How to Create Intune Device Compliance Policies for Android, iOS and Windows.

Bring Your Own Device (BYOD) has always been a huge risk to your business. However, 2020 was the year that many people worked from home. This has blurred the lines between work and home life – and between personal and corporate data. 

After months of working from home, your employees may have more confidential company information stored on their personal devices than ever before. 

Do you feel like you’re losing control over your data? 

In this tutorial, we’ll show you how to ensure employees aren’t accessing your data on unsecure devices. We’ll use Microsoft’s device compliance policies to ensure each device meets your security standards, before accessing your data. 

We’ll even define some actions that Microsoft 365 can take automatically, if a device doesn’t meet your standards. This includes locking the non-compliant device, or deleting it from your system entirely. 

What are Microsoft’s compliance policies?

Compliance policies are rules that a device must adhere to, in order to be deemed compliant. If a device or user doesn’t fulfill these rules, Microsoft 365 can perform a range of actions, including sending the employee a push notification, or even locking their device. 

By protecting your corporate apps with compliance policies, you can ensure your confidential data is only accessed on devices that meet your security standards. For example, you might prevent employees from accessing company data on a device that isn’t password-protected. 

You can define two types of device compliance policies using Microsoft Intune: compliance policy settings, and device compliance policies. In this article, we’ll be exploring both compliance options. 

Compliance policy settings: Creating a baseline

Compliance policy settings are designed to provide a baseline. By applying these settings across your tenant, you’ll have a strong foundation for deploying more specific compliance rules, including policies that target specific operating systems, user groups, or even individual users. 

Let’s create a compliance policy baseline. To start, head over to the Microsoft Endpoint Manager admin center and then select “Endpoint security” from the left-hand menu.

You can now navigate to “Device compliance > Compliance policy settings.” To define your compliance policy settings, you’ll need to complete the following sections:

1. Mark devices with no compliance policy assigned as…  

Here, you can choose how Intune should handle a device that doesn’t have an assigned compliance policy. Intune can either mark these devices as “Compliant” or “Not compliant.” 

Unless you have a specific reason not to, we recommend opting for “Not compliant.” This ensures that only compliant devices will have access to your data and applications. Devices that don’t have a compliance policy will be deemed non-compliant, and will be unable to access your company resources. 

2. Enhanced jailbreak detection

This setting can be useful for blocking insecure, jailbroken iOS devices. The “Enhanced jailbreak detection” feature does use the device’s Location Services in order to perform jailbreak evaluation. However, Intune doesn’t actually store any of this location data.

Enhanced jailbreak detection will perform an evaluation whenever the user opens the Company Portal application, or the device moves a “significant distance,” which is defined as approximately 500 meters or more.

3. Compliance status validity period (days)

This is the period of time within which devices must report on all the compliance policies they have received. If a device doesn’t report its compliance status within this period, that device will be deemed non-compliant. 

By default, the validity period is set to 30 days. However, you can enter any value from 1 day, right through to 120 days. 

Getting specific: Creating a device compliance policy

After defining your compliance policy settings, you can move onto Microsoft’s device compliance policies. These allow you to set device-specific and user-specific rules. For example, you might specify a minimum operating system for all users within a specific group. Devices must meet all applicable device compliance policies, in order to be deemed compliant. 

When creating these rules, you can also define how Microsoft 365 handles non-compliance. For example, you might remotely lock all devices that are jailbroken, or issue a push notification warning an employee about accessing confidential data on their rooted smartphone. 

Different platforms support different settings, and each operating system requires its own device compliance policy. The exact steps may vary, but in the following sections we’ll provide a high-level overview of how to create a basic device compliance policy. 

Before we begin: Create a notification message template

When creating a device compliance policy, you’ll have the option to email non-compliant employees. This can be useful for giving employees a warning before taking more extreme action, such as blocking their device. You might also email non-compliant employees detailed instructions regarding the steps they can take to achieve compliance. 

If you want to use emails in your device compliance policies, you’ll need to create this messaging in advance. To create an email template: 

  1. Sign into the Microsoft Endpoint Manager admin center.
  2. In the left-hand menu, select “Endpoint Security.” 
  3. Navigate to “Device compliance > Notifications.” 
  4. Select “Create notification.” 
  5. Give this notification a descriptive name.
  6. You can now configure your notification. For example, you might choose to include your company logo, contact information, and a link to your website. 
  7. When you’re happy with the information you’ve entered, click “Next.” 
  8. You can now create your email, by entering a subject and typing the body text.
  9. When you’re happy with your email, click “Next.” 
  10. Review your email, and then click “Create.” 

You can repeat the above steps to create multiple email templates. When it’s time to create your device compliance policy, these templates will all appear in the Microsoft Endpoint Manager admin center. 

Create a compliance policy for iOS, macOS, Android, or Windows

Now it’s time to create our first device compliance policy: 

  1. Sign into the Microsoft Endpoint Manager admin center. 
  2. In the left-hand menu, select “Devices.” 
  3. Navigate to “Compliance policies > Policies.” 
  4. Select “Create Policy.” 
  5. Open the “Platform” dropdown and select the platform this policy should apply to.
  6. Select “Create.” This will open the compliance settings for your chosen platform; the following screenshot shows the iOS compliance policy settings. 
  7. To start, give your policy a descriptive name and enter a description. Click “Next.”
  8. In the “Compliance settings” tab, click to expand each section and complete the different categories. The options you see will vary depending on your chosen platform. Most of these options are fairly self-explanatory, but Microsoft has published a detailed breakdown for each platform (Android device administrator, Android Enterprise, iOS/iPadOS, macOS, Windows 8.1 and later, and Windows 10 and later).
  9. After completing all the sections in this tab, click “Next.” 
  10. In the “Actions for noncompliance” tab, specify how Microsoft 365 should handle non-compliant devices. Available options include: send email to end user; send push notification to end user; remotely lock the noncompliant device; or retire the noncompliant device. Retiring a device removes all company data from the device and deletes that device from Intune’s management services. 
  11. You can specify multiple actions that Intune should take, and assign a timescale to each event. This allows you to create a chain of escalating actions. For example, you might start by emailing the employee, warning them about their device’s non-compliant status. After 48 hours, you might escalate to blocking their device. If they remain non-compliant for another 48 hours, the final stage might be retiring their device. 
  12. If you created any messaging for this compliance policy, select “Message template.” You should now see a list of all the templates you created in the previous step. Choose the template that you want to use.
  13. When you’re happy with the information you’ve entered, click “Next.” 
  14. On the “Assignments” tab, you can assign this policy to a specific group.
  15. Alternatively, you can exclude groups from this device compliance policy, using “Select groups to exclude.” 
  16. You can now review all the information you’ve entered for this policy.

You’ve successfully created your first compliance policy! Rinse and repeat to create multiple device compliance policies, and remember that you’ll need to create a separate policy for each platform. 
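If you would rather deploy the same policy repeatably than click through the portal, here is an added example (not from this article or from Microsoft) that builds the Microsoft Graph request body for an iOS compliance policy with the escalating chain described above (email immediately, remote lock after 48 hours, retire after another 48 hours) and sanity-checks it before it is sent. The Graph property names are taken from the deviceCompliancePolicy schema as the author of this example understands it, the notification template GUID is a placeholder, and posting the body (which needs a bearer token) is left out.

```python
# Graph endpoint the finished body would be POSTed to (token handling not shown).
GRAPH_ENDPOINT = "https://graph.microsoft.com/beta/deviceManagement/deviceCompliancePolicies"
DESTRUCTIVE = {"retire", "wipe"}   # actions that remove company data or management


def build_ios_policy(name, template_id, escalation, os_min="14.0"):
    """Build the Graph body for an iOS compliance policy.
    escalation: list of (actionType, hours after the previous step); the article's
    chain is [("notification", 0), ("remoteLock", 48), ("retire", 48)].
    Graph wants absolute gracePeriodHours, so the delays are accumulated."""
    steps, elapsed = [], 0
    for action, delay in escalation:
        elapsed += delay
        step = {"actionType": action, "gracePeriodHours": elapsed}
        if action == "notification":
            # Template created under "Device compliance > Notifications" (placeholder GUID)
            step["notificationTemplateId"] = template_id
        steps.append(step)
    return {
        "@odata.type": "#microsoft.graph.iosCompliancePolicy",
        "displayName": name,
        "description": "Baseline iOS compliance (constructed example)",
        "passcodeRequired": True,                # no company data on a device without a passcode
        "securityBlockJailbrokenDevices": True,  # pairs with enhanced jailbreak detection
        "osMinimumVersion": os_min,
        "scheduledActionsForRule": [{
            "ruleName": "PasswordRequired",
            "scheduledActionConfigurations": steps,
        }],
    }


def check_escalation(body):
    """Return problems with the noncompliance chain (empty list means OK): grace
    periods must strictly increase, and a warning must precede any destructive action."""
    problems = []
    for rule in body["scheduledActionsForRule"]:
        steps = rule["scheduledActionConfigurations"]
        hours = [s["gracePeriodHours"] for s in steps]
        if hours != sorted(hours) or len(set(hours)) != len(hours):
            problems.append("grace periods must strictly increase")
        notified = False
        for s in steps:
            if s["actionType"] in ("notification", "pushNotification"):
                notified = True
            elif s["actionType"] in DESTRUCTIVE and not notified:
                problems.append(f"{s['actionType']} fires without a prior warning")
    return problems


def check_validity_period(days):
    """Compliance status validity period must be 1..120 days (the default is 30)."""
    return 1 <= days <= 120
```

Run `check_escalation` on every policy body before posting it; a chain that retires devices with no warning step is the kind of mistake that is cheap to catch here and expensive to discover from a help-desk queue.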

Monitoring your device compliance policies

After you’ve created your device compliance policies, you can monitor these policies in the Intune Device compliance dashboard. You can also use this dashboard to identify and resolve compliance-related issues. 

To access the Intune Device compliance dashboard: 

  1. Head over to the Microsoft Endpoint Manager admin center.
  2. In the left-hand menu, select “Devices > Overview.”
  3. Select the “Compliance status” tab. 

This dashboard reveals a wealth of information, including overall device compliance, threat agent status, and device protection status. You can use it to monitor the overall compliance status of your employees’ devices. It’s even possible to drill down into an individual device to view the specific settings and policies that affect that device.
