Resolved - Support Tip: iOS 14 fails compliance check when passcode expires
Published Nov 06 2020 12:55 PM

Updated 12/18/20 - A fix for this issue has been rolled out with the latest release of iOS 14.3.

 

We recently received a customer support case about compliance check behavior in iOS 14. The customer had a compliance policy with a value set for “Password expiration (days)”. Prior to iOS 14, devices would prompt the end user to change the device passcode; provided the user changed it, the policy condition was met and there was no break in resource access. In iOS 14 and higher, devices do not prompt the user for the passcode change but still correctly report the expiration to Intune. Per the policy setting, the device then becomes non-compliant, and users are ultimately blocked from resources protected by conditional access that requires a compliant device.

 

Apple has acknowledged this change in behavior and plans to address it in an upcoming release, and we’ll update this post when new information is available.

 

Currently, there are two mitigation approaches:

  1. Advise users to manually change the device passcode via Settings in iOS:
    1. Open the Settings application.
    2. Scroll down and select “Touch ID & Passcode” or “Face ID & Passcode”.
    3. Complete the passcode prompt with the current passcode.
    4. Scroll down and select Change Passcode, then complete the prompt.
    5. Once the passcode is changed, the user can open Company Portal, select the device, then select Check Status to have the compliance state updated.
  2. Use Remove passcode to prompt the user to set a new passcode:

    1. Sign in to the Microsoft Endpoint Manager admin center.

    2. Select Devices > iOS/iPadOS, then search for and select the impacted user's device.

    3. Select Remove passcode, then read the prompt and agree to remove the passcode by selecting “Yes”.

    4. The passcode will be removed from the device, and the user will be prompted to set a new passcode per the requirements of your defined compliance policy.

    5. Once the passcode is set, the user can open Company Portal, select device, then Check Status to have the compliance state updated.
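
To decide which enrolled devices need one of the two mitigations above, the following added example (not code from this post or from Microsoft) triages a device export by OS build. It assumes records shaped like the Microsoft Graph managedDevice resource; the sample records and the `triage` and `parse_version` helpers are constructed for illustration, and the version bounds are the ones stated on this page.

```python
import json

# Constructed sample export. Field names follow the Microsoft Graph
# managedDevice resource; every value here is made up for illustration.
SAMPLE_EXPORT = json.loads("""[
 {"deviceName": "iPhone-A", "operatingSystem": "iOS", "osVersion": "14.2", "complianceState": "noncompliant"},
 {"deviceName": "iPad-B", "operatingSystem": "iPadOS", "osVersion": "14.0.1", "complianceState": "inGracePeriod"},
 {"deviceName": "iPhone-C", "operatingSystem": "iOS", "osVersion": "14.4", "complianceState": "noncompliant"},
 {"deviceName": "iPhone-D", "operatingSystem": "iOS", "osVersion": "13.7", "complianceState": "noncompliant"},
 {"deviceName": "iPhone-E", "operatingSystem": "iOS", "osVersion": "14.1", "complianceState": "compliant"},
 {"deviceName": "Pixel-F", "operatingSystem": "Android", "osVersion": "11", "complianceState": "noncompliant"},
 {"deviceName": "iPhone-G", "operatingSystem": "iOS", "osVersion": "", "complianceState": "noncompliant"}
]""")

FIRST_AFFECTED = (14, 0)  # per the post: seen on iOS 14.0 and up
FIXED_IN = (14, 3)        # per the post: fix shipped with iOS 14.3

def parse_version(text):
    """'14.0.1' -> (14, 0, 1); None for missing or non-numeric values."""
    try:
        return tuple(int(part) for part in text.strip().split("."))
    except (AttributeError, ValueError):
        return None

def triage(devices):
    """Bucket non-compliant iOS/iPadOS devices by OS build."""
    # These fields do not say which setting failed, so the buckets are
    # candidates to check, not proof that passcode expiry caused the state.
    buckets = {"affected_build": [], "fixed_build": [], "unknown_version": []}
    for dev in devices:
        if str(dev.get("operatingSystem", "")).lower() not in ("ios", "ipados"):
            continue
        if dev.get("complianceState") not in ("noncompliant", "inGracePeriod"):
            continue
        version = parse_version(dev.get("osVersion"))
        if version is None:
            buckets["unknown_version"].append(dev["deviceName"])
            continue
        major_minor = (version + (0,))[:2]  # treat "14" as 14.0
        if FIRST_AFFECTED <= major_minor < FIXED_IN:
            buckets["affected_build"].append(dev["deviceName"])
        elif major_minor >= FIXED_IN:
            buckets["fixed_build"].append(dev["deviceName"])
    return buckets

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_EXPORT), indent=2))
```

Devices in `affected_build` are the ones to walk through a manual passcode change or Remove passcode, and to update to iOS 14.3 or later; devices in `fixed_build` that remain non-compliant point to a different cause.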

 

Let us know if you have any additional questions on this by replying to this post or by tagging @IntuneSuppTeam out on Twitter.

 

Blog post updates:

  • 12/18/20: We have confirmed reports that this issue has been resolved with the latest release of iOS 14.3.
21 Comments
Iron Contributor

Just want to be clear it's only for iOS 14 or iOS 14 and above?

Copper Contributor

@Intune_Support_Team  Do we have any method to identify the list of devices that are nearing the passcode expiry?

Hi @Vadivelu B, thanks for the question! We've seen this occur on devices on iOS 14.0 and up so far. We are expecting a future beta build that should have a fix to test, and that will then roll into an iOS release. No timing or versions to share yet, but we’ll update this post when new information is available.

Hi @Dheeraj Oswal, thanks for the question! Unfortunately, the current iOS Passcode MDM payload protocol setting does not provide any details on the current passcode age or lifecycle in maxAge. We only get a report when the age has been exceeded.

Copper Contributor

@Intune_Support_Team  Could you please confirm if this issue is resolved with iOS 14.3 update?

Hi @Dheeraj Oswal, confirming that a fix for this issue has been resolved with iOS 14.3.

Copper Contributor

I'm still having users running iOS 14.3 going into "Non compliance" because Company Portal does not alert them to update Passcode.

Copper Contributor

Same here. We are still experiencing issues.  Just submitted a ticket to MS.

@Joel Gonzalez - Thanks for the comment. There may be a different issue occurring on the affected devices or within your tenant. We've sent you a private message to learn more about the scenario and to provide additional assistance.

 

@jloredo0918 - Thanks for the feedback. We've followed up with you over a private message to provide additional assistance on your support case.

Copper Contributor

Hi,

I can also confirm the issue is still present as well.  I have both an iOS device compliance and device restriction policy that match.  I can see users daily (with iOS 14.3) not being prompted to change their device passcodes.  In my test configurations, if I change the passcode expiration to a lower value, I'm prompted to change it.  

 

For others experiencing the issue, we have adjusted our policy to mark the device non compliant after 1 day, notifying the device owner, via email that instructs them to go to the Comp Portal app to check device status.  We include an email to the Service Desk for active follow-up to minimize impact.  All of our mobile access to O365 services are based on conditional access rules, which restricts access based on non compliance.  Hope this helps.  

Copper Contributor

I was told this is an issue with Apple.  Nothing MS could do.

Copper Contributor

@jloredo0918 Completely agree it's an Apple-related issue, but to note it's been resolved is not accurate. 

 

iOS 14.4 has been released, so fingers crossed.  :) 

 

I did discover that if you reboot the device with an expired passcode (with device being marked as non compliant), it does prompt you to change it. 

Copper Contributor

@omie1376  I have also changed the time before it gets marked as non-compliant to 3 days, because these issues often happen during the weekend.

 

@jloredo0918 I am also hoping that iOS 14.4 may fix the issue, although it seems like Apple turns on security with every update - we will see. Thank you for the suggestion to reboot phone.

Copper Contributor

After updating my test devices to iOS 14.4 and once the device passcodes expired, each device prompted me to change the device passcode.  A good sign the issue may have been resolved.  

Copper Contributor

That's great news! Thank you for sharing.

Copper Contributor

Since last week we have noticed that some users' devices are also being marked as non-compliant after updating the OS version to 14.4. They become compliant only after changing the passcode.

Copper Contributor

My supervised phone running 14.4 did ask me to change my passcode, like it used to. I have not heard of any other issues from any of my users. 

Copper Contributor

I have several users running into this problem still. They are not receiving prompts on their devices to update their passcodes. Users are on iOS 14.4 

Copper Contributor

I have version 14.4.2 on my iPhone XR and still didn’t get any notification that my passcode expired today, while I got immediately disconnected from my company assets. I would appreciate it if this issue gets addressed asap. 

Copper Contributor

We also have had devices running 14.4.2 and experiencing the same issue, no passcode prompt.
Since the newest software is 14.5.1 - can we confirm if the issue is resolved when running the latest software?

Hi @Michael_Budai and @NicHu1805, thank you both for the feedback! Confirming that this issue has been resolved with the public release of iOS 14.3 and higher. If you continue facing an issue with your device's passcode not prompting as expected, please open a support case via the Microsoft Endpoint Manager admin center's Help and Support blade or any of the methods here, as this will help the team capture all the information needed to resolve the issue. Thanks!

Last update: Dec 18 2020 09:24 AM