Last Updated on December 2, 2018 by Dishan M. Francis
In my previous posts I explained how we can add devices to Intune and how we can push applications to them. This is another blog post in the same category, and here I am going to talk about managing device compliance using Microsoft Intune.
In an infrastructure, we know how a trusted device should look, and we use different tools and services to make sure devices do. As a simple example, most organizations use group policies to make sure the firewall and Windows updates are up and running. But now it is hard to define infrastructure boundaries, as many people use the same device for work and personal tasks, and more and more people are working remotely, so administrators are losing control over devices. With Microsoft Intune we can easily define compliance policies and detect devices which are not meeting infrastructure requirements. It is similar to how Network Policy Server works in a BYOD environment.
In this demo I am going to create a compliance policy to detect devices which don't have the firewall and antivirus services running. Once it detects one, it should also send a notification to the IT department so they are aware that a non-compliant device is on the network.
1. To start, log in to the Azure portal as a Global administrator.
2. Then go to All Services | Intune | Devices.
3. Under Devices I can see my demo device is in a healthy state.
4. First, we need to create a device group so I can target it with the policy. To do that, go to the Intune home page and click on Groups.
5. Then click on New Group.
6. Then create the new security group containing the demo device.
7. As the next step, we need to create a notification. This is the email template that we are going to fire when the policy detects a non-compliant device. To do that, go to the Intune home page, then Device compliance | Notifications | Create notification.
8. Then create the template with the relevant data.
9. Now we have everything ready for the policy. To start, click on Policies | Create Policy.
10. In the next window, type the policy name and select the platform. In my demo it is going to be for Windows 10 devices.
11. Then click on Settings | System Security and set Require for Firewall, Antivirus, Antispyware and Defender.
12. Next, click on Actions for noncompliance | Add and select the action Send email to end user. Under Message template, select the new notification we created.
13. The above will only send the notification to the global admin account that I am using to set up this policy. I also need to send notifications to the IT department. To do that, click on Additional recipient and select the IT distribution group.
14. After all settings are in place, click on Create.
15. Once the policy is in place, click on it and then click on Assignments.
16. Then select the device group we created in the beginning. This will be the target for the policy.
17. Now it is time for testing. I went to my demo PC and turned off the firewall.
18. Then go to Intune | Devices | All Devices and click on the demo device.
19. In the new window, click on Sync; this forces a check-in and speeds up the policy evaluation.
20. Then, after a few minutes, I go to the new policy and click on Overview. There I can see that 1 device is detected.
21. If I go into the details I can see the device is non-compliant with the new policy, and it is flagged because it is not running the firewall service.
22. As expected, it sent the email notification to the IT department as well.
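The same policy as the steps above, built through Microsoft Graph instead of the portal. This is an added example, not code from the original post; it assumes the Microsoft.Graph.Authentication module, that the notification template and the two groups already exist (their IDs are placeholders), and that the Graph beta property names used here correspond to the portal settings.

```powershell
# Added example (not from the post): the compliance policy from the steps above, created with Microsoft Graph.
# Assumptions: Microsoft.Graph.Authentication is installed; the notification template and both groups
# already exist (placeholder IDs below); property names follow the Graph beta windows10CompliancePolicy resource.
Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All"

$templateId    = "<notification-template-id>"   # step 7/8: Device compliance > Notifications
$itGroupId     = "<it-distribution-group-id>"   # step 13: additional recipient
$deviceGroupId = "<demo-device-group-id>"       # steps 4-6 / 16: assignment target

$policy = @{
    "@odata.type"          = "#microsoft.graph.windows10CompliancePolicy"
    displayName            = "Win10 - Security services required"
    description            = "Firewall, antivirus, antispyware and Defender must be running"
    activeFirewallRequired = $true   # step 11: Firewall = Require
    antivirusRequired      = $true   # step 11: Antivirus = Require
    antiSpywareRequired    = $true   # step 11: Antispyware = Require
    defenderEnabled        = $true   # step 11: Defender = Require
    scheduledActionsForRule = @(
        @{
            ruleName = "PasswordRequired"   # fixed name Graph uses for the default rule set
            scheduledActionConfigurations = @(
                # default action: mark the device noncompliant immediately (0 h grace period)
                @{ actionType = "block"; gracePeriodHours = 0 }
                # step 12/13: e-mail the end user with the template, CC the IT group
                @{ actionType                = "notification"
                   gracePeriodHours          = 0
                   notificationTemplateId    = $templateId
                   notificationMessageCCList = @($itGroupId) }
            )
        }
    )
}

$created = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/beta/deviceManagement/deviceCompliancePolicies" `
    -Body ($policy | ConvertTo-Json -Depth 10) -ContentType "application/json"

# step 15/16: assign the policy to the demo device group
$assign = @{ assignments = @(
    @{ target = @{ "@odata.type" = "#microsoft.graph.groupAssignmentTarget"; groupId = $deviceGroupId } }
) }
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/beta/deviceManagement/deviceCompliancePolicies/$($created.id)/assign" `
    -Body ($assign | ConvertTo-Json -Depth 10) -ContentType "application/json"
Write-Host "Created policy $($created.id) and assigned it to group $deviceGroupId"
```

After the device syncs, the policy's Overview shows the non-compliant count exactly as in step 20.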
As we can see, it does the job. It is easy to set up and easy to detect non-compliant devices. This marks the end of this blog post. If you have any further questions, feel free to contact me at email@example.com, and follow me on Twitter @rebeladm to get updates about new blog posts.
- Sign in to the Microsoft Intune admin center.
- Select Devices > Compliance policies > Policies > Create Policy.
- Select a Platform for this policy from the following options: ...
- On the Basics tab, specify a Name that helps you identify them later.
You can view details about a device's compliance with the validity period setting. Sign in to the Microsoft Intune admin center and go to Devices > Monitor > Setting compliance. This setting has the name Is active in the Setting column.

What is an Intune device compliance policy?
Intune compliance policies for devices help protect company data; the organization needs to ensure that the devices used to access company apps and data comply with certain rules.

What are the top 3 best practices when implementing Intune?
- Simplify access management by using Azure AD groups. ...
- Apply Mobile Application Management (MAM) regulations to apps. ...
- Leverage the Intune Company Portal mobile app. ...
- Bring Microsoft Defender ATP into use. ...
- Keep track of performance using reports. ...
- Set up conditional access.
| Platform | Refresh cycle |
| --- | --- |
| iOS | Every 15 minutes for 6 hours, and then every 6 hours |
| Mac OS X | Every 15 minutes for 6 hours, and then every 6 hours |
| Android | Every 3 minutes for 15 minutes, then every 15 minutes for 2 hours, and then every 8 hours |
If your device is compliant, then it is granted access. Non-compliant devices are not granted access. You can also monitor device compliance and troubleshoot compliance-related issues in Intune by going to Devices > Overview > Compliance status.

What happens if a device is not compliant in Intune?
The result of this default is that when Intune detects a device isn't compliant, Intune immediately marks the device as noncompliant. After a device is marked as noncompliant, Azure Active Directory (AD) Conditional Access can block the device.

How do I check my TPM status in Intune?
To identify the category of a device encryption failure, sign in to the Microsoft Intune admin center and select Devices > Monitor > Encryption report. The report shows a list of enrolled devices, whether each device is encrypted or ready to be encrypted, and whether it has a TPM chip.

How do I check my device compliance in SCCM?
- In the Configuration Manager console, click Monitoring > Deployments.
- In the Deployments list, select the configuration baseline deployment for which you want to review compliance information.
Before you can add custom settings to a policy, you'll need to prepare a JSON file, and a detection script for use with each supported platform. Both the script and JSON become part of the compliance policy.
Currently, Intune supports only the encryption check with BitLocker. For a more robust encryption setting, consider using Require BitLocker, which leverages Windows Device Health Attestation to validate BitLocker status at the TPM level.

What is a requirement for all devices using Microsoft Intune?
Intune requires Android 8.x or higher for device enrollment scenarios and app configuration delivered through Managed devices app configuration policies. This requirement does not apply to Microsoft Teams Android devices, as these devices will continue to be supported.

What is the difference between MDM and MAM in Intune?
As you can see from the definitions above, the simple difference between MDM and MAM is that MDM is about control of devices like tablets and smartphones, whereas MAM is about controlling specific corporate applications and their data.

What are the five phases in the Microsoft Intune application lifecycle?
- Add. The first step in app deployment is to add the apps, which you want to manage and assign, to Intune. ...
- Deploy. ...
- Configure. ...
- Protect. ...
- Retire. ...
Microsoft Intune is a cloud-based mobile device management (MDM) solution that helps you manage and secure endpoints. It offers many features to simplify access, including: Single sign-on (SSO) to corporate resources - no need to remember multiple passwords.

How do I fix non-compliant devices in Intune?
- Please create a new compliance policy and the settings in the policy are same as the old one.
- Create a new group and add just a user in the group.
- Add the new user group in the new compliance policy's assignments.
- Please use the user to log in to the device which shows "Not compliant".
- Sign in to the Microsoft Intune admin center.
- Select Devices > Compliance policies > Policies, select one of your policies, and then select Properties. ...
- Select Actions for noncompliance > Add.
- Select your Action:
Sign in to the Azure portal as a Conditional Access Administrator, Security Administrator, or Global Administrator. Browse to Azure Active Directory > Security > Conditional Access. Select New policy. Give your policy a name.

What 2 items do you need to create a custom compliance policy?
Introducing custom compliance settings
Those settings rely on a JSON file and a PowerShell script that must be uploaded to Microsoft Intune. The PowerShell script is used to detect a specific configuration, and the JSON file is used to define the actual rule that is evaluated against the script's output.
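A concrete custom compliance pair for the firewall and antivirus checks discussed on this page, covering both the JSON-plus-script preparation described earlier and the rule/detection split just above: the PowerShell discovery script that runs on the device, with the matching JSON rule shown in its comments. This is an added example, not from the page; the setting names, the URL and the use of the firewall and Defender cmdlets as the source of truth are my assumptions.

```powershell
# Added example (not from the page): discovery script for an Intune custom compliance setting.
# It runs on the Windows device and must return a single compressed JSON object whose keys
# match the SettingName values in the rule file. Setting names and URLs here are assumptions.
$profiles = Get-NetFirewallProfile          # Domain, Private and Public profiles
$mp       = Get-MpComputerStatus            # Microsoft Defender status on this device

$result = [ordered]@{
    # true only when every firewall profile is enabled (a single disabled profile fails it)
    AllFirewallProfilesEnabled = @($profiles | Where-Object { -not $_.Enabled }).Count -eq 0
    AntivirusEnabled           = [bool]$mp.AntivirusEnabled
    AntispywareEnabled         = [bool]$mp.AntispywareEnabled
    RealTimeProtectionEnabled  = [bool]$mp.RealTimeProtectionEnabled
}
return $result | ConvertTo-Json -Compress

# Matching rule file (save as JSON and upload with the compliance policy); one rule per key,
# the firewall rule is shown. {ActualValue} is replaced with the discovered value.
# {
#   "Rules": [
#     {
#       "SettingName": "AllFirewallProfilesEnabled",
#       "Operator": "IsEquals",
#       "DataType": "Boolean",
#       "Operand": true,
#       "MoreInfoUrl": "https://example.com/firewall-help",
#       "RemediationStrings": [
#         { "Language": "en_US",
#           "Title": "Firewall must be enabled on all profiles (discovered: {ActualValue}).",
#           "Description": "Turn the firewall back on for the Domain, Private and Public profiles." }
#       ]
#     }
#   ]
# }
```

With the firewall switched off on one profile, the script reports AllFirewallProfilesEnabled as false and the rule marks the device non-compliant, the same outcome as the built-in Firewall setting in the post above.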