.

Darian Vance, Lead Cloud Architect & DevOps Strategist

With over 12 years in system architecture and automation, Darian specializes in simplifying complex cloud infrastructures. An advocate for open-source solutions, he founded TechResolve to provide engineers with actionable, battle-tested troubleshooting guides and robust software alternatives.


🤖 Frequently Asked Questions

❓ What are the recommended MDM password policies for small businesses?

For most small to medium-sized businesses, the ‘Sensible Standard’ policy recommends a minimum password length of 12-14 characters, basic alphanumeric complexity, a password history of 5, and mandatory Multi-Factor Authentication (MFA), with password age set to 365 days or disabled.

❓ How does this compare to alternatives?

The ‘Sensible Standard’ balances modern security principles with user experience, unlike the ‘Bare Minimum’ which offers only basic protection, or the ‘Fort Knox’ approach which, while compliance-driven, introduces high user friction and marginal real-world security benefits over the sensible standard when MFA is enforced.

❓ Common implementation pitfall?

A common pitfall is implementing overly complex or frequently rotating password policies, which leads to user frustration, circumvention (e.g., writing passwords down), and increased helpdesk support. The solution is to prioritize length and MFA, coupled with user training on why these policies are effective.
