Set rules on devices to allow access to resources in your organization using Intune

Many mobile device management (MDM) solutions help protect organizational data by requiring users and devices to meet some requirements. In Intune, this feature is called "compliance policies". Compliance policies define the rules and settings that users and devices must meet to be compliant. When combined with conditional access, administrators can block users and devices that don't meet the rules.

For example, an Intune administrator can require:

  • End users use a password to access organizational data on mobile devices
  • The device isn't jail-broken or rooted
  • A minimum or maximum operating system version on the device
  • The device to be at, or under a threat level

You can also use this feature to monitor the compliance status on devices in your organization.


Intune follows the device check-in schedule for all compliance evaluations on the device. Learn more about the device check-in schedule.


To use device compliance policies, be sure you:

  • Use the following subscriptions:

    • Intune
    • Azure Active Directory (AD) Premium
  • Use a supported platform:

    • Android
    • iOS
    • macOS (preview)
    • Windows 8.1
    • Windows Phone 8.1
    • Windows 10
  • Enroll devices in Intune to see the compliance status

  • Enroll devices to one user, or enroll without a primary user. Devices enrolled to multiple users aren't supported.

How device compliance policies work with Azure AD

When a device is enrolled in Intune, the Azure AD registration process starts, and updates the device attributes into Azure AD. One key piece of information is the device compliance status. This compliance status is used by conditional access policies to block or allow access to e-mail and other corporate resources.

Azure AD registration process provides more information.

Refresh cycle times

When checking for compliance, Intune uses the same refresh cycle as configuration profiles. In general, the times are:

Platform Refresh cycle
iOS Every 6 hours
macOS Every 6 hours
Android Every 8 hours
Windows 10 PCs enrolled as devices Every 8 hours
Windows Phone Every 8 hours
Windows 8.1 Every 8 hours

If the device recently enrolled, the compliance check-in runs more frequently:

Platform Frequency
iOS Every 15 minutes for 6 hours, and then every 6 hours
macOS Every 15 minutes for 6 hours, and then every 6 hours
Android Every 3 minutes for 15 minutes, then every 15 minutes for 2 hours, and then every 8 hours
Windows 10 PCs enrolled as devices Every 3 minutes for 30 minutes, and then every 8 hours
Windows Phone Every 5 minutes for 15 minutes, then every 15 minutes for 2 hours, and then every 8 hours
Windows 8.1 Every 5 minutes for 15 minutes, then every 15 minutes for 2 hours, and then every 8 hours

At anytime, users can open the Company Portal app, and sync the device to immediately check for a policy.

Assign an InGracePeriod status

The InGracePeriod status for a compliance policy is a value. This value is determined by the combination of a device’s grace period, and a device’s actual status for that compliance policy.

Specifically, if a device has a NonCompliant status for an assigned compliance policy, and:

  • the device has no grace period assigned to it, then the assigned value for the compliance policy is NonCompliant
  • the device has a grace period that is expired, then the assigned value for the compliance policy is NonCompliant
  • the device has a grace period that is in the future, then the assigned value for the compliance policy is InGracePeriod

The following table summarizes these points:

Actual compliance status Value of assigned grace period Effective compliance status
NonCompliant No grace period assigned NonCompliant
NonCompliant Yesterday’s date NonCompliant
NonCompliant Tomorrow’s date InGracePeriod

For more information about monitoring device compliance policies, see Monitor Intune Device compliance policies.

Assign a resulting compliance policy status

If a device has multiple compliance policies, and the device has different compliance statuses for two or more of the assigned compliance policies, then a single resulting compliance status is assigned. This assignment is based on a conceptual severity level assigned to each compliance status. Each compliance status has the following severity level:

Status Severity
Unknown 1
NotApplicable 2
Compliant 3
InGracePeriod 4
NonCompliant 5
Error 6

When a device has multiple compliance policies, then the highest severity level of all the policies is assigned to that device.

For example, say a device has three compliance policies assigned to it: one Unknown status (severity = 1), one Compliant status (severity = 3), and one InGracePeriod status (severity = 4). The InGracePeriod status has the highest severity level, so all three policies have the InGracePeriod compliance status.

Ways to use device compliance policies

With conditional access

For devices that comply to policy rules, you can give those devices access to email and other corporate resources. If the devices don't comply to policy rules, then they don't get access to corporate resources. This is conditional access.

Without conditional access

You can also use device compliance policies without any conditional access. When you use compliance policies independently, the targeted devices are evaluated and reported with their compliance status. For example, you can get a report on how many devices aren't encrypted, or which devices are jail-broken or rooted. When you use compliance policies without conditional access, there aren't any access restrictions to organization resources.

Ways to deploy device compliance policies

You can deploy compliance policy to users in user groups or devices in device groups. When a compliance policy is deployed to a user, all of the user's devices are checked for compliance. On Windows 10 version 1803 and newer devices, it's recommended to deploy to device groups if the primary user didn't enroll the device. Using device groups in this scenario helps with compliance reporting.

A set of built-in compliance policy settings (Intune > Device compliance) gets evaluated on all Intune-enrolled devices. These include:

  • Mark devices with no compliance policy assigned as: This property has two values:

    • Compliant: security feature off
    • Not compliant (default): security feature on

    If a device doesn't have a compliance policy assigned, then this device is considered not compliant. By default, devices are marked as Not compliant. If you use conditional access, we recommended you change the setting to Not compliant. If an end user isn't compliant because a policy isn't assigned, then Company Portal shows No compliance policies have been assigned.

  • Enhanced jailbreak detection: When enabled, this setting causes iOS devices to check in with Intune more frequently. Enabling this property uses the device’s location services, and impacts battery usage. The user location data is not stored by Intune.

    Enabling this setting requires devices to:

    • Enable location services at the OS level
    • Allow the company portal to use location services
    • Evaluate and report its jailbreak status to Intune at least once every 72 hours. Otherwise, the device is marked not compliant. Evaluation is triggered by either opening the Company Portal app or physically moving the device 500 meters or more. If the device doesn't move 500 meters in 72 hours, the user needs to open the Company Portal app for enhanced jail break evaluation.
  • Compliance status validity period (days): Enter the time period that devices report the status for all received compliance policies. Devices that don't return the status within this time period are treated as noncompliant. The default value is 30 days.

All devices have a Built-in Device Compliance Policy (Azure portal > Device compliance > Policy compliance). Use this built-in policy to monitor these settings.

To learn the time it takes for mobile devices to get a policy after the policy is deployed, see Troubleshooting device profiles.

Compliance reports are a great way to check the status of devices. See Monitor compliance policies for guidance.

Actions for noncompliance

You can configure a time-ordered sequence of actions that apply to devices that don't meet the compliance policy criteria. These actions for noncompliance can be automated, as described in Automate actions for noncompliance.

Azure classic portal vs. Azure portal

The main difference when using device compliance policies in the Azure portal:

  • In the Azure portal, the compliance policies are created separately for each supported platform
  • In the Azure classic portal, one device compliance policy is common to all supported platforms

Device compliance policies in the classic portal and Azure portal

Device compliance policies created in the classic portal don't appear in the Azure portal. However, they’re still targeted to users and manageable using the classic portal.

To use the device compliance-related features in the Azure portal, you must create new device compliance policies in the Azure portal. If you assign a device compliance policy in the Azure portal to a user who is also assigned a device compliance policy from the classic portal, then the device compliance policies from the Azure portal take precedence over the policies created in the classic portal.

Next steps