Common Mobile Settings

This topic provides detailed descriptions of the policy settings available under Policies > Endpoint Policies > Common Settings > Mobile Settings > Restrictions Settings.

Passcode Settings



Auto-Lock (minutes)

Require mobile devices to enforce passcode access.

Grace period for device lock

Require iOS devices and OS X computers to allow a grace period.

For iOS devices, the grace period is the amount of time that a locked device may be unlocked without entering the passcode.

In OS X, this will be translated to screensaver settings.

Maximum number of failed attempts

Specify the maximum number of failed attempts that are allowed before the device is wiped.

Maximum passcode age (days)

Specify the number of days a passcode can exist before it must be reset.

Minimum number of complex characters

Specify the minimum number of complex characters required for the passcode.

Minimum passcode length

Specify the minimum number of characters required for the passcode.

Passcode history

Specify the number of passcodes to store and compare against new passcodes.

New passcodes are not allowed to repeat a stored passcode.

Permit simple value

Allow a passcode with simple values (that is, values that use repeating, ascending, or descending character sequences).

Require alphanumeric value

Require alphanumeric values (that is, values with at least one letter and one integer).

Require passcode on device

Require mobile devices to enforce passcode access.

You must set this policy for the other passcode policies to be enforced.
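An added sketch (not CyberArk or Apple code) of how the passcode settings above combine, including the dependency on Require passcode on device; on a real device the operating system does the enforcement. The field names, the three-character run threshold for "simple" values, and the reading of "complex" as non-alphanumeric are assumptions, and previous passcodes are held as plain strings only to keep the illustration short.

```python
from dataclasses import dataclass, fields

@dataclass
class PasscodePolicy:  # hypothetical field names mirroring the settings listed above
    require_passcode: bool = False
    min_length: int = 0
    min_complex_chars: int = 0
    require_alphanumeric: bool = False
    permit_simple: bool = True
    history: int = 0

def inert_settings(policy):
    """Settings that are configured but not enforced because 'Require passcode on device' is off."""
    if policy.require_passcode:
        return []
    return [f.name for f in fields(policy)
            if f.name != "require_passcode" and getattr(policy, f.name) != f.default]

def has_simple_run(passcode, run=3):
    """Assumption: 'simple' = `run` or more repeating, ascending or descending characters in a row."""
    count, prev = 1, None
    for a, b in zip(passcode, passcode[1:]):
        step = ord(b) - ord(a)
        if step not in (-1, 0, 1):
            count = 1
        elif step == prev:
            count += 1
        else:
            count = 2
        prev = step
        if count >= run:
            return True
    return False

def violations(policy, candidate, previous=()):
    """Return the names of the settings the candidate passcode violates."""
    if not policy.require_passcode:
        return []  # nothing is enforced without the master setting
    out = []
    if len(candidate) < policy.min_length:
        out.append("Minimum passcode length")
    # Assumption: a "complex" character is any non-alphanumeric character.
    if sum(not c.isalnum() for c in candidate) < policy.min_complex_chars:
        out.append("Minimum number of complex characters")
    if policy.require_alphanumeric and not (
            any(c.isalpha() for c in candidate) and any(c.isdigit() for c in candidate)):
        out.append("Require alphanumeric value")
    if not policy.permit_simple and has_simple_run(candidate):
        out.append("Permit simple value")
    # history == 0 must mean "no history"; a bare [-0:] slice would return every stored passcode.
    recent = list(previous)[-policy.history:] if policy.history else []
    if candidate in recent:
        out.append("Passcode history")
    return out
```

Running `inert_settings` over an exported policy set is a quick way to spot policies that look strict on paper but enforce nothing.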

Restrictions Settings



Permit camera use

Control whether users can use the camera and the FaceTime app on their devices.

Permit user to unenroll device

Control whether users can unenroll a device.

This policy is only available in the CyberArk Cloud Directory policy service.

Permit user to wipe device

Control whether users can wipe a device.


  • This policy is only available in the CyberArk Cloud Directory policy service.
  • For iOS devices, this policy applies only to devices with iOS 8 or later that are configured as “supervised” in Apple Configurator.

Report mobile device location

Display device location in the user portal. If enabled, you have the option to enforce mandatory sharing of device location with systems administrators or allow users to control sharing of their device locations. See Configure device location reporting and tracking.

By default, this policy is enabled.

The user must also have device tracking turned on in the device and in the user portal (the default setting).

This policy is not supported on OS X computers.

Report device details for SSO enrolled devices

This setting controls whether the following device details are sent to CyberArk Identity if the device is SSO-enrolled.

  • Model name and number

  • Battery level

These details might be considered personally identifiable information. Choose not to report these device details to comply with relevant privacy regulations, such as GDPR. If the device details are not reported to CyberArk Identity, the related rows are hidden in the User Portal and Identity Administration portal.

Select Yes to report selected device details. You can deselect individual device details for additional control over reported information.

Select No to not report any device details.

Select -- to leave the default value, which is to report all device details.

The device details are always reported for devices enrolled into CyberArk Identity MDM, regardless of this setting.

Some Android devices report model number, while iOS devices do not report it.