Device compliance policies in System Center Configuration Manager
Applies to: System Center Configuration Manager (Current Branch)
Compliance policies in System Center Configuration Manager define the rules and settings that a device must comply with in order to be considered compliant by conditional access policies. You can also use compliance policies to monitor and remediate compliance issues with devices independently of conditional access.
This article describes the compliance policies for devices managed by Microsoft Intune. The compliance policies for PCs managed by System Center Configuration Manager are described in Manage access to O365 services for PCs managed by System Center Configuration Manager.
These rules include requirements like:
- PIN and passwords to access a device
- Encryption of data stored on the device
- Whether the device is jailbroken or rooted
- Whether email on the device is managed by an Intune policy, or if the device is reported as unhealthy by the Windows device health attestation service.
- Apps that cannot be installed on the device.
You deploy compliance policies to user collections. When a compliance policy is deployed to a user, all of the user's devices are checked for compliance.
The following table lists the device types supported by compliance policies and how noncompliant settings are managed when the policy is used with a conditional access policy.
|Rule||Windows 8.1 and later||Windows Phone 8.1 and later||iOS 6.0 and later||Android 4.0 and later, Samsung KNOX Standard 4.0 and later, Android for Work|
|PIN or password configuration||Remediated||Remediated||Remediated||Quarantined|
|Device encryption||N/A||Remediated||Remediated (by setting PIN)||Quarantined (Android for Work always encrypted)|
|Jailbroken or rooted device||N/A||N/A||Quarantined (not a setting)||Quarantined (not a setting)|
|Minimum OS version||Quarantined||Quarantined||Quarantined||Quarantined|
|Maximum OS version||Quarantined||Quarantined||Quarantined||Quarantined|
|Device Health Attestation (1602 update)||Setting is not applicable to Windows 8.1. Windows 10 and Windows 10 Mobile are Quarantined.|
|Apps that cannot be installed||N/A||N/A||Quarantined||Quarantined|
Remediated = Compliance is enforced by the device operating system (for example, the user is forced to set a PIN). There is never a case when the setting will be noncompliant.
Quarantined = The device operating system does not enforce compliance (for example, Android devices do not force the user to encrypt the device). In this case:
- The device will be blocked if the user is targeted by a conditional access policy.
- The company portal or web portal will notify the user about any compliance issues.