Search the Petri IT Knowledgebase

The Unofficial M365 Changelog

Sponsors

Podcasts

Learning Center
search icon

close

Icon for Latest Whitepaper

Latest Whitepaper

Choosing an MFA Solution for Your Active Directory Environment? Ask These 15 Questions.
Icon for On-Demand Webinar

On-Demand Webinar

Combating Cyberattacks in 2022: Prepare to Defend Your Active Directory
Icon for Live Webinar Coming Soon

Live Webinar Coming Soon

Deep Dive: How to Migrate Native GPOs to Microsoft Intune
Icon for Upcoming Conference

Upcoming Conference

GET-IT Microsoft Cloud Security and Compliance 1-Day Virtual Conference

Home

Endpoint Protection

Microsoft 365

Security

How to Create a Compliance Policy in Microsoft Intune

Vignesh Mudliar

 |

Sep 16, 2021

In this article, I’m going to show you how to create a compliance policy in Intune, Microsoft’s Mobile Device Management (MDM) solution, that restricts access to resources to cloud managed and compliant devices only.

Even if your devices are registered or joined to Azure Active Directory (AD), there are still risks that could lead to compromised devices gaining access to your Microsoft 365 tenant’s resources. Hence, it’s necessary to control which types of devices are allowed to access your resources and under what conditions they are permitted to connect. Here’s a high-level overview of the entire process:

advertisment

The first step to create a policy for each device platform in the Endpoint Manager portal. For example, Android devices and/or Windows devices. You choose which controls will be enforced in the policy. For instance, you could opt to block rooted Android devices. Next, define the actions for non-compliance and assign the policy to users. And then, create a template for email notifications, informing users that their device has been blocked. Finally, you specify remediation actions for non-compliant devices.

Create a compliance policy with Microsoft Intune (all platforms)

Let’s take a brief look at some examples of compliance policies that an admin may want to configure in the Endpoint Manager portal. Here you will create a new compliance policy to handle personally owned Android devices.

  1. Go to Devices > Compliance Policies in the Endpoint Manager portal and click Create Policy.

Create a new compliance policy in Microsoft Intune

Create a new compliance policy in Microsoft Intune

 

2. The next step is to configure the settings that will determine whether a device is allowed to connect.

advertisment

Choose the settings that determine whether a device is allowed to connect.

Choose the settings that determine whether a device is allowed to connect.

Choose which controls to apply in your compliance policy

You can define various controls here and we will look at a few of them:

  • Machine level risks – Defender for Endpoint provides individual device level risks. So, you can leverage that by defining a lower limit for that.
  • Rooted Devices – These can be blocked as they pose a security threat.
  • Minimum OS version – Some OS versions may have become obsolete; hence, such devices won’t receive the latest security patches or upgrades. It’s essential to avoid devices with outdated operating systems.
  • Device Password – You must enforce the use of passwords to unlock devices.
  • Encryption – If you want data to be encrypted on devices.

Under Device security there are more settings like ‘Block apps from unknown sources’ and ‘Company portal app integrity check’, which can also be configured.

Define actions for non-compliance

Now you must decide what to do with non-compliant devices. You can view the basic actions configured in the screenshot here.

Choose the actions for non-compliant devices.

Choose the actions for non-compliant devices.

Next, assign this policy to users or groups.

advertisment

Assign the compliance policy to users.

Assign the compliance policy to users.

 

On the final page you can review your selections and then create the policy. Likewise, you can create policies for iOS devices and for Windows or Mac OS.

Send email to non-compliant device owners automatically

It’s important to educate end users whenever their devices fail to meet the compliance standards. This can be done by sending emails to users. Here, we will see how you can create a template for such events.

  1. Click Notifications.

Create a new email notification template.

Create a new email notification template.

2. On the next tab, create a template.

Design your email notification template.

Design your email notification template.

 

3. And on the final page, review the settings and click Create to have email notifications enabled.

In the next section, you will learn how to use this template to send emails.

Create remediation actions for non-compliant devices in Intune

You have already seen how to create a remediation action while creating new compliance policies in Intune. You may even add more actions to those as seen here. As per the policy we created in this tenant, a non-compliant device owner gets a maximum of 10 days before the device is retired. They will receive an email alerting them as soon as their device becomes non-compliant. The device will also be marked as noncompliant right away. A push notification is sent to the user a week after this event.

Here, we also decide to send emails to owners of non-compliant devices using the template created in the previous section.

Choose the actions for non-compliant devices.

Choose the actions for non-compliant devices.

 

And that is it! Now you have a policy to control which devices can access your Microsoft 365 tenant.

More from Vignesh Mudliar

How to Customize Endpoint Security Settings in Microsoft Intune

How to Create a Compliance Policy in Microsoft Intune

How to Enable Windows Hello for Business

advertisment

Petri Newsletters

Whether it’s Security or Cloud Computing, we have the know-how for you. Sign up for our newsletters here.

advertisment

More in Security

Windows Server 3 Hero Approved

CISA Warns Windows Admins Against Applying May Patch Tuesday Updates on Domain Controllers

May 17, 2022 | Rabia Noureen

Security

F5 Confirms New Remote Code Execution Flaw in BIG-IP Systems

May 9, 2022 | Rabia Noureen

Security

Microsoft's New Security Experts Service Protects Businesses Against Ransomware Attacks

May 9, 2022 | Rabia Noureen

Security

Microsoft, Google, and Apple to Expand Passwordless Login Across All Major Platforms

May 5, 2022 | Rabia Noureen

DevOps code

GitHub to Require All Code Contributors to Enable 2FA by Late 2023

May 5, 2022 | Rabia Noureen

Security Authenticator

Microsoft Authenticator Now Lets Users Generate Strong Passwords

May 5, 2022 | Rabia Noureen

Most popular on petri

Log in to save content to your profile.

Login

Sign Up

Username/Email

Password

Forgot Password?

Login

Article saved!

Access saved content from your profile page. View Saved

Reach out

Contact Us

Advertising

About Us

Media Kit

Learn More

Podcasts

Learning Center

Webinars

Sitemap

Windows

Cloud

Office 365

Servers

Join The Conversation

Create a free account today to participate in forum conversations, comment on posts and more.

Copyright ©2019 BWW Media Group

Terms and Conditions of Use

 |

Privacy Policy