Intune compliance policies are a convenient way to check whether your managed devices meet the requirements you have defined. For example, if you want all your machines to be encrypted, a compliance policy can verify that this is actually enforced.
Example of an Intune Compliance Policy
The compliance policy we are going to create is the one for encryption. After that we create a Conditional Access policy that only grants access to compliant machines.
Let's create the compliance policy that checks whether machines are compliant.
1. Log on to https://devicemanagement.microsoft.com/
2. Go to “Devices” and after that go to Compliance policies:
3. Click on create policy:
4. Fill in a name and choose the correct platform. After that, enable “Require BitLocker”.
5. The policy is now created. The last step is to assign the policy to the devices that you want to check for compliance:
Conditional Access policy configuration
This is the configuration of the Conditional Access policy, and it is pretty straightforward.
It applies to all cloud apps, and the only way to access them is with a compliant device AND multi-factor authentication.
From the Endpoint Manager portal, go to Endpoint security and then to Conditional Access:
Create a new policy:
Enter a name for the policy and assign users to it. NOTE: assign a test user first. It is possible to lock yourself out!
I have selected All cloud apps:
Finally we set the Access Controls:
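The two policies from the walkthrough above (the BitLocker compliance policy with its assignment, and the Conditional Access policy requiring a compliant device AND MFA), created through Microsoft Graph with the Microsoft.Graph PowerShell SDK so the settings are reviewable as code. This is an added example, not code from the original post; it assumes the SDK is installed, that the signed-in account has consented to the two scopes requested, and that the group and user object IDs (placeholders) are replaced with your own. It also follows the note above literally: the Conditional Access policy targets only a test user and starts in report-only mode.

```powershell
Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All","Policy.ReadWrite.ConditionalAccess"

$pilotDeviceGroupId = "<device-group-object-id>"   # placeholder: group of devices to check
$testUserId         = "<test-user-object-id>"      # placeholder: the test user from the note above

# 1) Windows compliance policy with "Require BitLocker" (bitLockerEnabled).
#    Graph requires at least one non-compliance action; here the device is
#    marked non-compliant immediately (grace period 0 hours).
$compliance = @{
    "@odata.type"    = "#microsoft.graph.windows10CompliancePolicy"
    displayName      = "Require BitLocker"
    bitLockerEnabled = $true
    scheduledActionsForRule = @(@{
        ruleName = "PasswordRequired"
        scheduledActionConfigurations = @(@{ actionType = "block"; gracePeriodHours = 0 })
    })
}
$policy = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies" `
    -Body ($compliance | ConvertTo-Json -Depth 10) -ContentType "application/json"

# Assign the policy to the pilot device group (step 5 of the walkthrough).
$assign = @{ assignments = @(@{ target = @{
    "@odata.type" = "#microsoft.graph.groupAssignmentTarget"; groupId = $pilotDeviceGroupId } }) }
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies/$($policy.id)/assign" `
    -Body ($assign | ConvertTo-Json -Depth 10) -ContentType "application/json"

# 2) Conditional Access: all cloud apps, grant only with compliant device AND MFA.
#    Report-only mode shows the outcome in the sign-in logs without blocking anyone;
#    change state to "enabled" once the test user's sign-ins look as expected.
$ca = @{
    displayName = "Require compliant device and MFA for all cloud apps"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeUsers = @($testUserId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{ operator = "AND"; builtInControls = @("compliantDevice", "mfa") }
}
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies" `
    -Body ($ca | ConvertTo-Json -Depth 10) -ContentType "application/json"
```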
Compliance Policy check
It is now time to check whether the policy has been applied. Go to Devices in the Intune management portal and search for the device on which you applied the compliance policy.
Here you see that the encryption policy has been applied and that the device is compliant. You can also click on the policy to check the details:
Finally, this is what you will see when you access the cloud app from a non-compliant machine:
In my honest opinion this should be the baseline for every company, because it actually ensures that company data is only accessed from company-owned devices. Furthermore, I would require that devices be patched to a certain level to get access to your organisation.
Finally, this is just a basic example. If you need help configuring a more complex compliance/Conditional Access setup, feel free to contact me!