Let’s discuss planning and designing an Intune Compliance Policy for Android Devices. This post will provide more details about planning and implementing the policy.
Intune compliance policies are the first step of the protection before giving access to corporate apps and data. Planning and designing compliance policies for Android devices is essential as Android is more vulnerable than other operating systems.
Compliance rules might include requiring a password/PIN to unlock the device and encrypting the data stored on it. A set of such rules is called a compliance policy. The best option is to pair the compliance policy with Azure AD Conditional Access, so that only compliant devices are granted access.
Update: if you use or support Android for Work enrollment, create the compliance policy for the Android for Work platform instead. Otherwise, when the compliance policy evaluates those devices, it reports that the policy does not apply to Android for Work-enrolled devices.
- Create Intune Compliance Policy for Windows 365 Cloud PC and AVD
- How to Setup Intune Compliance Policy for iOS Devices
How to Setup Intune Compliance Policies for Android
This video guide shows you how to set up Intune compliance policies for Android devices. It provides easy-to-follow instructions for creating policies that ensure your devices meet security standards before accessing company apps and data.
How to Setup Windows 10 Device Compliance Policy – How to Plan Design Intune Compliance Policy for Android Devices
Sign in to the Endpoint Manager portal with an Intune admin account. Select More services, enter Intune in the text box, and press Enter.
- Select Intune – Device Compliance – Compliance – Policies, then click the +Create policy button to create a new compliance policy. Select the platform “Android”.
- The settings configuration is the significant part of a compliance policy. The Azure portal Android compliance policies have received some improvements, and the settings are grouped into three categories: Device Health, Device Properties, and System Security.
- Device Health is where the compliance engine checks whether an Android device should be reported as compliant. The device health attestation service has many checks, including TPM 2.0 and BitLocker encryption.
- Device Properties is where Intune Admins define minimum and maximum versions of operating system details for corporate application access. I would keep the minimum version as Android version 6 wherever possible.
- Operating System Version
- Minimum Android OS version
- Maximum Android OS version
- System Security is the setting where Intune Admins define password policies for Windows devices. These settings have three sections: Password, Encryption, and Device Security.
Password Compliance Policy for Android – I would require a complex alphanumeric password on Android devices and configure all of the settings below.

| Password Compliance Policy for Android |
|---|
| Require a password to unlock mobile devices |
| Minimum password length |
| Required password type |
| Maximum minutes of inactivity before the password is required |
| Password expiration (days) |
| Number of previous passwords to prevent reuse |
Encryption Compliance Policy for Android – Encryption should be a must in your Android compliance policy:
- Encryption of data storage on the device

Device Security Compliance Policy for Android – Block apps from unknown sources and block USB debugging on Android devices. These settings are essential and should be enabled:
- Block apps from unknown sources
- Require threat scan on apps
- Block USB debugging on the device
- Minimum security patch level
Deploy the Android compliance policy to a dynamic device group that contains all Android devices (Update: device groups are not supported for compliance policies; hence, use user groups for Intune compliance policies). Click Assignments and select the dynamic device group. I would use AAD dynamic device groups rather than AAD user groups to deploy compliance policies.
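The same policy can be created and assigned from PowerShell through Microsoft Graph, which is useful when you need the baseline to be repeatable across tenants. The following is an added example and not part of the original post or of any Microsoft sample: it builds the Android (device administrator) compliance policy with the Device Health, Device Properties, password, encryption and device security settings discussed above, assigns it to one group, and then lists Android devices that currently evaluate as noncompliant. The group object id, display name, patch-level date and threshold values are placeholders chosen for illustration; the property names are those of the Graph `androidCompliancePolicy` resource (for Android for Work devices the `androidWorkProfileCompliancePolicy` type is used instead).

```powershell
# Added example (not from the original post): create and assign an Android compliance
# policy via Microsoft Graph. Requires the Microsoft.Graph PowerShell SDK.
#Requires -Modules Microsoft.Graph.Authentication

Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All", "DeviceManagementManagedDevices.Read.All"

# Placeholder: object id of the dynamic device group holding your Android devices
$targetGroupId = "<ANDROID-DEVICES-GROUP-OBJECT-ID>"

$policy = @{
    "@odata.type" = "#microsoft.graph.androidCompliancePolicy"
    displayName   = "Android - Corporate Compliance Baseline"   # placeholder name
    description   = "Password, encryption and device security baseline for Android"

    # Device Health: rooted devices are reported noncompliant
    securityBlockJailbrokenDevices = $true

    # Device Properties: minimum OS version (Android 6, as recommended above)
    osMinimumVersion = "6.0"

    # System Security - Password (values are illustrative thresholds)
    passwordRequired                      = $true
    passwordRequiredType                  = "alphanumeric"
    passwordMinimumLength                 = 8
    passwordMinutesOfInactivityBeforeLock = 5
    passwordExpirationDays                = 90
    passwordPreviousPasswordBlockCount    = 5

    # System Security - Encryption
    storageRequireEncryption = $true

    # System Security - Device Security
    securityPreventInstallAppsFromUnknownSources = $true   # Block apps from unknown sources
    securityRequireVerifyApps                    = $true   # Require threat scan on apps
    securityDisableUsbDebugging                  = $true   # Block USB debugging
    minAndroidSecurityPatchLevel                 = "2023-01-01"   # placeholder date

    # Graph rejects a compliance policy that has no scheduled action; this one marks
    # the device noncompliant immediately (grace period of 0 hours).
    scheduledActionsForRule = @(
        @{
            ruleName = "PasswordRequired"
            scheduledActionConfigurations = @(
                @{
                    actionType                = "block"
                    gracePeriodHours          = 0
                    notificationTemplateId    = ""
                    notificationMessageCCList = @()
                }
            )
        }
    )
}

# Create the policy
$created = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies" `
    -Body $policy -ContentType "application/json"
Write-Host "Created compliance policy $($created.id)"

# Assign the policy to the target group
$assignment = @{
    assignments = @(
        @{
            target = @{
                "@odata.type" = "#microsoft.graph.groupAssignmentTarget"
                groupId       = $targetGroupId
            }
        }
    )
}
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies/$($created.id)/assign" `
    -Body $assignment -ContentType "application/json"

# Verification after devices have synced: Android devices currently evaluating as noncompliant
$uri = "https://graph.microsoft.com/v1.0/deviceManagement/managedDevices" +
       "?`$filter=operatingSystem eq 'Android' and complianceState eq 'noncompliant'" +
       "&`$select=deviceName,osVersion,complianceState,lastSyncDateTime"
$nonCompliant = Invoke-MgGraphRequest -Method GET -Uri $uri
$nonCompliant.value | Format-Table deviceName, osVersion, complianceState, lastSyncDateTime
```

Run it once against a test group first and confirm in the portal that the policy appears under Devices – Compliance policies with the expected settings; the final query only shows meaningful results after the targeted devices have checked in, and devices that have not synced yet remain in their previous compliance state.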
Author
Anoop C Nair is a Microsoft MVP. He is a Device Management Admin with more than 20 years of experience (calculation done in 2021) in IT. He is a blogger, speaker, and local user group HTMD Community leader. His main focus is on device management technologies like SCCM 2012, Current Branch, and Intune. He writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc.