Key Takeaways
- Strengthen organizational security by ensuring only compliant Android devices can access corporate resources.
- Enforce password, encryption, and device security requirements to protect sensitive business data.
- Improve endpoint compliance by defining operating system, security patch, and device health requirements.
- Monitor compliance status and quickly identify noncompliant devices for faster remediation.
This post explains how to configure Android compliance policies in Microsoft Intune and gives more detail on planning and implementing the policy. Intune compliance policies are the first layer of protection before a device is given access to corporate apps and data. Planning and designing compliance policies for Android devices is essential, as Android is more vulnerable than other operating systems.
How to Configure Android Compliance Policies in Microsoft Intune
Microsoft Intune compliance policies help organizations ensure that Android devices meet predefined security and compliance requirements before they can access corporate apps, services, and organizational data. These policies evaluate device settings against configured rules and identify whether a device is compliant or noncompliant.
Creating an Android compliance policy is an essential part of endpoint security. Administrators can enforce requirements such as password complexity, operating system versions, encryption, security patch levels, and device health checks to reduce security risks and maintain compliance across managed Android devices.
Get Started to Configure Android Compliance Policies
Sign in to the Microsoft Intune admin center with your credentials. From the left navigation pane, select Devices, expand Compliance policies, and then click Create Policies. This page displays all existing compliance policies configured in your Intune tenant.

In the Create a policy window, select Android Enterprise as the Platform, choose the appropriate Profile type (such as Personally-owned work profile), and then click Create to begin configuring the policy.

Start With Basics
On the Basics page, enter a descriptive Name and an optional Description for the compliance policy to help identify its purpose. For example, use Android Enterprise Compliance Policy as the policy name and This policy defines compliance requirements for Android Enterprise personally owned work profile devices to ensure they meet organizational security standards before accessing corporate resources as the description. After entering the required information, click Next to continue to the Compliance settings page.

Compliance Settings
The Compliance settings page includes four configuration categories: Microsoft Defender for Endpoint, Device Health, Device Properties, and System Security. Each category provides different options to evaluate the security and compliance status of Android devices. The Device Health section contains settings that evaluate the health and integrity of Android devices. Configure the available options according to your organization’s security requirements.

| Category | Setting |
|---|---|
| Microsoft Defender for Endpoint | Require device at or under machine risk score |
| Device Health | Rooted devices |
| | Require device at or under Device Threat Level – Medium |
| Google Play Protect | Google Play Services configured – Require |
| | Up-to-date security provider – Require |
| | Play Integrity Verdict – Check basic integrity & device integrity |
| Device Properties | Minimum OS version – 6.0 |
| System Security – Encryption | Require encryption of data storage – Require |
| System Security – Device Security | Block apps from unknown sources – Block |
| | Company Portal app runtime integrity – Require |

Expand the Microsoft Defender for Endpoint section by clicking the drop-down arrow to view the available settings. For this example, configure Require the device to be at or under the machine risk score and set the value to Medium. This setting helps ensure that only devices with an acceptable Microsoft Defender for Endpoint risk level are considered compliant.
- Device Health is where the compliance engine checks whether Android devices should be reported. The device health attestation service has many checks, including TPM 2.0 and BitLocker encryption.
- Device Properties is where Intune Admins define minimum and maximum versions of operating system details for corporate application access. I would keep the minimum version as Android version 6 wherever possible.
  - Operating System Version
    - Minimum Android OS version
    - Maximum Android OS version
- System Security is the setting where Intune Admins define password policies for Windows devices. These settings have three sections: Password, Encryption, and Device Security.
| Password Compliance Policy for Android |
|---|
| Require a password to unlock mobile devices. |
| Minimum password length |
| Required password type |
| Maximum minutes of inactivity before the password is required |
| Password expiration (days) |
| Number of previous passwords to prevent reuse |
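
As an added example (not from the original post or from Microsoft), the Python below audits an exported policy object against the values chosen in this walkthrough, treating a stricter risk level than Medium as acceptable. The property names are those of the Microsoft Graph `androidWorkProfileCompliancePolicy` resource; the function names and `SAMPLE_POLICY` are assumptions constructed for illustration.

```python
# Added example. Property names: Microsoft Graph androidWorkProfileCompliancePolicy.
# Threat/risk levels from strictest to loosest; other values mean "not configured".
LEVELS = ["secured", "low", "medium", "high"]
# Settings the walkthrough sets to Require/Block. Graph still names the
# Play Integrity checks "SafetyNetAttestation".
REQUIRED_TRUE = [
    "securityRequireGooglePlayServices",
    "securityRequireUpToDateSecurityProviders",
    "securityRequireSafetyNetAttestationBasicIntegrity",
    "securityRequireSafetyNetAttestationCertifiedDevice",
    "storageRequireEncryption",
    "securityPreventInstallAppsFromUnknownSources",
    "securityRequireCompanyPortalAppIntegrity",
]
# Settings the walkthrough caps at Medium.
MAX_LEVEL = {
    "advancedThreatProtectionRequiredSecurityLevel": "medium",
    "deviceThreatProtectionRequiredSecurityLevel": "medium",
}
MIN_OS = "6.0"

def version_tuple(version):
    """'8.1' -> (8, 1, 0) so versions compare numerically, not as strings."""
    parts = [int(part) for part in version.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def audit_policy(policy):
    """Return sorted findings; an empty list means the policy meets the baseline."""
    findings = []
    for key in REQUIRED_TRUE:
        if policy.get(key) is not True:
            findings.append(f"{key}: expected true, got {policy.get(key)!r}")
    for key, ceiling in MAX_LEVEL.items():
        level = policy.get(key)
        if level not in LEVELS:
            findings.append(f"{key}: not configured ({level!r})")
        elif LEVELS.index(level) > LEVELS.index(ceiling):
            findings.append(f"{key}: {level} is looser than {ceiling}")
    os_min = policy.get("osMinimumVersion")
    if not os_min or version_tuple(os_min) < version_tuple(MIN_OS):
        findings.append(f"osMinimumVersion: {os_min!r} is below {MIN_OS}")
    return sorted(findings)

SAMPLE_POLICY = {  # constructed: four deliberate deviations from the baseline
    **{key: True for key in REQUIRED_TRUE},
    "securityPreventInstallAppsFromUnknownSources": False,
    "advancedThreatProtectionRequiredSecurityLevel": "unavailable",
    "deviceThreatProtectionRequiredSecurityLevel": "high",
    "osMinimumVersion": "5.1",
}
```

Running `audit_policy` over each policy exported from the tenant gives a quick drift report before the policy is assigned.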

The Actions for noncompliance page allows you to define what happens when an Android device fails to meet the configured compliance requirements. By default, Intune marks a device as noncompliant immediately (0 days), but you can modify the schedule based on your organization’s security policies.
- The recommended setup is to mark the device noncompliant immediately (0 days) and send a push notification at 0 days, ensuring instant enforcement and user awareness.

Scope Tags
The Scope tags page is optional and is used to control which administrators can view and manage the compliance policy. If your organization does not use custom scope tags, leave the Default scope tag selected and click Next to continue.

Assignments for the Compliance Policy
In the Assignments step of your Intune compliance policy, you specify which users or device groups the policy applies to, and the best practice for personally‑owned Android Enterprise. You can also configure exclusion groups if specific users should not receive the policy.

Review + Create Option
Review all configured settings on the Review + Create page to verify that they meet your organization’s compliance requirements. If necessary, return to previous pages to make changes. Once you’ve confirmed the configuration, click Create to deploy the Android compliance policy.

After the policy is successfully created, Microsoft Intune displays a notification confirming that the Android Enterprise compliance policy has been created successfully. You are then redirected to the policy’s Overview or Monitoring page, where you can review the policy details and monitor its compliance status.

Review the Policy Status
After the policy is created, open the newly created compliance policy to review its status. The Monitor tab displays the deployment and compliance status of the policy. Administrators can view the number of compliant, noncompliant, and not evaluated devices, and select the available reports to access detailed compliance information for individual Android devices.
- Here you can see that the policy was assigned to the groups successfully.

Delete the Android Enterprise Compliance Policy
To delete an Android Enterprise compliance policy, sign in to the Microsoft Intune admin center and navigate to Devices > Compliance policies > Policies. Search for the Android Enterprise compliance policy you want to remove and select it from the list. Click the 3-dot (More) menu next to the policy, and then select Delete. When prompted, confirm the deletion to permanently remove the compliance policy from Microsoft Intune.

How to Setup Intune Compliance Policies for Android
This video guide shows you how to set up Intune compliance policies for Android devices. It provides easy-to-follow instructions for creating policies that ensure your devices meet security standards before accessing company apps and data.
Author
Anoop C Nair has been a Microsoft MVP from 2015 onwards for 10 consecutive years. He is a Workplace Solution Architect with more than 22 years of experience in Workplace technologies. He is also a Blogger, Speaker, and Local User Group Community leader. His primary focus is on Device Management technologies like SCCM and Intune. He writes about technologies like Intune, SCCM, Windows, Cloud PC, Entra, Microsoft Security, Career, etc.










