Set rules on devices to allow access to resources in your organization using Intune

Many mobile device management (MDM) solutions help protect organizational data by requiring users and devices to meet some requirements. In Intune, this feature is called "compliance policies". Compliance policies define the rules and settings that users and devices must meet to be compliant. When combined with Conditional Access, administrators can block users and devices that don't meet the rules.

For example, an Intune administrator can require:

  • End users use a password to access organizational data on mobile devices
  • The device isn't jail-broken or rooted
  • A minimum or maximum operating system version on the device
  • The device to be at or under a specified threat level

You can also use this feature to monitor the compliance status on devices in your organization.

Important

Intune follows the device check-in schedule for all compliance evaluations on the device. The Policy and profile refresh cycles article lists the estimated refresh times.

Device compliance policies work with Azure AD

Intune uses Azure Active Directory (AD) Conditional Access to help enforce compliance. When a device enrolls in Intune, the Azure AD registration process starts, and device information is updated in Azure AD. One key piece of information is the device compliance status. Conditional Access policies use this compliance status to block or allow access to e-mail and other organization resources.

Ways to use device compliance policies

With Conditional Access

For devices that comply with the policy rules, you can grant access to email and other organization resources. Devices that don't comply with the policy rules don't get access to organization resources. This is Conditional Access.

Without Conditional Access

You can also use device compliance policies without any Conditional Access. When you use compliance policies independently, the targeted devices are evaluated and reported with their compliance status. For example, you can get a report on how many devices aren't encrypted, or which devices are jail-broken or rooted. When you use compliance policies without Conditional Access, there aren't any access restrictions to organization resources.

Ways to deploy device compliance policies

You can deploy compliance policy to users in user groups or devices in device groups. When a compliance policy is deployed to a user, all of the user's devices are checked for compliance. On Windows 10 version 1803 and newer devices, it's recommended to deploy to device groups if the primary user didn't enroll the device. Using device groups in this scenario helps with compliance reporting.

Intune also includes a set of built-in compliance policy settings. The following built-in policies get evaluated on all devices enrolled in Intune:

  • Mark devices with no compliance policy assigned as: This property has two values:

    • Compliant: security feature off
    • Not compliant (default): security feature on

    If a device doesn't have a compliance policy assigned, then this device is considered not compliant. By default, devices are marked as Not compliant. If you use Conditional Access, we recommend you keep the setting at Not compliant. If an end user isn't compliant because a policy isn't assigned, then the Company Portal app shows "No compliance policies have been assigned".

  • Enhanced jailbreak detection: When enabled, this setting causes iOS devices to check in with Intune more frequently. Enabling this property uses the device’s location services, and impacts battery usage. The user location data isn't stored by Intune.

    Enabling this setting requires devices to:

    • Enable location services at the OS level.
    • Allow the company portal to use location services.
    • Evaluate and report its jailbreak status to Intune at least once every 72 hours. Otherwise, the device is marked not compliant. Evaluation is triggered by opening the Company Portal app or physically moving the device 500 meters or more. If the device doesn't move 500 meters in 72 hours, the user needs to open the Company Portal app for enhanced jailbreak evaluation.
  • Compliance status validity period (days): Enter the time period within which devices must report the status for all received compliance policies. Devices that don't return the status within this time period are treated as noncompliant. The default value is 30 days.
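The interaction of the three built-in settings is easier to see when written out as a small model. The following Python is an added example for this article, not Intune's own code: it evaluates a constructed fleet against the built-in rules described above (no-policy-assigned marking, the 72-hour enhanced jailbreak reporting window, and the compliance status validity period) and then applies the Conditional Access outcome. The record field names, the fixed clock `NOW`, and the sample device names are assumptions made for the model.

```python
"""Model of Intune's built-in compliance settings and their effect with Conditional Access.

Added example; not Intune code. Field names, the fixed clock and the sample
fleet are assumptions for the model. Defaults follow the article: devices with
no policy are marked Not compliant, enhanced jailbreak detection is off, and
the validity period is 30 days.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

COMPLIANT = "Compliant"
NOT_COMPLIANT = "Not compliant"

# Fixed reference clock so the model is deterministic (assumed for the example).
NOW = datetime(2019, 6, 1, 12, 0, tzinfo=timezone.utc)


def hours_ago(hours: float) -> datetime:
    return NOW - timedelta(hours=hours)


def days_ago(days: float) -> datetime:
    return NOW - timedelta(days=days)


@dataclass
class BuiltInSettings:
    """The built-in compliance policy settings, with the defaults the article gives."""
    no_policy_assigned_as: str = NOT_COMPLIANT   # "Mark devices with no compliance policy assigned as"
    enhanced_jailbreak_detection: bool = False   # iOS only
    validity_period_days: int = 30               # "Compliance status validity period (days)"


@dataclass
class Device:
    name: str
    platform: str                                  # e.g. "iOS", "Android", "Windows"
    # Assigned policy name -> rules the device currently fails (empty list = all rules met).
    assigned_policies: Dict[str, List[str]] = field(default_factory=dict)
    last_status_report: Optional[datetime] = None  # last time the device reported status for its policies
    last_jailbreak_evaluation: Optional[datetime] = None  # enhanced detection, iOS only


def evaluate(device: Device, settings: BuiltInSettings, now: datetime = NOW) -> Tuple[str, List[str]]:
    """Return (status, reasons) for one device under the built-in settings."""
    reasons: List[str] = []

    # 1. No policy assigned: the status comes from the built-in setting alone.
    if not device.assigned_policies:
        if settings.no_policy_assigned_as == NOT_COMPLIANT:
            reasons.append("No compliance policies have been assigned")
        return (NOT_COMPLIANT if reasons else COMPLIANT), reasons

    # 2. Validity period: status must have been reported within the window.
    window = timedelta(days=settings.validity_period_days)
    if device.last_status_report is None or now - device.last_status_report > window:
        reasons.append(f"no compliance status reported within {settings.validity_period_days} days")

    # 3. Rules of the assigned policies that the device fails.
    for policy, failed_rules in device.assigned_policies.items():
        for rule in failed_rules:
            reasons.append(f"{policy}: {rule} not met")

    # 4. Enhanced jailbreak detection (iOS): an evaluation at least every 72 hours.
    if settings.enhanced_jailbreak_detection and device.platform == "iOS":
        last = device.last_jailbreak_evaluation
        if last is None or now - last > timedelta(hours=72):
            reasons.append("jailbreak status not evaluated within 72 hours")

    return (NOT_COMPLIANT if reasons else COMPLIANT), reasons


def access_decision(status: str, conditional_access_applies: bool) -> str:
    """Without Conditional Access compliance is report-only; with it, noncompliant devices are blocked."""
    if not conditional_access_applies:
        return "allowed (reported only)"
    return "allowed" if status == COMPLIANT else "blocked"


def demo(settings: Optional[BuiltInSettings] = None) -> Dict[str, str]:
    """Evaluate a small constructed fleet; returns device name -> status."""
    settings = settings or BuiltInSettings()
    fleet = [
        Device("ios-no-policy", "iOS"),
        Device("android-encrypted", "Android", {"Android baseline": []}, last_status_report=days_ago(5)),
        Device("android-unencrypted", "Android", {"Android baseline": ["Device encryption"]},
               last_status_report=days_ago(1)),
        Device("win-stale", "Windows", {"Windows baseline": []}, last_status_report=days_ago(31)),
        Device("ios-fresh-jb-check", "iOS", {"iOS baseline": []}, last_status_report=days_ago(2),
               last_jailbreak_evaluation=hours_ago(10)),
        Device("ios-stale-jb-check", "iOS", {"iOS baseline": []}, last_status_report=days_ago(2),
               last_jailbreak_evaluation=hours_ago(80)),
    ]
    return {d.name: evaluate(d, settings)[0] for d in fleet}


if __name__ == "__main__":
    for name, status in demo(BuiltInSettings(enhanced_jailbreak_detection=True)).items():
        print(f"{name:22s} {status:14s} -> {access_decision(status, conditional_access_applies=True)}")
```

Running the module evaluates the fleet with enhanced jailbreak detection switched on; the device whose last jailbreak evaluation is 80 hours old and the one that has not reported status in 31 days both fall to Not compliant and would be blocked under Conditional Access, while the same fleet evaluated with the defaults shows the 80-hour device as compliant because the 72-hour rule only applies when the setting is enabled.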

You can use these built-in policies to monitor these settings. Intune also refreshes or checks for updates at different intervals, depending on the device platform. The article Common questions, issues, and resolutions with device policies and profiles in Microsoft Intune is a good resource.

Compliance reports are a great way to check the status of devices. The Monitor compliance policies article includes some guidance.
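The reporting use cases named earlier (how many devices aren't encrypted, which are jailbroken or rooted) and the validity period can be answered from the managed-device inventory. The following Python is an added example for this article, not Microsoft code: it summarises a JSON page in the shape returned by Microsoft Graph's `GET /deviceManagement/managedDevices`. The property names used (`complianceState`, `isEncrypted`, `jailBroken`, `lastSyncDateTime`, `operatingSystem`, `deviceName`) are taken from the Graph `managedDevice` resource as this example's author understands it, and the payload, device names and report clock are constructed for the example rather than exported from a real tenant.

```python
"""Compliance report over an Intune managed-device inventory page.

Added example; not Microsoft code. Summarises a page in the shape returned by
GET /deviceManagement/managedDevices. Property names are assumed from the Graph
managedDevice resource; the payload below is constructed, not a tenant export.
"""
import json
from collections import Counter
from datetime import datetime, timedelta, timezone
from typing import Dict, List

# Constructed sample: one page of results (no @odata.nextLink to follow).
SAMPLE_RESPONSE = json.dumps({
    "value": [
        {"deviceName": "ip-marketing-01", "operatingSystem": "iOS", "osVersion": "12.3",
         "complianceState": "compliant", "isEncrypted": True, "jailBroken": "False",
         "lastSyncDateTime": "2019-05-30T08:12:00Z"},
        {"deviceName": "and-field-07", "operatingSystem": "Android", "osVersion": "8.1",
         "complianceState": "noncompliant", "isEncrypted": False, "jailBroken": "False",
         "lastSyncDateTime": "2019-05-31T19:40:00Z"},
        {"deviceName": "and-field-12", "operatingSystem": "Android", "osVersion": "7.0",
         "complianceState": "noncompliant", "isEncrypted": True, "jailBroken": "True",
         "lastSyncDateTime": "2019-05-29T06:05:00Z"},
        {"deviceName": "win-finance-03", "operatingSystem": "Windows", "osVersion": "10.0.17134",
         "complianceState": "noncompliant", "isEncrypted": True, "jailBroken": "Unknown",
         "lastSyncDateTime": "2019-04-20T14:00:00Z"},
        {"deviceName": "mac-design-02", "operatingSystem": "macOS", "osVersion": "10.14.5",
         "complianceState": "inGracePeriod", "isEncrypted": True, "jailBroken": "Unknown",
         "lastSyncDateTime": "2019-05-31T22:30:00Z"},
    ]
})

# Fixed report clock so the example is deterministic (assumed for the example).
REPORT_TIME = datetime(2019, 6, 1, 12, 0, tzinfo=timezone.utc)


def parse_graph_datetime(value: str) -> datetime:
    """Graph returns UTC timestamps with a trailing 'Z'; normalise to an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_report(payload: str, now: datetime = REPORT_TIME, validity_period_days: int = 30) -> Dict:
    """Summarise one page of managed devices into the figures an admin reviews."""
    devices: List[Dict] = json.loads(payload)["value"]
    window = timedelta(days=validity_period_days)

    by_state = Counter(d.get("complianceState", "unknown") for d in devices)
    unencrypted = sorted(d["deviceName"] for d in devices if d.get("isEncrypted") is False)
    # jailBroken is a string in the Graph resource; compare case-insensitively.
    rooted = sorted(d["deviceName"] for d in devices
                    if str(d.get("jailBroken", "Unknown")).lower() == "true")
    # Devices silent for longer than the validity period are treated as noncompliant.
    stale = sorted(d["deviceName"] for d in devices
                   if now - parse_graph_datetime(d["lastSyncDateTime"]) > window)
    by_platform = Counter((d["operatingSystem"], d["complianceState"]) for d in devices)

    return {
        "total": len(devices),
        "by_state": dict(by_state),
        "unencrypted": unencrypted,
        "jailbroken_or_rooted": rooted,
        "stale_beyond_validity_period": stale,
        "by_platform_and_state": {f"{os}/{state}": n for (os, state), n in by_platform.items()},
    }


def print_report(report: Dict) -> None:
    print(f"Devices: {report['total']}")
    for state, n in sorted(report["by_state"].items()):
        print(f"  {state:14s} {n}")
    print("Not encrypted:          ", ", ".join(report["unencrypted"]) or "-")
    print("Jailbroken or rooted:   ", ", ".join(report["jailbroken_or_rooted"]) or "-")
    print("No check-in in 30 days: ", ", ".join(report["stale_beyond_validity_period"]) or "-")


if __name__ == "__main__":
    print_report(build_report(SAMPLE_RESPONSE))
```

Against a real tenant the same `build_report` would be fed each page of the Graph response in turn (following `@odata.nextLink`), and the `validity_period_days` argument should match the value set in the built-in compliance settings so that the "no check-in" list predicts which devices are about to be treated as noncompliant.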

Non-compliance and Conditional Access on the different platforms

The following list describes, for each policy setting and platform, how noncompliant settings are handled when a compliance policy is used with a Conditional Access policy.

  • PIN or password configuration
    • Android 4.0 and later: Quarantined
    • Samsung Knox Standard 4.0 and later: Quarantined
    • Android Enterprise: Quarantined
    • iOS 8.0 and later: Remediated
    • macOS 10.11 and later: Remediated
    • Windows 8.1 and later: Remediated
    • Windows Phone 8.1 and later: Remediated
  • Device encryption
    • Android 4.0 and later: Quarantined
    • Samsung Knox Standard 4.0 and later: Quarantined
    • Android Enterprise: Quarantined
    • iOS 8.0 and later: Remediated (by setting PIN)
    • macOS 10.11 and later: Remediated (by setting PIN)
    • Windows 8.1 and later: Not applicable
    • Windows Phone 8.1 and later: Remediated
  • Jailbroken or rooted device
    • Android 4.0 and later: Quarantined (not a setting)
    • Samsung Knox Standard 4.0 and later: Quarantined (not a setting)
    • Android Enterprise: Quarantined (not a setting)
    • iOS 8.0 and later: Quarantined (not a setting)
    • macOS 10.11 and later: Not applicable
    • Windows 8.1 and later: Not applicable
    • Windows Phone 8.1 and later: Not applicable
  • Email profile
    • Android 4.0 and later: Not applicable
    • Samsung Knox Standard 4.0 and later: Not applicable
    • Android Enterprise: Not applicable
    • iOS 8.0 and later: Quarantined
    • macOS 10.11 and later: Quarantined
    • Windows 8.1 and later: Not applicable
    • Windows Phone 8.1 and later: Not applicable
  • Minimum OS version
    • Android 4.0 and later: Quarantined
    • Samsung Knox Standard 4.0 and later: Quarantined
    • Android Enterprise: Quarantined
    • iOS 8.0 and later: Quarantined
    • macOS 10.11 and later: Quarantined
    • Windows 8.1 and later: Quarantined
    • Windows Phone 8.1 and later: Quarantined
  • Maximum OS version
    • Android 4.0 and later: Quarantined
    • Samsung Knox Standard 4.0 and later: Quarantined
    • Android Enterprise: Quarantined
    • iOS 8.0 and later: Quarantined
    • macOS 10.11 and later: Quarantined
    • Windows 8.1 and later: Quarantined
    • Windows Phone 8.1 and later: Quarantined
  • Windows health attestation
    • Android 4.0 and later: Not applicable
    • Samsung Knox Standard 4.0 and later: Not applicable
    • Android Enterprise: Not applicable
    • iOS 8.0 and later: Not applicable
    • macOS 10.11 and later: Not applicable
    • Windows 10 and Windows 10 Mobile: Quarantined
    • Windows 8.1 and later: Quarantined
    • Windows Phone 8.1 and later: Not applicable

Remediated: The device operating system enforces compliance. For example, the user is forced to set a PIN.

Quarantined: The device operating system doesn't enforce compliance. For example, Android and Android Enterprise devices don't force the user to encrypt the device. When the device isn't compliant, the following actions take place:

  • If a Conditional Access policy applies to the user, the device is blocked.
  • The Company Portal app notifies the user about any compliance problems.

Azure classic portal vs. Azure portal

The main differences between using device compliance policies in the Azure portal and in the Azure classic portal:

  • In the Azure portal, the compliance policies are created separately for each supported platform
  • In the Azure classic portal, one device compliance policy is common to all supported platforms

Device compliance policies created in the classic portal don't appear in the Azure portal. However, they’re still targeted to users and manageable using the classic portal.

To use the device compliance-related features in the Azure portal, you must create new device compliance policies in the Azure portal. If you assign a device compliance policy in the Azure portal to a user who is also assigned a device compliance policy from the classic portal, then the device compliance policies from the Azure portal take precedence over the policies created in the classic portal.

Next steps