Intune Compliancy Policies

Intune compliancy policies are nice way to check whether your managed devices are compliant with the policies you have made. For example; you want all your machines to be encrypted, it is possible to check this is enforced through a compliance policy.

Example for an Intune Compliancy Policy

The compliancy policy that we are going to create is the compliancy for encryption. After that we create a conditional access policy which only allows compliant machines access.

Let’s create the compliance policy which checks compliant machines.

1. Log on to https://devicemanagement.microsoft.com/

2. Go to “Devices” and after that go to Compliance policies:

3. Click on create policy:

4. Fill in a name and choose the correct platform. After that enable “Require Bitlocker”.

5. The policy is now created. The last step is to assign the policy to the devices that you want to check for compliancy:

Conditional Access policy configuration

This is the configuration of the Conditional Access policy and it is pretty straightforward.

It applies to all Apps and the only way to access these Apps is to have a compliant device AND use multi factor authentication.

Go to (from the Endpoint Manager portal) Endpoint security and after that to Conditional Access:

This image has an empty alt attribute; its file name is image-30.png

Create a new policy:

This image has an empty alt attribute; its file name is image-31-1024x228.png

Enter a name to the policy and assign users to the policy. NOTE: please assign a test user first. It is possible to lock yourself out!

This image has an empty alt attribute; its file name is image-32.png

I have selected All cloud apps:

This image has an empty alt attribute; its file name is image-34.png

Finally we set the Access Controls:

This image has an empty alt attribute; its file name is image-35.png

Compliancy Policy check

It is now time to check if the policy has applied. Go to the device in the Intune management portal and search for the device on which you applied the compliancy policy.

Here you see that the encryption policy has applied and that the device is compliant. In addition you can click on the policy to check the details:

Finally, this is what you will see when you access the cloud app from a non compliant machine:

This image has an empty alt attribute; its file name is image-22.png

In honest opinion this should be the baseline for all company because this actually ensures that company data is only accessed from company owned devices. Furthermore I would require that the devices need to patched to a certain to get access to your organisation.

Finally, this is just a basic example. If you need help configuring a complex Compliancy/Conditional Access configuration feel free to contact me!

Leave a Comment