To control this policy, the device admin must have an "expire-password" tag in the "uses-policies" section of its meta-data.