Intune Compliance Policy

The compliance policy in Intune is an important feature because it makes it possible to verify that a mobile device complies with the organization's security requirements. Several parameters can be configured in the compliance policy.

  • Using a password to access devices
  • Encryption of the device
  • Prohibit jailbroken or root device
  • Minimum operating system version required
  • Maximum allowed version of the operating system
  • Require the device to be at or below a given mobile threat defense level

The compliance policy makes it possible to monitor the state of a device and intervene if necessary. When you enroll a device in Intune, its attributes are updated; among them is the compliance status of the device.
This status is very useful for determining whether a device meets the technical requirements (jailbreak, password, …). It is thus possible to implement conditional access based on this compliance policy.

Prerequisites

To use compliance policies, you must have an Intune or Azure AD Premium subscription. These rules are compatible with different platforms:

  • Android
  • iOS
  • macOS
  • Windows 8.1 / 10

Create a Compliance Policy for iOS

From the Intune console (azure.microsoft.com), click Device compliance to create a compliance policy.

Select Compliance Policy

Click Policies and Create Policy.

Create Compliance Policy

Enter the name of the policy and choose the desired platform from the drop-down list. Click Settings to display the parameters.

Configure Compliance Policy

Several parameters can be configured.

Email

Require a managed email profile for mobile devices: with the value Require configured, any device that does not have an email profile managed by Intune is considered non-compliant. In the following cases, the device is considered non-compliant:

  • The email profile is deployed to a user group other than the one targeted by the compliance policy.
  • The email profile was configured manually on the device and Intune cannot replace the configured profile, so the email profile is not managed.
Require email on Policy

Device health
Several parameters can be configured.

Jailbroken device: if a device is jailbroken, it is considered non-compliant.

Require the device to be at or under the Device Threat Level: select the maximum threat level at which a device is still considered compliant. Several levels are available:

  • Secured: this option is the most secure; no threat at all may be present for the device to be considered compliant. If a threat of any other level is detected, the device is assessed as non-compliant.
  • Low: the device is rated compliant only when the detected threats are at most low level. The detection of higher-level threats makes the device non-compliant.
  • Medium: the device is considered compliant if the detected threats are of low or medium level only. The presence of high-level threats makes the device non-compliant.
  • High: this option is the least secure. It allows all levels of threat. It can be used if the solution is used for reporting purposes only.
Jailbroken Compliance Policy

Device properties

Minimum OS version: a device is considered non-compliant when it does not meet the minimum operating system version requirement. A link appears giving the user information about the upgrade. The user can thus choose to upgrade the device and then regains access to the company's resources.

Maximum OS version: a device is considered non-compliant when it exceeds the maximum operating system version allowed. The user is invited to contact the IT department. The device cannot access resources as long as the rule on the allowed operating system version remains unchanged.

Operating system min and max

System Security

Require a password to unlock mobile devices: this setting requires the use of a password to access the device.

  • Simple passwords: blocks the use of simple passwords (1234, 1111, …).
  • Minimum password length: indicates the minimum number of digits or characters in the password.
  • Required password type: specifies whether the password may contain only numeric characters, or must be a combination of numbers and other characters (alphanumeric).
  • Number of non-alphanumeric characters in password: specifies the minimum number of special characters (&, #, %, !, …) that the password must include.
  • Maximum minutes of inactivity before password is required: the duration of inactivity after which the user must enter the password again.
  • Password expiration (days): specifies the number of days before the user's password expires. This forces the creation of a new one.
  • Number of previous passwords to prevent reuse: specifies how many previous passwords the user cannot reuse.
Select compliance password

Actions for noncompliance

When a device does not comply, Microsoft Intune marks it as non-compliant (immediately, by default). Two types of action are possible:

  • Mark device noncompliant: consists of creating a schedule indicating the number of days after which the device is marked as non-compliant. The action can be executed immediately (the default), or the user can be granted a grace period to come into compliance.
  • Send email to end user: allows you to customize an email notification before it is sent to the end user. The recipients, the subject and the body of the message (company logo, contact information, etc.) can be personalized. Microsoft Intune adds information about the non-compliant device to the notification email.
Intune Compliance Policy
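The same policy can be created through the Microsoft Graph API rather than the portal. The example below is added here and is not code from the original post: it builds the request body for an iOS compliance policy carrying the settings described in the sections above (managed email profile, jailbreak, threat level, OS version range, password rules, and a noncompliance schedule with a grace period), then applies those rules to two constructed device states so the evaluation logic can be followed end to end. The property names follow the Graph iosCompliancePolicy resource as recalled by the author of this example; the page itself never names them, so check them against the Graph reference before use. The evaluator illustrates the rules as the page states them and is not Intune's own compliance engine.

```python
"""Added example: Graph body for an iOS compliance policy plus an illustrative
evaluator for the rules described above. Property names are assumed to match
the Graph iosCompliancePolicy resource; the evaluator is not Intune's engine."""
import re

# Threat levels from most to least secure. "Require the device to be at or under
# the device threat level" passes when the detected level is at or below the
# configured ceiling in this ordering.
THREAT_LEVELS = ["secured", "low", "medium", "high"]


def build_ios_compliance_policy(display_name="iOS baseline"):
    """Body for POST /deviceManagement/deviceCompliancePolicies."""
    return {
        "@odata.type": "#microsoft.graph.iosCompliancePolicy",
        "displayName": display_name,
        # Email
        "managedEmailProfileRequired": True,
        # Device health
        "securityBlockJailbrokenDevices": True,
        "deviceThreatProtectionEnabled": True,
        "deviceThreatProtectionRequiredSecurityLevel": "low",
        # Device properties
        "osMinimumVersion": "12.4",
        "osMaximumVersion": "13.99",
        # System security
        "passcodeRequired": True,
        "passcodeBlockSimple": True,
        "passcodeMinimumLength": 6,
        "passcodeRequiredType": "alphanumeric",
        "passcodeMinutesOfInactivityBeforeLock": 5,
        "passcodeExpirationDays": 90,
        "passcodePreviousPasscodeBlockCount": 5,
        # Actions for noncompliance: notify at once, mark noncompliant after a
        # 24-hour grace period. The template id is a placeholder.
        "scheduledActionsForRule": [{
            "ruleName": "PasswordRequired",
            "scheduledActionConfigurations": [
                {"actionType": "notification", "gracePeriodHours": 0,
                 "notificationTemplateId": "<notification-template-id>"},
                {"actionType": "block", "gracePeriodHours": 24},
            ],
        }],
    }


def parse_version(text):
    """'12.10' -> (12, 10). Versions must be compared numerically: as strings,
    '12.10' < '12.4', which would wrongly fail the minimum-OS rule."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


def evaluate(policy, device):
    """Return the rules a device state fails (empty list means compliant).
    `device` is a constructed summary of what a device reports; the server never
    sees the passcode itself, only whether it meets the requirements."""
    failures = []
    if policy["managedEmailProfileRequired"] and not device["managed_email_profile"]:
        failures.append("email_profile")
    if policy["securityBlockJailbrokenDevices"] and device["jailbroken"]:
        failures.append("jailbroken")
    ceiling = policy["deviceThreatProtectionRequiredSecurityLevel"]
    if (policy["deviceThreatProtectionEnabled"]
            and THREAT_LEVELS.index(device["threat_level"]) > THREAT_LEVELS.index(ceiling)):
        failures.append("threat_level")
    version = parse_version(device["os_version"])
    if version < parse_version(policy["osMinimumVersion"]):
        failures.append("os_minimum")
    if version > parse_version(policy["osMaximumVersion"]):
        failures.append("os_maximum")
    if policy["passcodeRequired"]:
        if not device["passcode_present"]:
            failures.append("passcode_required")
        else:
            if policy["passcodeBlockSimple"] and device["passcode_simple"]:
                failures.append("passcode_simple")
            if device["passcode_length"] < policy["passcodeMinimumLength"]:
                failures.append("passcode_length")
            if policy["passcodeRequiredType"] == "alphanumeric" and not device["passcode_alphanumeric"]:
                failures.append("passcode_type")
    return failures


def compliance_state(failures, hours_since_first_failure, grace_period_hours):
    """'Mark device noncompliant' with a schedule: a failing device is only
    marked noncompliant once the grace period has elapsed."""
    if not failures:
        return "compliant"
    return "inGracePeriod" if hours_since_first_failure < grace_period_hours else "noncompliant"


# Constructed device states, not real telemetry.
GOOD_DEVICE = {"managed_email_profile": True, "jailbroken": False, "threat_level": "secured",
               "os_version": "13.3.1", "passcode_present": True, "passcode_simple": False,
               "passcode_length": 8, "passcode_alphanumeric": True}
BAD_DEVICE = {"managed_email_profile": False, "jailbroken": True, "threat_level": "medium",
              "os_version": "12.10", "passcode_present": True, "passcode_simple": True,
              "passcode_length": 4, "passcode_alphanumeric": False}

if __name__ == "__main__":
    policy = build_ios_compliance_policy()
    for name, dev in (("good", GOOD_DEVICE), ("bad", BAD_DEVICE)):
        failed = evaluate(policy, dev)
        print(name, failed, compliance_state(failed, 2, 24))
```

Two details are worth noting. The OS version bounds are compared as tuples of integers, because a device on 12.10 satisfies a 12.4 minimum even though the string "12.10" sorts before "12.4". And the grace period only delays the block action: the device is flagged in the evaluation as soon as it fails a rule, which is what makes the "Send email to end user" action useful before access is cut off.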

Assignments

After creating the policy, you must assign it to a user group. Click Assignments, then Select groups to include. Select the desired group and click Select.

Assign Policy
