Device Compliance settings for Android device administrator in Intune
This article lists the compliance settings you can configure on Android device administrator devices in Intune. As part of your mobile device management (MDM) solution, use these settings to mark rooted devices as not compliant, set an allowed threat level, enable Google Play Protect, and more.
For assistance in configuring compliance policy, see Use compliance policies to set rules for devices you manage with Intune.
This feature applies to:
- Android device administrator
As an Intune administrator, use these compliance settings to help protect your organizational resources. To learn more about compliance policies, and what they do, see get started with device compliance.
Important
Microsoft Intune is ending support for Android device administrator management on devices with access to Google Mobile Services (GMS) on December 31, 2024. After that date, device enrollment, technical support, bug fixes, and security fixes will be unavailable. If you currently use device administrator management, we recommend switching to another Android management option in Intune before support ends. For more information, see Ending support for Android device administrator on GMS devices.
Before you begin
Create a compliance policy. For Platform, select Android device administrator.
Microsoft Defender for Endpoint
Require the device to be at or under the machine risk score
Select the maximum allowed machine risk score for devices evaluated by Microsoft Defender for Endpoint. Devices that exceed this score get marked as noncompliant.
- Not configured (default)
- Clear
- Low
- Medium
- High
Device Health
Devices managed with device administrator
Device administrator capabilities are superseded by Android Enterprise.- Not configured (default)
- Block - Blocking device administrator guides users to move to Android Enterprise Personally Owned and Corporate Owned Work Profile management to regain access.
Rooted devices
Prevent rooted devices from having corporate access. (This compliance check is supported for Android 4.0 and above.)- Not configured (default) - This setting isn't evaluated for compliance or noncompliance.
- Block - Mark rooted devices as not compliant.
Require the device to be at or under the Device Threat Level
Use this setting to take the risk assessment from a connected Mobile Threat Defense service as a condition for compliance.- Not configured (default) - This setting isn't evaluated for compliance or noncompliance.
- Secured - This option is the most secure, as the device can't have any threats. If the device is detected with any level of threats, the device is evaluated as noncompliant.
- Low - The device is evaluated as compliant if only low-level threats are present. Anything higher puts the device in a noncompliant status.
- Medium - The device is evaluated as compliant if existing threats on the device are low or medium level. If the device is detected to have high-level threats, the device is determined to be noncompliant.
- High - This option is the least secure, and allows all threat levels. It can be useful if you're using this solution only for reporting purposes.
Google Play Protect
Important
Devices operating in countries/regions where Google Mobile Services are not available will fail Google Play Protect compliance policy setting evaluations. For more information, see Managing Android devices where Google Mobile Services are not available.
Google Play Services is configured
Google Play services allows security updates, and is a base-level dependency for many security features on certified-Google devices.- Not configured (default) - This setting isn't evaluated for compliance or noncompliance.
- Require - Require that the Google Play services app is installed and enabled.
Up-to-date security provider
- Not configured (default) - This setting isn't evaluated for compliance or noncompliance.
- Require - Require that an up-to-date security provider can protect a device from known vulnerabilities.
Threat scan on apps
- Not configured (default) - This setting isn't evaluated for compliance or noncompliance.
- Require - Require that the Android Verify Apps feature is enabled.
Note
On the legacy Android platform, this feature is a compliance setting. Intune can only check whether this setting is enabled at the device level.
Play integrity verdict
Enter the level of Google's Play Integrity that must be met. Your options:- Not configured (default) - This setting isn't evaluated for compliance or noncompliance.
- Check basic integrity
- Check basic integrity & device integrity
Note
To configure Google Play Protect settings using app protection policies, see Intune app protection policy settings on Android.
Device Properties
Operating System Version
Minimum OS version
When a device doesn't meet the minimum OS version requirement, the devices is reported as noncompliant. A link with information about how to upgrade is shown. The end user can choose to upgrade their device, and then get access to company resources.By default, no version is configured.
Maximum OS version
When a device is using an OS version later than the version specified in the rule, access to company resources is blocked. The user is asked to contact their IT admin. Until a rule is changed to allow the OS version, this device can't access company resources.By default, no version is configured.
System Security
Encryption
Require encryption of data storage on device
Supported on Android 11 and earlier, or Samsung KNOX Android 14 and earlier.- Not configured (default) - This setting isn't evaluated for compliance or noncompliance.
- Require - Encrypt data storage on your devices. Devices are encrypted when you choose the Require a password to unlock mobile devices setting.
Device Security
Block apps from unknown sources
Supported on Android 4.0 to Android 7.x. Not supported by Android 8.0 and later- Not configured (default) - this setting isn't evaluated for compliance or noncompliance.
- Block - Block devices with Security > Unknown Sources enabled sources (supported on Android 4.0 through Android 7.x. Not supported on Android 8.0 and later.).
To side-load apps, unknown sources must be allowed. If you're not side-loading Android apps, then set this feature to Block to enable this compliance policy.
Important
Side-loading applications require that the Block apps from unknown sources setting is enabled. Enforce this compliance policy only if you're not side-loading Android apps on devices.
Company portal app runtime integrity
Not configured (default) - This setting isn't evaluated for compliance or noncompliance.
Require - Choose Require to confirm the Company Portal app meets all the following requirements:
- Has the default runtime environment installed
- Is properly signed
- Isn't in debug-mode
Block USB debugging on device
(Supported on Android 4.2 or later)- Not configured (default) - This setting isn't evaluated for compliance or noncompliance.
- Block - Prevent devices from using the USB debugging feature.
Minimum security patch level
(Supported on Android 8.0 or later)Select the oldest security patch level a device can have. Devices that aren't at least at this patch level are noncompliant. The date must be entered in the
YYYY-MM-DD
format.By default, no date is configured.
Restricted apps
Enter the App name and App bundle ID for apps that should be restricted, and then select Add. A device with at least one restricted app installed is marked as noncompliant.To get the bundle ID of an app added to Intune, you can use the Intune admin center.
Maximum minutes of inactivity before password is required (Samsung KNOX Android 12 and earlier)
This setting specifies the length of time without user input after which the mobile device screen is locked. Options range from 1 Minute to 8 Hours. The recommended value is 15 Minutes.- Not configured (default)
Require a password to unlock mobile devices
This setting specifies whether to require users to enter a password before access is granted to information on their mobile devices. Recommended value: Require (This compliance check is supported for devices with OS versions Android 4.0 and above, or KNOX 4.0 and above.)
Not configured (default) - This setting isn't evaluated for compliance or noncompliance.
Require - Users must enter a password before they can access their device. When set to require, also configure:
- Password complexity
- Required password type
Android 10 and later
The following settings are supported on Android 10 or later, but not on Knox.
Password complexity
This setting is supported on Android 10 or later, but not on Samsung Knox. On devices that run Android 9 and earlier or Samsung Knox, settings for the password length and type override this setting for complexity.Specify the required password complexity.
- None (default) - No password required.
- Low - The password satisfies one of the following conditions:
- Pattern
- Numeric PIN has a repeating (4444) or ordered (1234, 4321, 2468) sequence.
- Medium - The password satisfies one of the following conditions:
- Numeric PIN doesn't have a repeating (4444) or ordered (1234, 4321, 2468) sequence, and has minimum length of 4.
- Alphabetic, with a minimum length of 4.
- Alphanumeric, with a minimum length of 4.
- High - The password satisfies one of the following conditions:
- Numeric PIN doesn't have a repeating (4444) or ordered (1234, 4321, 2468) sequence, and has minimum length of 8.
- Alphabetic, with a minimum length of 6.
- Alphanumeric, with a minimum length of 6.
Android 9 and earlier, or Samsung Knox Android 15 and earlier
The following settings are supported on Android 9.0 and earlier, and any Android OS version 15 and earlier.
Required password type
Choose if a password should include only numeric characters, or a mix of numerals and other characters.- Device Default - To evaluate password compliance, be sure to select a password strength other than Device default.
- Low security biometric
- At least numeric
- Numeric complex - Repeated or consecutive numerals, such as
1111
or1234
, aren't allowed. - At least alphabetic
- At least alphanumeric
- At least alphanumeric with symbols
Based on the configuration of this setting, one or more of the following options are available:
Minimum password length
Enter the minimum number of digits or characters that the user's password must have.Maximum minutes of inactivity before password is required
Enter the idle time before the user must reenter their password. When you choose Not configured (default), this setting isn't evaluated for compliance or noncompliance.Number of days until password expires
Select the number of days before the password expires and the user must create a new password.Number of previous passwords to prevent reuse
Enter the number of recent passwords that can't be reused. Use this setting to restrict the user from creating previously used passwords.