How to Create a Compliance Policy in Microsoft Intune

In this article, I’m going to show you how to create a compliance policy in Intune, Microsoft’s Mobile Device Management (MDM) solution, that restricts access to resources to cloud-managed and compliant devices only.

Even if your devices are registered or joined to Azure Active Directory (AD), there are still risks that could lead to compromised devices gaining access to your Microsoft 365 tenant’s resources. Hence, it’s necessary to control which types of devices are allowed to access your resources and under what conditions they are permitted to connect. Here’s a high-level overview of the entire process:

The first step is to create a policy for each device platform in the Endpoint Manager portal, for example for Android and/or Windows devices. You choose which controls will be enforced in the policy; for instance, you could opt to block rooted Android devices. Next, define the actions for non-compliance and assign the policy to users. Then create a template for the email notifications that inform users that their device has been blocked. Finally, you specify remediation actions for non-compliant devices.

Create a compliance policy with Microsoft Intune (all platforms)

Let’s take a brief look at some examples of compliance policies that an admin may want to configure in the Endpoint Manager portal. Here you will create a new compliance policy to handle personally owned Android devices.

1. Go to Devices > Compliance Policies in the Endpoint Manager portal and click Create Policy.

Create a new compliance policy in Microsoft Intune

2. The next step is to configure the settings that will determine whether a device is allowed to connect.

Choose the settings that determine whether a device is allowed to connect.

Choose which controls to apply in your compliance policy

You can define various controls here and we will look at a few of them:

  • Machine-level risk – Defender for Endpoint assigns each device its own risk level. You can leverage that by setting a risk-level threshold that a device must not exceed to be considered compliant.
  • Rooted Devices – These can be blocked as they pose a security threat.
  • Minimum OS version – Some OS versions may have become obsolete; hence, such devices won’t receive the latest security patches or upgrades. It’s essential to avoid devices with outdated operating systems.
  • Device Password – You must enforce the use of passwords to unlock devices.
  • Encryption – Require data stored on the device to be encrypted.

Under Device security there are more settings like ‘Block apps from unknown sources’ and ‘Company portal app integrity check’, which can also be configured.

Define actions for non-compliance

Now you must decide what to do with non-compliant devices. You can view the basic actions configured in the screenshot here.

Choose the actions for non-compliant devices.

Next, assign this policy to users or groups.

Assign the compliance policy to users.

On the final page you can review your selections and then create the policy. Likewise, you can create policies for iOS devices and for Windows or macOS.

Send email to non-compliant device owners automatically

It’s important to educate end users whenever their devices fail to meet the compliance standards. This can be done by sending emails to users. Here, we will see how you can create a template for such events.

1. Click Notifications.

Create a new email notification template.

2. On the next tab, create a template.

Design your email notification template.

3. And on the final page, review the settings and click Create to have email notifications enabled.

In the next section, you will learn how to use this template to send emails.

Create remediation actions for non-compliant devices in Intune

You have already seen how to create a remediation action while creating a new compliance policy in Intune. You may add further actions to it, as seen here. As per the policy we created in this tenant, the owner of a non-compliant device gets a maximum of 10 days before the device is retired. The device is marked as non-compliant right away, and the owner receives an email alerting them as soon as this happens. A push notification is sent to the user a week after this event.

Here, we also decide to send emails to owners of non-compliant devices using the template created in the previous section.
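The same Android policy and the 10-day action schedule, expressed as an added Microsoft Graph example rather than through the portal (this is not code from the original article): it assumes the Microsoft.Graph PowerShell SDK, a role that grants DeviceManagementConfiguration.ReadWrite.All, and placeholders for the notification template and target group IDs; property names follow the Graph v1.0 androidCompliancePolicy resource.

```powershell
# Added example, not from the original article. Builds the Android compliance policy
# described above via Microsoft Graph. Placeholders in <...> must be replaced.
Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All"
$templateId = "<NOTIFICATION-TEMPLATE-ID>"   # id of the email template from the previous section

$policy = @{
    "@odata.type" = "#microsoft.graph.androidCompliancePolicy"
    displayName   = "Android personal - baseline compliance"
    description   = "Blocks rooted, unencrypted, outdated or high-risk Android devices"

    # Controls from the 'Choose which controls to apply' section
    securityBlockJailbrokenDevices               = $true           # rooted devices
    osMinimumVersion                             = "11.0"          # obsolete OS versions
    passwordRequired                             = $true           # device password
    passwordRequiredType                         = "numericComplex"
    storageRequireEncryption                     = $true           # encryption
    deviceThreatProtectionEnabled                = $true           # Defender for Endpoint risk
    deviceThreatProtectionRequiredSecurityLevel  = "low"           # highest risk level still compliant
    securityPreventInstallAppsFromUnknownSources = $true           # Device security extras
    securityRequireCompanyPortalAppIntegrity     = $true

    # Actions for non-compliance, matching the 10-day schedule described in the text.
    # gracePeriodHours counts from the moment the device is evaluated as non-compliant.
    scheduledActionsForRule = @(
        @{
            ruleName = "PasswordRequired"
            scheduledActionConfigurations = @(
                @{ actionType = "block";            gracePeriodHours = 0 }    # mark non-compliant at once
                @{ actionType = "notification";     gracePeriodHours = 0; notificationTemplateId = $templateId }
                @{ actionType = "pushNotification"; gracePeriodHours = 168 }  # one week later
                @{ actionType = "retire";           gracePeriodHours = 240 }  # 10 days later
            )
        }
    )
}

$created = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies" `
    -Body ($policy | ConvertTo-Json -Depth 6) -ContentType "application/json"

# Assign the policy to the group holding personally owned Android devices
$assignment = @{ assignments = @(@{ target = @{
    "@odata.type" = "#microsoft.graph.groupAssignmentTarget"; groupId = "<GROUP-OBJECT-ID>" } }) }
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies/$($created.id)/assign" `
    -Body ($assignment | ConvertTo-Json -Depth 6) -ContentType "application/json"
```

Review the created policy under Devices > Compliance Policies afterwards; the action schedule shown there should match the 10-day sequence described above.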

Choose the actions for non-compliant devices.

And that is it! Now you have a policy to control which devices can access your Microsoft 365 tenant.