2.4.5 Ensure 'Maximum grace period for device lock' is set to 'Immediately'

Information

This recommendation pertains to the amount of time a device may be unlocked without entering a passcode after that device has been locked. Devices with TouchID enabled do not allow a grace period.

Rationale:

Configuring the Maximum grace period for device lock to Immediately precludes unauthenticated access when waking the device.

Solution

Open Apple Configurator.

Open the Configuration Profile.

In the left window pane, click on the Passcode tab.

In the right window pane, set the Maximum grace period for device lock to Immediately.

Deploy the Configuration Profile.

See Also

https://workbench.cisecurity.org/benchmarks/15548