As we saw in our previous blogs, Microsoft Intune simplifies BYOD and mobile device management. Intune manages personal devices in a corporate environment, giving employees access to corporate resources from their own mobile devices and mobile apps, while helping to keep corporate data secure. Today we will see how an IT administrator can create a corporate security compliance policy from the management console and apply it to enrolled devices.
Compliance Policy:
A compliance policy is a set of rules and settings that a device must satisfy in order to be considered compliant by conditional access policies, or in order to register with Intune. Only after the policy has been applied can devices access corporate resources.
Creation of compliance policy:
To create an Intune compliance policy, follow the steps below:
- Go to the Azure Portal (https://portal.azure.com) and sign in with your global administrator credentials.
- Go to the Intune blade and select “Device compliance” under the Manage tab.
- In Device compliance, go to “Policies” and select the “Create Policy” option.
- In the Create Policy section, enter a name for the policy (for example by location, device type, department or country) and provide a description.
- Select the platform (Android, iOS, macOS or Windows), then select the settings that end-user devices must meet from the “Settings” tab.
- In the “Actions for non-compliance” tab, add “Mark device non-compliant” with the schedule set to immediately.
The settings are grouped into three categories (Device Health, Device Properties and System Security); you build the compliance policy by selecting the options you need from each.
The best use case for an Android compliance policy is to require at least a minimum OS version (shown in the screenshot below).
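To make the evaluation concrete, here is an added Python model (not Intune's code) of how a policy built from the three categories is applied to enrolled Android devices and rolled up into the compliant/non-compliant counts the console shows. The rule names and sample devices are assumed illustrations; note that OS versions are compared numerically, so "10" correctly ranks above "8.1.0".

```python
"""Illustrative model of an Intune-style Android compliance policy.

Added example, not Microsoft's implementation. The four rules below are
assumed samples of settings from the Device Health, Device Properties and
System Security categories; the devices are constructed test data.
"""
from __future__ import annotations
from dataclasses import dataclass


def parse_version(text: str) -> tuple:
    """Numeric version tuple, trailing zeros dropped so "8.1.0" == "8.1"."""
    parts = [int(p) for p in text.split(".")]
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


@dataclass
class AndroidPolicy:
    min_os_version: str = "8.0"      # Device Properties
    block_rooted: bool = True        # Device Health
    require_password: bool = True    # System Security
    require_encryption: bool = True  # System Security


@dataclass
class Device:
    user: str
    os_version: str
    rooted: bool = False
    has_password: bool = True
    encrypted: bool = True


def evaluate(device: Device, policy: AndroidPolicy) -> list[str]:
    """Return the rules the device fails; an empty list means compliant."""
    failures = []
    if parse_version(device.os_version) < parse_version(policy.min_os_version):
        failures.append("os_version_below_minimum")
    if policy.block_rooted and device.rooted:
        failures.append("device_rooted")
    if policy.require_password and not device.has_password:
        failures.append("no_unlock_password")
    if policy.require_encryption and not device.encrypted:
        failures.append("storage_not_encrypted")
    return failures


def overview(devices: list[Device], policy: AndroidPolicy) -> dict:
    """Counts as shown on the policy Overview tab."""
    counts = {"compliant": 0, "non_compliant": 0}
    for d in devices:
        counts["non_compliant" if evaluate(d, policy) else "compliant"] += 1
    return counts


# Constructed sample fleet: one compliant device, two non-compliant ones.
SAMPLE_DEVICES = [
    Device("alice", "10"),
    Device("bob", "7.1.2", rooted=True),
    Device("carol", "8.1", has_password=False, encrypted=False),
]
```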
Policy Assignment:
To assign the device compliance policy, follow the steps below:
- Go to Device compliance, go to “Policies” and select the policy you created.
- Go to the “Assignments” tab.
- Choose the “Select groups to include” option.
Note: only a mail-enabled security group can be selected as the target group.
Once the group is selected, the policy is applied to the devices of the users in that group who use the Intune Company Portal.
Compliance Monitoring:
- Go to Device compliance > Policies and select the policy you created.
- Select the “Overview” tab.
- Here you get the exact count of devices or users whose devices are compliant or non-compliant.
Working methodology:
When a user enrols his own device in Intune, the Azure AD device registration process starts in the background and updates the device attributes in Azure AD. The resulting compliance status is used by conditional access policies to block or allow access to corporate e-mail and other resources.
Every device is in one of the following states, each with a severity:

| Status | Severity |
|---|---|
| Pending | 1 |
| Succeeded | 2 |
| Failed | 3 |
| Error | 4 |