Guidance on compliance policy configuration for BYOD vs company devices

GregT8 46 Reputation points
2021-05-17T20:53:36.603+00:00

We would like to apply a compliance policy to all users in the org. In our company, each user has their own device. Users do not share devices. In this case, we've been advised that it is best practice to deploy compliance policies only to users and not to devices. We have different security requirements for BYOD devices vs company devices.

Given that we have been advised to deploy compliance policies only to users, what guidance do you have for maintaining separate compliance policies for users' BYOD devices and users' company devices?

Microsoft Security | Intune | Configuration

Accepted answer
  1. Crystal-MSFT 53,991 Reputation points Microsoft External Staff
    2021-05-18T01:32:31.727+00:00

    @GregT8, from your description, I know we want to deploy compliance policies to users, and we have different security requirements for BYOD devices and company devices.

    Here we would like to confirm whether a user will only use one kind of device, for example only BYOD devices or only company devices. If so, we can add these users to different groups to apply the policies. However, if the users have both BYOD devices and company devices, when the compliance policy applies to this user, both BYOD and company devices will receive the same policy. To separate them, it seems the new feature "filters (preview)" can accomplish what you want. Currently, the feature is still in the preview stage, but we can try.

    1. Enable the filters public preview. Select Tenant administration > Filters (preview) > Try out the filters (preview) feature. Set Filters (preview) to On:
       (screenshot: 98114-image.png)
    2. Create a filter with a rule that sets deviceOwnership to Personal or Corporate:
       (screenshot: 98115-image.png)
    3. Go to the compliance policy and edit the filter for our policy so that it only applies to Personal devices for the users in that group:
       (screenshot: 98085-image.png)

    We can see more details in the following link:
    https://learn.microsoft.com/en-us/mem/intune/fundamentals/filters

    Hope it can help.


3 additional answers

  1. GregT8 46 Reputation points
    2021-05-18T14:28:26.223+00:00

    Thanks for getting back to me Crystal.

    Our scenario is that users have both a BYOD device and a company device.

    In this case, is the only recommended method to deploy compliance policies to device groups instead of user groups?


  2. GregT8 46 Reputation points
    2021-05-19T12:48:05.567+00:00

    Thanks again Crystal.

    BTW, it looks like Microsoft will soon introduce a new feature to better accommodate this scenario:

    https://techcommunity.microsoft.com/t5/microsoft-endpoint-manager-blog/use-microsoft-endpoint-manager-filters-to-target-apps-and/ba-p/2333342


  3. Crystal-MSFT 53,991 Reputation points Microsoft External Staff
    2021-05-20T04:37:44.47+00:00

    @GregT8, good sharing. After reviewing the feature in preview, it seems the new feature can accomplish what you want. Currently, the feature is still in the preview stage, but we can try.

    1. Enable the filters public preview. Select Tenant administration > Filters (preview) > Try out the filters (preview) feature. Set Filters (preview) to On:
       (screenshot: 98114-image.png)
    2. Create a filter with a rule that sets deviceOwnership to Personal or Corporate:
       (screenshot: 98115-image.png)
    3. Go to the compliance policy and edit the filter for our policy so that it only applies to Personal devices for the users in that group:
       (screenshot: 98085-image.png)

    We can see more details in the following link:
    https://learn.microsoft.com/en-us/mem/intune/fundamentals/filters

    Hope it can help.

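The same three steps scripted against Microsoft Graph, as an added example that is not part of either answer above: two ownership filters are created and each compliance policy is assigned to the same user group with its own filter, so one user with both device kinds gets the BYOD policy on the personal device and the stricter policy on the corporate one. Assumptions: the Microsoft.Graph PowerShell module and the beta endpoint; the policy and group ids are placeholders; the platform enum value and the rule property/value strings (`device.deviceOwnership`, `Personal`, `Company`) are as recalled from the filter rule builder and should be checked there before use.

```powershell
# Added example (not from the thread). Requires: Install-Module Microsoft.Graph
Import-Module Microsoft.Graph.Authentication
Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All"

$graph        = "https://graph.microsoft.com/beta/deviceManagement"
$platform     = "windows10AndLater"            # assumption: filter platform enum value
$groupId      = "<ALL-USERS-GROUP-ID>"         # placeholder: user group that gets both policies
$byodPolicyId = "<BYOD-COMPLIANCE-POLICY-ID>"  # placeholder: policy with BYOD requirements
$corpPolicyId = "<CORP-COMPLIANCE-POLICY-ID>"  # placeholder: policy with company requirements

function New-OwnershipFilter {
    param([string]$Name, [string]$Ownership)
    # Step 2: a filter whose rule matches on device ownership.
    # Rule syntax as in the filter rule builder; values assumed to be Personal / Company.
    $body = @{
        displayName = $Name
        platform    = $platform
        rule        = "(device.deviceOwnership -eq `"$Ownership`")"
    }
    Invoke-MgGraphRequest -Method POST -Uri "$graph/assignmentFilters" -Body $body
}

function Set-PolicyAssignment {
    param([string]$PolicyId, [string]$FilterId)
    # Step 3: assign the policy to the user group, included only for devices the filter matches.
    $body = @{
        assignments = @(
            @{
                target = @{
                    "@odata.type" = "#microsoft.graph.groupAssignmentTarget"
                    groupId       = $groupId
                    deviceAndAppManagementAssignmentFilterId   = $FilterId
                    deviceAndAppManagementAssignmentFilterType = "include"
                }
            }
        )
    }
    Invoke-MgGraphRequest -Method POST -Uri "$graph/deviceCompliancePolicies/$PolicyId/assign" -Body $body
}

# Create one filter per ownership type, then bind each policy to the user group through its filter.
$byodFilter = New-OwnershipFilter -Name "BYOD devices"      -Ownership "Personal"
$corpFilter = New-OwnershipFilter -Name "Corporate devices" -Ownership "Company"

Set-PolicyAssignment -PolicyId $byodPolicyId -FilterId $byodFilter.id
Set-PolicyAssignment -PolicyId $corpPolicyId -FilterId $corpFilter.id
```

Enabling the preview (step 1) is a one-time tenant setting done in the portal, so it is not scripted here.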
