We are trying to setup some of our field iPads to have a passcode, but then restrict the user from being able to change the passcode. We have a payload that requires a 6 digit passcode on all our iOS devices. I tried a couple things and have not had the results we are looking for.
First tried to set the Restriction->Functionality->Modifying Passcode to Restricted but when new devices enrolled they bypassed the prompt to set a passcode and the won't let the user go into settings to set one.
Then I turned that restriction off and had someone put the passcode on one of those devices and then turned the restriction to restricted and they couldn't change it, but that's too manual for each device.
Second thing we tried was to setup a smart device group for any device where the passcode compliance with profile was compliant hoping that a new device being enrolled wouldn't pop into this smart group until the passcode was set; set the Restriction->Functionality->Modifying Passcode to allow on the payload going to all devices; then setup another payload for Restriction->Functionality->Modifying Passcode set to Restricted but scoped that to anything in the new passcode compliance smart group. When we wiped a test device to force it to go through the enrollment again it skipped the passcode prompt but was immediately placed in the passcode compliance smart group even though it doesn't comply with the passcode payload. And since the restriction is set for devices in that smart group we can't set the passcode.
Any ideas on how we can get a passcode set on enrollment but then not let the user change it?
