Microsoft Intune: Device Compliance Policy

Published on: September 9, 2023 | Reading Time: 2 min | Last Modified : September 9, 2023

Device Compliance Policies

Overview

Compliance policies allow Intune to mark devices as non-compliant when certain settings are incorrect.

Before a device is marked as non-compliant, it passes through an intermediate status called “grace period”. During this period the user can update iOS or correct one of the settings below and continue using the device until the grace period ends. Email notifications are sent to the user at the configured recurrence.

For this example, I have created 4 compliance policies. These policies are configured at:

- Intune Console > Device Compliance > Policies

|Type|Settings|Configured?|Policy Name|Actions|Include|
|---|---|---|---|---|---|
|System Security|Require a password to unlock mobile devices|Require|iOS_Compliance_Default|1. Mark device noncompliant after 5 days|All Users|
||Simple passwords|Block||||
||Minimum password length|6||||
||Required password type|Numeric||||
||Number of non-alphanumeric characters in password|Not Configured||||
||Maximum minutes after screen lock before password is required|15 Minutes||||
||Maximum minutes of inactivity until screen locks|||||
||Password expiration (days)|180||||
||Number of previous passwords to prevent reuse|5||||
|Device Health|Jailbroken devices|Block|iOS_Compliance_Jailbroken|1. Mark device noncompliant immediately|All Users|
||Require the device to be at or under the Device Threat Level|Not Configured||||
|Email|Require mobile devices to have a managed email profile|Require|iOS_Compliance_Managed_Mail|1. Mark device noncompliant after 7 days 2. Notification template: iOS_Mailprofile noncompliance|All Users|
|Device Properties|Minimum OS version|15.3.1|iOS_Compliance_OSVersion_iOS14_Devices|1. Mark device noncompliant after 21 days 2. Notification template: mail notification 7, 14 and 20 days before marking as noncompliant|All Users|
||Maximum OS version|||||
||Minimum OS build version|||||
||Maximum OS build version|||||
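To see how the grace periods in the table play out over time, here is a simplified model of the four policies. It is an added example, not code from the original post or from Intune itself. The device field names, the `failing_since` tracking and the reading of the reminder days as days after the failure is detected are assumptions.

```python
from datetime import datetime, timedelta

def _ver(v):
    """'15.3.1' -> (15, 3, 1) so versions compare numerically, not as text."""
    return tuple(int(p) for p in v.split("."))

# The four policies from the table: name -> (grace days, compliance check).
# Device field names are hypothetical; only a subset of settings is modelled.
POLICIES = {
    "iOS_Compliance_Default": (5, lambda d: d["passcode_set"]
        and not d["simple_passcode"] and d["passcode_length"] >= 6),
    "iOS_Compliance_Jailbroken": (0, lambda d: not d["jailbroken"]),
    "iOS_Compliance_Managed_Mail": (7, lambda d: d["managed_mail_profile"]),
    "iOS_Compliance_OSVersion_iOS14_Devices": (
        21, lambda d: _ver(d["os_version"]) >= _ver("15.3.1")),
}
OS_REMINDER_DAYS = (7, 14, 20)  # assumed: days after the failure is detected

# Constructed sample device: everything in order except an outdated OS.
SAMPLE = {"passcode_set": True, "simple_passcode": False, "passcode_length": 6,
          "jailbroken": False, "managed_mail_profile": True, "os_version": "14.8"}

def evaluate(device, failing_since, now):
    """Return {policy: status}. failing_since maps a policy name to the
    datetime its check was first seen failing (assumed tracking field)."""
    result = {}
    for name, (grace_days, check) in POLICIES.items():
        if check(device):
            result[name] = "compliant"
        elif now < failing_since[name] + timedelta(days=grace_days):
            result[name] = "in grace period"
        else:
            result[name] = "noncompliant"
    return result

def overall(statuses):
    """The most severe per-policy status becomes the device status."""
    for s in ("noncompliant", "in grace period"):
        if s in statuses.values():
            return s
    return "compliant"

def reminders_due(failing_since, now):
    """Reminder days for the OS version policy that have been reached."""
    elapsed = (now - failing_since).days
    return [d for d in OS_REMINDER_DAYS if elapsed >= d]

if __name__ == "__main__":
    t0 = datetime(2023, 9, 1)  # constructed detection date
    fs = {"iOS_Compliance_OSVersion_iOS14_Devices": t0}
    for day in (0, 15, 21):
        print(day, overall(evaluate(SAMPLE, fs, t0 + timedelta(days=day))))
```

A grace period of 0 days, as on the jailbreak policy, means the device goes straight to noncompliant with no window to remediate.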
