iOS 14 fails compliance check when passcode expires
Some customers raised several support cases around compliance check behavior in iOS 14.
The customer had a compliance policy set with a value for “Password expiration (days)”.
Prior to iOS 14, devices would prompt the end user to change the device passcode, and provided they changed it, then the policy condition was met and there was no break in resource access.
In iOS 14 and higher, the devices are not prompting the user for the passcode change but are properly reporting the expiration to Intune. The device, per the policy setting, then becomes non-compliant and ultimately users are blocked from resources protected by conditional access requiring a complaint device.
Currently, there are two mitigation approaches:
- Advise users to manually change the device passcode via Settings in iOS:
- Open Settings applications
- Scroll down to “Touch ID & Passcode” or “Face ID & Passcode select”
- Complete passcode prompt with the current passcode
- Scroll down and select Change Passcode then complete prompt.
- Once change, user can open Company Portal, select device, then Check Status to have the compliance state updated.
- Use Remove passcode to trigger user to set a new passcode:
- Sign in to the Microsoft Endpoint Manager admin center.
- Select Devices > iOS/iPadOS > Search for and select impacted user device .
- Select Remove passcode, read and agree to the remove passcode by selecting “Yes”.
- The passcode will be removed from the device, and the user will be prompted to set a new passcode per the requirements of your defined compliance policy.
- Once the passcode is set, the user can open Company Portal, select device, then Check Status to have the compliance state updated.
Update the version of your iOS device !
A fix has been rolled out for this issue has been resolved with the latest release of iOS 14.3.