COMPLIANCE POLICIES IN INTUNE
This course will provide you with a solid understanding of compliance policies and where they fit into Microsoft 365. You'll also have the chance to watch a guided demonstration showing you how to create a Compliance Policy in Microsoft Intune.
- Learn the basics of compliance policies in Microsoft 365
- Gain an understanding of Compliance Policy Settings and Device Compliance Policies
- Learn how to integrate compliance policies and conditional access
- Learn how to create a compliance policy in Endpoint Security within the Microsoft Endpoint Manager admin center
This quick-hitting course is intended for those who wish to learn about using Compliance Policies in Microsoft 365.
To get the most out of this course, it would be beneficial to have a basic understanding of compliance in general, as well as some basic experience using Microsoft 365.
Hello, and welcome to Compliance Policy Settings.
As I mentioned earlier, Compliance policy settings are tenant-wide settings that establish a baseline for how compliance policy will function in your Intune environment. Compliance policy settings are separate from the settings that you define within a specific device compliance policy.
You use the Microsoft Endpoint Manager admin center to manage your compliance policy settings.
More specifically, you sign in to the Microsoft Endpoint Manager admin center by visiting https://endpoint.microsoft.com, and then you browse to Endpoint security > Device compliance > Compliance policy settings.
Notice in the screenshot that Compliance policy settings include several options.
The first setting, Mark devices with no compliance policy assigned as, determines how Intune should treat devices that haven't yet been assigned a device compliance policy. You have two options here. You can choose Compliant, or Not Compliant. Compliant is the default selection. This means that devices that haven’t yet been sent a device compliance policy would be considered compliant. The Not compliant option results in devices that haven’t received a device compliance policy being considered noncompliant.
The real significance here is that if you plan to integrate Conditional Access with your device compliance policies, you'd want to set this option to Not compliant. Doing so would ensure that only those devices that are confirmed as compliant can access your resources via Conditional Access. Otherwise, if you leave it set to its default state, devices that really are non-compliant could still access resources, because they are listed as compliant only because they haven't received a compliance policy yet. This would sort of defeat the point of the integration.
The Enhanced jailbreak detection option only applies to iOS and iPadOS devices, and it only works with devices that you target with a device compliance policy that blocks jailbroken devices.
You can either Enable this setting or Disable it. This setting is Disabled by default, meaning it's turned off. When it's turned off, the setting has no effect on devices that receive a device compliance policy that blocks jailbroken devices. When it's turned on, or enabled, devices that receive a device compliance policy that blocks jailbroken devices will use Enhanced jailbreak detection.
When you enable enhanced jailbreak detection on an iOS or iPadOS device, a few things happen. Location services get enabled at the OS level, AND the OS always allows the Company Portal to use location services on the device. Location services are also used to trigger jailbreak detection more frequently in the background.
Now, all that said, the one thing that doesn't happen is that user location data never gets stored by Intune.
I should mention that on devices running iOS 13 or higher, enhanced jailbreak detection requires users to select “Always Allow” when they are prompted by the device to continue allowing Company Portal to use their location in the background.
The Compliance status validity period that you see here allows you to specify a period, in days, during which devices must report all their received compliance policies. Devices that fail to report their compliance status prior to the expiration of the validity period get treated as noncompliant.
The default validity period is 30 days, but this can be changed to anything between 1 and 120 days.
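The following added example (not part of the course, and not Intune's own code) models how the three tenant-wide settings change a device's effective compliance status, and audits them the way a defender would before wiring compliance into Conditional Access. The dictionary key names are assumptions chosen for this example, and the device records are constructed sample data.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample of the three tenant-wide settings the lecture describes.
# Key names are assumptions for this example; values are the documented defaults.
SAMPLE_SETTINGS = {
    "mark_unassigned_as_not_compliant": False,  # "Mark devices with no compliance policy assigned as": default is Compliant
    "enhanced_jailbreak_detection": False,      # Enhanced jailbreak detection: Disabled by default
    "validity_period_days": 30,                 # Compliance status validity period: default 30, allowed 1-120
}


def effective_compliance(device, settings, now):
    """Return 'compliant' or 'noncompliant' for one device using the tenant-wide rules:
    a device with no policy assigned takes the 'mark as' default, and a device whose
    last compliance report is older than the validity period is treated as noncompliant."""
    if not device["has_policy_assigned"]:
        return "noncompliant" if settings["mark_unassigned_as_not_compliant"] else "compliant"
    threshold = timedelta(days=settings["validity_period_days"])
    last_report = device["last_report"]
    if last_report is None or now - last_report > threshold:
        return "noncompliant"  # failed to report within the validity period
    return "compliant" if device["policy_result"] == "compliant" else "noncompliant"


def audit_settings(settings, conditional_access_requires_compliance):
    """Flag tenant-wide settings that weaken a Conditional Access integration."""
    findings = []
    days = settings["validity_period_days"]
    if not 1 <= days <= 120:
        findings.append(f"validity period of {days} days is outside the allowed range of 1-120")
    if conditional_access_requires_compliance and not settings["mark_unassigned_as_not_compliant"]:
        findings.append("devices with no compliance policy are marked Compliant, so Conditional Access "
                        "grants them access; set 'Mark devices with no compliance policy assigned as' "
                        "to Not compliant")
    if days > 30:
        findings.append(f"validity period of {days} days exceeds the 30-day default; devices that stop "
                        "reporting keep a compliant status longer")
    return findings


if __name__ == "__main__":
    now = datetime(2024, 1, 31, tzinfo=timezone.utc)
    unassigned = {"has_policy_assigned": False, "last_report": None, "policy_result": None}
    print(effective_compliance(unassigned, SAMPLE_SETTINGS, now))
    for finding in audit_settings(SAMPLE_SETTINGS, conditional_access_requires_compliance=True):
        print("finding:", finding)
```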
So, the key takeaway here is that Compliance policy settings are tenant-wide settings that establish a baseline for how compliance policy will function in your Intune environment. These Compliance policy settings are separate and distinct from the settings that you define within a specific device compliance policy, and they include Mark devices with no compliance policy assigned as, Enhanced jailbreak detection, and Compliance status validity period.
Tom is a 25+ year veteran of the IT industry, having worked in environments as large as 40k seats and as small as 50 seats. Throughout the course of a long and interesting career, he has built an in-depth skillset that spans numerous IT disciplines. Tom has designed and architected small, large, and global IT solutions.
In addition to the Cloud Platform and Infrastructure MCSE certification, Tom also carries several other Microsoft certifications. His ability to see things from a strategic perspective allows Tom to architect solutions that closely align with business needs.
In his spare time, Tom enjoys camping, fishing, and playing poker.