Device compliance settings for Android (AOSP) in Intune

Article
02/22/2023

This article lists the compliance settings you can configure for Android (AOSP) devices in Intune. Use these settings as part of your mobile device management (MDM) solution to define your organization's standards for:

Device health
Device properties
System security

Devices are also governed by tenant-wide compliance policy settings. To manage the tenant-wide compliance policy settings in your tenant, sign in to Microsoft Intune admin center and go to Endpoint security > Device compliance > Compliance policy settings.

To learn more about compliance policies, and what they do, see get started with device compliance.

This feature applies to:

Android (AOSP)

Before you begin

To access these settings, create an Android (AOSP) compliance policy. When prompted to select a Platform, choose Android (AOSP).

Device health

Rooted devices
Prevent rooted devices from having corporate access.
- Not configured (default) - This setting isn't evaluated for compliance or non-compliance.
- Block - Mark rooted devices as not compliant.

Device properties

Minimum OS version
When a device doesn't meet the minimum OS version requirement, it's reported as noncompliant. A link with information about how to upgrade is shown. The end user can choose to upgrade their device, and then get access to company resources.

By default, no version is configured.
Maximum OS version
When a device is using an OS version later than the version specified in the rule, access to company resources is blocked. The user is asked to contact their IT admin. Until a rule is changed to allow the OS version, this device can't access company resources.

By default, no version is configured.
Minimum security patch level
Enter the oldest security patch level a device can have. Devices that aren't at least at this patch level are noncompliant. The date must be entered in the YYYY-MM-DD format.

By default, no patch level is configured.

System security

If you don't configure password requirements, the use of a device password is optional and left up to the users to configure.

Require a password to unlock mobile devices
Require users to have a password-protected lock screen on their device. Your options:
- Not configured (default) - This setting isn't evaluated for compliance or non-compliance.
- Yes - Users must enter a password to unlock their devices.

If you require a password, also configure:

Required password type
Require users to use a certain type of password. Your options:
- Device default - To evaluate password compliance, be sure to select a password strength other than Device default.
- Numeric - Password must only be numbers, such as 123456789. Also enter:
  - Minimum password length: The minimum number of digits required, from 4 to 16.
- Numeric complex - Repeated or consecutive numerals, such as 1111 or 1234, aren't allowed. Also enter:
  - Minimum password length: The minimum number of digits required, from 4 to 16.
Note
- There is a known issue that prevents Password required, no restriction from working on Android (AOSP) devices.
- The following password types are listed as options but are not supported for Android (AOSP) devices: alphabetic, alphanumeric, and alphanumeric with symbols.
Maximum minutes of inactivity before password is required
Enter the maximum idle time allowed, from 1 minute to 8 hours, before the user must re-enter their password to get back into their device. When you choose Not configured (default), this setting isn't evaluated for compliance or non-compliance.

Encryption

Encryption of data storage on a device
Your options are:
- Not configured (default) - This setting isn't evaluated for compliance or non-compliance.
- Require - Encrypt data storage on your devices. Devices are encrypted when you choose the Require a password to unlock mobile devices setting.

Device compliance reporting

Compliance reports are currently not available for Android (AOSP) devices. This section will be updated when reporting becomes available.