How does Azure/Intune identify rooted/jailbroken devices during AD registration?

Sumit Yadav 5 Reputation points
2023-05-13T21:24:06.2366667+00:00

Question: When a user enters organization credentials on a rooted/jailbroken device, Azure AD registers the device. However, how does Intune/Azure determine that the device is rooted/jailbroken solely based on user credentials? Are there any prerequisites or checks before registration? In this scenario, the device is not enrolled and the user is entering their credentials for the first time on the device.

Microsoft Security | Microsoft Entra | Microsoft Entra ID
Microsoft Security | Intune | Other

2 answers

  1. Crystal-MSFT 53,991 Reputation points Microsoft External Staff
    2023-05-15T01:59:54.0433333+00:00

    @Sumit Yadav, Thanks for posting in Q&A.

    As far as I know, in Intune, compliance policy can detect jailbroken/rooted devices, and app protection policy can block them from accessing work or school account data. Here are the links with more details:

    https://learn.microsoft.com/en-us/mem/intune/protect/compliance-policy-create-ios#device-health

    https://learn.microsoft.com/en-us/mem/intune/protect/compliance-policy-create-android-for-work

    https://techcommunity.microsoft.com/t5/intune-customer-success/app-protection-policy-conditional-launch-improvements/ba-p/2209022

    But how it is detected in the background is not mentioned in our official documentation. You can open a case to see if you can get more help.

    https://learn.microsoft.com/en-us/mem/get-support

    Thanks for your understanding.


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


  2. Akshay-MSFT 17,956 Reputation points Microsoft Employee Moderator
    2023-05-31T05:44:04.99+00:00

    @Sumit Yadav

    There are several checks done on the basis of location services to validate whether the device is jailbroken/rooted:

    • For iOS: Every time the user shares their GPS location (by moving 500 meters from the previous location or by opening the Company Portal app), the app does jailbreak detection (using the same logic as the Intune MAM SDK example). If the device is jailbroken, the location isn't considered valid, and the user isn't granted access.

    MDM makes a variety of checks to determine that a device is jailbroken. For example, checking if certain directories exist, checking if the root partition or directory is writeable, and many more which are not documented.

    Rooting a device involves changing its software. These changes make the device more prone to unauthorized access and malicious attacks. So that's why rooted devices are often blocked from accessing company email or files.

    Your organization can block your device from accessing work or school resources when:

    • You install an app on your device that the root detection software thinks is a security risk. For example, if you're prompted to unroot your device immediately after you install an app, uninstall the app and then check to see if you regain access.
    • Your device manufacturer installed software on your device that the root detection software thinks is a security risk. Contact your IT support person for help. For contact information, go to the Company Portal website.
    • You rooted the device. Reverse the root (commonly done with PC software or apps) and restore the device back to its previous state. Make sure to back up your device before you begin.

    Please do let me know if you have any queries by responding in the comments section.

    Thanks,

    Akshay Kaushik

    Please "Accept the answer" (Yes), and share your feedback if the suggestion answers your query. This will help us and others in the community as well.

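The two classes of check named in the answer above (does a known jailbreak/root artifact path exist, and is the root filesystem writable) can be shown in a few lines of POSIX C. The following is an added example written for this page; it is not Intune's or the MAM SDK's code, and the path lists are illustrative assumptions, not Microsoft's undocumented list. The same stat()/fopen() calls compile unchanged inside an Objective-C app on iOS or an NDK library on Android, which is where such checks actually run.

```c
#include <stdio.h>
#include <unistd.h>
#include <sys/stat.h>

/*
 * Illustrative artifact paths (assumed for this example, not Intune's list).
 * On a stock device none of these should resolve; a hit means something
 * outside the vendor image has been installed.
 */
static const char *const kIosSuspiciousPaths[] = {
    "/Applications/Cydia.app",
    "/Library/MobileSubstrate/MobileSubstrate.dylib",
    "/usr/sbin/sshd",
    "/etc/apt",
    "/private/var/lib/apt",
    NULL /* terminator */
};

static const char *const kAndroidSuspiciousPaths[] = {
    "/system/bin/su",
    "/system/xbin/su",
    "/sbin/su",
    "/system/app/Superuser.apk",
    NULL /* terminator */
};

/* Returns 1 if stat() can resolve the path (file, directory or symlink target). */
int path_exists(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0;
}

/* Counts how many entries of a NULL-terminated path list exist on this filesystem. */
int count_existing(const char *const *paths)
{
    int hits = 0;
    for (; *paths != NULL; paths++)
        if (path_exists(*paths))
            hits++;
    return hits;
}

/*
 * Tries to create, then remove, a scratch file directly under dir.
 * On a stock iOS device the system volume ("/") is mounted read-only, so a
 * successful write there means it was remounted: a strong jailbreak signal.
 * Any failure (EROFS, EACCES, ENOENT ...) is reported as "not writable".
 */
int dir_is_writable(const char *dir)
{
    char probe[512];
    int n = snprintf(probe, sizeof probe, "%s/.jb_probe_%ld", dir, (long)getpid());
    if (n < 0 || (size_t)n >= sizeof probe)
        return 0;
    FILE *f = fopen(probe, "w");
    if (f == NULL)
        return 0;
    fclose(f);
    unlink(probe);
    return 1;
}

/*
 * Combines both checks into an indicator count; any non-zero result is
 * treated as jailbroken/rooted. A production check would also verify
 * that it has not itself been hooked or debugged, which is out of scope here.
 */
int jailbreak_indicators(const char *const *paths, const char *root_dir)
{
    int score = count_existing(paths);
    if (dir_is_writable(root_dir))
        score++;
    return score;
}

int main(void)
{
    int ios = jailbreak_indicators(kIosSuspiciousPaths, "/");
    int android = jailbreak_indicators(kAndroidSuspiciousPaths, "/");
    printf("iOS-style indicators: %d, Android-style indicators: %d\n", ios, android);
    return (ios + android) > 0 ? 1 : 0;
}
```

Running this on a desktop Linux box will report hits (for example /etc/apt exists on Debian-derived systems, and "/" is writable for root), which is exactly why such lists are platform-specific and why an app that relies on them should treat the result as one signal among several rather than a verdict.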
