Password Management
You can configure Shield Guard security policies to monitor, and automatically generate, device admin passwords for devices assigned to the policy. Use the Admin Password Configuration section of the Policies page. The following illustration shows the page as it appears when the setting is toggled on, displaying some of the configuration options on the page:
Note: Any changes you make to security settings in an existing security policy are applied at the next server heartbeat sync.
Using the Device Admin Password Configuration Feature
Toggling on the Admin Password Configuration setting provides access to powerful features that enable you to remotely control the password management of devices in the policy. Note the following device requirements for this feature:
- The device’s Password Change Permission setting must be set to “Allow”.
- The device’s admin password must be currently verified with Marketplace.
- The verified password must match the Shield Guard policy’s admin password.
Note: The passwords do not need to match for the initial sync of the policy with the devices in the policy. This is required only for assessments that occur after the initial sync.
If at any time Shield Guard assesses a device that fails to meet any of the above requirements, Shield Guard will assess the device as Not Secure and suspend password management and/or remediation for the device until all requirements are met.
Note: A device’s Password Rules setting can affect Shield Guard’s ability to update the device’s admin password. See the Password Options section below.
Matching a Device’s Admin Password with the Shield Guard Policy’s Password
For Shield Guard to manage and/or remediate a device’s admin password, the password must be currently verified with Marketplace. A device’s password becomes unverified if it is changed manually at the device and then not re-verified. Shield Guard assesses such devices as Not Secure and generates a log in which the Device Value column gives a value of “Password unknown”.
To rectify a mismatched password, you have the following options. Note that for both of these options, you must provide the device’s current admin password:
- Change the device’s admin password to match the policy’s password. Do the following:
  - Access the policy in the Shield Guard Portal and note the password currently stored in the policy.
  - At the device, manually change the admin password to match the policy’s password. For more information on this process, refer to the device’s user guide.
  - Verify the password with MarketPlace. Do one of the following:
    - At the device panel, click on the App Manager button and, if prompted, provide the device’s admin password.
    - In MarketPlace, on the Devices page, verify (or re-verify) the device’s admin password.
- Change the policy’s password to match the device’s admin password. Do the following:
  - Access the policy in the Shield Guard Portal.
  - Use the Manual Password option to change the policy’s password to match the device’s current password.
  - Verify the password with MarketPlace. Do one of the following:
    - At the device panel, click on the App Manager button and, if prompted, provide the device’s admin password.
    - In MarketPlace, on the Devices page, verify (or re-verify) the device’s admin password.
Once rectified, and an assessment occurs for the device, the passwords will match and the Admin Password Configuration setting will no longer cause Shield Guard to assess the device as Not Secure.
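The three device requirements above, the initial-sync exception, and the two rectification paths can be expressed as a small policy evaluator. The following is an added example written for this page, not Shield Guard’s code or data model; the Device, Policy and Assessment types, the "Allow" value and the Device Value strings other than “Password unknown” are assumptions chosen for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample types: illustrative only, not Shield Guard's data model.

@dataclass
class Device:
    name: str
    password_change_permission: str   # device's Password Change Permission setting
    verified_with_marketplace: bool   # admin password currently verified with Marketplace
    verified_password: Optional[str]  # the password Marketplace verified, None if unknown


@dataclass
class Policy:
    admin_password: str               # password currently stored in the Shield Guard policy


@dataclass
class Assessment:
    secure: bool                      # Secure / Not Secure
    manage_password: bool             # False: password management/remediation suspended
    device_value: str                 # text for the log's Device Value column
    reason: str


def assess_prerequisites(device: Device, policy: Policy, initial_sync: bool) -> Assessment:
    """Check the three device requirements for admin password management.

    The match requirement is waived for the initial sync of the policy; any
    failure assesses the device as Not Secure and suspends password management.
    Only "Password unknown" is a log value from the text; the other device_value
    strings are placeholders chosen for this example.
    """
    if device.password_change_permission != "Allow":
        return Assessment(False, False, "Password change not allowed (example text)",
                          "Password Change Permission is not set to Allow")
    if not device.verified_with_marketplace or device.verified_password is None:
        return Assessment(False, False, "Password unknown",
                          "admin password is not currently verified with Marketplace")
    if not initial_sync and device.verified_password != policy.admin_password:
        return Assessment(False, False, "Password mismatch (example text)",
                          "verified password does not match the policy's password")
    return Assessment(True, True, "Password verified (example text)", "all requirements met")


def rectify(device: Device, policy: Policy, current_device_password: str,
            change_device: bool) -> None:
    """Apply one of the two rectification options, then re-verify with Marketplace.

    change_device=True : change the device's password to the policy's password.
    change_device=False: change the policy's password (Manual Password) to the device's.
    Both options need the device's current admin password, as the text states.
    """
    if not change_device:
        policy.admin_password = current_device_password
    # Re-verification: Marketplace now records the password in effect on the device.
    device.verified_password = policy.admin_password
    device.verified_with_marketplace = True


if __name__ == "__main__":
    policy = Policy("Fleet-Pa55w0rd!")                      # constructed sample value
    drifted = Device("mfp-03", "Allow", True, "ChangedAtPanel")
    print(assess_prerequisites(drifted, policy, initial_sync=False))
    rectify(drifted, policy, "ChangedAtPanel", change_device=False)
    print(assess_prerequisites(drifted, policy, initial_sync=False))
```

The evaluator deliberately returns `manage_password=False` on every failure: a device that fails any prerequisite is both Not Secure and no longer managed, which is why a manually changed, unverified password surfaces as “Password unknown” rather than being silently overwritten.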
Configuring Device Admin Passwords
If you enable the Admin Password Configuration setting, the following options appear:
- Password Security Duration - To specify a password security duration for the admin password for each device assigned to the policy, check the box at this field. The Duration field appears. Click on the drop-down and select a time period from the list that appears.
  If you enable this setting, then all devices whose admin password has not been updated within the specified time period (for example, 1 day) will be assessed as Not Secure. Note the following:
  - The password security duration includes a grace period of up to 10 minutes. For example, if you set the password duration to 1 day, then if the password is not changed within one day plus the grace period, the policy will fail assessment. The grace period provides extra time in the event the device is delayed in receiving the password changes, for example, because the device is in Sleep mode.
  - The password duration you specify must be greater than the heartbeat sync frequency.
  - You can automatically update admin passwords based on the duration you specify. On the Random Password tab at the Admin Password Generation field, enable the Automatically update password based on password security duration setting (described below). This option is available only for random password generation.
- Default Admin Password Remediation - To automatically update the device’s password whenever it is changed back to the device default password outside of Shield Guard (e.g., at the device), check the box at this field. The password updates based on the settings in the Admin Password Generation section.
  Note: To remediate admin passwords, the Default Admin Password Check setting must also be toggled on. Thus, if you attempt to enable this setting while the Default Admin Password Check setting is not toggled on, a warning message appears with the option to automatically enable that setting. To enable both settings, click on OK. To preserve the Toggled Off status for both settings, click on Cancel. If the Default Admin Password Check setting is already toggled on, or if you are attempting to toggle off this setting (Default Admin Password Remediation), no warning message appears.
- Password Block List - To specify one or more passwords you want to prevent users from using as the admin password for devices in the tenant, check the box and specify the passwords you want to block. This option is toggled on by default, but you can toggle it off.
  If you check the box at this field, the Enter a password to block field appears, and below that the default device admin password appears. This password is automatically included in the blocked password list, and it cannot be removed.
  To add a password to the blocked list, enter it into the field. The Plus button activates. Click on the button to add the password to the list. Repeat the process for any additional passwords you want to add to the blocked list.
  When finished, click on the Save button to update the policy. Note that if you disable the Password Block List feature (leave the check box blank), any user-defined passwords in the policy are removed from the block list.
Generating Device Admin Passwords
We strongly recommend you replace the default admin password with your own password for each device in your fleet, and we recommend you update your passwords regularly. Shield Guard provides the following methods of updating device admin passwords:
Using the Random Password Generator
To generate a random password for each device in the tenant, click on the Random Password button. See the following illustration:
When you save the policy, Shield Guard:
- Generates the password based on the requirements specified in the Password Options section.
- Applies the password to each device at the next server heartbeat sync.
You can then view the password at the View Admin Password action button on the Devices page.
Generating Random Passwords Automatically
In addition to the initial password described above, you can generate random passwords automatically at a specified interval. Use the following field:
- Update passwords automatically based on the Password Security Duration setting - This field activates only when the Password Security Duration setting above is enabled. Enable it to schedule automatic updates of your device admin passwords based on the duration specified. For example, if you:
  - Enable the Password Security Duration setting
  - Specify 1 day as the password security duration period
  - Toggle on the Update passwords automatically based on the Password Security Duration setting
  Then, at the next server heartbeat sync that occurs after the password security duration period expires, the device will not pass compliance. However, Shield Guard will generate a new password and, at the next server heartbeat sync, the new password will enable the device to meet compliance.
  Note: If the server heartbeat sync is set to a period longer than the password security duration, Shield Guard will always assess the device as Not Secure. That is, because applying the new password occurs during a second assessment of the device, that assessment will never occur in time to update the password so that the device complies with the Password Security Duration setting.
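The interplay between the Password Security Duration (with its 10-minute grace period and the rule that the duration must exceed the heartbeat frequency, described under Configuring Device Admin Passwords) and the automatic update just described is easiest to see by walking through successive heartbeat syncs. The following simulation is an added example, not Shield Guard’s implementation; its timing model (the initial password is applied at time zero, a password generated at one sync is stamped with that sync’s time and reaches the device only at the following sync) is an assumption inferred from the Note above.

```python
from datetime import timedelta

# Grace period stated in the text: up to 10 minutes beyond the configured duration.
GRACE_PERIOD = timedelta(minutes=10)


def validate_duration(duration: timedelta, heartbeat: timedelta) -> bool:
    """Configuration rule from the text: the duration must exceed the heartbeat frequency."""
    return duration > heartbeat


def password_is_current(age: timedelta, duration: timedelta) -> bool:
    """A password passes while its age is within the duration plus the grace period."""
    return age <= duration + GRACE_PERIOD


def simulate_syncs(duration: timedelta, heartbeat: timedelta, syncs: int,
                   auto_update: bool = True) -> list:
    """Return the pass/fail result of each successive heartbeat sync.

    Modelling assumptions (inferred from the Note in the text, not documented behaviour):
    - the initial policy password is applied at time zero;
    - when a sync finds the password expired and automatic updates are enabled,
      a new password is generated at that sync and stamped with that sync's time;
    - the generated password reaches the device only at the following sync,
      so its age at that sync already equals one heartbeat interval.
    """
    results = []
    applied_at = timedelta(0)   # timestamp of the password currently on the device
    pending = None              # timestamp of a generated password not yet applied
    for n in range(1, syncs + 1):
        now = heartbeat * n
        if pending is not None:                 # apply the password generated last sync
            applied_at, pending = pending, None
        secure = password_is_current(now - applied_at, duration)
        if not secure and auto_update:
            pending = now                       # generate now, apply at the next sync
        results.append(secure)
    return results


if __name__ == "__main__":
    one_day, six_hours, twelve_hours = timedelta(days=1), timedelta(hours=6), timedelta(hours=12)
    # Valid configuration: one failed sync, then compliant again once the new password lands.
    print(validate_duration(one_day, six_hours), simulate_syncs(one_day, six_hours, 8))
    # Heartbeat longer than the duration: every sync fails, exactly as the Note warns.
    print(validate_duration(twelve_hours, one_day), simulate_syncs(twelve_hours, one_day, 4))
    # Duration enabled without automatic updates: once expired, it stays Not Secure.
    print(simulate_syncs(one_day, six_hours, 6, auto_update=False))
```

With a 1-day duration and 6-hour heartbeat the fifth sync (30 hours) fails and the sixth passes; with a 12-hour duration and 1-day heartbeat the freshly generated password is already a full day old when it is assessed, so no sync ever passes, which is the configuration the duration-versus-heartbeat rule exists to prevent.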
Using the Manual Password Generator
To manually generate a custom password for each device in the tenant, click on the Manual Password button. See the following illustration:
Do the following:
- Specify one or more password requirements in the Password Options panel. Your password string must meet the requirements before you can save the policy. If you do not specify any password requirements, Shield Guard still applies a minimum requirement of at least four characters in the string.
- Enter your password string.
- Click on the Save button when done. The Save button activates once the string meets all password requirements and no other issues exist for any settings in the policy.
When you save the policy, Shield Guard generates the password and applies it to each device in the policy at the next server heartbeat sync. You can then view the password at the View Admin Password action button on the Devices page.
Password Options
This panel in the Admin Password Configuration section contains options for imposing password requirements (for example, a minimum length) on passwords generated by Shield Guard.
Note: The Shield Guard Password Options setting does not override the device’s Password Rules setting. Instead, it only imposes restrictions on the passwords generated by Shield Guard before they are actually sent to the device. Shield Guard will not generate a password that does not meet all restrictions imposed by the Password Options setting. However, a password generated by Shield Guard may still fail the requirements imposed by the device’s Password Rules setting. For example, if Shield Guard generates a 16-character password based on a minimum length requirement and sends it to a device whose minimum length requirement is set to 20 characters, the update will fail and the password will not be updated.
For random password generation, Shield Guard applies the requirements you specify to all passwords generated.
For manual password generation, Shield Guard displays descriptive text in the Please use a password that: section for each password requirement you activate. The descriptive text displays in red until the password string meets the requirement, at which time the text turns to black. For example, if you activate the Require Symbols option, the descriptive text “Includes at least 1 symbol” will display in red, unless the password string contains one or more symbol characters. See the illustration above.
The following options are available:
- Minimum Password Length - This field appears only for manual password generation. To require manual passwords to meet a minimum length, check the box. The Length field activates.
  - Length - For random passwords, specify the password length. For manual passwords, specify a minimum length. Click on the dropdown and select a number from the list that appears. Note that a password length of 16 or more characters is considered “strong” while 15 or fewer characters is considered “weak”.
- Password Complexity Rules - Check the box next to the rules you want to apply for device admin password generation.
  - Require uppercase characters (A-Z) - Require the password to contain at least one uppercase character.
  - Require lowercase characters (a-z) - Require the password to contain at least one lowercase character.
  - Require numbers - Require the password to contain at least one numeric character.
  - Require symbols - Require the password to contain at least one symbol character.
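The Password Options rules, the four-character fallback applied to manual passwords when no requirement is set, the 16-character “strong” threshold, and the Note’s caveat that a device’s own Password Rules can still reject a generated password can all be shown in one place. The following is an added example for this page, not Shield Guard’s generator; the symbol set, the PasswordOptions field names, the requirement wording other than “Includes at least 1 symbol”, and the device-side check (which models only a minimum-length rule) are assumptions made for the example.

```python
import secrets
import string
from dataclasses import dataclass

# Assumed symbol set: the page does not define which characters count as symbols.
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?"
# Minimum the text says Shield Guard still applies when no requirements are set.
FALLBACK_MIN_LENGTH = 4
STRONG_LENGTH = 16   # 16 or more characters is "strong", 15 or fewer is "weak"


@dataclass
class PasswordOptions:
    """The Password Options panel (field names are this example's, not the product's)."""
    minimum_length_enabled: bool = False   # Minimum Password Length check box (manual only)
    length: int = 16                       # exact length for random, minimum for manual
    require_upper: bool = False
    require_lower: bool = False
    require_numbers: bool = False
    require_symbols: bool = False


def unmet_requirements(password: str, opts: PasswordOptions) -> list:
    """Return the 'Please use a password that:' lines that would still show in red.

    Only "Includes at least 1 symbol" is wording from the text; the other lines
    follow the same pattern and are this example's.
    """
    unmet = []
    min_len = opts.length if opts.minimum_length_enabled else FALLBACK_MIN_LENGTH
    if len(password) < min_len:
        unmet.append(f"Is at least {min_len} characters long")
    if opts.require_upper and not any(c in string.ascii_uppercase for c in password):
        unmet.append("Includes at least 1 uppercase character")
    if opts.require_lower and not any(c in string.ascii_lowercase for c in password):
        unmet.append("Includes at least 1 lowercase character")
    if opts.require_numbers and not any(c in string.digits for c in password):
        unmet.append("Includes at least 1 number")
    if opts.require_symbols and not any(c in SYMBOLS for c in password):
        unmet.append("Includes at least 1 symbol")
    return unmet


def strength_label(password: str) -> str:
    """Strong/weak classification by length, as the Length field describes it."""
    return "strong" if len(password) >= STRONG_LENGTH else "weak"


def generate_random_password(opts: PasswordOptions) -> str:
    """Generate a password of exactly opts.length that satisfies every enabled rule."""
    required_pools = []
    if opts.require_upper:
        required_pools.append(string.ascii_uppercase)
    if opts.require_lower:
        required_pools.append(string.ascii_lowercase)
    if opts.require_numbers:
        required_pools.append(string.digits)
    if opts.require_symbols:
        required_pools.append(SYMBOLS)
    if len(required_pools) > opts.length:
        raise ValueError("length too short to satisfy every enabled complexity rule")
    alphabet = string.ascii_letters + string.digits + SYMBOLS
    # One character from each required class guarantees the rule; the rest is uniform.
    chars = [secrets.choice(pool) for pool in required_pools]
    chars += [secrets.choice(alphabet) for _ in range(opts.length - len(chars))]
    secrets.SystemRandom().shuffle(chars)   # so required classes are not always first
    return "".join(chars)


def device_accepts(password: str, device_min_length: int) -> bool:
    """Device-side Password Rules check that Shield Guard's options do not override.

    Only the minimum-length rule from the text's example is modelled here.
    """
    return len(password) >= device_min_length


if __name__ == "__main__":
    opts = PasswordOptions(minimum_length_enabled=True, length=16, require_upper=True,
                           require_lower=True, require_numbers=True, require_symbols=True)
    pw = generate_random_password(opts)
    print(pw, strength_label(pw), unmet_requirements(pw, opts))
    # The Note's scenario: a 16-character password sent to a device requiring 20 fails.
    print("device (min 20) accepts:", device_accepts(pw, 20))
    # Manual entry with a missing symbol shows the red requirement line.
    print(unmet_requirements("Password1", PasswordOptions(minimum_length_enabled=True,
                                                          length=8, require_symbols=True)))
```

Random generation uses `secrets` rather than `random` because admin passwords must come from a cryptographically strong source; one character from each required class is drawn first and the result shuffled so that satisfying the complexity rules does not impose a predictable character order.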