CIS-8.1.4.1 — Enforce Automatic Device Lockout on Portable End-User Devices


Executive Summary

Portable devices such as laptops, tablets, and smartphones are frequently lost, stolen, or left unattended. An attacker with physical access to an unlocked device can read sensitive data, install malware, or use the device as a pivot point into the network. Automatic device lockout, where the device locks its screen after a period of inactivity and limits the number of failed unlock attempts, is a fundamental control that bounds the window of opportunity even when the user forgets to lock the device. It complements, and does not replace, full-disk encryption: the lock screen protects a running session, while encryption protects the data if the device is powered off and the storage is read directly.

Asset Class: Devices

Security Function: Protect

Implementation Groups: IG1, IG2, IG3

Overview and Rationale

Portable end-user devices (laptops, tablets, smartphones) are critical assets in modern organizations. When a user steps away from their device without locking it, an attacker with physical proximity can:

  • Access sensitive files and data
  • Install keyloggers or spyware
  • Send messages or emails impersonating the user
  • Establish persistence mechanisms for remote access
  • Exfiltrate credentials from cached sessions
  • Modify system configurations or install backdoors

Automatic lockout mitigates these risks by ensuring that even if a user forgets to manually lock their device, the operating system will automatically secure it after a configurable inactivity timeout.

Technical Requirements and Implementation

Core Requirements

  • Portable Laptops: Configure automatic screen lock after a maximum of 15 minutes of inactivity (or faster for IG3)
  • Tablets and Smartphones: Configure automatic screen lock after a maximum of 5 minutes of inactivity (or faster for IG3)
  • Authentication Thresholds: After lockout, users must re-authenticate, and local failed attempts must be limited so the lock cannot simply be guessed through:
    • Laptops: no more than 20 failed attempts
    • Tablets/Smartphones: no more than 10 failed attempts
  • Consistency: Apply the policy organization-wide through Mobile Device Management (MDM) or device configuration management rather than relying on per-user settings, and prevent users from raising the values

Implementation Steps

For Windows Laptops

  1. Open the Group Policy Editor (gpedit.msc, or the Group Policy Management Console for a domain) or use Mobile Device Management (Intune)
  2. For a screen-saver based lock, navigate to: User Configuration > Administrative Templates > Control Panel > Personalization. Enable "Enable screen saver", set "Screen saver timeout" to 900 seconds (15 minutes) or less, and enable "Password protect the screen saver" so the user is prompted for a password on resume (these policies live under User Configuration, not Computer Configuration)
  3. For a machine-wide lock that does not depend on a screen saver, navigate to: Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options and set "Interactive logon: Machine inactivity limit" to 900 seconds or less
  4. Limit local failed attempts under Computer Configuration > Windows Settings > Security Settings > Account Policies > Account Lockout Policy by setting "Account lockout threshold" to 20 or fewer invalid logon attempts
  5. In Intune, the equivalent settings are in a Device restrictions profile under Password: "Maximum minutes of inactivity until screen locks" (15 or less) and "Number of sign-in failures before wiping device" (20 or less)
  6. Deploy via Group Policy or Intune and verify on a sample device with gpresult /r or the Intune device configuration report

For macOS Laptops

  1. Locally, open System Settings > Lock Screen (System Preferences > Security & Privacy > General on older releases) and set the password requirement after the screen saver begins or the display turns off to "Immediately"
  2. Set the screen saver or display-off interval to 15 minutes or less; the per-user value is the idleTime key (in seconds) of the com.apple.screensaver domain, for example: defaults -currentHost write com.apple.screensaver idleTime -int 900
  3. For managed fleets, deliver the same values through MDM: a com.apple.screensaver payload with idleTime set to 900 or less, plus a Passcode payload (com.apple.mobiledevice.passwordpolicy) whose maxInactivity is 15 or less and whose maxFailedAttempts is 20 or less (maxInactivity is in minutes, not seconds)
  4. Verify with: defaults -currentHost read com.apple.screensaver idleTime, and confirm the profile is installed with: sudo profiles list

For iOS/iPadOS Devices

  1. Enroll devices through Apple Business Manager (ABM) into your MDM solution; ABM handles enrollment, the MDM enforces the policy
  2. The user-facing setting is Settings > Display & Brightness > Auto-Lock; the policy equivalent is the Passcode payload (com.apple.mobiledevice.passwordpolicy) with maxInactivity set to 5 or less (minutes) and maxFailedAttempts set to 10 or less
  3. Deploy the Passcode payload as a Configuration Profile via MDM; once installed, the Auto-Lock menu only offers values at or below maxInactivity, so users cannot weaken it
  4. Supervise the devices where possible so the profile cannot be removed by the user

For Android Devices

  1. Enroll devices in a Mobile Device Management solution (e.g., Microsoft Intune, Google Workspace endpoint management, Samsung Knox Manage)
  2. The user-facing setting is Settings > Security (or Display) > Screen timeout / Lock after screen timeout; the policy equivalent in the Android Management API is maximumTimeToLock (in milliseconds; 300000 for 5 minutes) together with passwordRequirements.maximumFailedPasswordsForWipe set to 10 or less
  3. Enforce the policy on a work profile or fully managed device so the user cannot raise the value; Android applies the lowest timeout set by any device admin
  4. On Samsung devices, Knox policies can enforce the same lock timeout and failed-attempt limits alongside the standard Android device policy

Example Policy Configurations

Microsoft Intune Device Lock Policy (Windows)

The request body below is a windows10GeneralConfiguration object for the Microsoft Graph device configuration API. The fields that implement this control are passwordRequired, passwordMinutesOfInactivityBeforeScreenTimeout and passwordSignInFailureCountBeforeFactoryReset; the other password fields are shown because the same object carries them. The object id is assigned by the service on creation, and passwordRequiredType accepts only deviceDefault, numeric or alphanumeric.

{
  "@odata.type": "#microsoft.graph.windows10GeneralConfiguration",
  "displayName": "Portable Device Automatic Lockout",
  "description": "Enforce automatic screen lockout after 15 minutes of inactivity and local lockout after 20 failed sign-ins",
  "passwordRequired": true,
  "passwordRequiredType": "alphanumeric",
  "passwordMinimumLength": 14,
  "passwordMinimumCharacterSetCount": 4,
  "passwordExpirationDays": 90,
  "passwordPreviousPasswordBlockCount": 24,
  "passwordMinutesOfInactivityBeforeScreenTimeout": 15,
  "passwordSignInFailureCountBeforeFactoryReset": 20
}

Apple Configuration Profile (macOS/iOS)

The Passcode payload's maxInactivity key is expressed in minutes (1 to 15), not seconds; a value of 900 is rejected or ignored. The values below satisfy the laptop thresholds; for iOS/iPadOS devices set maxInactivity to 5 and maxFailedAttempts to 10. Every payload, including the outer profile, needs its own PayloadIdentifier, PayloadUUID and PayloadVersion; replace the UUID placeholders with values generated by uuidgen.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadDisplayName</key>
  <string>Automatic Device Lockout Policy</string>
  <key>PayloadIdentifier</key>
  <string>com.org.device-lockout</string>
  <key>PayloadUUID</key>
  <string>REPLACE-WITH-PROFILE-UUID</string>
  <key>PayloadType</key>
  <string>Configuration</string>
  <key>PayloadVersion</key>
  <integer>1</integer>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadDisplayName</key>
      <string>Passcode Policy</string>
      <key>PayloadIdentifier</key>
      <string>com.org.device-lockout.passcode</string>
      <key>PayloadUUID</key>
      <string>REPLACE-WITH-PAYLOAD-UUID</string>
      <key>PayloadType</key>
      <string>com.apple.mobiledevice.passwordpolicy</string>
      <key>PayloadVersion</key>
      <integer>1</integer>
      <!-- minutes of inactivity before the device locks; 15 for laptops, 5 for mobile -->
      <key>maxInactivity</key>
      <integer>15</integer>
      <!-- failed attempts before lockout (macOS) or wipe (iOS); 20 for laptops, 10 for mobile -->
      <key>maxFailedAttempts</key>
      <integer>20</integer>
      <key>requireAlphanumeric</key>
      <true/>
      <key>minLength</key>
      <integer>14</integer>
    </dict>
  </array>
</dict>
</plist>

Evidence and Audit Trail

To verify compliance with CIS-8.1.4.1:

  • Device Inventory: Maintain a list of all portable devices with model, OS, and lockout policy version
  • Policy Audit Reports: Generate reports from MDM/management systems showing which devices are compliant
  • Configuration Baselines: Document the approved lock timeout settings for each device class
  • Exception Management: Track any devices with deviations and documented business justifications
  • User Training Records: Evidence that users have been trained on device security and lockout procedures
  • Incident Logs: Document any incidents related to unattended or unlocked devices
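The following Python script is an added example, not part of this knowledge-base page or of any vendor's tooling. It reads the two policy artifacts shown under Example Policy Configurations (an Intune windows10GeneralConfiguration body and an Apple profile carrying a Passcode payload), normalises them to one (inactivity minutes, failed attempts) pair, checks each pair against the per-class thresholds above, and emits the kind of policy audit report the Evidence section asks for. It also catches the seconds-written-into-a-minutes-key mistake for maxInactivity. The sample inputs are constructed inline and are not exports from a real tenant; the function names, the THRESHOLDS table and the "laptop"/"mobile" class labels are the example's own.

```python
import json
import plistlib

# Limits from this page, per device class: maximum inactivity before lock
# (minutes) and maximum failed local authentication attempts before lockout.
THRESHOLDS = {
    "laptop": {"max_inactivity_min": 15, "max_failed_attempts": 20},
    "mobile": {"max_inactivity_min": 5, "max_failed_attempts": 10},
}
# Apple's Passcode payload expresses maxInactivity in minutes, 1 to 15.
APPLE_MAX_INACTIVITY_MIN = 15


def evaluate(device_class, inactivity_min, failed_attempts):
    """Check one (inactivity, attempts) pair against its class; return (ok, findings)."""
    limits = THRESHOLDS[device_class]
    findings = []
    if inactivity_min is None:
        findings.append("no inactivity lock configured")
    elif not 0 < inactivity_min <= limits["max_inactivity_min"]:
        findings.append(f"inactivity lock of {inactivity_min} min exceeds the "
                        f"{limits['max_inactivity_min']} min limit for {device_class}s")
    if failed_attempts is None:
        findings.append("no failed-attempt lockout configured")
    elif not 0 < failed_attempts <= limits["max_failed_attempts"]:
        findings.append(f"failed-attempt limit of {failed_attempts} exceeds the "
                        f"{limits['max_failed_attempts']} allowed for {device_class}s")
    return not findings, findings


def read_intune(text):
    """Extract (inactivity_min, failed_attempts) from a windows10GeneralConfiguration body."""
    cfg = json.loads(text)
    if cfg.get("@odata.type") != "#microsoft.graph.windows10GeneralConfiguration":
        raise ValueError("expected a windows10GeneralConfiguration body")
    if not cfg.get("passwordRequired"):
        return None, None  # a lock screen with no password is not an authentication boundary
    inactivity = cfg.get("passwordMinutesOfInactivityBeforeScreenTimeout")
    attempts = cfg.get("passwordSignInFailureCountBeforeFactoryReset")
    # An absent or zero value means the setting is not enforced.
    return (inactivity or None), (attempts or None)


def read_apple(data):
    """Extract (inactivity_min, failed_attempts) from the Passcode payload of a profile."""
    profile = plistlib.loads(data)
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.mobiledevice.passwordpolicy":
            continue
        inactivity = payload.get("maxInactivity")
        if inactivity is not None and inactivity > APPLE_MAX_INACTIVITY_MIN:
            # A value like 900 almost always means seconds were written into a minutes key.
            raise ValueError(f"maxInactivity={inactivity} is out of range; the key is minutes (1-15)")
        return inactivity, payload.get("maxFailedAttempts")
    return None, None  # profile carries no Passcode payload at all


def audit(policies):
    """policies: iterable of (name, device_class, (inactivity_min, failed_attempts))."""
    report = []
    for name, device_class, values in policies:
        ok, findings = evaluate(device_class, *values)
        report.append({"policy": name, "class": device_class,
                       "compliant": ok, "findings": findings})
    return report


# Constructed sample inputs for this example (not exported from a real tenant).
INTUNE_LAPTOP_POLICY = """{
  "@odata.type": "#microsoft.graph.windows10GeneralConfiguration",
  "displayName": "Portable Device Automatic Lockout",
  "passwordRequired": true,
  "passwordMinutesOfInactivityBeforeScreenTimeout": 15,
  "passwordSignInFailureCountBeforeFactoryReset": 20
}"""

# A mobile profile whose author chose 10 minutes: within Apple's range, but over the 5-minute limit.
APPLE_MOBILE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.mobiledevice.passwordpolicy</string>
      <key>maxInactivity</key><integer>10</integer>
      <key>maxFailedAttempts</key><integer>10</integer>
    </dict>
  </array>
</dict>
</plist>"""

# The same profile with 900 (seconds) written into maxInactivity, the unit mistake to catch.
APPLE_BAD_UNITS = APPLE_MOBILE_PROFILE.replace(b"<integer>10</integer>", b"<integer>900</integer>", 1)

if __name__ == "__main__":
    rows = [
        ("Intune Windows laptops", "laptop", read_intune(INTUNE_LAPTOP_POLICY)),
        ("Apple iOS/iPadOS fleet", "mobile", read_apple(APPLE_MOBILE_PROFILE)),
    ]
    for row in audit(rows):
        status = "PASS" if row["compliant"] else "FAIL"
        print(f"{status} {row['policy']}: {'; '.join(row['findings']) or 'ok'}")
```

Run it as-is to see the laptop policy pass and the mobile profile fail on its 10-minute timeout; point read_intune and read_apple at real exports (the Graph API response body and the .mobileconfig file) to produce the per-policy evidence rows, and keep the raised ValueError for APPLE_BAD_UNITS as the reminder that a profile with a wrong unit is not a weaker policy but no policy at all.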

Mapping to Other Frameworks

Framework | Control ID | Description
NIST SP 800-53 Rev. 5 | AC-11 | Device Lock (session termination is the separate AC-12)
NIST SP 800-171 Rev. 2 | 3.1.10 | Session Lock
ISO/IEC 27001:2022 | A.7.7 | Clear Desk and Clear Screen (A.8.1, User Endpoint Devices, covers the device policy itself)
PCI DSS v3.2.1 | 8.1.8 | Re-authenticate after a session has been idle for more than 15 minutes (8.1.6 limits repeated access attempts to six before lockout)

Real-World Scenario

Scenario: A consultant working at a client site steps away from their laptop for a 10-minute coffee break without locking the device. An attacker with physical access uses this window to:

  1. Access unencrypted files containing customer data
  2. Install a persistence mechanism via a USB drive
  3. Extract stored credentials from the browser's saved-password store
  4. Establish a remote shell for later access

Mitigation: The organization sets the laptop timeout well below the 15-minute maximum, at 5 minutes, so the device locks before the consultant returns. The attacker faces a lock screen requiring authentication, and the failed-attempt limit of 20 means the password cannot be guessed by trial and error at the keyboard, so the attack chain does not start. Note that the lock screen only protects the running session: an attacker who powers the laptop off and reads the disk directly is stopped by full-disk encryption, not by the lock, which is why the two controls are deployed together.

Readiness Checklist

  • [ ] Identified all portable devices in the organization (laptops, tablets, smartphones)
  • [ ] Determined appropriate lock timeout values per device class (15 min for laptops, 5 min for mobile)
  • [ ] Deployed an MDM solution (Intune, Google Workspace, Knox, etc.) with devices enrolled through ABM or the platform's equivalent
  • [ ] Created and tested device lock policies for each OS platform
  • [ ] Configured failed authentication attempt limits (20 for laptops, 10 for mobile)
  • [ ] Rolled out policies to all portable devices in phases
  • [ ] Established audit process to verify compliance
  • [ ] Trained users on device lockout expectations and procedures
  • [ ] Documented exceptions and business justifications
  • [ ] Set up monitoring/alerting for non-compliant devices
  • [ ] Scheduled periodic reviews and policy updates