This post covers planning and implementing an Intune compliance policy for Android devices. Compliance policies are the first layer of protection before a device is granted access to corporate apps and data. Planning and designing the Android policy carefully matters because Android devices are often rooted, left on old OS versions and patch levels, or allowed to sideload apps from unknown sources, and each of these can be checked by the policy. Compliance rules might include requiring a password/PIN to unlock the device and encrypting the data stored on it; a set of such rules is a compliance policy. The best option is to pair the compliance policy with Azure AD Conditional Access, so that a device evaluated as non-compliant is blocked from corporate resources rather than merely reported.
Update: if you use or support Android for Work enrollment, select Android for Work as the platform when creating the compliance policy. Otherwise the policy will evaluate your Android for Work enrolled devices and report the policy as not applicable to them.
Check out the video tutorial on setting up Intune compliance policies for Android – here
- Intune Compliance policy setup for Windows 10 Devices here
- Intune Compliance policy setup for iOS Devices here
How to set up an Android device compliance policy in the Azure portal?
1. Sign in to the Azure portal with an account that has Intune admin access.
2. Select More services, enter Intune in the search box, and press Enter.
3. Select Intune – Device compliance – Policies, click +Create policy to create a new compliance policy, and select the platform as “Android” (or “Android for Work”, as noted in the update above).
4. The settings are the important part of a compliance policy. The Azure portal Android compliance policy groups its settings into three categories: Device Health, Device Properties, and System Security.
5. Device Health is where the compliance engine checks the integrity of the device itself. For Android the check is Rooted devices: set it to Block so that a rooted device is reported as non-compliant. (Device Health Attestation checks such as TPM 2.0 and BitLocker encryption belong to the Windows 10 compliance policy, not to Android.)
6. Device Properties is where Intune admins define the minimum and maximum operating system versions allowed for corporate application access; a device outside the range is marked non-compliant. Keep the minimum at Android 6.0 wherever possible.
Operating System Version
Minimum Android OS version
Maximum Android OS version
7. System Security is where Intune admins define the password, encryption and device security requirements for Android devices. There are three sections in these settings – Password, Encryption and Device Security.
Password compliance policy for Android – require a complex alphanumeric password, together with the settings listed below:
Require a password to unlock mobile devices.
Minimum password length
Required password type
Maximum minutes of inactivity before password is required
Password expiration (days)
Number of previous passwords to prevent reuse
Encryption compliance policy for Android – encryption of data storage must be required in the Android compliance policy; an unencrypted device must not be treated as compliant.
Encryption of data storage on device
Device security compliance policy for Android – Block apps from unknown sources and Block USB debugging on device are important and should both be enabled; Require threat scan on apps (Google's Verify Apps scan) and Minimum security patch level add two further checks worth setting:
Block apps from unknown sources
Require threat scan on apps
Block USB debugging on device
Minimum security patch level
8. Assign the Android compliance policy. Click Assignments and select the Azure AD group. Update: device groups are not supported for compliance policies, so assign the policy to an Azure AD user group (for example, a group of users who carry Android devices) rather than the dynamic “All Android devices” device group originally planned here; the policy is then evaluated on those users' Android devices.
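The same policy built through the Microsoft Graph API from PowerShell, as an added example that is not part of the original post and not Microsoft's own sample code. It creates a policy with the Device Health, Device Properties and System Security settings described in steps 4 to 7, then assigns it to a user group as in step 8. It assumes you already hold a Graph access token with DeviceManagementConfiguration.ReadWrite.All (passed as $AccessToken), that $UserGroupId is the object ID of the Azure AD user group to assign, and that the display name, password lengths, expiry days and patch date are illustrative values you would replace with your own.

```powershell
# New-AndroidCompliancePolicy.ps1 (added example; names and values are illustrative)
param(
    [Parameter(Mandatory)] [string] $AccessToken,   # Graph bearer token, obtained separately
    [Parameter(Mandatory)] [string] $UserGroupId,   # Azure AD *user* group object ID
    [switch] $AndroidForWork                         # create the Android for Work policy type
)

$PolicyRoot = "https://graph.microsoft.com/beta/deviceManagement/deviceCompliancePolicies"
$Headers    = @{ Authorization = "Bearer $AccessToken" }

# Platform selection matters (see the update near the top of the post): a policy of type
# androidCompliancePolicy is reported "not applicable" on Android for Work enrolled devices.
$PolicyType = if ($AndroidForWork) { "#microsoft.graph.androidWorkProfileCompliancePolicy" }
              else                  { "#microsoft.graph.androidCompliancePolicy" }

$Policy = @{
    "@odata.type" = $PolicyType
    displayName   = "Android - corporate access baseline"   # assumed name
    description   = "Device Health, Device Properties and System Security checks"

    # Device Health: rooted devices are non-compliant
    securityBlockJailbrokenDevices = $true

    # Device Properties: Android 6.0 minimum, no maximum set
    osMinimumVersion = "6.0"

    # System Security / Password: complex alphanumeric, 8+ characters,
    # lock after 5 idle minutes, 90-day expiry, block the last 5 passwords (assumed values)
    passwordRequired                      = $true
    passwordMinimumLength                 = 8
    passwordRequiredType                  = "alphanumericWithSymbols"
    passwordMinutesOfInactivityBeforeLock = 5
    passwordExpirationDays                = 90
    passwordPreviousPasswordBlockCount    = 5

    # System Security / Encryption
    storageRequireEncryption = $true

    # System Security / Device Security
    securityPreventInstallAppsFromUnknownSources = $true   # Block apps from unknown sources
    securityRequireVerifyApps                    = $true   # Require threat scan on apps
    securityDisableUsbDebugging                  = $true   # Block USB debugging on device
    minAndroidSecurityPatchLevel                 = "2017-06-01"   # assumed patch date, YYYY-MM-DD

    # Graph rejects a POST without at least one scheduled action for the rule;
    # this one marks the device non-compliant immediately (no grace period).
    scheduledActionsForRule = @(
        @{
            ruleName = "PasswordRequired"
            scheduledActionConfigurations = @(
                @{ actionType = "block"; gracePeriodHours = 0; notificationTemplateId = "" }
            )
        }
    )
}

# Create the policy
$Created = Invoke-RestMethod -Method Post -Uri $PolicyRoot -Headers $Headers `
    -ContentType "application/json" -Body ($Policy | ConvertTo-Json -Depth 10)
Write-Host "Created compliance policy $($Created.id) ($($Created.displayName))"

# Assign it to a user group: device groups are not supported for compliance
# policies at the time of the post, so the target is a user group.
$Assignment = @{
    assignments = @(
        @{
            target = @{
                "@odata.type" = "#microsoft.graph.groupAssignmentTarget"
                groupId       = $UserGroupId
            }
        }
    )
}
Invoke-RestMethod -Method Post -Uri "$PolicyRoot/$($Created.id)/assign" -Headers $Headers `
    -ContentType "application/json" -Body ($Assignment | ConvertTo-Json -Depth 10) | Out-Null

# Read the policy back and show the settings that gate corporate access
$Check = Invoke-RestMethod -Method Get -Uri "$PolicyRoot/$($Created.id)" -Headers $Headers
$Check | Select-Object displayName, osMinimumVersion, passwordRequiredType,
    storageRequireEncryption, securityDisableUsbDebugging,
    securityPreventInstallAppsFromUnknownSources, securityBlockJailbrokenDevices
```

Run it as `.\New-AndroidCompliancePolicy.ps1 -AccessToken $token -UserGroupId $groupId` (add `-AndroidForWork` for work-profile enrolments). The read-back at the end is the check a practitioner wants before wiring the policy into Conditional Access: if a required setting comes back empty or false, the policy will evaluate more devices as compliant than intended.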
What is device compliance in Intune Azure preview – here