Intune Compliance Policy
The compliance policy in Intune is an important component because it makes it possible to verify that a mobile device complies with security constraints. Several parameters can be configured in the compliance policy:
- Using a password to access devices
- Encryption of the device
- Prohibit jailbroken or rooted devices
- Minimum operating system version required
- Maximum allowed version of the operating system
- Require the device to be at or under the Device Threat Level
The compliance rule makes it possible to monitor the state of a device and intervene if necessary. When you enroll a device in Intune, its attributes are updated; among them is the compliance status of the device.
This status is very useful to determine whether a device meets technical requirements (jailbreak, password, …). It is thus possible to implement conditional access based on this compliance policy.
To use compliance policies, you must have an Intune or Azure AD Premium subscription. These rules are compatible with different platforms:
- Windows 8.1 / 10
Create Compliance Policy for iOS
From the Intune console (azure.microsoft.com), click Device Compliance to create a compliance policy.
Click Policies, then Create Policy.
Enter the name of the policy and choose the desired platform from the drop-down list. Click Settings to display the parameters.
Several parameters can be configured:
Require a managed email profile for mobile devices: With the Require value configured, any device that does not have an email profile managed by Intune is considered non-compliant. In the following cases, the device is considered non-compliant:
- The email profile is deployed to a user group other than the one targeted by the compliance policy.
- The email profile has been configured manually on the device and Intune cannot replace the configured profile, so the email profile is not managed.
Jailbreak device: If a device is jailbroken, it is considered non-compliant.
Require the device to be at or under the Device Threat Level: Select the maximum threat level a device may have and still be considered compliant. Several levels are available:
- Secured: This option is the most secure; no threat at all may be present for the device to be considered compliant. If a threat of any other level is detected, the device is assessed as non-compliant.
- Low: The device is rated as compliant only when at most low-level threats are detected. The detection of higher-level threats makes the device non-compliant.
- Medium: The device is considered compliant if the detected threats are of low or medium level only. The presence of high-level threats makes the device non-compliant.
- High: This option is the least secure. It allows all levels of threat. It can be used if the solution is used for reporting purposes only.
Minimum OS version: A device is considered non-compliant when it does not meet the minimum operating system version requirement. A link appears giving the user information about the upgrade. The user can thus choose to upgrade the device and then regains access to the company's resources.
Maximum OS version: A device is considered non-compliant when it exceeds the maximum operating system version allowed. The user is invited to contact the IT department. The device cannot access resources as long as the rule allowing that operating system version remains unchanged.
Require a password to unlock mobile devices: This setting requires the use of a password to access the device. The following options are available:
- Simple passwords: Blocks the use of simple passwords (1234, 1111, …).
- Minimum password length: Indicates the minimum number of digits or characters in the password.
- Required password type: Specifies whether the password may contain only numeric characters, or a combination of numbers and other characters (alphanumeric).
- Number of non-alphanumeric characters in password: Specifies the minimum number of special characters (&, #, %, !, …) that the password must include.
- Maximum minutes of inactivity before password is required: Duration of inactivity after which the user must re-enter the password.
- Password expiration (days): Specifies the number of days before the user's password expires, which forces the creation of a new one.
- Number of previous passwords to prevent reuse: Specifies how many previous passwords the user may not reuse.
Actions for noncompliance
When a device is not compliant, Microsoft Intune immediately marks it as non-compliant. Two types of action are possible:
- Mark device noncompliant: Consists of creating a schedule indicating a number of days after which the device is marked as non-compliant. It is possible to execute the action immediately (the default) or grant the user a grace period to comply.
- Send email to end user: Allows you to customize an email notification before it is sent to the end user. It is possible to personalize the recipients, the subject and the body of the message (company logo, contact information, etc.). Microsoft Intune adds information about the non-compliant device to the notification email.
After creating the policy, it is necessary to assign it to a user group. Click Assignments, then Select groups to include. Select the desired group and click Select.
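The same iOS policy can be created programmatically instead of through the portal. The following is an added example (not from the original post) that builds the Microsoft Graph request body for the settings described above and rejects inconsistent input (unknown threat level, minimum OS version above the maximum) before anything is sent. It assumes the property names of the Graph iosCompliancePolicy resource type; sending the body and assigning the policy to a group are left to the caller.

```python
from typing import Any
# Added example, not from the original post. Property names are assumed to match
# the Microsoft Graph iosCompliancePolicy resource type.
THREAT_LEVELS = ("secured", "low", "medium", "high")  # strictest to most permissive
PASSCODE_TYPES = ("deviceDefault", "numeric", "alphanumeric")

def _version_tuple(version: str) -> tuple[int, ...]:
    return tuple(int(part) for part in version.split("."))

def build_ios_compliance_policy(name: str, *, os_min: str, os_max: str,
                                threat_level: str = "secured",
                                passcode_type: str = "alphanumeric",
                                passcode_min_length: int = 6,
                                inactivity_minutes: int = 5,
                                expiration_days: int = 90,
                                history_count: int = 5,
                                grace_period_hours: int = 0) -> dict[str, Any]:
    """Return the body for POST /deviceManagement/deviceCompliancePolicies."""
    if threat_level not in THREAT_LEVELS:
        raise ValueError(f"unknown threat level {threat_level!r}")
    if passcode_type not in PASSCODE_TYPES:
        raise ValueError(f"unknown passcode type {passcode_type!r}")
    if _version_tuple(os_min) > _version_tuple(os_max):
        raise ValueError("minimum OS version must not exceed the maximum")
    return {
        "@odata.type": "#microsoft.graph.iosCompliancePolicy",
        "displayName": name,
        # Email profile and device health (jailbreak, threat level, OS version)
        "managedEmailProfileRequired": True,
        "securityBlockJailbrokenDevices": True,
        "deviceThreatProtectionEnabled": True,
        "deviceThreatProtectionRequiredSecurityLevel": threat_level,
        "osMinimumVersion": os_min,
        "osMaximumVersion": os_max,
        # Password settings
        "passcodeRequired": True,
        "passcodeBlockSimple": True,
        "passcodeMinimumLength": passcode_min_length,
        "passcodeRequiredType": passcode_type,
        "passcodeMinutesOfInactivityBeforeLock": inactivity_minutes,
        "passcodeExpirationDays": expiration_days,
        "passcodePreviousPasscodeBlockCount": history_count,
        # Action for noncompliance: mark non-compliant ("block") after the grace period
        "scheduledActionsForRule": [{
            "ruleName": "PasswordRequired",
            "scheduledActionConfigurations": [
                {"actionType": "block", "gracePeriodHours": grace_period_hours},
            ],
        }],
    }
```

Post the returned dictionary with an access token holding DeviceManagementConfiguration.ReadWrite.All, then assign it to the target group through the policy's assign action, which corresponds to the Assignments step above.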