
Cyber Essentials v3.3 and device unlock: what the scheme expects

Device unlock under v3.3: screen lock timers, biometric unlock, passcode complexity, and the specific rules for iOS, Android, Windows, and macOS that assessors now check.

Author

Jay Hopkins

Editor

Edited by Jack Wickham


Section 01

Cyber Essentials v3.3 and device unlock: what the scheme expects

Screen lock and device unlock fall under secure configuration in Cyber Essentials. v3.3 tightened the rules for what constitutes an acceptable unlock method. Most changes affect mobile devices, BYOD, and consumer Windows machines.

This article walks through the rules by platform.

Section 02

The general rule

Every device in scope must require authentication to unlock. The authentication must be:

  • Non-default (factory passcode changed).
  • Auto-engaged after a period of inactivity.
  • Not trivially bypassable.

Different platforms meet this differently.

Section 03

Windows

  • Screen lock after 15 minutes of inactivity (Group Policy or Intune).
  • Unlock requires password, PIN, Windows Hello biometric, or Windows Hello PIN.
  • Windows Hello for Business PIN minimum 6 digits.
  • A consumer-style Windows setup with no password (or password prompt disabled) does not pass.

Section 04

macOS

  • Require password after sleep or screen saver: immediately or after 5 minutes.
  • Password complexity: 8+ characters, mixed case, numbers.
  • FileVault enabled.
  • Touch ID acceptable for desktop unlock.

Section 05

iOS

  • Passcode required: yes.
  • Passcode complexity: 6-digit numeric minimum, alphanumeric preferred.
  • Auto-lock: 2 minutes or less.
  • Face ID / Touch ID acceptable for unlock (backed by passcode).
  • Device encryption: automatic on modern iOS.

v3.3 no longer accepts 4-digit passcodes on iOS for in-scope devices. Change the minimum to 6 digits via MDM (Intune, Jamf).

Section 06

Android

  • Screen lock: PIN, pattern, password, or biometric.
  • Pattern and 4-digit PIN are borderline - assessors may ask for 6-digit PIN minimum.
  • Biometric acceptable (backed by PIN).
  • Device encryption: required (automatic on Android 10+).
  • Auto-lock: 2 minutes or less.

Most MDM platforms can enforce a 6-digit PIN minimum as a technical control; doing so is recommended rather than relying on user discipline.

Section 07

Home routers (under v3.3)

v3.3 (Danzell A2.5) is unambiguous: normal home routers used by remote workers are explicitly out of scope. The Danzell text is "Details of routers and firewalls in the home environment must not be included." The boundary follows the device that touches organisational data, not the home network.

What this means for device unlock and posture:

  • The remote-worker laptop's software firewall must be enabled, default-deny on inbound, and configured so a standard user cannot disable it.
  • The MDM posture (Intune, Jamf, Conditional Access) covers the device wherever it is.
  • Home router admin passwords, firmware, and WAN configuration are not part of the assessment.

Where the firm supplies a corporate router as managed kit, that router is in scope as corporate equipment - but the typical home-worker scenario (worker uses their own ISP-provided router) is excluded.

Section 08

BYOD devices

For in-scope BYOD devices:

  • Personal iOS / Android devices accessing organisational data must enrol in MDM.
  • MDM enforces passcode complexity per the rules above.
  • "We told users to use a passcode" without technical enforcement is a fail.

Section 09

Kiosk / shared devices

Shared devices (training rooms, point-of-sale terminals, reception kiosks) are allowed but must:

  • Auto-lock between users.
  • Clear session data between users.
  • Have a unique per-user PIN or sign-in where practical.

Section 10

What the assessor checks

During the self-assessment:

  • Screenshots of MDM policies for iOS, Android, Windows.
  • Screenshot of Group Policy or Intune showing screen lock after 15 minutes on Windows.
  • Evidence that Face ID / Touch ID is enforced backed by 6-digit passcode.
  • Evidence that remote-worker laptops have their software firewall enabled and configured (Defender Firewall settings, macOS Firewall pane, MDM-applied firewall policy). Home routers themselves are out of scope under Danzell A2.5; no router-side evidence is required.

For CE Plus, the assessor samples devices live - they will ask the user to show screen lock configuration directly.

Section 11

Common failures

  • 4-digit PIN on iOS - upgrade to 6 digits via MDM.
  • No screen-lock timer on personal Windows - deploy via Intune or Group Policy.
  • Screen lock at 30 minutes or longer - reduce to 15 minutes.
  • No auto-lock on Android in MDM - configure it.
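As an added example (not code from the article or from Fig), the checker below encodes the per-platform thresholds from the Windows, macOS, iOS and Android sections and flags the common failures listed above against a fleet export. The record format and the sample devices are constructed for illustration; a real MDM export would need mapping onto these fields.

```python
# Constructed posture checker: field names and sample records are illustrative, not a real MDM export.
MAX_AUTOLOCK_MIN = {"windows": 15, "macos": 5, "ios": 2, "android": 2}
MIN_PASSCODE_LEN = {"windows": 6, "macos": 8, "ios": 6, "android": 6}  # Windows figure is the Hello PIN rule
ACCEPTED_UNLOCK = {
    "windows": {"password", "pin", "hello_pin", "hello_biometric"},
    "macos": {"password", "touch_id"},
    "ios": {"passcode", "face_id", "touch_id"},
    "android": {"pin", "password", "biometric", "pattern"},
}
BIOMETRIC = {"face_id", "touch_id", "biometric", "hello_biometric"}

def check_device(rec: dict) -> list[str]:
    """Return the v3.3 unlock findings for one device record; an empty list means pass."""
    p, unlock, findings = rec["platform"], rec.get("unlock_method"), []
    if not rec.get("auth_required"):
        findings.append("no authentication required to unlock")
    if unlock not in ACCEPTED_UNLOCK[p]:
        findings.append(f"unlock method {unlock!r} is not acceptable on {p}")
    if unlock in BIOMETRIC and not rec.get("passcode_set"):  # biometrics must be backed by a passcode
        findings.append("biometric unlock is not backed by a passcode/PIN")
    if p == "android" and unlock == "pattern":
        findings.append("pattern lock is borderline; enforce a 6-digit PIN instead")
    length = rec.get("passcode_length", 0)
    if length < MIN_PASSCODE_LEN[p]:
        findings.append(f"passcode length {length} is below the {MIN_PASSCODE_LEN[p]} minimum")
    lock = rec.get("autolock_minutes")  # None means no timer configured at all
    if lock is None or lock > MAX_AUTOLOCK_MIN[p]:
        findings.append(f"auto-lock {lock} min exceeds the {MAX_AUTOLOCK_MIN[p]} min limit")
    if not rec.get("encrypted"):
        findings.append("device encryption is not enabled")
    if rec.get("byod") and not rec.get("mdm_enrolled"):  # "we told users" is not enforcement
        findings.append("personal device is not enrolled in MDM (no technical enforcement)")
    return findings

def audit(records: list[dict]) -> dict[str, list[str]]:
    """Map device name -> findings for every record with at least one finding."""
    return {r["name"]: f for r in records if (f := check_device(r))}

# Constructed sample fleet: one BYOD iPhone on a 4-digit code, one Windows laptop with a 30-minute lock, one clean Mac.
SAMPLE_FLEET = [
    {"name": "ios-ceo", "platform": "ios", "auth_required": True, "unlock_method": "face_id",
     "passcode_set": True, "passcode_length": 4, "autolock_minutes": 5, "encrypted": True,
     "byod": True, "mdm_enrolled": False},
    {"name": "win-sales-01", "platform": "windows", "auth_required": True, "unlock_method": "hello_pin",
     "passcode_set": True, "passcode_length": 6, "autolock_minutes": 30, "encrypted": True},
    {"name": "mac-dev-02", "platform": "macos", "auth_required": True, "unlock_method": "touch_id",
     "passcode_set": True, "passcode_length": 12, "autolock_minutes": 5, "encrypted": True},
]
```

Running `audit(SAMPLE_FLEET)` reports three findings for the iPhone (short passcode, slow auto-lock, not enrolled) and one for the Windows laptop; the Mac produces none.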

Section 12

Bottom line

Device unlock is a low-drama CE control if you have MDM. Configure 6-digit minimum PINs, biometric backed by passcode, 15-minute screen lock, and device encryption. v3.3 tightens the thresholds but the controls have not fundamentally changed.


About the author

Jay Hopkins

Managing Director, Fig Group

IASME-licensed Cyber Essentials Assessor; IASME Cyber Assurance Assessor

Jay Hopkins is the Managing Director of Fig Group and an IASME-licensed Cyber Essentials assessor. He was previously Head of Technology for a global regulated firm. He works with UK organisations across regulated sectors on baseline compliance, supply-chain assurance, and AI-augmented security tooling.
