You're reading from  Microsoft Intune Cookbook

Product type: Book
Published in: Jan 2024
Publisher: Packt
ISBN-13: 9781805126546
Edition: 1st Edition
Author: Andrew Taylor

Andrew Taylor is an End-User Compute architect with 20 years' IT experience across industries and a particular interest in Microsoft Cloud technologies, PowerShell and Microsoft Graph. Andrew graduated with a degree in Business Studies in 2004 from Lancaster University and has since obtained numerous Microsoft certifications, including Microsoft 365 Enterprise Administrator Expert, Azure Solutions Architect Expert and Cybersecurity Architect Expert, amongst others. He is currently working as an EUC Architect for an IT company in the United Kingdom, planning and automating the products across the EUC space. Andrew lives on the coast in the North East of England with his wife and two daughters.

Setting Up Your Compliance Policies

Now that we have successfully enrolled a device from all of the major platforms (Windows, macOS, iOS, and Android), we need a method of ensuring they are always managed, updated, and compliant with our own requirements. For that, we can use compliance policies. These allow us to configure a set of requirements that devices must meet to be classed as compliant within the environment. Then, we can add a conditional access policy on top to restrict access to corporate data from any devices that do not meet the criteria. This increases your security posture and also gives you the ability to quickly monitor your estate for any major issues.

In addition to showing you how to deploy these policies, we will also look at what each of the settings requires on the device. We will also cover the more advanced custom compliance policy for Windows.

Finally, we will look at how to restrict access from non-compliant machines using conditional access.

In...

Technical requirements

For this chapter, you will need a modern web browser and a PowerShell code editor such as Visual Studio Code or PowerShell ISE.

All of the scripts that will be referenced in this chapter can be found here: https://github.com/PacktPublishing/Microsoft-Intune-Cookbook.

If you wish to test the policies, you will need a corporate-managed device running each device platform for testing. For Linux, it will need to be running Ubuntu.

Chapter materials

Before we begin configuring our policies, there is one setting that we want to configure for the tenant that tells Intune what to do with devices that do not have any compliance policies assigned.

For this, navigate to Devices and then Compliance. Then, click on Compliance policy settings.

We have two settings here:

  • Mark devices with no compliance policy assigned as: A device without a policy assigned is a potential security risk as it could potentially be non-compliant with multiple settings. The best practice is always to set this to non-compliant.
  • Compliance status validity period (days): This sets how long you will accept a prior status report – put another way, if a device has not checked into Intune, after how many days should it be flagged as non-compliant? At a very basic level, consider Windows updates; if a machine has not been seen for 30 days or more, assume it is missing at least one set of updates, possibly including antivirus...

Configuring notification templates

All supported platforms can send an email to the end user (and copy it to any other distribution lists), informing them that they are using a non-compliant device. This can be used to provide warnings before the device is blocked.

As these are cross-platform, this first recipe will cover how to create your template.

How to do it…

Follow these steps:

  1. First, navigate to Devices and then Compliance.
  2. Now, click on Notifications and create a new notification.
  3. First, you must set a name for the template and choose how much corporate branding it should include. The corporate details are taken from Tenant details, which we will cover in Chapter 13. Once selected, click Next.
  4. On the next screen, you can configure your message and language. If you are multi-national, you can have multiple notifications. One has to be set as the default before you can click Next to continue.
  5. Click Next to progress past Scope tags.
  6. Finally, review...

Deploying a Windows compliance policy

There are two ways to configure compliance policies for Windows devices. Both will be covered in this chapter, but we will start with the easier of the two, which is GUI-driven.

Getting started

As mentioned earlier, before we start creating our policy, we should look at the available settings and what they do.

Compliance settings

We will start with the available compliance settings.

Custom compliance

We will cover this in a later recipe (Configuring and deploying a Windows custom compliance policy), but to summarize, you can deploy a custom PowerShell script to monitor anything on the device and feed it into a compliance policy.

Device Health

Device health rules use the Device Health Attestation service. One important thing to note is that they require a reboot to report back as they are querying the BIOS, among other things. Therefore, if you set these settings, make sure you do not set devices as non-compliant immediately...

Deploying an Android compliance policy

Now, we can look at our Android corporate devices. While BYOD is handled by App Protection policies (as we have no control over the device itself), we can force our managed devices to remain compliant to access corporate data. In this recipe, we are only going to be looking at corporate-owned and managed devices. Settings for other device types can be found here: https://learn.microsoft.com/en-gb/mem/intune/protect/compliance-policy-create-android-for-work#system-security-settings.

Getting started

As with the Windows policy, we will start by looking at the available options and what they do.

Compliance settings

We can run through the various compliance settings for our Android devices.

Microsoft Defender for Endpoint

Note that for these settings, you will require licensing for Defender for Endpoint. Double-check you have the correct licenses before enabling. It also requires the application to be deployed to and running on the...

Deploying an iOS compliance policy

After setting up our Android policy, we can now look at iOS devices. As with other policies, we will start by looking at the available settings and what they require before looking at configuring the policy and how it works.

Getting started

We will start by looking at all of the available settings and what they require.

Compliance settings

Let us run through all of the settings available for iOS devices.

Email

We will start with the single setting under the Email heading:

  • Unable to set up email on the device: The device must use a managed account configured via Intune. Any accounts that were manually added previously will need to be removed before the device can be marked as compliant.

Device Health

Now, we can review the options for Device Health:

  • Jailbroken devices: Any jailbroken devices will be blocked on iOS 8.0 and above.
  • Require the device to be at or under the Device Threat Level: The options...

Deploying a macOS compliance policy

Now that we have covered iOS devices, we can look at making sure our corporate-managed macOS devices are compliant.

One important thing to note with macOS is that, unlike our other policies (iOS excepted), configuring the PIN setting within a macOS compliance policy enforces the setting on the device rather than just reporting on it.

Getting started

As with the other recipes, we will start by looking at the settings available to us.

Compliance settings

Now, let us run through the settings available for macOS devices.

Device Health

We will start with the single setting available under Device Health:

  • Require system integrity protection: This stops protected files and folders from being changed by malicious software and was introduced in El Capitan. More information can be found here: https://support.apple.com/en-gb/HT204899.

Device Properties

Now, we will look at the settings for Device Properties...

Deploying a Linux compliance policy

This is a relatively new addition to Intune. While we cannot currently deploy configuration or applications to Linux devices, we can configure compliance policies, primarily for Ubuntu-based devices, to ensure that any devices accessing corporate data meet the same standards across platforms.

Getting started

Again, we will start by looking at the available settings. One of the first things to note is that Linux compliance policies are configured through the Settings catalog, as they are a much newer addition.

Allowed Distributions

Under Allowed Distributions, we have the following option:

  • Type: At the time of writing, the only option is Ubuntu, but you can set minimum and maximum versions. The version numbers can be found here: https://wiki.ubuntu.com/Releases.

Custom Compliance

Within Custom Compliance, we have the following single setting:

  • Require custom compliance: This will be covered in greater depth in the next recipe, but instead...

Configuring and deploying a Windows custom compliance policy

Sometimes, you will find that your compliance requirements are not covered by the built-in settings. For example, you may have third-party products that you need to monitor, or you may want to block machines with particular software installed. You could also restrict your environment to a specific hardware type, manufacturer, or amount of RAM – anything that can be detected by PowerShell can be used for compliance.

Once the script has been configured, you can set a JSON policy within Intune that reads the output from PowerShell and compares each value against the settings and values we specified in the JSON. If the actual value matches the expected value, that setting is compliant. If not, it is non-compliant.

One non-compliant setting is enough to mark a device as non-compliant.
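As an added example (not one of the book's own scripts), the following PowerShell writes both halves of a custom compliance policy for the scenario above: a discovery script that reports the manufacturer, the installed RAM and whether a product is installed, and the JSON rules that Intune compares the script's output against. The product name ExampleBlockedApp, the Contoso manufacturer, the 8 GB threshold and the MoreInfoUrl values are placeholders.

```powershell
# Added example: generates the discovery script and rules file for a Windows
# custom compliance policy. All names, thresholds and URLs are placeholders.

# 1. Discovery script that Intune runs on the device. Its only output must be
#    a single line of compressed JSON; the hashtable keys become the setting names.
$discovery = @'
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
$uninstallKeys = @(
  'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
  'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
# Look for the blocked product (assumed name) in the 64-bit and 32-bit uninstall keys.
$blocked = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
  Where-Object { $_.DisplayName -like 'ExampleBlockedApp*' }
$result = @{
  Manufacturer      = $cs.Manufacturer
  TotalRamGb        = [math]::Round($cs.TotalPhysicalMemory / 1GB)
  BlockedAppPresent = [bool]$blocked
}
return $result | ConvertTo-Json -Compress
'@

# 2. Rules file uploaded to the compliance policy. Each SettingName must match a key
#    in the script's output exactly; any rule that fails marks the device non-compliant.
$rules = @'
{ "Rules": [
  { "SettingName": "Manufacturer", "Operator": "IsEquals", "DataType": "String",
    "Operand": "Contoso", "MoreInfoUrl": "https://example.invalid/device-standards",
    "RemediationStrings": [ { "Language": "en_US", "Title": "Unsupported hardware",
      "Description": "Only approved hardware may access corporate data." } ] },
  { "SettingName": "TotalRamGb", "Operator": "GreaterEquals", "DataType": "Int64",
    "Operand": 8, "MoreInfoUrl": "https://example.invalid/device-standards",
    "RemediationStrings": [ { "Language": "en_US", "Title": "Insufficient memory",
      "Description": "Devices need at least 8 GB of RAM." } ] },
  { "SettingName": "BlockedAppPresent", "Operator": "IsEquals", "DataType": "Boolean",
    "Operand": false, "MoreInfoUrl": "https://example.invalid/device-standards",
    "RemediationStrings": [ { "Language": "en_US", "Title": "Blocked software found",
      "Description": "Remove ExampleBlockedApp and sync the device." } ] }
] }
'@

Set-Content -Path .\Get-CustomCompliance.ps1 -Value $discovery
Set-Content -Path .\CustomCompliance.json -Value $rules
```

Run Get-CustomCompliance.ps1 locally first and confirm it prints exactly one JSON line whose keys match the SettingName values, since a mismatch or any extra output leaves the device reporting as non-compliant.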

Now that we know how it works, we can configure our scripts.

Getting started

Before we create the policy, we need to create the two...

Using conditional access to restrict access based on compliance

There is one final step when using compliance policies. While we have some non-compliance actions configured to lock mobile devices, we are mostly just warning users that their device is not compliant, which does not stop them from using it. We do not want devices that fail our criteria, such as unencrypted devices or devices with active malware, to access corporate data. For that, we need to set up a conditional access policy.
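As an added example (not the book's own code), the following creates the compliant-device conditional access policy described above through Microsoft Graph PowerShell rather than the portal. It assumes the Microsoft.Graph.Identity.SignIns module is installed, that the caller can consent to Policy.ReadWrite.ConditionalAccess, and that the break-glass group ID is replaced with a real value.

```powershell
# Added example: require a compliant device for all cloud apps, created in
# report-only mode so the effect can be reviewed in the sign-in logs first.
# Requires the Microsoft.Graph.Identity.SignIns module.

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess'

# Placeholder: object ID of the group holding emergency-access accounts. Always
# exclude it so a compliance outage cannot lock every administrator out.
$breakGlassGroupId = '<break-glass-group-object-id>'

$policy = @{
    displayName = 'Require compliant device for all cloud apps'
    # enabledForReportingButNotEnforced = report-only; switch to 'enabled' once reviewed.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        clientAppTypes = @('all')
        applications   = @{ includeApplications = @('All') }
        users          = @{
            includeUsers  = @('All')
            excludeGroups = @($breakGlassGroupId)
        }
        # The platforms covered by this chapter's compliance policies.
        platforms      = @{
            includePlatforms = @('windows', 'macOS', 'iOS', 'android', 'linux')
        }
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('compliantDevice')   # device must be marked compliant by Intune
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State
```

Because the tenant setting earlier in this chapter marks devices with no compliance policy as non-compliant, any platform you include here without an assigned compliance policy will be blocked once the state is changed to enabled.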

Important note

This conditional access policy is just for restricting non-compliant devices. For full tenant security, you will need to deploy further policies. Common policies from Microsoft can be found at the following link: https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/zero-trust-identity-device-access-policies-common?view=o365-worldwide.

You can also use some pre-configured templates directly from Entra, as covered here: https://learn.microsoft...
