How to Plan and Design an Intune Compliance Policy for Android Devices | Microsoft Endpoint Manager | Intune? This post provides more details about planning and implementing the Intune compliance policy for Android devices. Intune compliance policies are the first layer of protection before access to corporate apps and data is granted.
It is very important to plan and design the compliance policy for Android devices, as Android is more vulnerable than other operating systems.
Compliance policy rules might include requiring a password/PIN to access the device and encrypting the data stored on the device. A set of such rules is called a compliance policy. The best option is to use compliance policies together with Azure AD Conditional Access.
Update: When you use or support Android for Work enrollment, select the platform as Android for Work in the compliance policy. Otherwise, the compliance policy will evaluate your Android devices and report that the policy is not applicable to Android for Work enrolled devices.
Check out the video tutorial on setting up Intune compliance policies for Android – here
- Intune Compliance policy setup for Windows 10 Devices here
- Intune Compliance policy setup for iOS Devices here
How to set up an Android device compliance policy
1. Sign in to the Endpoint Manager portal with an account that has Intune admin access.
2. Select More services, enter Intune in the text box, and then press Enter.
3. Select Intune – Device Compliance – Compliance – Policies, click the +Create policy button to create a new compliance policy, and select the platform “Android”.
4. The settings configuration is the most important part of a compliance policy. There are some improvements in the Azure portal Android compliance policies. There are three categories in Android compliance policies: Device Health, Device Properties, and System Security.
5. Device Health is where the compliance engine checks whether Android devices should be reported as compliant. The device health attestation service includes many checks, such as TPM 2.0 and BitLocker encryption.
6. Device Properties is where Intune admins define the minimum and maximum operating system versions allowed for corporate application access. I would keep the minimum version at Android 6 wherever possible.
   - Operating System Version
   - Minimum Android OS version
   - Maximum Android OS version
7. System Security is where Intune admins define password policies for Android devices. There are three sections in these settings: Password, Encryption, and Device Security.
Password compliance policy for Android – I would require a complex alphanumeric password for Android devices along with all the configurations above.
- Require a password to unlock mobile devices
- Minimum password length
- Required password type
- Maximum minutes of inactivity before password is required
- Password expiration (days)
- Number of previous passwords to prevent reuse
Encryption compliance policy for Android – Encryption must be enabled in your compliance policy for Android devices.
- Encryption of data storage on device
Device Security compliance policy for Android – The Block apps from unknown sources and Block USB debugging on device policies are important and should be enabled.
- Block apps from unknown sources
- Require threat scan on apps
- Block USB debugging on device
- Minimum security patch level
8. Deploy the Android compliance policy to the All Android devices dynamic device group (Update: device groups are not supported for compliance policies, so use user groups for Intune compliance policies). Click on Assignment and select the dynamic device group.
I would use AAD dynamic device groups to deploy compliance policies rather than AAD user groups.
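The same policy can be built and checked outside the portal. The following is an added example, not code from the original post or from Microsoft: it assembles the Android compliance policy described in steps 4 to 8 as a Microsoft Graph `androidCompliancePolicy` body (the property names are those of that Graph resource type), audits a policy against the recommendations above (alphanumeric password, encryption required, unknown sources and USB debugging blocked, minimum Android 6), and shows the POST calls for creating and assigning it. The policy name, the group ID, the patch-level date and the weak "before" policy are constructed sample values; no request is sent unless `post_policy()` or `assign_policy()` is called with a real bearer token.

```python
"""Build, audit and (optionally) publish an Intune Android compliance policy.

Added example. Property names follow the Microsoft Graph
androidCompliancePolicy resource; the audit rules encode the baseline
recommended in the post. Sample values below are constructed, not real.
"""
import json
from typing import Dict, List, Tuple
from urllib.request import Request, urlopen

GRAPH_POLICIES = "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies"


def build_android_compliance_policy(name: str = "Android - corporate baseline") -> Dict:
    """Return the JSON body for an Android compliance policy matching the post's baseline."""
    return {
        "@odata.type": "#microsoft.graph.androidCompliancePolicy",
        "displayName": name,  # constructed sample name
        "description": "Baseline Android compliance: password, encryption, device security",
        # Device Properties: minimum OS version (Android 6, as recommended above)
        "osMinimumVersion": "6.0",
        # System Security - Password
        "passwordRequired": True,
        "passwordRequiredType": "alphanumeric",
        "passwordMinimumLength": 8,
        "passwordMinutesOfInactivityBeforeLock": 5,
        "passwordExpirationDays": 90,
        "passwordPreviousPasswordBlockCount": 5,
        # System Security - Encryption
        "storageRequireEncryption": True,
        # System Security - Device Security
        "securityPreventInstallAppsFromUnknownSources": True,
        "securityRequireVerifyApps": True,  # "Require threat scan on apps"
        "securityDisableUsbDebugging": True,
        "minAndroidSecurityPatchLevel": "2020-01-01",  # constructed placeholder date
        # Action for non-compliance: mark non-compliant immediately (no grace period)
        "scheduledActionsForRule": [{
            "ruleName": "PasswordRequired",
            "scheduledActionConfigurations": [{
                "actionType": "block",
                "gracePeriodHours": 0,
                "notificationTemplateId": "",
                "notificationMessageCCList": [],
            }],
        }],
    }


# Constructed "weak" policy: what you get if the security sections are left at defaults.
WEAK_POLICY: Dict = {
    "@odata.type": "#microsoft.graph.androidCompliancePolicy",
    "displayName": "Android - unconfigured",
    "passwordRequired": False,
    "storageRequireEncryption": False,
    "securityPreventInstallAppsFromUnknownSources": False,
    "securityDisableUsbDebugging": False,
    "osMinimumVersion": "5.0",
}


def _version_tuple(version: str) -> Tuple[int, ...]:
    """Turn '6.0.1' into (6, 0, 1) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in version.split(".") if part.isdigit())


def audit_policy(policy: Dict) -> List[str]:
    """Return findings for every setting weaker than the baseline in the post."""
    findings: List[str] = []
    if not policy.get("passwordRequired"):
        findings.append("password not required")
    elif policy.get("passwordRequiredType") not in ("alphanumeric", "alphanumericWithSymbols"):
        findings.append("password type is not alphanumeric")
    if not policy.get("storageRequireEncryption"):
        findings.append("storage encryption not required")
    if not policy.get("securityPreventInstallAppsFromUnknownSources"):
        findings.append("apps from unknown sources allowed")
    if not policy.get("securityDisableUsbDebugging"):
        findings.append("USB debugging allowed")
    min_os = policy.get("osMinimumVersion")
    if not min_os or _version_tuple(min_os) < (6, 0):
        findings.append("minimum Android OS version below 6")
    return findings


def build_assignment(group_id: str) -> Dict:
    """Assignment body targeting one Azure AD group (step 8)."""
    return {"assignments": [{"target": {
        "@odata.type": "#microsoft.graph.groupAssignmentTarget",
        "groupId": group_id}}]}


def _graph_post(url: str, body: Dict, token: str) -> Dict:
    req = Request(url, data=json.dumps(body).encode(), method="POST",
                  headers={"Authorization": f"Bearer {token}",
                           "Content-Type": "application/json"})
    with urlopen(req) as resp:  # network call; only runs when invoked with a token
        raw = resp.read()
    return json.loads(raw) if raw else {}


def post_policy(policy: Dict, token: str) -> Dict:
    """Create the policy; the returned object carries the new policy's 'id'."""
    return _graph_post(GRAPH_POLICIES, policy, token)


def assign_policy(policy_id: str, group_id: str, token: str) -> Dict:
    """Assign an existing policy to a group via the /assign action."""
    return _graph_post(f"{GRAPH_POLICIES}/{policy_id}/assign", build_assignment(group_id), token)


if __name__ == "__main__":
    print("weak policy findings:", audit_policy(WEAK_POLICY))
    print("baseline findings:", audit_policy(build_android_compliance_policy()))
```

Run the audit against any policy body you export from Graph before and after a change; an empty findings list means the three System Security sections and the minimum OS version are set the way the post recommends. The `scheduledActionsForRule` entry is required on create and is what makes a device fall out of compliance immediately rather than after a grace period.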
What is device compliance in Intune Azure preview – here