Auto Add

Friday, 12 December 2025

Microsoft Intune, a Compliance Policy

 In Microsoft Intune, a Compliance Policy is a set of rules and settings that a device must meet to be considered "healthy" and secure by your organization.

Its primary role is verification. Before a device is allowed to touch corporate data, Intune checks it against a "checklist" you define (e.g., "Does it have a password? Is the drive encrypted?").

Here is a detailed breakdown of how Compliance Policies work, what they check, and how they enforce security.

1. The Core Function: The "Gatekeeper"

In a modern Zero Trust architecture, you cannot assume a device is safe just because a user logs in. The Compliance Policy acts as a recurring health check: Intune evaluates the device against the policy each time it checks in (and when you trigger a sync), not continuously in real time.

  • Compliant: The device meets all your security rules. Intune writes a "Compliant" state to the device's record in Microsoft Entra ID, which is the flag Conditional Access later reads.

  • Non-Compliant: The device fails one or more checks (e.g., outdated OS, no antivirus). It is flagged as "Non-Compliant," which triggers the enforcement actions you configure.

2. Common Compliance Settings

You can create different policies for different platforms (Windows, iOS, Android, macOS). Common rules include:

  • Device Health: Is the device jailbroken (iOS) or rooted (Android)? Is BitLocker (Windows, reported through Device Health Attestation) or FileVault (macOS) encryption enabled?

  • Operating System: Is the device on at least the minimum OS version you set (e.g., "Must be on iOS 17 or later")? Devices below the minimum are typically missing security patches the vendor no longer ships for their build.

  • System Security: Does the device have a password/PIN? Does it meet the length and complexity you require (e.g., 6 digits, alphanumeric)? Is the firewall enabled?

  • Microsoft Defender for Endpoint (Windows): Is the device's machine risk score at or under the level you allow? If Defender for Endpoint raises the score (for example, after detecting active malware), the device is marked "Non-Compliant" at its next compliance evaluation. This check requires the Intune connector to Defender for Endpoint to be configured; it is not instantaneous.

3. What Happens When a Device is Non-Compliant?

Intune doesn't just flag the device; each policy carries "Actions for noncompliance" with a schedule (in days) that you configure:

  1. Mark device non-compliant: Runs immediately (0 days) or after a grace period (e.g., 1 day) to give the user time to fix the problem. While the grace period runs, the device shows as "In grace period" and Conditional Access still treats it as compliant.

  2. Send email to end user: Intune emails the user a notification message template you create (e.g., "Your device is non-compliant. Please update your OS to regain access."), optionally copying additional recipients.

  3. Remotely lock: The device is locked if it stays non-compliant past the number of days you schedule.

  4. Retire the device: In extreme cases, the device has its company data and managed apps removed and is unenrolled from Intune.
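The following script is an added example, not code from the original post. It creates a Windows compliance policy that implements the checks from the table above together with the actions for noncompliance listed in section 3, using the Microsoft Graph PowerShell SDK against the beta endpoint (the one the Intune admin center itself uses). It assumes the Microsoft.Graph.Authentication module is installed, that the signed-in account holds the Intune Administrator role, and that the group ID and notification template ID are placeholders you replace with values from your tenant; the property names are the ones exposed by the beta schema for windows10CompliancePolicy, so compare against a policy exported from your own tenant before relying on them.

```powershell
# Added example (not from the original post): create a Windows compliance policy with
# the checks from the table in section 2 and the actions for noncompliance from section 3.
# Assumptions: Microsoft.Graph.Authentication is installed, the account holds the Intune
# Administrator role, and the two GUIDs below are placeholders for your tenant's values.

Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All" -NoWelcome

$PilotGroupId           = "00000000-0000-0000-0000-000000000000"   # placeholder: pilot Entra ID group
$NotificationTemplateId = "11111111-1111-1111-1111-111111111111"   # placeholder: existing notification template

$policy = @{
    "@odata.type" = "#microsoft.graph.windows10CompliancePolicy"
    displayName   = "Windows - Baseline compliance"
    description   = "Password, encryption, OS version, firewall, Defender risk score"
    # System Security
    passwordRequired       = $true
    passwordMinimumLength  = 6
    passwordRequiredType   = "alphanumeric"
    activeFirewallRequired = $true
    # Device Health (reported through Device Health Attestation)
    bitLockerEnabled  = $true
    secureBootEnabled = $true
    # Operating System: Windows 10 22H2 or later
    osMinimumVersion = "10.0.19045"
    # Microsoft Defender for Endpoint: machine risk score must be "medium" or lower
    deviceThreatProtectionEnabled               = $true
    deviceThreatProtectionRequiredSecurityLevel = "medium"
    # Actions for noncompliance. Graph expresses the schedule in hours (portal shows days).
    scheduledActionsForRule = @(
        @{
            ruleName = "PasswordRequired"
            scheduledActionConfigurations = @(
                # Mark non-compliant after a 1-day grace period (0 = immediately)
                @{ actionType = "block";        gracePeriodHours = 24;  notificationTemplateId = "";                      notificationMessageCCList = @() }
                # Email the user at once using the notification template
                @{ actionType = "notification"; gracePeriodHours = 0;   notificationTemplateId = $NotificationTemplateId; notificationMessageCCList = @() }
                # Remotely lock if still non-compliant after 7 days
                @{ actionType = "remoteLock";   gracePeriodHours = 168; notificationTemplateId = "";                      notificationMessageCCList = @() }
                # Retire (remove company data, unenroll) after 30 days
                @{ actionType = "retire";       gracePeriodHours = 720; notificationTemplateId = "";                      notificationMessageCCList = @() }
            )
        }
    )
}

$created = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/beta/deviceManagement/deviceCompliancePolicies" `
    -Body ($policy | ConvertTo-Json -Depth 10) -ContentType "application/json"

# Assign to the pilot group only; widen the assignment after reviewing the compliance report.
$assignment = @{
    assignments = @(
        @{ target = @{ "@odata.type" = "#microsoft.graph.groupAssignmentTarget"; groupId = $PilotGroupId } }
    )
}
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/beta/deviceManagement/deviceCompliancePolicies/$($created.id)/assign" `
    -Body ($assignment | ConvertTo-Json -Depth 10) -ContentType "application/json"

"Created policy '$($created.displayName)' ($($created.id)) and assigned it to group $PilotGroupId"
```

Two details worth noting: the "block" action is what the portal calls "Mark device non-compliant", and a Graph-created policy must carry that scheduledActionsForRule entry or the policy is never enforced; and the Defender risk-score check only produces results once the Defender for Endpoint connector is enabled in Intune, so without it the device simply never reports that setting.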

4. Integration with Conditional Access (The Enforcer)

This is the most critical part. Intune evaluates the device and writes its compliance state to the device object in Microsoft Entra ID (formerly Azure AD); a Conditional Access policy in Entra ID enforces the consequence.

  • The Rule: A Conditional Access policy that targets Office 365 and uses the grant control "Require device to be marked as compliant", which blocks access from any device whose state is Non-Compliant.

  • The Scenario:

    1. A user opens Outlook on their phone and signs in.

    2. Entra ID evaluates Conditional Access. The policy requires a compliant device, so it reads the phone's compliance state, which Intune last wrote at the device's check-in.

    3. The state is Non-Compliant because the OS is below the minimum version in the compliance policy.

    4. Entra ID blocks the sign-in; the Company Portal app shows the user which check failed and what to do (here: update the OS) so they can regain access.
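The script below is an added example, not code from the original post. It creates the Conditional Access policy described above, but in report-only mode so the sign-in logs show who would have been blocked before anyone actually is, and then lists the devices Intune currently reports as non-compliant so you can fix those first. It assumes Microsoft.Graph.Authentication is installed, that the account holds the Conditional Access Administrator and Intune Administrator roles, and that the GUID is a placeholder for an emergency-access account in your tenant.

```powershell
# Added example (not from the original post): Conditional Access policy requiring a
# compliant device for Office 365, created in report-only mode, followed by a query for
# the devices that would fail it today.
# Assumptions: Microsoft.Graph.Authentication is installed, the account holds the Conditional
# Access Administrator and Intune Administrator roles, $BreakGlassUserId is a placeholder.

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "DeviceManagementManagedDevices.Read.All" -NoWelcome

$BreakGlassUserId = "00000000-0000-0000-0000-000000000000"   # placeholder: emergency-access account

$caPolicy = @{
    displayName = "Require compliant device for Office 365"
    # Report-only: evaluated and logged, never enforced. Switch to "enabled" after review.
    state      = "enabledForReportingButNotEnforced"
    conditions = @{
        users = @{
            includeUsers = @("All")
            excludeUsers = @($BreakGlassUserId)   # never lock the emergency account out of the tenant
        }
        applications   = @{ includeApplications = @("Office365") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("compliantDevice")   # "Require device to be marked as compliant"
    }
}

$ca = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies" `
    -Body ($caPolicy | ConvertTo-Json -Depth 10) -ContentType "application/json"
"Created Conditional Access policy '$($ca.displayName)' in state $($ca.state)"

# Which devices would this policy block today? The complianceState Intune holds for each
# managed device is what Entra ID reads when the policy is enforced. Results are paged.
$uri = "https://graph.microsoft.com/v1.0/deviceManagement/managedDevices" +
       "?`$filter=complianceState eq 'noncompliant'" +
       "&`$select=deviceName,userPrincipalName,operatingSystem,osVersion,complianceState,lastSyncDateTime"

$nonCompliant = do {
    $page = Invoke-MgGraphRequest -Method GET -Uri $uri
    $page.value | ForEach-Object { [pscustomobject]$_ }
    $uri = $page.'@odata.nextLink'
} while ($uri)

"$(@($nonCompliant).Count) device(s) would be blocked once the policy is enabled:"
$nonCompliant | Format-Table deviceName, userPrincipalName, operatingSystem, osVersion, lastSyncDateTime
```

Leave the policy in report-only for at least one full check-in cycle, review the "Report-only" tab in the sign-in logs, and only then flip the state to "enabled". The exclusion of an emergency-access account is not optional: a compliance bug or an Intune outage that marks every device non-compliant would otherwise lock out the administrators who need to fix it.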

5. Best Practices

  • Don't be too aggressive immediately: Compliance policies have no report-only mode, but the Conditional Access policy that enforces them does. Roll out a new policy by assigning it to a pilot group first, keeping the Conditional Access policy in "Report-only" until the sign-in logs show who would be blocked, and scheduling the "Mark device non-compliant" action with a grace period (e.g., 3 days) so users aren't locked out instantly over minor issues.

  • Separate Compliance from Configuration: Use Configuration Profiles to apply settings (make the change), and Compliance Policies to check settings (verify the result).

  • Tenant-Wide Settings: In Compliance policy settings, set "Mark devices with no compliance policy assigned as" to Not compliant; the default is Compliant. With the default, a newly enrolled device that no policy targets satisfies a "require compliant device" Conditional Access rule before it has passed a single check. With Not compliant, an unproven device is treated as unsafe until it explicitly passes your checks.
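The following script is an added example, not code from the original post. It reads the tenant-wide compliance settings and then sets "Mark devices with no compliance policy assigned as" to Not compliant. It assumes Microsoft.Graph.Authentication is installed and the account holds the Intune Administrator role; it also assumes that this toggle is the boolean secureByDefault in the deviceManagement settings object of the Graph beta schema, which is why the script prints the current settings before writing anything so you can confirm the property name and value in your tenant.

```powershell
# Added example (not from the original post): read the tenant-wide compliance settings,
# then set "Mark devices with no compliance policy assigned as" to Not compliant.
# Assumptions: Microsoft.Graph.Authentication is installed, the account holds the Intune
# Administrator role, and the toggle is exposed as deviceManagement.settings.secureByDefault
# in the beta schema (confirm against the GET output before trusting the PATCH).

Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All" -NoWelcome

$uri = "https://graph.microsoft.com/beta/deviceManagement?`$select=settings"

# Show the current settings. secureByDefault = False means unassigned devices count as
# Compliant; deviceComplianceCheckinThresholdDays is the "Compliance status validity period".
$before = Invoke-MgGraphRequest -Method GET -Uri $uri
"Current settings:"
$before.settings | Format-List

if ($before.settings.secureByDefault -eq $true) {
    "Already set: devices with no compliance policy are treated as Not compliant."
}
else {
    # PATCH the whole settings object back with only the one value changed, so the other
    # tenant-wide settings are not reset to defaults by a partial write.
    $settings = $before.settings
    $settings.secureByDefault = $true

    Invoke-MgGraphRequest -Method PATCH `
        -Uri "https://graph.microsoft.com/beta/deviceManagement" `
        -Body (@{ settings = $settings } | ConvertTo-Json -Depth 5) `
        -ContentType "application/json"

    $after = Invoke-MgGraphRequest -Method GET -Uri $uri
    "secureByDefault is now $($after.settings.secureByDefault)"
}
```

Flip this setting before you enable the enforcing Conditional Access policy, not after: changing it in a tenant where enforcement is already live moves every device without a policy to Not compliant at its next evaluation, which is exactly the mass lockout the pilot-group and grace-period advice above is meant to avoid.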
