Microsoft Intune: Managing iOS and Android devices with Compliance Policy

Slides from Microsoft's WorkshopPLUS Microsoft Intune: Managing iOS and Android. The PDF, a vocational education resource in computer science, details compliance policies, conditional access, and configuration profiles for iOS and Android devices.


32 Pages

WorkshopPLUS
Microsoft Intune: Managing iOS and Android
Module 3: Compliance Policy, Conditional Access and Configuration Profiles

Module Overview

  • Compliance Policy
  • Conditional Access
  • Device Configuration Profiles

Compliance Policy

General Compliance Settings

Default handling of the compliance state (Compliance policies | Compliance policy settings):
· Devices without a compliance policy can be marked as "Not Compliant" -> helps to prevent configuration errors
· Inactive devices can be marked as "Not Compliant"

Screenshot: Compliance policy settings blade ("These settings configure the way the compliance service treats devices.")
· Mark devices with no compliance policy assigned as: Not compliant
· Enhanced jailbreak detection: Disabled
· Compliance status validity period (days): 30

A device with no policy of its own is reported as „Built-in Device Compliance Policy" in its policy list:

Policy                            | User Principal Name | State
Built-in Device Compliance Policy | in-user1@m3651      | Compliant
iOS Compliance Policy             | in-user1@m3651      | Compliant

Intune Device Compliance Policy I

Screenshot: summary page of a compliance policy
Basics
· Name: iOS Compliance Policy
· Platform: iOS/iPadOS
· Profile type: iOS compliance policy
Compliance settings
· Device Health > Jailbroken devices: Block
· Device Properties > Minimum OS version: 14
Actions for noncompliance
· Mark device noncompliant: Immediately
· Send email to end user: Immediately
Scope tags: Default
Assignments > Included groups: IN-ConditionalAccess (Filter: None)

Check for:
· Managed email profile
· PIN/password configuration
· Device encryption, Jailbreak / Root
· OS version min/max
· Undesirable app installed
· Risk level (Defender for Endpoint)

Optional actions:
· Send email (localized)
· Delay Azure AD compliance
· Prepare for Retire
· Send push notification
· Remote lock

Intune Device Compliance Policy II

  • Mobile Threat Defense solution
  • Defender for Endpoint
  • Apps available in Google Play or Apple store
  • Configured by app configuration policy
  • Devices onboard to Security Center
  • Threat signal can be used in compliance policy

Screenshot: device home screen with Microsoft Defender and Company Portal installed next to Office, OneDrive, Edge, Files, Gmail and Contacts

Screenshot: Android compliance policy, step 1 Compliance settings (step 2 Review + save)
· Microsoft Defender ATP > Require the device to be at or under the Device Threat Level: Not configured / Secured / Low / Medium / High
· Device Health > Rooted devices: Block
· Google Play Protect > Google Play Services is configured; Up-to-date security provider

Intune Device Compliance Policy III

Device State Management

Intune forwards the compliance report to Azure AD
· Immediately or after the grace period
Intune and Azure AD each manage their own device state
· Azure AD may show „Compliant = Yes" while Intune shows „In grace period"

Device Compliance View

Intune view:
Device name                       | Ownership | Compliance      | OS
In-user1 iPhone WS                | Personal  | In grace period | iOS/iPadOS
Intune Workshop's iPhone          | Personal  | Compliant       | iOS/iPadOS
in-user1_AndroidForWork_4/10 ...  | Personal  | Compliant       | Android (Work Profile)
in-user1_AndroidForWork_4/5/ ...  | Personal  | Compliant       | Android (Work Profile)
in-user2_AndroidEnterprise_3/ ... | Corporate | Not Compliant   | Android (Fully Managed)
in-user2_AndroidEnterprise_4/ ... | Corporate | ...             | ...

AAD view (the same devices in Azure AD, Intune <-> AAD):
Name                     | Enabled | OS     | Version | Join Type           | Compliant
In-user1 iPhone WS       | Yes     | IPhone | 13.4.1  | Azure AD registered | Yes
Intune Workshop's iPhone | Yes     | IPhone | 13.3.1  | Azure AD registered | Yes

Note that "In-user1 iPhone WS" is "In grace period" in Intune but "Compliant = Yes" in Azure AD.
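As an added example (not Intune's code and not part of the workshop material), the Python below models the evaluation described on the three policy slides and in the General Compliance Settings slide: the checks (jailbroken/rooted device, minimum OS version, Defender device threat level), the "mark device noncompliant immediately or after a grace period" action, the tenant-wide setting for devices with no policy assigned, and the difference between what Intune and Azure AD report. The class and field names, the 7-day grace period, the fixed "today" and the sample devices are constructed assumptions.

```python
"""Toy model of how an Intune compliance policy is evaluated and how the
result surfaces in Intune and Azure AD. Added example for this page, not
Intune's own code; the data classes, field names and sample devices are
constructed assumptions."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

# Threat levels in the order the "Device Threat Level" control lists them.
THREAT_LEVELS = ["Secured", "Low", "Medium", "High"]
# When a device has several policies, the worst state wins.
STATE_RANK = {"Compliant": 0, "In grace period": 1, "Not Compliant": 2}
# Fixed "today" so the example is reproducible (constructed).
TODAY = date(2022, 11, 22)


@dataclass
class CompliancePolicy:
    name: str
    block_jailbroken: bool = True           # Device Health > Jailbroken/Rooted devices: Block
    min_os_version: Optional[str] = None    # Device Properties > Minimum OS version
    max_threat_level: Optional[str] = None  # Defender: device at or under this threat level
    grace_period_days: int = 0              # "Mark device noncompliant": 0 = Immediately


@dataclass
class Device:
    name: str
    os_version: str
    jailbroken: bool = False
    threat_level: str = "Secured"
    policies: List[CompliancePolicy] = field(default_factory=list)
    first_failure: Optional[date] = None    # date the device first failed a check


def days_ago(n: int) -> date:
    return TODAY - timedelta(days=n)


def version_tuple(version: str):
    """'13.4.1' -> (13, 4, 1): compare versions numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def failed_checks(device: Device, policy: CompliancePolicy) -> List[str]:
    """Names of the policy's checks that this device does not pass."""
    fails = []
    if policy.block_jailbroken and device.jailbroken:
        fails.append("Jailbroken/Rooted devices: Block")
    if policy.min_os_version and version_tuple(device.os_version) < version_tuple(policy.min_os_version):
        fails.append(f"Minimum OS version: {policy.min_os_version}")
    if policy.max_threat_level and THREAT_LEVELS.index(device.threat_level) > THREAT_LEVELS.index(policy.max_threat_level):
        fails.append(f"Device Threat Level at or under: {policy.max_threat_level}")
    return fails


def policy_state(device: Device, policy: CompliancePolicy, today: date = TODAY) -> str:
    """Compliant, In grace period or Not Compliant for a single policy."""
    if not failed_checks(device, policy):
        return "Compliant"
    started = device.first_failure or today
    if today < started + timedelta(days=policy.grace_period_days):
        return "In grace period"
    return "Not Compliant"


def intune_state(device: Device, today: date = TODAY, mark_unassigned_noncompliant: bool = True) -> str:
    """Intune's device view. A device with no policy follows the tenant-wide
    'Mark devices with no compliance policy assigned as' setting."""
    if not device.policies:
        return "Not Compliant" if mark_unassigned_noncompliant else "Compliant"
    return max((policy_state(device, p, today) for p in device.policies), key=STATE_RANK.get)


def aad_is_compliant(state: str) -> bool:
    """Azure AD's view: a device still inside its grace period is reported as
    Compliant = Yes, which is the Intune/AAD mismatch the slide points out."""
    return state in ("Compliant", "In grace period")


if __name__ == "__main__":
    ios_policy = CompliancePolicy("iOS Compliance Policy", min_os_version="14", grace_period_days=7)
    phone = Device("In-user1 iPhone WS", "13.4.1", policies=[ios_policy], first_failure=days_ago(2))
    state = intune_state(phone)
    print(f"{phone.name}: Intune={state}, AAD compliant={aad_is_compliant(state)}")
```

Running the block reproduces the situation in the tables above: the iPhone on 13.4.1 fails the minimum-OS check, Intune shows "In grace period", and Azure AD still reports the device as compliant until the grace period runs out. A Conditional Access policy that requires a compliant device therefore keeps granting access during the grace period, so the grace period is effectively an access decision, not only a user-experience setting.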

Noncompliant Device View

  • Android
  • iOS

Screenshot: Company Portal on Android, device details for in-user2_AndroidForWork_10/28/2020_11:01 AM (SM-G950F)
· "You need to update settings on this device." Last checked: October 28, 17:57
· "Your company needs you to adjust these settings to comply with organizational policies. Tap Confirm Device Settings to recheck these settings."
· Update your operating system: "You need to update your operating system to 10 or later." (How to resolve this) - CONFIRM DEVICE SETTINGS

Screenshot: Company Portal on iOS, Devices > Device details for IN-User1's iPhone SE (FourthCoffee tenant)
· "You need to update settings on this device. See status for details"
· Device settings status: "May not be abl... access comp... resour..." (truncated), "Tap Retry to recheck your compliance with FourthCoffee requirements." Last checked: 22. Nov 2022 at 06:04
· Check status: "This device does not meet company compliance and security policies. You need to make some changes to this device so that you can access company resources"

Screenshot: Company Portal device details (Operating System: Android, Ownership Type: Personal)
· Device Settings Status: Not in Compliance, Last checked: October 28, 17:57 (Check device settings)
· Update your operating system: "You need to update your operating system to 17 or later." (How to resolve this)

Device Compliance - Report Framework

Custom reporting based on status, OS, ownership and trends. See the Reporting Module.

Screenshot: Device compliance report (filters: All compliance status, All OS, All ownership; Columns, Export, Generate again; Report generated on: 41/22/2022, 4:48:50 PM)
· Compliant: 2
· Not compliant: 12
· In grace period: 0
· Not evaluated: 0
· Managed by ConfigMgr: 0

Showing 1 to 4 of 4 records (search by device name, Azure AD device ID, primary user email address, primary UPN, ...)
Device name                 | Primary user   | Compliance status | OS
IN-User1's iPhone           | in-user1@m ... | Compliant         | iOS
in-user1_AndroidForWork ... | in-user1@m ... | Not compliant     | Android (Wo...
IN-User1's iPhone SE        | in-user1@m ... | Compliant         | iOS
in-user1_AndroidForWork ... | in-user1@m ... | Not compliant     | Android (Wo...

Chart: Device compliance (60 day trend), weekly points from Aug 30 to Oct 25, y-axis 0 to 20; legend: Not compliant (Last), Not evaluated (Last), Managed by ConfigMgr (...), In grace period (Last), Compliant (Last); last values shown: 13, 4, 1, 0, 0

Conditional Access

Conditional Access Overview

Diagram: Conditions (Users, Devices, Apps, Location, Risk from machine learning) feed a real-time evaluation engine that combines the policies into an effective policy; Controls then allow access, limit access, apply session controls, require MFA, force a password reset or deny access to on-premises apps and web apps.
Enable users to work from everywhere, from any device.

Conditional Access (CA) Requirement

Modern Authentication Support

  • Token-based & multi-factor authentication to Office 365
  • Office-wide single sign-on (SSO)
  • ADAL / MSAL (Active Directory / Microsoft Authentication Library)

Cloud Services

  • Turned on for Exchange Online, SharePoint Online, Teams

Considerations

Think about
· Disabling legacy protocols and apps that use basic authentication, e.g., IMAP/POP3
· Disabling legacy authentication in general

Screenshot: Microsoft sign-in page (login.microsoftonline.com) branded for Fourth Coffee, signing in as in-user1@m3651 ... .onmicrosoft.com (Enter password, Forgot my password, Sign in with another account)

CA: Signals And Decisions

  • Signals: User and location, Device, Application, Real-time risk
  • Decision: verify every access attempt ("When this happens ... Then do this")
  • GRANT: Allow access, Require MFA, Require compliant device, Require Domain Join
  • BLOCK: Block access

Conditions evaluated: Applications, Device, Risk, User / Group, IP Locations

CA: Conditions III - Client Apps

Browsers

  • Works with all browsers
  • Support varies in conjunction with device policy

Mobile and Desktop Clients

  • Outlook app / Windows 10 mail app
  • Outlook 2016/2013 with modern authentication
  • Teams
  • ...

Other Clients

  • POP3 / IMAP4 clients

Screenshot: Client apps condition ("Control user access to target specific client applications not using modern authentication."), Configure: Yes / No. Select the client apps this policy will apply to:
· Modern authentication clients: Browser; Mobile apps and desktop clients
· Legacy authentication clients: Exchange ActiveSync clients; Other clients

When not configured, policies now apply to all client apps, including modern and legacy auth.

CA: Conditions IV - Filter for devices

Creating device filters based on AAD attributes allows a lot of flexibility without creating AAD groups.

Screenshot: Filter for devices condition ("Configure a filter to apply policy to specific devices."), Configure: Yes / No
· Devices matching the rule: Include filtered devices in policy / Exclude filtered devices in policy
· You can use the rule builder or the rule syntax text box to create or edit the filter rule.
· Rule builder columns: And/Or | Property | Operator | Value, e.g. Manufacturer | Equals | Apple (+ Add expression)
· Rule syntax: device.manufacturer -eq "Apple"

Properties offered by the rule builder: DeviceId, DisplayName, DeviceOwnership, EnrollmentProfileName, IsCompliant, Manufacturer, MdmAppId, Model, OperatingSystem, OperatingSystemVersion, PhysicalIds, ProfileType, SystemLabels, TrustType, ExtensionAttribute1
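To make the rule syntax above concrete, here is an added example (not Azure AD's evaluator and not from the workshop) that parses rules in the `device.<property> <operator> <value>` form and runs them over a constructed device list. It goes beyond the slide's single `-eq` rule: it handles -eq, -ne, -startsWith, -contains, -in and -notIn combined with and / or and parentheses. The supported operator subset, the precedence (and binds tighter than or), case-insensitive string matching and the sample devices are assumptions of this toy; consult the Azure AD documentation for the real semantics before relying on a rule.

```python
"""Evaluator for the device-filter rule syntax shown on the slide, e.g.
device.manufacturer -eq "Apple". Added example for this page, not Azure AD's
evaluator: operator subset, precedence (and before or) and case-insensitive
string comparison are assumptions of this toy."""
import re

# One token per match: quoted string, -operator, punctuation, or identifier/keyword.
TOKEN_RE = re.compile(r'\s*(?:("[^"]*")|(-[A-Za-z]+)|([()\[\],])|([A-Za-z_][\w.]*))')


def tokenize(rule: str):
    tokens, pos, rule = [], 0, rule.strip()
    while pos < len(rule):
        m = TOKEN_RE.match(rule, pos)
        if not m:
            raise ValueError(f"bad token at {pos}: {rule[pos:]!r}")
        tokens.append(next(g for g in m.groups() if g is not None))
        pos = m.end()
    return tokens


class Parser:
    """expr := term ('or' term)* ; term := factor ('and' factor)* ;
    factor := '(' expr ')' | device.<prop> <op> <value>"""

    def __init__(self, tokens):
        self.toks, self.i = tokens, 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self, expected=None):
        tok = self.peek()
        if tok is None or (expected is not None and tok.lower() != expected):
            raise ValueError(f"expected {expected!r}, got {tok!r}")
        self.i += 1
        return tok

    def parse(self):
        node = self.expr()
        if self.peek() is not None:
            raise ValueError(f"trailing input: {self.peek()!r}")
        return node

    def expr(self):
        node = self.term()
        while self.peek() and self.peek().lower() == "or":
            self.take()
            node = ("or", node, self.term())
        return node

    def term(self):
        node = self.factor()
        while self.peek() and self.peek().lower() == "and":
            self.take()
            node = ("and", node, self.factor())
        return node

    def factor(self):
        if self.peek() == "(":
            self.take()
            node = self.expr()
            self.take(")")
            return node
        prop = self.take()
        if not prop.lower().startswith("device."):
            raise ValueError(f"expected device.<property>, got {prop!r}")
        op = self.take().lower()
        return ("cmp", prop[len("device."):].lower(), op, self.value())

    def value(self):
        tok = self.take()
        if tok == "[":                                  # list literal for -in / -notIn
            items = [self.value()]
            while self.peek() == ",":
                self.take()
                items.append(self.value())
            self.take("]")
            return items
        if tok.startswith('"'):
            return tok[1:-1]
        if tok.lower() in ("true", "false"):
            return tok.lower() == "true"
        raise ValueError(f"bad value {tok!r}")


def _norm(v):
    return v.lower() if isinstance(v, str) else v


OPS = {
    "-eq": lambda a, b: _norm(a) == _norm(b),
    "-ne": lambda a, b: _norm(a) != _norm(b),
    "-startswith": lambda a, b: str(a).lower().startswith(str(b).lower()),
    "-contains": lambda a, b: str(b).lower() in str(a).lower(),
    "-in": lambda a, b: _norm(a) in [_norm(x) for x in b],
    "-notin": lambda a, b: _norm(a) not in [_norm(x) for x in b],
}


def evaluate(node, device: dict) -> bool:
    """device maps lower-cased property names to values. A device that lacks
    the property never matches (a choice of this toy, not a documented rule)."""
    if node[0] == "and":
        return evaluate(node[1], device) and evaluate(node[2], device)
    if node[0] == "or":
        return evaluate(node[1], device) or evaluate(node[2], device)
    _, prop, op, value = node
    if op not in OPS:
        raise ValueError(f"unsupported operator {op}")
    actual = device.get(prop)
    return actual is not None and OPS[op](actual, value)


def matches(rule: str, device: dict) -> bool:
    return evaluate(Parser(tokenize(rule)).parse(), {k.lower(): v for k, v in device.items()})


# Constructed sample devices using the property names from the slide.
DEVICES = [
    {"displayName": "In-user1 iPhone WS", "manufacturer": "Apple", "operatingSystem": "iOS",
     "operatingSystemVersion": "13.4.1", "deviceOwnership": "Personal", "isCompliant": True},
    {"displayName": "in-user2_AndroidEnterprise", "manufacturer": "samsung", "model": "SM-G950F",
     "operatingSystem": "Android", "deviceOwnership": "Company", "isCompliant": False},
]


def filter_devices(rule: str, devices=DEVICES):
    return [d["displayName"] for d in devices if matches(rule, d)]


if __name__ == "__main__":
    print(filter_devices('device.manufacturer -eq "Apple"'))
```

Because a filter can exclude devices from a policy, the rules are worth testing against the real device inventory before use: a typo in a property name or a value that never matches silently makes the filter match nothing, which for an "Exclude filtered devices" rule means the policy applies to everything.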

CA: Controls

Device Compliance Requirement

Require device to be marked as compliant
· Requires MDM enrollment and a compliance policy
· Only Azure AD known devices (joined / registered) can be marked as compliant

Approved Client App Requirement

Require approved client app
· Apps that support Intune App Protection policies, like Microsoft Outlook, Word, Excel, ...
· Doesn't require MDM-enrolled devices
· Supersedes the browser and mobile app condition if selected

Screenshot: Grant control ("Control user access enforcement to block or grant access.")
· Block access / Grant access
· Require multi-factor authentication
· Require device to be marked as compliant (this references the Intune Device Compliance Policy)
· Require Hybrid Azure AD joined device
· Require approved client app (see list of approved client apps)
· Require app protection policy (see list of policy protected client apps)
· Require password change
· For multiple controls: Require all the selected controls / Require one of the selected controls

Don't lock yourself out! Make sure that your device is compliant.
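The grant logic above, including "Require all" versus "Require one of" the selected controls and the "not configured applies to all client apps" behaviour from the Client Apps slide, as an added example in Python (not Azure AD code and not from the workshop). The signal names, control names and sample policies are assumptions; the lockout_check() function is one way to act on the "Don't lock yourself out" warning: evaluate the policies against your own everyday sign-in before enabling them.

```python
"""Toy model of a Conditional Access grant decision: the policy's conditions
select the sign-in, then its grant controls block it, grant it, or grant it
subject to requirements ('Require all' vs 'Require one of' the selected
controls). Added example for this page, not Azure AD code; the signal and
control names are assumptions."""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass
class SignIn:                              # the signals CA evaluates (constructed)
    user: str
    groups: Set[str]
    app: str
    client_app: str                        # "browser", "mobile" or "legacy"
    device_compliant: bool = False         # Intune compliance state as seen by Azure AD
    hybrid_joined: bool = False
    approved_client_app: bool = False
    mfa_satisfied: bool = False


@dataclass
class CAPolicy:
    name: str
    include_groups: Set[str]
    apps: Set[str]                          # {"*"} = all cloud apps
    client_apps: Optional[Set[str]] = None  # None = not configured -> applies to all client apps
    block: bool = False                     # Block access instead of Grant access
    controls: List[str] = field(default_factory=list)
    require_all: bool = True                # "Require all the selected controls" vs "one of"


# How each grant control is satisfied by the sign-in's signals.
SATISFIES = {
    "mfa": lambda s: s.mfa_satisfied,
    "compliant_device": lambda s: s.device_compliant,
    "hybrid_joined": lambda s: s.hybrid_joined,
    "approved_client_app": lambda s: s.approved_client_app,
}


def applies(policy: CAPolicy, sign_in: SignIn) -> bool:
    """Conditions: user/group, application and client app must all match."""
    user_ok = bool(policy.include_groups & sign_in.groups)
    app_ok = "*" in policy.apps or sign_in.app in policy.apps
    client_ok = policy.client_apps is None or sign_in.client_app in policy.client_apps
    return user_ok and app_ok and client_ok


def decide(policy: CAPolicy, sign_in: SignIn) -> Tuple[str, List[str]]:
    """('not applicable' | 'block' | 'grant', list of controls still unmet)."""
    if not applies(policy, sign_in):
        return "not applicable", []
    if policy.block:
        return "block", []
    results = {c: SATISFIES[c](sign_in) for c in policy.controls}
    satisfied = all(results.values()) if policy.require_all else any(results.values())
    if satisfied or not policy.controls:
        return "grant", []
    return "grant", [c for c, met in results.items() if not met]


def evaluate(policies: List[CAPolicy], sign_in: SignIn) -> Tuple[str, List[str]]:
    """Combine all applicable policies: any block wins; otherwise every
    unmet control from every applicable policy must still be satisfied."""
    outcomes = [decide(p, sign_in) for p in policies]
    if any(status == "block" for status, _ in outcomes):
        return "block", []
    unmet = sorted({c for _, missing in outcomes for c in missing})
    return "grant", unmet


def lockout_check(policies: List[CAPolicy], admin_sign_in: SignIn) -> bool:
    """Dry-run before enabling: does the admin's everyday sign-in still get
    straight in? False means make that device compliant (or exclude an
    emergency access account) before turning the policies on."""
    status, unmet = evaluate(policies, admin_sign_in)
    return status == "grant" and not unmet


if __name__ == "__main__":
    block_legacy = CAPolicy("Block legacy authentication", {"IN-ConditionalAccess"}, {"*"},
                            client_apps={"legacy"}, block=True)
    require_compliant = CAPolicy("Require compliant device for Office 365", {"IN-ConditionalAccess"},
                                 {"Exchange Online", "SharePoint Online", "Teams"},
                                 controls=["compliant_device", "approved_client_app"], require_all=False)
    admin = SignIn("admin", {"IN-ConditionalAccess"}, "Exchange Online", "browser")
    print("safe to enable:", lockout_check([block_legacy, require_compliant], admin))
```

The two sample policies mirror the slides' advice: one blocks the legacy authentication clients (POP3/IMAP4, Exchange ActiveSync) that cannot present device or MFA claims, the other grants Office 365 access from either a compliant MDM-enrolled device or an approved client app under app protection. The dry-run at the end prints False for an admin on a non-compliant device, which is exactly the case the slide warns about.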
