---
title: Device compliance policies in Microsoft Intune - Azure | Microsoft Docs
description: Get started with device compliance policies, an overview of status and severity levels, using the InGracePeriod status, working with Conditional Access, handling devices without an assigned policy, and the differences in compliance in the Azure portal and classic portal in Microsoft Intune
keywords:
author: MandiOhlinger
ms.author: mandia
manager: dougeby
ms.date: 05/22/2019
ms.topic: conceptual
ms.service: microsoft-intune
ms.localizationpriority: high
ms.technology:
ms.reviewer: joglocke
ms.suite: ems
search.appverid: MET150
ms.custom: intune-azure
ms.collection: M365-identity-device-management
---
Many mobile device management (MDM) solutions help protect organizational data by requiring users and devices to meet some requirements. In Intune, this feature is called "compliance policies". Compliance policies define the rules and settings that users and devices must meet to be compliant. Combined with Conditional Access, compliance policies let administrators block users and devices that don't meet the rules.
For example, an Intune administrator can require:
- End users use a password to access organizational data on mobile devices
- The device isn't jail-broken or rooted
- A minimum or maximum operating system version on the device
- The device to be at or under a threat level
You can also use this feature to monitor the compliance status on devices in your organization.
Important: Intune follows the device check-in schedule for all compliance evaluations on the device. Policy and profile refresh cycles lists the estimated refresh times.
Intune uses Azure Active Directory (AD) Conditional Access to help enforce compliance. When a device enrolls in Intune, the Azure AD registration process starts, and device information is updated in Azure AD. One key piece of information is the device compliance status. Conditional Access policies use this compliance status to block or allow access to email and other organization resources.
- What is device management in Azure Active Directory is a great resource on why and how devices are registered in Azure AD.
- Conditional Access and common ways to use Conditional Access describe this feature as it relates to Intune.
Devices that comply with the policy rules can be given access to email and other organization resources. Devices that don't comply with the policy rules don't get access to organization resources. This is Conditional Access.
You can also use device compliance policies without Conditional Access. When you use compliance policies independently, the targeted devices are evaluated and reported with their compliance status. For example, you can get a report on how many devices aren't encrypted, or which devices are jailbroken or rooted. When you use compliance policies without Conditional Access, there aren't any access restrictions to organization resources; noncompliance is only reported.
You can deploy compliance policy to users in user groups or devices in device groups. When a compliance policy is deployed to a user, all of the user's devices are checked for compliance. On Windows 10 version 1803 and newer devices, it's recommended to deploy to device groups if the primary user didn't enroll the device. Using device groups in this scenario helps with compliance reporting.
Intune also includes a set of built-in compliance policy settings. The following built-in policies get evaluated on all devices enrolled in Intune:

- Mark devices with no compliance policy assigned as: This property has two values:
  - Compliant (default): security feature off
  - Not compliant: security feature on

  If a device doesn't have a compliance policy assigned, then this device is considered compliant by default, so a Conditional Access policy that requires a compliant device lets it through. If you use Conditional Access with compliance policies, we recommend you change the default setting to Not compliant. If an end user isn't compliant because a policy isn't assigned, then the Company Portal app shows "No compliance policies have been assigned".

- Enhanced jailbreak detection: When enabled, this setting causes iOS devices to check in with Intune more frequently. Enabling this property uses the device's location services, and impacts battery usage. The user location data isn't stored by Intune.

  Enabling this setting requires devices to:
  - Enable location services at the OS level.
  - Allow the Company Portal to use location services.
  - Evaluate and report its jailbreak status to Intune at least once every 72 hours. Otherwise, the device is marked not compliant. Evaluation is triggered by opening the Company Portal app or physically moving the device 500 meters or more. If the device doesn't move 500 meters in 72 hours, the user needs to open the Company Portal app for enhanced jailbreak evaluation.

- Compliance status validity period (days): Enter the time period within which devices must report the status for all received compliance policies. Devices that don't return the status within this time period are treated as noncompliant. The default value is 30 days.
You can use these built-in policies to monitor these settings. Intune also refreshes or checks for updates at different intervals, depending on the device platform. Common questions, issues, and resolutions with device policies and profiles in Microsoft Intune is a good resource.
Compliance reports are a great way to check the status of devices. Monitor compliance policies includes some guidance.
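To make the interaction of the three built-in settings concrete, the following Python is an added example (not Intune's own evaluation logic) that applies them to a small fleet of constructed device records. `last_sync` stands in for the `lastSyncDateTime` that Microsoft Graph reports for a managed device; the fields `has_policy_assigned` and `last_jailbreak_report` are assumptions made for the illustration. Running the same fleet with the defaults and with hardened settings shows which devices change state, and in particular that a device with no policy assigned counts as compliant until the default is changed.

```python
"""Model of Intune's built-in compliance settings applied to device check-in data.

Added example: this is NOT Intune's own evaluation logic. The Device records
below are constructed; `has_policy_assigned` and `last_jailbreak_report` are
assumed fields for illustration, and `last_sync` stands in for lastSyncDateTime.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Fixed "current time" so the results are reproducible.
NOW = datetime(2019, 5, 22, 12, 0, tzinfo=timezone.utc)
# Enhanced jailbreak detection: the device must report jailbreak status at least every 72 hours.
JAILBREAK_REPORT_WINDOW = timedelta(hours=72)


@dataclass
class BuiltInSettings:
    """The three built-in settings described above, with Intune's defaults."""
    mark_no_policy_as_noncompliant: bool = False   # "Mark devices with no compliance policy assigned as": Compliant
    compliance_validity_days: int = 30             # "Compliance status validity period (days)"
    enhanced_jailbreak_detection: bool = False     # iOS only


@dataclass
class Device:
    """Constructed device record (field names loosely follow the Graph managedDevice resource)."""
    device_name: str
    operating_system: str                             # "iOS", "Android", "Windows", "macOS"
    last_sync: datetime                               # lastSyncDateTime
    has_policy_assigned: bool                         # assumed: some compliance policy targets this device or its user
    reported_compliant: bool                          # result of the assigned policies' last evaluation
    last_jailbreak_report: Optional[datetime] = None  # assumed: last Company Portal jailbreak report


def evaluate(device: Device, settings: BuiltInSettings, now: datetime = NOW) -> Tuple[str, List[str]]:
    """Return ("compliant" | "noncompliant", reasons) for one device."""
    reasons: List[str] = []
    if not device.has_policy_assigned:
        # Nothing was received, so nothing is reported: only the built-in default applies.
        if settings.mark_no_policy_as_noncompliant:
            reasons.append("no compliance policy assigned")
        return ("noncompliant" if reasons else "compliant", reasons)
    # Validity period: status for received policies must arrive within N days.
    if now - device.last_sync > timedelta(days=settings.compliance_validity_days):
        reasons.append(f"no compliance status reported in {settings.compliance_validity_days} days")
    # Enhanced jailbreak detection: an iOS device that has not re-evaluated in 72 hours is noncompliant.
    if settings.enhanced_jailbreak_detection and device.operating_system == "iOS":
        if device.last_jailbreak_report is None or now - device.last_jailbreak_report > JAILBREAK_REPORT_WINDOW:
            reasons.append("no jailbreak evaluation in 72 hours")
    if not device.reported_compliant:
        reasons.append("fails an assigned compliance policy")
    return ("noncompliant" if reasons else "compliant", reasons)


def fleet_report(devices: List[Device], settings: BuiltInSettings, now: datetime = NOW) -> Dict[str, Tuple[str, List[str]]]:
    """Compliance state and reasons for every device in the fleet."""
    return {d.device_name: evaluate(d, settings, now) for d in devices}


def noncompliant_names(devices: List[Device], settings: BuiltInSettings, now: datetime = NOW) -> List[str]:
    """Devices a Conditional Access policy requiring a compliant device would block."""
    return sorted(name for name, (state, _) in fleet_report(devices, settings, now).items() if state == "noncompliant")


def _ago(**delta) -> datetime:
    return NOW - timedelta(**delta)


# Constructed fleet: five devices covering the edge cases discussed on the page.
FLEET = [
    Device("ios-01", "iOS", _ago(days=2), True, True, _ago(days=1)),   # healthy
    Device("ios-02", "iOS", _ago(days=1), True, True, _ago(days=4)),   # jailbreak report older than 72 h
    Device("android-03", "Android", _ago(days=45), True, True),        # stale: no status in 45 days
    Device("win-04", "Windows", _ago(days=1), False, True),            # no compliance policy assigned
    Device("android-05", "Android", _ago(hours=3), True, False),       # fails a policy (for example, rooted)
]

DEFAULTS = BuiltInSettings()
HARDENED = BuiltInSettings(mark_no_policy_as_noncompliant=True,
                           compliance_validity_days=14,
                           enhanced_jailbreak_detection=True)

if __name__ == "__main__":
    for label, settings in (("defaults", DEFAULTS), ("hardened", HARDENED)):
        print(f"{label}: blocked = {noncompliant_names(FLEET, settings)}")
        for name, (state, reasons) in fleet_report(FLEET, settings).items():
            print(f"  {name:11} {state:13} {'; '.join(reasons)}")
```

With the defaults only the stale device and the device that fails a policy are blocked; the unassigned Windows device sails through. With the hardened settings the unassigned device, the iOS device that has not re-evaluated jailbreak status, and anything silent for more than 14 days are blocked as well, which is the trade-off to weigh before shortening the validity period.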
The following table describes how noncompliant settings are managed when a compliance policy is used with a Conditional Access policy.
| Policy setting | Platform |
|---|---|
| PIN or password configuration | - Android 4.0 and later: Quarantined<br>- Samsung Knox Standard 4.0 and later: Quarantined<br>- Android Enterprise: Quarantined<br>- iOS 8.0 and later: Remediated<br>- macOS 10.11 and later: Remediated<br>- Windows 8.1 and later: Remediated<br>- Windows Phone 8.1 and later: Remediated |
| Device encryption | - Android 4.0 and later: Quarantined<br>- Samsung Knox Standard 4.0 and later: Quarantined<br>- Android Enterprise: Quarantined<br>- iOS 8.0 and later: Remediated (by setting PIN)<br>- macOS 10.11 and later: Remediated (by setting PIN)<br>- Windows 8.1 and later: Not applicable<br>- Windows Phone 8.1 and later: Remediated |
| Jailbroken or rooted device | - Android 4.0 and later: Quarantined (not a setting)<br>- Samsung Knox Standard 4.0 and later: Quarantined (not a setting)<br>- Android Enterprise: Quarantined (not a setting)<br>- iOS 8.0 and later: Quarantined (not a setting)<br>- macOS 10.11 and later: Not applicable<br>- Windows 8.1 and later: Not applicable<br>- Windows Phone 8.1 and later: Not applicable |
| Email profile | - Android 4.0 and later: Not applicable<br>- Samsung Knox Standard 4.0 and later: Not applicable<br>- Android Enterprise: Not applicable<br>- iOS 8.0 and later: Quarantined<br>- macOS 10.11 and later: Quarantined<br>- Windows 8.1 and later: Not applicable<br>- Windows Phone 8.1 and later: Not applicable |
| Minimum OS version | - Android 4.0 and later: Quarantined<br>- Samsung Knox Standard 4.0 and later: Quarantined<br>- Android Enterprise: Quarantined<br>- iOS 8.0 and later: Quarantined<br>- macOS 10.11 and later: Quarantined<br>- Windows 8.1 and later: Quarantined<br>- Windows Phone 8.1 and later: Quarantined |
| Maximum OS version | - Android 4.0 and later: Quarantined<br>- Samsung Knox Standard 4.0 and later: Quarantined<br>- Android Enterprise: Quarantined<br>- iOS 8.0 and later: Quarantined<br>- macOS 10.11 and later: Quarantined<br>- Windows 8.1 and later: Quarantined<br>- Windows Phone 8.1 and later: Quarantined |
| Windows health attestation | - Android 4.0 and later: Not applicable<br>- Samsung Knox Standard 4.0 and later: Not applicable<br>- Android Enterprise: Not applicable<br>- iOS 8.0 and later: Not applicable<br>- macOS 10.11 and later: Not applicable<br>- Windows 10 and Windows 10 Mobile: Quarantined<br>- Windows 8.1 and later: Quarantined<br>- Windows Phone 8.1 and later: Not applicable |
Remediated: The device operating system enforces compliance. For example, the user is forced to set a PIN.
Quarantined: The device operating system doesn't enforce compliance. For example, Android and Android Enterprise devices don't force the user to encrypt the device. When the device isn't compliant, the following actions take place:
- If a Conditional Access policy applies to the user, the device is blocked.
- The Company Portal app notifies the user about any compliance problems.
The main difference between the Azure portal and the Azure classic portal for device compliance policies:
- In the Azure portal, the compliance policies are created separately for each supported platform
- In the Azure classic portal, one device compliance policy is common to all supported platforms
Device compliance policies created in the classic portal don't appear in the Azure portal. However, they’re still targeted to users and manageable using the classic portal.
To use the device compliance-related features in the Azure portal, you must create new device compliance policies in the Azure portal. If you assign a device compliance policy in the Azure portal to a user who is also assigned a device compliance policy from the classic portal, then the device compliance policies from the Azure portal take precedence over the policies created in the classic portal.
- Create a policy and view the prerequisites.
- See the compliance settings for the different device platforms.
- Reference for policy entities has information about the Intune Data Warehouse policy entities.