iOS 18.5 MDM Screen Lock

Hello,

I am running into a bit of an issue with the Screen Timeout/Screen Lock setting and would like some clarification on it.

First, for a bit of context, I am enrolling personal iOS devices 18.0+ into the company MDM (Intune) with Account Driven User Enrollment. We are trying to set a screen timeout of 5 minutes with an immediate passcode prompt on the device afterwards, but this setting is not being applied, and the device timeout setting can still be set to "Never" on the user's end. This is a big security risk for the company I work for and an issue with being HIPAA compliant.

According to the Microsoft Intune Support, "In iOS 18, when using Account-Driven User Enrollment for BYOD (Bring Your Own Device) scenarios, the screen lock timeout setting is indeed marked as “Not Applicable”. This is because Apple’s privacy-preserving model for personal devices restricts administrative control over system-level settings like screen lock or idle timeout."

I need clarification on the item mentioned by Microsoft Intune Support, and on whether this setting can no longer be applied from the MDM to devices enrolled with Account Driven User Enrollment.

When a non-Mac device is managed using Account Driven User Enrollment, the device management server has limited capabilities related to the passcode. When User Enrollment was first introduced, installing a configuration profile containing a passcode payload would ignore all the keys in the payload and instead require a minimum of a non-simple 6-digit PIN.

Starting in iOS 17 and aligned releases of other platforms, if the payload contains a maxInactivity key, its value is ignored; however, its presence removes the "Never" option from Settings > Display & Brightness > Auto-Lock. It's still possible for the user to select a shorter duration for Auto-Lock.

The Apple documentation for the Passcode payload does not currently explain this. We're working on updating that documentation. Thank you for raising this issue, which helped us discover the omission.

I don't know whether Microsoft Intune supports this maxInactivity key in this scenario. It's possible that Microsoft did not add support for this key for User Enrollments when Apple added this new capability in iOS 17. Most device management servers allow administrators to upload and install custom configuration profiles, so even if Intune does not support this, you may still be able to work around it by crafting your own configuration profile that specifies the maxInactivity key.
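The workaround described in the answer above, as an added example that is not part of the original post nor Apple's or Microsoft's code: a script that builds a minimal Passcode payload (`com.apple.mobiledevice.passwordpolicy`) carrying the `maxInactivity` key and writes it out as a `.mobileconfig`, plus a pre-upload check that a given profile actually contains that key. The `com.example.mdm` identifiers, display names and the 5-minute value are assumptions for illustration. As the answer explains, on an Account Driven User Enrollment device the value of `maxInactivity` (and the other passcode keys) is ignored; the key's presence is what removes "Never" from Auto-Lock, and the device enforces its own non-simple 6-digit PIN minimum.

```python
#!/usr/bin/env python3
"""Build and check a minimal Passcode configuration profile (.mobileconfig)
that carries the maxInactivity key.

Example code added for illustration; not Apple's or Microsoft's. The
com.example.mdm identifiers, display names and the 5-minute default are
assumptions.
"""
import plistlib
import uuid

PASSCODE_PAYLOAD_TYPE = "com.apple.mobiledevice.passwordpolicy"


def build_passcode_profile(max_inactivity_minutes: int = 5,
                           org_prefix: str = "com.example.mdm",
                           include_max_inactivity: bool = True) -> bytes:
    """Return a .mobileconfig (XML plist) containing one Passcode payload.

    On a User Enrollment device the device ignores the values of these keys,
    but the presence of maxInactivity removes the "Never" Auto-Lock option.
    On device-enrolled or supervised hardware the keys are enforced as set.
    include_max_inactivity=False builds a profile WITHOUT the key so the
    pre-upload check below can be seen rejecting it.
    """
    # maxInactivity is expressed in minutes; Apple's Passcode payload
    # reference documents a 1..15 range for this key.
    if not 1 <= max_inactivity_minutes <= 15:
        raise ValueError("maxInactivity must be 1..15 minutes")

    payload = {
        "PayloadType": PASSCODE_PAYLOAD_TYPE,
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{org_prefix}.passcode",   # assumed identifier
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Passcode policy",
        "maxGracePeriod": 0,   # 0 = require the passcode immediately on lock
        "allowSimple": False,  # no repeating/ascending digit sequences
        "minLength": 6,
    }
    if include_max_inactivity:
        payload["maxInactivity"] = max_inactivity_minutes  # minutes to Auto-Lock

    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{org_prefix}.screenlock",  # assumed identifier
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Screen lock policy",
        "PayloadContent": [payload],
    }
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def passcode_payloads_with_max_inactivity(mobileconfig: bytes) -> list:
    """Return the Passcode payloads in a profile that carry maxInactivity.

    Use this as a pre-upload check: an empty list means the profile will
    not remove "Never" from Auto-Lock on a User Enrollment device.
    """
    profile = plistlib.loads(mobileconfig)
    return [p for p in profile.get("PayloadContent", [])
            if p.get("PayloadType") == PASSCODE_PAYLOAD_TYPE
            and "maxInactivity" in p]


if __name__ == "__main__":
    data = build_passcode_profile(5)
    with open("passcode-autolock.mobileconfig", "wb") as fh:
        fh.write(data)
    found = passcode_payloads_with_max_inactivity(data)
    print(f"passcode payloads carrying maxInactivity: {len(found)}")
```

The resulting file is an unsigned profile; upload it through the MDM's custom configuration profile feature rather than installing it by hand, since on a User Enrollment device only the management channel is relevant for this behavior. Run the check against whatever the MDM exports before deploying, so a console that silently drops unsupported keys is caught before it reaches users.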
