How to Plan and Design an Intune Compliance Policy for Android Devices | Microsoft Endpoint Manager | Intune

This post provides more details about planning and implementing an Intune compliance policy for Android devices. Intune compliance policies are the first layer of protection before access is granted to corporate apps and data.

It is very important to plan and design compliance policies for Android devices, as Android is more vulnerable than other operating systems.

Compliance policy rules might include requiring a password/PIN to access the device and encrypting the data stored on the device. A set of such rules is called a compliance policy. The best option is to pair a compliance policy with Azure AD Conditional Access.

Update: When you use or support Android for Work enrollment, select Android for Work as the platform in the compliance policy. Otherwise, the compliance policy will evaluate your Android devices and report that the policy is not applicable to Android for Work enrolled devices.
Check out the video tutorial on setting up Intune compliance policies for Android here.

- Intune compliance policy setup for Windows 10 devices: here
- Intune compliance policy setup for iOS devices: here

How to set up an Android device compliance policy
1. Sign in to the Endpoint Manager portal with an account that has Intune admin access.
2. Select More services, enter Intune in the text box, and then press Enter.
3. Select Intune – Device Compliance – Compliance – Policies, click the +Create policy button to create a new compliance policy, and select “Android” as the platform.
4. The settings configuration is the most important part of a compliance policy. There are some improvements in the Azure portal Android compliance policies. Android compliance policies have three categories: Device Health, Device Properties, and System Security.
5. Device Health is the setting where the compliance engine evaluates the health data that Android devices report. The device health attestation service has loads of checks, including TPM 2.0, BitLocker encryption, etc.
6. Device Properties is the setting where Intune admins define the minimum and maximum operating system versions allowed for corporate application access. I would keep the minimum version at Android 6 wherever possible.
   - Operating System Version
   - Minimum Android OS version
   - Maximum Android OS version
7. System Security is the setting where Intune admins define password and related security policies for Android devices. There are three sections in these settings: Password, Encryption, and Device Security.
Password compliance policy for Android – I would create a complex alphanumeric password for Android devices with all of the following configurations.

- Require a password to unlock mobile devices
- Minimum password length
- Required password type
- Maximum minutes of inactivity before the password is required
- Password expiration (days)
- Number of previous passwords to prevent reuse

Encryption compliance policy for Android – Encryption must be enabled in your Android compliance policy.

- Encryption of data storage on the device

Device Security compliance policy for Android – The Block apps from unknown sources and Block USB debugging on Android devices settings are important and should be enabled.

- Block apps from unknown sources
- Require threat scan on apps
- Block USB debugging on the device
- Minimum security patch level
8. Deploy the Android compliance policy to the All Android devices dynamic device group (Update: device groups are not supported for compliance policies, hence use user groups for Intune compliance policies). Click on Assignments and select the dynamic device group.

I would use AAD dynamic device groups to deploy compliance policies rather than AAD user groups.
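The same policy can be created and assigned programmatically. The script below is an added example, not code from the original post, and it uses the Microsoft Graph `deviceCompliancePolicies` endpoint through the Microsoft.Graph PowerShell SDK. It assumes the SDK is installed, the signed-in account has Intune admin rights, `$GroupId` is replaced with a real Azure AD group object ID, and the concrete values (password length, expiry, patch level) are the constructed baseline shown here rather than anything the post prescribes. The `-Platform` switch picks the Android (device administrator) or Android for Work (work profile) policy type, mirroring the Update note above; the property names used are common to both types in the v1.0 schema.

```powershell
# Added example: create an Android compliance policy via Microsoft Graph and assign it.
# Assumptions: Microsoft.Graph module installed; $GroupId replaced with a real group ID.
param(
    [ValidateSet('Android', 'AndroidForWork')]
    [string]$Platform = 'Android',
    [string]$GroupId = '00000000-0000-0000-0000-000000000000'   # placeholder, replace
)

Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All'

# Platform choice (see the Update note): device administrator vs. work profile enrollment.
$odataType = if ($Platform -eq 'AndroidForWork') {
    '#microsoft.graph.androidWorkProfileCompliancePolicy'
} else {
    '#microsoft.graph.androidCompliancePolicy'
}

$policy = @{
    '@odata.type' = $odataType
    displayName   = "Corporate - $Platform compliance"
    description   = 'Baseline Android compliance (added example)'

    # Device Health: refuse rooted devices and require platform attestation
    securityBlockJailbrokenDevices                     = $true
    securityRequireSafetyNetAttestationBasicIntegrity  = $true
    securityRequireSafetyNetAttestationCertifiedDevice = $true

    # Device Properties: minimum OS version (Android 6, as recommended above)
    osMinimumVersion             = '6.0'
    minAndroidSecurityPatchLevel = '2021-01-01'   # constructed value; set your own baseline

    # System Security > Password (alphanumeric, as recommended above)
    passwordRequired                      = $true
    passwordRequiredType                  = 'alphanumeric'
    passwordMinimumLength                 = 8
    passwordMinutesOfInactivityBeforeLock = 5
    passwordExpirationDays                = 90
    passwordPreviousPasswordBlockCount    = 5

    # System Security > Encryption
    storageRequireEncryption = $true

    # System Security > Device Security
    securityPreventInstallAppsFromUnknownSources = $true
    securityRequireVerifyApps                    = $true   # require threat scan on apps
    securityDisableUsbDebugging                  = $true

    # Graph requires at least one scheduled action; 'block' marks the device
    # non-compliant immediately so Conditional Access can act on it.
    scheduledActionsForRule = @(
        @{
            ruleName = 'PasswordRequired'
            scheduledActionConfigurations = @(
                @{
                    actionType             = 'block'
                    gracePeriodHours       = 0
                    notificationTemplateId = '00000000-0000-0000-0000-000000000000'
                }
            )
        }
    )
}

$created = Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies' `
    -Body ($policy | ConvertTo-Json -Depth 10) -ContentType 'application/json'

Write-Host "Created policy '$($created.displayName)' with id $($created.id)"

# Assignment: target one group (a dynamic device group or a user group, per the note above).
$assignment = @{
    assignments = @(
        @{
            target = @{
                '@odata.type' = '#microsoft.graph.groupAssignmentTarget'
                groupId       = $GroupId
            }
        }
    )
}

Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies/$($created.id)/assign" `
    -Body ($assignment | ConvertTo-Json -Depth 10) -ContentType 'application/json'

Write-Host "Assigned policy $($created.id) to group $GroupId"
```

Run it as `.\New-AndroidCompliance.ps1 -Platform AndroidForWork -GroupId <group-object-id>` for work profile enrollments, or with the default `-Platform Android` for device administrator enrollments. After a device checks in, Devices > Compliance policies > Device status in the Endpoint Manager portal shows which of the rules above each device failed, which is the quickest way to confirm the policy is evaluating the intended platform.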
Anoop is a Microsoft MVP! He is a Solution Architect in enterprise client management with more than 20 years of experience (calculated in 2021) in IT. He is a blogger, speaker, and Local User Group HTMD Community leader. His main focus is on device management technologies like SCCM 2012, Current Branch, and Intune. He writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc.