Cyber Essentials v3.3 and device unlock: what the scheme expects

Cyber Essentials v3.3 and device unlock: what the scheme expects

Screen lock and device unlock fall under secure configuration in Cyber Essentials. v3.3 tightened the rules for what constitutes an acceptable unlock method. Most changes affect mobile devices, BYOD, and consumer Windows machines.

This article walks through the rules by platform.

The general rule

Every device in scope must require authentication to unlock. The authentication must be:

• Non-default (factory passcode changed).
• Auto-engaged after a period of inactivity.
• Not trivially bypassable.

Different platforms meet this differently.

Windows

• Screen lock after 15 minutes of inactivity (Group Policy or Intune).
• Unlock requires password, PIN, Windows Hello biometric, or Windows Hello PIN.
• Windows Hello for Business PIN minimum 6 digits.
• Consumer-style "no password on consumer Windows" does not pass.

macOS

• Require password after sleep or screen saver: immediately or after 5 minutes.
• Password complexity: 8+ characters, mixed case, numbers.
• FileVault enabled.
• Touch ID acceptable for desktop unlock.

iOS

• Passcode required: yes.
• Passcode complexity: 6-digit numeric minimum, alphanumeric preferred.
• Auto-lock: 2 minutes or less.
• Face ID / Touch ID acceptable for unlock (backed by passcode).
• Device encryption: automatic on modern iOS.

v3.3 no longer accepts 4-digit passcodes on iOS for in-scope devices. Change the minimum to 6 digits via MDM (Intune, Jamf).

Android

• Screen lock: PIN, pattern, password, or biometric.
• Pattern and 4-digit PIN are borderline - assessors may ask for 6-digit PIN minimum.
• Biometric acceptable (backed by PIN).
• Device encryption: required (automatic on Android 10+).
• Auto-lock: 2 minutes or less.

Some MDM policies enforce 6-digit PIN as a technical control. Recommended.

Home routers (under v3.3)

v3.3 added home routers to scope for remote workers. The admin interface must:

• Require a non-default admin password (not factory).
• Firmware up-to-date.
• No remote management from the WAN interface.

This is a separate control from user-facing unlock.

BYOD devices

For BYOD in scope:

• Personal iOS / Android devices accessing organisational data must enrol in MDM.
• MDM enforces passcode complexity per the rules above.
• "We told users to use a passcode" without technical enforcement is a fail.

Kiosk / shared devices

Shared devices (training rooms, point-of-sale terminals, reception kiosks) are allowed but must:

• Auto-lock between users.
• Clear session data between users.
• Have a unique per-user PIN or sign-in where practical.

What the assessor checks

During the self-assessment:

• Screenshots of MDM policies for iOS, Android, Windows.
• Screenshot of Group Policy or Intune showing screen lock after 15 minutes on Windows.
• Evidence that Face ID / Touch ID is enforced backed by 6-digit passcode.
• Evidence that home routers for remote workers have passwords changed (typically a signed attestation from each remote worker).

For CE Plus, the assessor samples devices live - they will ask the user to show screen lock configuration directly.

Common failures

• 4-digit PIN on iOS - upgrade to 6 digits via MDM.
• No screen-lock timer on personal Windows - deploy via Intune or Group Policy.
• Screen lock at 30 minutes or longer - reduce to 15 minutes.
• No auto-lock on Android in MDM - configure it.

Bottom line

Device unlock is a low-drama CE control if you have MDM. Configure 6-digit minimum PINs, biometric backed by passcode, 15-minute screen lock, and device encryption. v3.3 tightens the thresholds but the controls have not fundamentally changed.

Start Cyber Essentials | See the 14-day patching rule | See pricing