Skill 2.1: Implement compliance policies for devices
Once you begin to manage Windows 10 devices using standalone Microsoft Intune or integrated into Microsoft Endpoint Manager, you will want to implement conditional access to provide granular access control for your corporate resources. These resources can include data contained in controlled applications. Intune works together with Azure Active Directory (Azure AD) to actively check the status of enrolled devices against your policies each time a resource such as corporate email is accessed.
With Microsoft Intune, you can stipulate the necessary compliance checks that Azure AD will perform on enrolled devices. By deploying compliance policies, devices can be allowed or denied access to your corporate resources. You need to understand how to plan, implement, and manage these policies to meet organizational security requirements.
This skill covers how to:
- Plan device compliance policies
- Implement device compliance policies
- Manage device compliance policies
Plan device compliance policies
Many organizations are regulated and must comply with laws and regulations, such as those shown in Table 2-1. To remain in compliance, administrators need to configure and manage devices and any data contained on them, in accordance with the corporate security and compliance requirements. Modern management enables administrators to control devices and restrict their usage when accessing corporate data.
TABLE 2-1 Regulations and compliance

| Regulation | Region | Requirement |
| --- | --- | --- |
| HIPAA (Health Insurance Portability and Accountability Act of 1996) | USA | User isn't prompted to Multifactor Authentication (MFA). |
| Sarbanes-Oxley Act | USA | The Chief Financial Officer (CFO) and Chief Executive Officer (CEO) have joint responsibility for the financial data. Administrators will need to keep financial data secure and free from tampering, theft, and deletion. |
| Gramm-Leach-Bliley Act | USA | Responsibility for security lies with the entire board of directors. IT administrators, while not legally bound, will be delegated the implementation and management of IT security. |
| GDPR (General Data Protection Regulation) | EU | Requires all enterprises, regardless of their location, to adhere to EU privacy laws relating to any individual living in the EU. |
Using Microsoft Intune, you can define compliance policies. Once compliance policies have been created, they can be assigned to enrolled devices and device groups. Devices will be configured using the compliance policy and become compliant.
Each time that a device attempts to access corporate resources, such as a SharePoint TeamSite or corporate email client, the policy on the device will be evaluated and its compliance status determined. Only compliant devices will be granted access to the resources.
Organizations must have Azure AD Premium P1 or P2 licenses, and each device requires an Intune license to use compliance policies.
The following device platforms can be managed using compliance policies once they have been enrolled into Intune:
- Android and Android Enterprise
- iOS and macOS
- Windows 10 and Windows 8.1
When considering how your organization will achieve compliance, you may need to review the features available and support for compliance policies. Each compliance policy within Intune is platform specific, and the actual compliance policy settings available will vary depending on the settings that are exposed to the mobile device management (MDM) framework by the platform vendor. For example, BitLocker encryption is available only on Windows devices and Google Play Protect is available only on the Android platform.
Exam Tip
The exam will expect you to know that Intune enables you to configure compliance policies on devices that do not run Windows. Ensure that you know the various platforms that Intune supports.

Some of the more commonly used device compliance settings that you can implement include the following:
- Require A Password To Access Devices: For example, a PIN or password.
- Local Data Encryption: BitLocker encryption or other boot protection such as Secure Boot.
- Is The Device Jailbroken Or Rooted: Often, a device that has been jailbroken or rooted will be more vulnerable to malware attack.
- Minimum Operating System Version Required: Prevents outdated software from being used, which may be more vulnerable to malware attack.
- Maximum Operating System Version Allowed: Prevents software that has not been tested or approved for corporate use from being used.
- Protected Against Malware Threats: Requires the device to have an antimalware solution enabled, signatures up to date, or real-time protection enabled.
- Network Location-Based: Blocks access to a corporate network if a device leaves a defined location.
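To make the evaluation step concrete, the following is an added Python illustration (not Intune or Microsoft code) of how the settings listed above combine into a single compliant/noncompliant verdict that a conditional access decision can act on. The policy fields, the device inventory fields and the sample devices are all constructed for this example; the real evaluation is performed by Intune and Azure AD when the device requests a resource. The example also shows one detail worth getting right in any such evaluator: operating system versions must be compared numerically, because a plain string comparison ranks "10.0.9" above "10.0.19041".

```python
"""Toy evaluator for device compliance checks (added illustration; the field
names and sample data below are constructed and are not Intune's schema)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Device:
    """Constructed inventory record for an enrolled device."""
    name: str
    platform: str                 # "Windows", "iOS" or "Android"
    os_version: str               # dotted version string, e.g. "10.0.19041"
    password_set: bool
    encrypted: bool               # BitLocker / platform encryption enabled
    jailbroken_or_rooted: bool
    antimalware_enabled: bool
    signatures_current: bool
    realtime_protection: bool
    network_location: str         # constructed: where the device currently is


@dataclass
class CompliancePolicy:
    """One policy per platform, mirroring the setting categories above."""
    platform: str
    require_password: bool = True
    require_encryption: bool = True
    block_jailbroken_or_rooted: bool = True
    os_minimum: Optional[str] = None
    os_maximum: Optional[str] = None
    require_antimalware: bool = True
    allowed_locations: Set[str] = field(default_factory=set)  # empty = no check


def version_tuple(version: str) -> Tuple[int, ...]:
    """Numeric comparison key so that 10.0.19041 sorts above 10.0.9."""
    return tuple(int(part) for part in version.split("."))


def evaluate(device: Device, policy: CompliancePolicy) -> List[str]:
    """Return the list of failed checks; an empty list means compliant."""
    if device.platform != policy.platform:
        return [f"policy targets {policy.platform}, device is {device.platform}"]
    failures: List[str] = []
    if policy.require_password and not device.password_set:
        failures.append("no password or PIN set")
    if policy.require_encryption and not device.encrypted:
        failures.append("local data not encrypted")
    if policy.block_jailbroken_or_rooted and device.jailbroken_or_rooted:
        failures.append("device is jailbroken or rooted")
    if policy.os_minimum and version_tuple(device.os_version) < version_tuple(policy.os_minimum):
        failures.append(f"os version {device.os_version} below minimum {policy.os_minimum}")
    if policy.os_maximum and version_tuple(device.os_version) > version_tuple(policy.os_maximum):
        failures.append(f"os version {device.os_version} above maximum {policy.os_maximum}")
    if policy.require_antimalware and not (
        device.antimalware_enabled and device.signatures_current and device.realtime_protection
    ):
        failures.append("antimalware disabled, out of date, or real-time protection off")
    if policy.allowed_locations and device.network_location not in policy.allowed_locations:
        failures.append(f"device outside allowed locations ({device.network_location})")
    return failures


def access_decision(device: Device, policy: CompliancePolicy) -> str:
    """Conditional-access style verdict: only compliant devices are granted access."""
    return "grant" if not evaluate(device, policy) else "block"


def compliance_report(devices: List[Device], policy: CompliancePolicy) -> Dict[str, str]:
    """Map each device name to its access decision under one policy."""
    return {d.name: access_decision(d, policy) for d in devices}


# Constructed sample policy and devices (not real inventory data).
WINDOWS_POLICY = CompliancePolicy(
    platform="Windows", os_minimum="10.0.18362", os_maximum="10.0.19045",
    allowed_locations={"HQ-corp-wifi", "branch-office"},
)

LAPTOP_OK = Device("LAPTOP-01", "Windows", "10.0.19041", True, True, False, True, True, True, "HQ-corp-wifi")
LAPTOP_OLD = Device("LAPTOP-02", "Windows", "10.0.17763", True, True, False, True, True, True, "HQ-corp-wifi")
LAPTOP_AWAY = Device("LAPTOP-03", "Windows", "10.0.19041", True, False, False, True, False, True, "coffee-shop")
PHONE_ROOTED = Device("PHONE-01", "iOS", "14.4", True, True, True, True, True, True, "HQ-corp-wifi")

if __name__ == "__main__":
    for name, verdict in compliance_report([LAPTOP_OK, LAPTOP_OLD, LAPTOP_AWAY, PHONE_ROOTED], WINDOWS_POLICY).items():
        print(f"{name}: {verdict}")
```

Note that `PHONE_ROOTED` is blocked by the Windows policy simply because the policy does not target its platform; in Intune you would assign a separate iOS policy, and that policy's jailbreak check is what would block it. The report groups every failed check rather than stopping at the first one, which is the form an administrator needs when deciding which setting to remediate.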