question

GregT8 asked Crystal-MSFT edited

Guidance on compliance policy configuration for BYOD vs company devices

We would like to apply a compliance policy to all users in the org. In our company, each user has their own device. Users do not share devices. In this case, we've been advised that it is best practice to deploy compliance policies only to users and not to devices. We have different security requirements for BYOD devices vs company devices.

Given that we have been advised to deploy compliance policies only to users, what guidance do you have for maintaining separate compliance policies for users' BYOD devices and users' company devices?

mem-intune-device-configurations

Crystal-MSFT answered Crystal-MSFT edited

@GregT8, from your description, I know we want to deploy compliance policies to users, and we have different security requirements for BYOD devices and company devices.

Here we would like to confirm whether each user will only use one kind of device, for example only BYOD devices or only company devices. If so, we can add these users to different groups to apply the policies. However, if users have both BYOD devices and company devices, then when the compliance policy applies to the user, both the BYOD and company devices will get the same policy. To separate them, it seems the new feature "filters (preview)" can accomplish what you want. Currently, the feature is still in the preview stage, but we can try it.

1. Enable the filters public preview. Select Tenant administration > Filters (preview) > Try out the filters (preview) feature, and set Filters (preview) to On.
2. Create a filter. We can create a filter with a rule that sets deviceownership to Personal or Corporate.
3. Go to the compliance policy and edit the filter so that our policy only applies to Personal devices for the users in that group.

We can see more details in the following link:
https://docs.microsoft.com/en-us/mem/intune/fundamentals/filters

Hope it can help.



GregT8 answered Crystal-MSFT commented

Thanks for getting back to me Crystal.

Our scenario is that users have both a BYOD device and a company device.

In this case, is the only recommended method to deploy compliance policies to device groups instead of user groups?


@GregT8, thanks for your confirmation. I notice that users have both BYOD and company devices. For this scenario, if we want to set different security requirements for BYOD devices and company devices, I would recommend deploying compliance policies to a device group instead of a user group.

If there's anything else we can help with, feel free to let us know.

GregT8 answered

Thanks again Crystal.

BTW...it looks like Microsoft will soon introduce a new feature to better accommodate this scenario:

https://techcommunity.microsoft.com/t5/microsoft-endpoint-manager-blog/use-microsoft-endpoint-manager-filters-to-target-apps-and/ba-p/2333342


Crystal-MSFT answered Crystal-MSFT edited

@GregT8, good sharing. After reviewing the feature in preview, it seems the new feature can accomplish what you want. Currently, the feature is still in the preview stage, but we can try it.

1. Enable the filters public preview. Select Tenant administration > Filters (preview) > Try out the filters (preview) feature, and set Filters (preview) to On.
2. Create a filter. We can create a filter with a rule that sets deviceownership to Personal or Corporate.
3. Go to the compliance policy and edit the filter so that our policy only applies to Personal devices for the users in that group.

We can see more details in the following link:
https://docs.microsoft.com/en-us/mem/intune/fundamentals/filters

Hope it can help.



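The targeting behaviour discussed in this thread, as an added example that is not part of any post above and is not Microsoft's code: a simplified Python model of user-group assignment with and without an ownership filter, useful for spotting devices that end up with two policies or none. The user, device and policy names are constructed, the `Unknown` ownership value is included only to show a device that matches neither filter, and the case-insensitive comparison is an assumption of this model.

```python
import re
from dataclasses import dataclass

# Simplified model: only single-clause rules of the form
# (device.<property> -eq|-ne "<value>") are understood.
RULE = re.compile(r'^\(device\.(\w+)\s+-(eq|ne)\s+"([^"]*)"\)$')

@dataclass
class Assignment:
    policy: str
    group: set             # user names in the targeted user group
    rule: str = ""         # filter rule text; empty means no filter
    mode: str = "include"  # "include" or "exclude"

def rule_matches(rule, device):
    m = RULE.match(rule.strip())
    if not m:
        raise ValueError(f"unsupported rule: {rule!r}")
    prop, op, value = m.groups()
    equal = str(device.get(prop, "")).lower() == value.lower()
    return equal if op == "eq" else not equal

def policies_for(device, assignments):
    applied = []
    for a in assignments:
        if device["user"] not in a.group:
            continue  # the device's user is not in the targeted group
        if a.rule and rule_matches(a.rule, device) != (a.mode == "include"):
            continue  # the filter removed this device from the assignment
        applied.append(a.policy)
    return applied

def audit(devices, assignments):
    """Map device name -> policies; an empty or multi-entry list needs review."""
    return {d["name"]: policies_for(d, assignments) for d in devices}

# Constructed sample data: one user with devices of each ownership type.
ALL_USERS = {"greg"}
DEVICES = [
    {"name": "greg-laptop", "user": "greg", "deviceOwnership": "Corporate"},
    {"name": "greg-phone", "user": "greg", "deviceOwnership": "Personal"},
    {"name": "greg-tablet", "user": "greg", "deviceOwnership": "Unknown"},
]
UNFILTERED = [Assignment("BYOD-baseline", ALL_USERS), Assignment("Corp-baseline", ALL_USERS)]
FILTERED = [
    Assignment("BYOD-baseline", ALL_USERS, '(device.deviceOwnership -eq "Personal")'),
    Assignment("Corp-baseline", ALL_USERS, '(device.deviceOwnership -eq "Corporate")'),
]

if __name__ == "__main__":
    for label, plan in (("user groups only", UNFILTERED), ("with filters", FILTERED)):
        print(label, audit(DEVICES, plan))
```

In this model, the device that matches neither filter receives no compliance policy at all, so an audit like this is worth running against a device inventory export before relying on two ownership filters alone.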