Apply compliance settings at enrollment - Intune

Steve Stormont 21 Reputation points
2020-09-14T13:55:15.07+00:00

We have created a compliance policy for Android devices that blocks rooted devices and sets the minimum OS version to 7.0. However, when a user enrolls a device that is either below Android 7 or rooted, they are able to enroll, and the compliance policy is only applied later. Is there a way to enforce the policy at enrollment, so that the user isn't even able to enroll if they don't meet those requirements?

Also, is there a way to log users out of corporate applications if their device isn't compliant? Teams seems to let them stay logged in even if the device is non-compliant.


Accepted answer
  1. Crystal-MSFT 49,426 Reputation points Microsoft Vendor
    2020-09-15T02:13:44.46+00:00

    @Steve Stormont , As far as I know, the compliance policy is applied to the device after it is enrolled. To block device enrollment when the OS version is low, we can try to set the maximum version under Device enrollment restrictions. The following link is for reference:
    https://learn.microsoft.com/en-us/mem/intune/enrollment/enrollment-restrictions-set#create-a-device-type-restriction

    In addition, to block non-compliant devices from accessing applications like Teams, we can create a Conditional Access policy and configure "Require device to be marked as compliant" under Access controls. To create a Conditional Access policy, we can read the following article:
    https://learn.microsoft.com/en-us/mem/intune/protect/create-conditional-access-intune

    The policy is applied when the user checks in. If the user is already logged in to the application, the connection is kept and the resource is still accessible. For this scenario, we can consider sign-in frequency to force the user to sign in again. For more details, we can read the following article:
    https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-session-lifetime

    Hope it can help.



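The two controls the accepted answer describes (an enrollment restriction on Android OS version, and a Conditional Access policy that requires a compliant device and sets a sign-in frequency) can be created with the Microsoft Graph PowerShell SDK instead of the portal. The script below is an added example, not code from the thread or from Microsoft's documentation. It assumes the Microsoft.Graph module is installed, that you hold the listed scopes, that the default platform-restrictions configuration is the one to edit (the Graph property names under `androidRestriction` are taken from the v1.0 `deviceEnrollmentPlatformRestrictionsConfiguration` schema), and that the policy display name and the "All" user/app targeting are placeholders you will narrow for your tenant.

```powershell
# Added example: enrollment restriction + Conditional Access via Microsoft Graph PowerShell.
# Assumes: Microsoft.Graph module, an admin account, and that the default platform
# restriction configuration is the one you want to change.
Connect-MgGraph -Scopes 'DeviceManagementServiceConfig.ReadWrite.All',
                        'Policy.ReadWrite.ConditionalAccess',
                        'Policy.Read.All'

$graph = 'https://graph.microsoft.com/v1.0'

# 1) Enrollment restriction: reject Android devices below 7.0 at enrollment time.
#    (Rooted-device detection only exists in compliance policy, not in enrollment
#    restrictions, so that check still happens after enrollment.)
$configs = Invoke-MgGraphRequest -Method GET -Uri "$graph/deviceManagement/deviceEnrollmentConfigurations"
$platformCfg = $configs.value |
    Where-Object { $_.'@odata.type' -eq '#microsoft.graph.deviceEnrollmentPlatformRestrictionsConfiguration' } |
    Select-Object -First 1

$restriction = @{
    '@odata.type'      = '#microsoft.graph.deviceEnrollmentPlatformRestrictionsConfiguration'
    androidRestriction = @{
        platformBlocked                 = $false
        personalDeviceEnrollmentBlocked = $false
        osMinimumVersion                = '7.0'   # the lower bound the question asks for
        osMaximumVersion                = ''      # empty string = no upper bound (assumed)
    }
}
Invoke-MgGraphRequest -Method PATCH `
    -Uri "$graph/deviceManagement/deviceEnrollmentConfigurations/$($platformCfg.id)" `
    -Body $restriction

# 2) Conditional Access: block non-compliant devices from cloud apps (Teams included)
#    and re-evaluate the session every hour via sign-in frequency.
$policy = @{
    displayName   = 'Android - require compliant device'          # placeholder name
    state         = 'enabledForReportingButNotEnforced'           # start report-only; set 'enabled' after review
    conditions    = @{
        users          = @{
            includeUsers = @('All')
            excludeUsers = @()     # put break-glass admin accounts here before enabling
        }
        applications   = @{ includeApplications = @('All') }    # narrow to Teams/Office 365 if preferred
        platforms      = @{ includePlatforms = @('android') }
        clientAppTypes = @('all')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('compliantDevice') }
    sessionControls = @{
        signInFrequency = @{ value = 1; type = 'hours'; isEnabled = $true }
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

Two cautions a practitioner would want: start the policy in report-only and confirm the sign-in logs show the expected "would have blocked" results before switching it to `enabled`, and never target "All users" with a require-compliant-device grant without excluding break-glass accounts, or the admin accounts can be locked out by their own policy.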

2 additional answers

  1. Steve Stormont 21 Reputation points
    2020-09-18T13:27:02.103+00:00

    Thank you for those answers. One thing we have noticed regarding the sign-in is that it seems to take 20-30 minutes between when a device is marked noncompliant and when the user session is revoked (even if we change a Conditional Access policy and then sync the device). Is that expected?

    The third link you provided (https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-session-lifetime) says that sessions will be revoked when marked noncompliant, but it doesn't make any reference to time.

    It might sound alarming to not ask for a user to sign back in, in reality any violation of IT policies will revoke the session. Some examples include (but are not limited to) a password change, an incompliant device, or account disable. You can also explicitly revoke users’ sessions using PowerShell. The Azure AD default configuration comes down to “don’t ask users to provide their credentials if security posture of their sessions has not changed”.

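The documentation text quoted above says sessions can also be revoked explicitly with PowerShell. The script below is an added example, not part of the thread, showing one way to do that against exactly the devices Intune reports as non-compliant, so you are not waiting for the next Conditional Access re-evaluation. It assumes the Microsoft.Graph module, the listed scopes, and that the SDK exposes the managed device's Entra device ID as `AzureAdDeviceId` (an assumption about the SDK's property naming). Revoking sessions invalidates the user's refresh tokens; access tokens already issued stay valid until they expire, which is why re-authentication is still not instantaneous.

```powershell
# Added example: revoke sign-in sessions for every user with a non-compliant Intune device.
# Assumes: Microsoft.Graph module and an account holding the scopes below.
Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.Read.All',
                        'Directory.Read.All',
                        'User.ReadWrite.All'

# Devices Intune currently marks non-compliant.
$noncompliant = Get-MgDeviceManagementManagedDevice -Filter "complianceState eq 'noncompliant'" -All

# Cross-check the Entra (Azure AD) device record, which is what Conditional Access
# actually evaluates; if Intune and Entra disagree, CA will not block yet.
foreach ($d in $noncompliant) {
    $entra = Get-MgDevice -Filter "deviceId eq '$($d.AzureAdDeviceId)'"   # AzureAdDeviceId: assumed SDK name
    '{0} ({1}) Intune={2} Entra.IsCompliant={3}' -f $d.DeviceName, $d.UserPrincipalName,
                                                   $d.ComplianceState, $entra.IsCompliant
}

# Revoke sessions once per affected user (a user may own several devices).
$users = $noncompliant |
    Where-Object { $_.UserPrincipalName } |
    Select-Object -ExpandProperty UserPrincipalName -Unique

foreach ($upn in $users) {
    # Invalidates refresh tokens so the next token refresh forces a fresh sign-in,
    # at which point the compliant-device grant control is re-evaluated.
    Revoke-MgUserSignInSession -UserId $upn | Out-Null
    "Revoked sessions for $upn"
}
```

Run it once with `-WhatIf` on the `Revoke-MgUserSignInSession` call to see the affected user list first; revoking sessions for a user signs them out of every app on every device, not just the non-compliant one.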

  2. Steve Stormont 21 Reputation points
    2020-09-21T18:30:25.803+00:00

    Yes, they show as non-compliant in both Azure and Intune.

