Compliance Policy Setup in Intune is a must-use feature in Mobile Device Management. A compliance policy is a set of rules a device has to meet. These rules might include requiring a password or a PIN to access the device, and encrypting data stored on the device with BitLocker. The best option is to pair the compliance policy with Azure AD Conditional Access, so that a device that fails the rules also loses access to company resources. Not familiar with Intune? Check out our Intune guide. Now let’s set up a compliance policy. We will do so from the main devices screen.
Displayed below is the compliance policy page. Since we got to this page from the main devices page, we can see and make policies for any platform from here.
Let’s make a new policy. Remember that compliance policies let us measure the compliance of the device. We are not configuring the device here; we are checking that it meets the company’s compliance standards.
Below is the compliance policy page. First, we need to enter a name for our policy. You can enter an optional description if you want. Then we need to select a platform. In this case we are selecting iOS/iPadOS for our device.
Now that we have selected a platform, we have a few more options to select from below. We can enter the settings for our policy, actions for noncompliance, and scope tags. Clicking on settings brings up an additional blade where we can measure various aspects of the device. The settings found here are specific to the platform we selected previously.
Under the email tab we can require a managed email profile. The email profile must be deployed by Intune, or the device will be marked as noncompliant.
In the device health section below, we can check for jailbroken devices. If this were an Android policy, we could look for rooted devices instead. Here we can also see whether the device has been flagged at various threat levels and add that to our compliance policy.
In the device properties, we can check the OS version of the device. If the device’s OS doesn’t meet the setting here it will be marked as non-compliant.
In the security section below, we can look at the security setup of the device. We can look at the password settings along with any apps on the device. The apps section is a great way to see if company devices have unwanted apps on them.
Now, let’s take a look at the actions section.
In the actions for noncompliance section, we can see the list of actions that take place when a device is marked as noncompliant. The action is what we want to happen when a device fails the policy.
Let’s select an action from the list. Opening the drop down illustrated below gives us two options. We can send an email to the end user or we can remotely lock the device.
Under the send email option below, we have a few more options. We can select a message template to be sent to the end user. We can send a notification to others in the organization. We can set how many days the device needs to be noncompliant before the notifications are sent.
If we select remote lock from the drop down, we can specify how many days the device needs to be noncompliant before it is locked. One way to set this up is to have actions that send notifications during the first few days, telling the user the device will be locked if it is not compliant in X amount of days. Follow that up with another action to lock the device if it is still noncompliant after that amount of days has passed.
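The same policy can be expressed as a Microsoft Graph request body instead of clicking through the portal. The following Python script is an added example, not code from the original post or from Microsoft: it builds an iOS/iPadOS compliance policy with the email, device health, device properties and security checks discussed above, and stages the actions for noncompliance the way the previous paragraph describes (mark noncompliant immediately, email the user after a few days, remote lock later). The property names follow the Graph iosCompliancePolicy resource as I know it; the notification template id, rule name and day counts are constructed placeholders, and the script only builds and checks the request, it does not send it.

```python
"""Build and sanity-check an iOS/iPadOS Intune compliance policy as a
Microsoft Graph request body (added example; nothing is sent to Graph)."""
import json

# Assumption: v1.0 collection path for compliance policies
GRAPH_COMPLIANCE_POLICIES = (
    "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies"
)
HOURS_PER_DAY = 24  # the portal asks for days; Graph stores gracePeriodHours

# Constructed placeholder: a real tenant supplies its own template id
PLACEHOLDER_TEMPLATE_ID = "00000000-0000-0000-0000-000000000000"


def _action(action_type, grace_hours, template_id="", cc_list=()):
    """One entry of scheduledActionConfigurations."""
    return {
        "@odata.type": "#microsoft.graph.deviceComplianceActionItem",
        "actionType": action_type,
        "gracePeriodHours": grace_hours,
        "notificationTemplateId": template_id,
        "notificationMessageCCList": list(cc_list),
    }


def build_ios_compliance_policy(name, description="", min_os_version="16.0",
                                notify_after_days=1, lock_after_days=7,
                                notification_template_id=PLACEHOLDER_TEMPLATE_ID,
                                cc_list=()):
    """Return the JSON body for an iOS/iPadOS compliance policy whose checks
    mirror the portal blades (email, device health, device properties,
    security) and whose actions escalate: block now, notify, then lock."""
    actions = [
        # Mark noncompliant immediately so Conditional Access can react
        _action("block", 0),
        # Email the user after notify_after_days (CC list is optional)
        _action("notification", notify_after_days * HOURS_PER_DAY,
                notification_template_id, cc_list),
        # Remote lock after lock_after_days of continued noncompliance
        _action("remoteLock", lock_after_days * HOURS_PER_DAY),
    ]
    return {
        "@odata.type": "#microsoft.graph.iosCompliancePolicy",
        "displayName": name,
        "description": description,
        # Email tab: the Intune-managed email profile must be present
        "managedEmailProfileRequired": True,
        # Device health: no jailbroken devices, threat level at most medium
        "securityBlockJailbrokenDevices": True,
        "deviceThreatProtectionEnabled": True,
        "deviceThreatProtectionRequiredSecurityLevel": "medium",
        # Device properties: minimum OS version
        "osMinimumVersion": min_os_version,
        # Security: a non-simple passcode of at least six characters
        "passcodeRequired": True,
        "passcodeBlockSimple": True,
        "passcodeMinimumLength": 6,
        "scheduledActionsForRule": [
            {"ruleName": "PasswordRequired",  # constructed rule name
             "scheduledActionConfigurations": actions}
        ],
    }


def validate_action_schedule(policy):
    """Return a list of problems with the escalation; empty means staged
    correctly: whole-day grace periods, templates on email actions, and
    every lock/retire/wipe later than the first notification."""
    problems = []
    for rule in policy.get("scheduledActionsForRule", []):
        configs = rule.get("scheduledActionConfigurations", [])
        notify_hours = [c["gracePeriodHours"] for c in configs
                        if c["actionType"] in ("notification", "pushNotification")]
        for c in configs:
            kind, hours = c["actionType"], c["gracePeriodHours"]
            if hours % HOURS_PER_DAY:
                problems.append(f"{kind}: {hours}h is not a whole number of days")
            if kind == "notification" and not c["notificationTemplateId"]:
                problems.append("notification action has no message template")
            if kind in ("remoteLock", "retire", "wipe"):
                if not notify_hours:
                    problems.append(f"{kind} scheduled with no prior notification")
                elif hours <= min(notify_hours):
                    problems.append(f"{kind} at {hours}h fires before the first "
                                    f"notification at {min(notify_hours)}h")
    return problems


def to_graph_request(policy):
    """Describe the HTTP request an admin would send (bearer token omitted)."""
    return {"method": "POST", "url": GRAPH_COMPLIANCE_POLICIES,
            "headers": {"Content-Type": "application/json"},
            "body": json.dumps(policy, indent=2)}


if __name__ == "__main__":
    p = build_ios_compliance_policy("Corporate iOS baseline",
                                    notify_after_days=2, lock_after_days=7)
    print(to_graph_request(p)["body"])
    print("schedule problems:", validate_action_schedule(p) or "none")
```

The validation step is the part worth keeping around: the portal will happily accept a remote lock scheduled before the warning email, and a notification action with no template sends nothing, so checking the staged order before the POST catches both mistakes.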
Compliance Policy Setup in Intune Summary
Check out Microsoft’s post for more details on compliance policy setup in Intune.