Microsoft Endpoint Manager (MEM), since rebranded as Microsoft Intune, bundles tools and services for managing, securing, and monitoring endpoints such as laptops, desktops, mobile phones, virtual machines, and servers, both on-premises and in the cloud. Its practical benefits are lower management cost, a consistent experience for employees across device types, and a single place to detect and act on devices that drift out of a secure configuration. This article covers one of its central components, Microsoft Intune, and focuses on one feature: device compliance policies. Read on to learn what compliance policies are, why they matter for access control, and how to configure and monitor them.
What is Microsoft Intune?
Microsoft Intune is the cloud-based device management service within Microsoft Endpoint Manager. It acts as a Mobile Device Management (MDM) solution and, more broadly, as a Unified Endpoint Management (UEM) solution, depending on how an organization uses it. It integrates with Microsoft and third-party apps, keeps a user's personal data separate from organizational data, and, through app protection policies, can protect organizational data inside apps even on devices that are not enrolled in Intune. Users get self-service features such as password resets and app installation. Integration with Microsoft Defender for Endpoint and third-party mobile threat defense products feeds a device risk level into compliance evaluation, which is what lets Intune act as a policy decision point in a Zero Trust access model.
What are Compliance Policies in Microsoft Intune?
Compliance policies in Microsoft Intune are sets of rules (for example, a minimum OS version, required disk encryption, or a maximum device threat level) that enrolled devices must satisfy. A device that fails any rule is evaluated as noncompliant, and the actions configured for noncompliance run, such as marking the device noncompliant, emailing the user, or, after a set number of days, retiring the device. On their own, compliance policies only evaluate and flag device state; they do not block anything. Enforcement comes from pairing them with Conditional Access policies, which work as if-then statements: if the device is compliant, access to the protected apps and services is granted; if it is not, access is blocked or limited. That pairing is what turns compliance into access control and protects the organization's data and resources.
Compliance Policy Status
Each device with a compliance policy has an assigned compliance status, each associated with a severity level:
| Severity | Status |
|---|---|
| 1 | Unknown |
| 2 | NotApplicable |
| 3 | Compliant |
| 4 | InGracePeriod |
| 5 | NonCompliant |
| 6 | Error |
When a device has multiple compliance policies with differing statuses, only the status with the highest severity level is assigned to the device.
Creating Compliance Policies: A Step-by-Step Guide
- Log in to your Microsoft Intune admin center.
- Navigate to Devices > Compliance > Create policy.
- Select a platform for the policy you create:
- Android device administrator
- Android (AOSP)
- Android Enterprise
- iOS/iPadOS
- Linux (Ubuntu Desktop, version 20.04 LTS and 22.04 LTS)
- macOS
- Windows 8.1 and later
- Windows 10 and later
- For Android Enterprise, choose a policy type:
- Fully managed, dedicated, and corporate-owned work profile
- Personally-owned work profile
- Under the Basics tab, enter a Name and Description for the policy.
- Under the Scope tags tab, optionally add scope tags (e.g., tags named MarketingTeam or Alex_Developer). Scope tags do not target devices; they restrict which administrators can see and manage this policy. Device targeting is done under Assignments.
- Under the Compliance settings tab, configure your policy settings based on the platform selected.
For Windows 10 and later:
- Under Compliance settings, expand Custom Compliance.
- Set Require custom compliance to "Require."
- Select the discovery script (a PowerShell script uploaded in advance under Devices > Compliance > Scripts) that collects the values to be evaluated.
- Select and upload the JSON file that defines the rules applied to those values.
For Linux:
- Go to Compliance settings > Add settings.
- In the Settings picker pane, select Custom Compliance.
- Set Require Custom Compliance to True.
- Specify a pre-uploaded discovery script.
- Select and upload the JSON file for Linux compliance.
- Under the Actions for noncompliance tab, configure what happens when a device fails the policy. "Mark device noncompliant" is present by default with a schedule of 0 days (immediately); raising that number gives users a grace period during which the device reports InGracePeriod and is not yet blocked by Conditional Access. Further actions, each with its own schedule in days, include sending an email to the end user, sending a push notification, remotely locking the device (platform-dependent), and retiring the device.
- Under the Assignments tab, select groups to include and assign the policy to them.
- Review and create the compliance policy settings under the Review + create tab, then click Create.
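The custom compliance step above is where most deployments go wrong, because the discovery script and the JSON rules file are authored separately and the only feedback from Intune is an Error status on every targeted device. The following is an added example, not code from the original article or from Microsoft: a Windows discovery script, a matching rules file, and a local dry run that evaluates one against the other before anything is uploaded. The setting names (SecureBootEnabled, BitLockerOsVolumeProtected, TpmReady, OsVersion) and the intranet URLs are hypothetical, and the script assumes Windows 10/11 with Windows PowerShell 5.1 and that Intune runs the discovery script as SYSTEM (its default). Linux custom compliance uses the same JSON schema with a shell discovery script; that case is not shown.

```powershell
# Added example, not from the original article. Hypothetical setting names and URLs.
# Assumes Windows 10/11, Windows PowerShell 5.1, and that Intune runs the discovery
# script as SYSTEM, so Get-BitLockerVolume and Get-Tpm have the rights they need.

# ---- Part 1: discovery script.
# Upload ONLY this function plus a final call to it as the .ps1 discovery script. Its
# sole output must be one line of compressed JSON with flat key/value pairs; any extra
# output makes Intune evaluate the device as Error.
function Get-DeviceSecurityState {
    $secureBoot = $false
    # Confirm-SecureBootUEFI throws on legacy BIOS machines; treat that as "not enabled".
    try { $secureBoot = [bool](Confirm-SecureBootUEFI -ErrorAction Stop) } catch { }

    $bitLocker = $false
    try {
        $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop
        $bitLocker = ($vol.ProtectionStatus -eq 'On')
    } catch { }

    $tpmReady = $false
    try { $tpmReady = [bool](Get-Tpm -ErrorAction Stop).TpmReady } catch { }

    # e.g. "10.0.22631"; Win32_OperatingSystem is not affected by app-compat version shims.
    $osVersion = (Get-CimInstance -ClassName Win32_OperatingSystem).Version

    $state = @{
        SecureBootEnabled          = $secureBoot
        BitLockerOsVolumeProtected = $bitLocker
        TpmReady                   = $tpmReady
        OsVersion                  = $osVersion
    }
    return ($state | ConvertTo-Json -Compress)
}

# ---- Part 2: rules file.
# Save the JSON below (without the PowerShell here-string quotes) as a .json file and
# upload it in the policy's Custom Compliance setting. Every SettingName must match a key
# emitted above and DataType must match the emitted value's type, or evaluation errors.
$rulesJson = @'
{ "Rules": [
  { "SettingName": "SecureBootEnabled", "Operator": "IsEquals", "DataType": "Boolean", "Operand": true,
    "MoreInfoUrl": "https://intranet.example.com/secure-boot",
    "RemediationStrings": [ { "Language": "en_US", "Title": "Secure Boot must be enabled.",
      "Description": "Discovered value: {ActualValue}. Enable Secure Boot in the UEFI firmware settings." } ] },
  { "SettingName": "BitLockerOsVolumeProtected", "Operator": "IsEquals", "DataType": "Boolean", "Operand": true,
    "MoreInfoUrl": "https://intranet.example.com/bitlocker",
    "RemediationStrings": [ { "Language": "en_US", "Title": "The OS drive must be BitLocker protected.",
      "Description": "Discovered value: {ActualValue}. Turn on BitLocker for the system drive." } ] },
  { "SettingName": "OsVersion", "Operator": "GreaterEquals", "DataType": "Version", "Operand": "10.0.19045",
    "MoreInfoUrl": "https://intranet.example.com/windows-updates",
    "RemediationStrings": [ { "Language": "en_US", "Title": "Windows build is too old.",
      "Description": "Discovered version {ActualValue}; install the latest feature update." } ] }
] }
'@

# ---- Part 3: local dry run (not uploaded).
# Reports MISSING for a SettingName the script never emits and TYPE-MISMATCH when the
# value cannot be coerced to the declared DataType; both would otherwise show up only
# as an Error status across the whole assigned group.
function Test-ComplianceRules {
    param([string]$DiscoveryJson, [string]$RulesJson)
    $discovered = $DiscoveryJson | ConvertFrom-Json
    foreach ($rule in ($RulesJson | ConvertFrom-Json).Rules) {
        $prop = $discovered.PSObject.Properties[$rule.SettingName]
        if (-not $prop) {
            [pscustomobject]@{ Setting = $rule.SettingName; Result = 'MISSING'; Actual = $null }
            continue
        }
        try {
            # Coerce both sides to the declared type so comparisons are typed, not lexical
            # ("10.0.9" -ge "10.0.19045" is true as strings but false as [version]).
            switch ($rule.DataType) {
                'Boolean'  { $a = [System.Convert]::ToBoolean($prop.Value); $o = [System.Convert]::ToBoolean($rule.Operand) }
                'Int64'    { $a = [int64]$prop.Value;    $o = [int64]$rule.Operand }
                'Double'   { $a = [double]$prop.Value;   $o = [double]$rule.Operand }
                'Version'  { $a = [version]$prop.Value;  $o = [version]$rule.Operand }
                'DateTime' { $a = [datetime]$prop.Value; $o = [datetime]$rule.Operand }
                default    { $a = [string]$prop.Value;   $o = [string]$rule.Operand }
            }
        } catch {
            [pscustomobject]@{ Setting = $rule.SettingName; Result = 'TYPE-MISMATCH'; Actual = $prop.Value }
            continue
        }
        $pass = switch ($rule.Operator) {
            'IsEquals'      { $a -eq $o }
            'NotEquals'     { $a -ne $o }
            'GreaterThan'   { $a -gt $o }
            'GreaterEquals' { $a -ge $o }
            'LessThan'      { $a -lt $o }
            'LessEquals'    { $a -le $o }
            default         { $false }
        }
        [pscustomobject]@{ Setting = $rule.SettingName; Result = $(if ($pass) { 'PASS' } else { 'FAIL' }); Actual = $prop.Value }
    }
}

Test-ComplianceRules -DiscoveryJson (Get-DeviceSecurityState) -RulesJson $rulesJson | Format-Table -AutoSize
```

Run the whole file as an administrator on a reference machine: a FAIL row is expected on a machine that genuinely lacks the control, while MISSING or TYPE-MISMATCH rows point at a defect in the policy artifacts themselves and should be fixed before the policy is assigned. Note that the dry run mirrors the documented operator and data-type semantics but is not Intune's own evaluator, so it is a pre-flight check, not a guarantee.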
Monitoring Compliance Policies in Microsoft Intune
Monitoring compliance policies matters because it reveals which devices fail which settings, and why. The Intune admin center provides the Device compliance status dashboard, per-policy device compliance reports, and organization-wide compliance reports that break status down by setting, by policy, and by device, so a spike in NonCompliant or Error results after a policy change can be traced to a specific rule rather than guessed at.
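The dashboards above are fine for a glance, but a practitioner usually wants the same data as objects that can be filtered, joined, and scheduled. The following is an added example, not part of the original article and not Microsoft's own tooling: it pulls every device in a non-compliant state through the Microsoft Graph PowerShell SDK and flags devices that have not checked in recently, since a device that never syncs cannot re-evaluate the policy no matter what is changed. It assumes the Microsoft.Graph SDK (v2) is installed and that the signed-in administrator holds the DeviceManagementManagedDevices.Read.All permission; the seven-day staleness cutoff is an arbitrary choice.

```powershell
# Added example, not from the original article. Assumes the Microsoft.Graph PowerShell
# SDK (v2) is installed and the signed-in admin has DeviceManagementManagedDevices.Read.All.
Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.Read.All' -NoWelcome

$props = 'id', 'deviceName', 'userPrincipalName', 'operatingSystem', 'complianceState', 'lastSyncDateTime'

# Query each problem state with its own 'eq' filter; the three states call for different
# follow-up, and simple equality filters are the ones the Intune endpoints support reliably.
$devices = foreach ($state in 'noncompliant', 'inGracePeriod', 'error') {
    Get-MgDeviceManagementManagedDevice -All -Filter "complianceState eq '$state'" -Property $props
}

$staleCutoff = (Get-Date).AddDays(-7)   # arbitrary threshold for "has not checked in"
$report = $devices | ForEach-Object {
    [pscustomobject]@{
        Device   = $_.DeviceName
        User     = $_.UserPrincipalName
        OS       = $_.OperatingSystem
        State    = $_.ComplianceState
        LastSync = $_.LastSyncDateTime
        # A stale device will not re-evaluate the policy; chase the check-in before the setting.
        Stale    = ($_.LastSyncDateTime -lt $staleCutoff)
    }
}

# 'error' usually means the policy itself is broken (for example a custom compliance JSON and
# discovery script that disagree) rather than the device; 'inGracePeriod' devices will flip to
# noncompliant, and lose Conditional Access, when the configured schedule expires.
$report | Sort-Object State, LastSync | Format-Table -AutoSize
$report | Group-Object State | Select-Object Name, Count
```

A cluster of Error results that all share one policy, combined with otherwise healthy sync times, is the signature of a mistake in the policy artifacts rather than in the fleet, and is where to look first after a policy change.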