05/09/2023 21:04 IntuneDocs/intune/protect/device-compliance-get-started.md at main · MicrosoftDocs/IntuneDocs · GitHub

title: Get started with Device compliance policies in Microsoft Intune - Azure | Microsoft Docs
description: Use device compliance policies, overview of status and severity levels, using the InGracePeriod status, working with Conditional Access, and handling devices without an assigned policy.
keywords:
author: brenduns
ms.author: brenduns
manager: dougeby

Set rules on devices to allow access to resources in your organization using Intune

Many mobile device management (MDM) solutions help protect organizational data by
requiring users and devices to meet some requirements. In Intune, this feature is called
"compliance policies". Compliance policies define the rules and settings that users and
devices must meet to be compliant. When combined with Conditional Access,
administrators can block users and devices that don't meet the rules.

For example, an Intune administrator can require:

End users use a password to access organizational data on mobile devices
The device isn't jail-broken or rooted
A minimum or maximum operating system version on the device
The device to be at, or under a threat level

You can also use this feature to monitor the compliance status on devices in your
organization.

Important
Intune follows the device check-in schedule for all compliance evaluations on the
device. Policy and profile refresh cycles lists the estimated refresh times.

Device compliance policies work with Azure AD

Intune uses Azure Active Directory (AD) Conditional Access (opens another docs web
site) to help enforce compliance. When a device enrolls in Intune, the Azure AD
registration process starts, and device information is updated in Azure AD. One key
piece of information is the device compliance status. This compliance status is used by
Conditional Access policies to block or allow access to e-mail and other organization
resources.

What is device management in Azure Active Directory is a great resource on why
and how devices are registered in Azure AD.

Conditional Access and common ways to use Conditional Access describe this
feature as it relates to Intune.

Ways to use device compliance policies

With Conditional Access

For devices that comply with policy rules, you can give those devices access to email
and other organization resources. If the devices don't comply with policy rules, they
don't get access to organization resources. This is Conditional Access.

Without Conditional Access

You can also use device compliance policies without any Conditional Access. When you
use compliance policies independently, the targeted devices are evaluated and
reported with their compliance status. For example, you can get a report on how many
devices aren't encrypted, or which devices are jail-broken or rooted. When you use
compliance policies without Conditional Access, there aren't any access restrictions to
organization resources.

Ways to deploy device compliance policies

You can deploy compliance policy to users in user groups or devices in device groups.
When a compliance policy is deployed to a user, all of the user's devices are checked
for compliance. On Windows 10 version 1803 and newer devices, it's recommended to
deploy to device groups if the primary user didn't enroll the device. Using device
groups in this scenario helps with compliance reporting.

Intune also includes a set of built-in compliance policy settings. The following built-in
policies get evaluated on all devices enrolled in Intune:

Mark devices with no compliance policy assigned as: This property has two
values:

Compliant (default): security feature off
Not compliant: security feature on

If a device doesn't have a compliance policy assigned, then this device is
considered compliant by default. If you use Conditional Access with compliance
policies, we recommend you change the default setting to Not compliant. If an
end user isn't compliant because a policy isn't assigned, then the Company Portal
app shows No compliance policies have been assigned.

Enhanced jailbreak detection: When enabled, this setting causes jailbreak detection
to run more frequently on iOS/iPadOS devices. This setting only affects
devices that are targeted with a compliance policy that blocks jailbroken devices.
Enabling this property uses the device's location services and may impact battery
usage. The user location data isn't stored by Intune and is only used to trigger
jailbreak detection more frequently in the background.

Enabling this setting requires devices to:

Enable location services at the OS level.
Always allow the Company Portal to use location services.

Evaluation is triggered by opening the Company Portal app or physically moving
the device a significant distance of approximately 500 meters or more. On iOS 13
and up, this feature will require users to select Always Allow whenever the device
prompts them to continue allowing Company Portal to use their location in the
background. If users do not always allow location access and have a policy with
this setting configured, their device will be marked noncompliant. Note that Intune
cannot guarantee that each significant location change will ensure a jailbreak
detection check as this depends on a device's network connection at the time.

Compliance status validity period (days): Enter the time period that devices report
the status for all received compliance policies. Devices that don't return the status
within this time period are treated as noncompliant. The default value is 30 days.
The minimum value is 1 day.

This setting shows as the Is active default compliance policy (Devices > Monitor >
Setting compliance). The background task for this policy runs once a day.

You can use these built-in policies to monitor these settings. Intune also refreshes or
checks for updates at different intervals, depending on the device platform. Common
questions, issues, and resolutions with device policies and profiles in Microsoft Intune is
a good resource.

Compliance reports are a great way to check the status of devices. Monitor compliance
policies includes some guidance.

Non-compliance and Conditional Access on the different platforms

The following table describes how noncompliant settings are managed when a
compliance policy is used with a Conditional Access policy.

Policy setting: PIN or password configuration
- Android 4.0 and later: Quarantined
- Samsung Knox Standard 4.0 and later: Quarantined
- Android Enterprise: Quarantined
- iOS 8.0 and later: Remediated
- macOS 10.11 and later: Remediated
- Windows 8.1 and later: Remediated
- Windows Phone 8.1 and later: Remediated

Policy setting: Device encryption
- Android 4.0 and later: Quarantined
- Samsung Knox Standard 4.0 and later: Quarantined
- Android Enterprise: Quarantined
- iOS 8.0 and later: Remediated (by setting PIN)
- macOS 10.11 and later: Remediated (by setting PIN)
- Windows 8.1 and later: Not applicable
- Windows Phone 8.1 and later: Remediated

Policy setting: Jailbroken or rooted device
- Android 4.0 and later: Quarantined (not a setting)
- Samsung Knox Standard 4.0 and later: Quarantined (not a setting)
- Android Enterprise: Quarantined (not a setting)
- iOS 8.0 and later: Quarantined (not a setting)
- macOS 10.11 and later: Not applicable
- Windows 8.1 and later: Not applicable
- Windows Phone 8.1 and later: Not applicable

Policy setting: Email profile
- Android 4.0 and later: Not applicable
- Samsung Knox Standard 4.0 and later: Not applicable
- Android Enterprise: Not applicable
- iOS 8.0 and later: Quarantined
- macOS 10.11 and later: Quarantined
- Windows 8.1 and later: Not applicable
- Windows Phone 8.1 and later: Not applicable

Policy setting: Minimum OS version
- Android 4.0 and later: Quarantined
- Samsung Knox Standard 4.0 and later: Quarantined
- Android Enterprise: Quarantined
- iOS 8.0 and later: Quarantined
- macOS 10.11 and later: Quarantined
- Windows 8.1 and later: Quarantined
- Windows Phone 8.1 and later: Quarantined

Policy setting: Maximum OS version
- Android 4.0 and later: Quarantined
- Samsung Knox Standard 4.0 and later: Quarantined
- Android Enterprise: Quarantined
- iOS 8.0 and later: Quarantined
- macOS 10.11 and later: Quarantined
- Windows 8.1 and later: Quarantined
- Windows Phone 8.1 and later: Quarantined

Policy setting: Windows health attestation
- Android 4.0 and later: Not applicable
- Samsung Knox Standard 4.0 and later: Not applicable
- Android Enterprise: Not applicable
- iOS 8.0 and later: Not applicable
- macOS 10.11 and later: Not applicable
- Windows 10 and Windows 10 Mobile: Quarantined
- Windows 8.1 and later: Quarantined
- Windows Phone 8.1 and later: Not applicable

Remediated: The device operating system enforces compliance. For example, the user
is forced to set a PIN.

Quarantined: The device operating system doesn't enforce compliance. For example,
Android and Android Enterprise devices don't force the user to encrypt the device.
When the device isn't compliant, the following actions take place:

If a Conditional Access policy applies to the user, the device is blocked.
The Company Portal app notifies the user about any compliance problems.
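To make the interaction between the built-in settings described earlier (the "Mark devices with no compliance policy assigned" default and the compliance status validity period) and the Conditional Access block above concrete, here is an added Python model of how a device's status and access outcome are derived. It is example code written for this page, not Intune's own logic or API; all field names, the reference time and the sample devices are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed reference time for the sample devices; not from the article.
NOW = datetime(2023, 9, 5, tzinfo=timezone.utc)

def days_ago(days: int) -> datetime:
    return NOW - timedelta(days=days)

@dataclass
class BuiltInSettings:
    """Tenant-wide built-in settings from the article (field names are this model's, not Intune's)."""
    mark_no_policy_as_noncompliant: bool = False  # Intune default "Compliant": security feature off
    validity_period_days: int = 30                # Compliance status validity period (days), minimum 1

    def __post_init__(self) -> None:
        if self.validity_period_days < 1:
            raise ValueError("compliance status validity period must be at least 1 day")

@dataclass
class Device:
    name: str
    has_policy_assigned: bool
    meets_policy_rules: Optional[bool]      # None when no policy is assigned
    last_status_report: Optional[datetime]  # None when the device has never reported

def evaluate(device: Device, settings: BuiltInSettings, now: datetime = NOW) -> tuple:
    """Return ("compliant" | "noncompliant", reason) following the article's rules."""
    if not device.has_policy_assigned:
        if settings.mark_no_policy_as_noncompliant:
            return "noncompliant", "No compliance policies have been assigned"
        return "compliant", "no policy assigned; the default setting treats the device as compliant"
    # "Is active" built-in policy: no status within the validity period counts as noncompliant.
    stale = (device.last_status_report is None
             or now - device.last_status_report > timedelta(days=settings.validity_period_days))
    if stale:
        return "noncompliant", "no status reported within the compliance status validity period"
    if device.meets_policy_rules:
        return "compliant", "all assigned policy rules are met"
    return "noncompliant", "one or more assigned policy rules are not met"

def access_decision(device: Device, settings: BuiltInSettings, ca_policy_applies: bool,
                    now: datetime = NOW) -> tuple:
    """Conditional Access outcome: noncompliant devices are blocked only when a CA policy applies."""
    status, reason = evaluate(device, settings, now)
    if ca_policy_applies and status == "noncompliant":
        return "blocked", reason
    return "allowed", reason
```

With the default settings an unassigned device passes Conditional Access, which is why the article recommends switching the default to Not compliant when Conditional Access is in use.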

Next steps

Create a policy and view the prerequisites.

See the compliance settings for the different device platforms:

Android
Android Enterprise
iOS
macOS
Windows Holographic for Business
Windows Phone 8.1
Windows 8.1 and later
Windows 10 and later

Reference for policy entities has information about the Intune Data Warehouse
policy entities.
