Forum Discussion
Device Config Policy vs Device Compliance Policy
- Sep 21, 2018
Hi Stuart,
Compliance settings are mostly used in combination with Conditional Access to check a device for certain settings and then set a compliant flag or not. They can also be used just for reporting whether certain settings are set, like BitLocker. So it's a kind of simple check, and remember: if several compliance policies have the same setting, they are evaluated and the most restrictive value counts. PIN 4 and PIN 6 in two compliance policies, then PIN length 6 is enforced.
Configuration policies instead are the way to configure and not to check. E.g. set creation of something like passwords to deny simple passwords. It's not a check; it will enforce the setting, in the password example, during creation of the password. If two configuration policies have the same setting they are in conflict and the setting will not be applied.
Hope this helps in your decisions.
best,
Oliver
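To make the two merge rules Oliver describes concrete (most restrictive compliance value wins; conflicting configuration values are not applied), here is a small model of that behaviour. This is an added example with constructed policy names, setting names and device data, not Microsoft's implementation or real Intune setting IDs.

```python
"""Toy model of the Intune merge rules described above (added example).

Compliance policies: evaluated together, the most restrictive value wins.
Configuration policies: if two policies disagree on a setting, that setting
is in conflict and is not applied at all.
Setting names and policy names are constructed, not real Intune identifiers.
"""

# Per-setting rule for choosing the most restrictive of several values.
MOST_RESTRICTIVE = {
    "min_pin_length": max,      # longer required PIN is stricter
    "max_os_age_days": min,     # shorter grace period for OS updates is stricter
    "require_bitlocker": any,   # requiring encryption wins over not requiring it
}

# Constructed sample: two compliance policies overlapping on PIN length (4 vs 6).
COMPLIANCE_POLICIES = {
    "Baseline": {"min_pin_length": 4, "require_bitlocker": True},
    "Finance": {"min_pin_length": 6, "max_os_age_days": 30},
}

# Constructed sample: two configuration policies that disagree on the camera.
CONFIGURATION_POLICIES = {
    "Corp-Baseline": {"camera_enabled": False, "cortana_enabled": False},
    "Marketing": {"camera_enabled": True},
}

# Constructed sample device: 4-digit PIN, BitLocker on, OS 10 days old.
DEVICE = {"pin_length": 4, "os_age_days": 10, "bitlocker_on": True}


def merge_compliance(policies):
    """Merge several compliance policies into one effective set of requirements."""
    effective = {}
    for setting, combine in MOST_RESTRICTIVE.items():
        values = [p[setting] for p in policies.values() if setting in p]
        if values:
            effective[setting] = combine(values)
    return effective


def evaluate_compliance(device, policies):
    """Return (compliant, failed_settings) for one device against the merged policy."""
    required = merge_compliance(policies)
    failures = []
    if "min_pin_length" in required and device["pin_length"] < required["min_pin_length"]:
        failures.append("min_pin_length")
    if "max_os_age_days" in required and device["os_age_days"] > required["max_os_age_days"]:
        failures.append("max_os_age_days")
    if required.get("require_bitlocker") and not device["bitlocker_on"]:
        failures.append("require_bitlocker")
    return (not failures, failures)


def merge_configuration(policies):
    """Return (applied, conflicts).

    A setting is applied only when every policy that touches it agrees on the
    value; otherwise it is reported as a conflict and left unapplied.
    """
    seen = {}
    for settings in policies.values():
        for setting, value in settings.items():
            seen.setdefault(setting, set()).add(value)
    applied = {s: next(iter(v)) for s, v in seen.items() if len(v) == 1}
    conflicts = sorted(s for s, v in seen.items() if len(v) > 1)
    return applied, conflicts


if __name__ == "__main__":
    print("effective compliance:", merge_compliance(COMPLIANCE_POLICIES))
    print("device compliant?   ", evaluate_compliance(DEVICE, COMPLIANCE_POLICIES))
    print("config applied/conflicts:", merge_configuration(CONFIGURATION_POLICIES))
```

With the constructed data the effective PIN requirement is 6, so the device with a 4-digit PIN is reported non-compliant on that one setting, while the camera setting is dropped as a conflict and only the Cortana setting is applied.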
Thanks, this was helpful. I have a few more questions...
1) How do I create a compliance policy that the device MUST be Azure or Intune joined to be able to use the Desktop Apps?
2) In general, I think Compliance Policies vs Configuration Policies are confusing....so I plan on just using Compliance Policies with Conditional Access....so how do I make it so that they cannot access resources unless they are compliant?
Hi reditguy,
I think what you are looking for is a set of Conditional Access policies to ensure your devices are compliant before accessing your cloud services. There is a checkbox to grant access only for compliant devices. This way you can create a Conditional Access policy to protect your services and allow access only to devices marked as compliant.
The evaluation to be compliant is simple: the device needs to be Azure AD joined and Intune enrolled (I would recommend MDM auto-enrollment). As soon as the device gets joined and enrolled it receives the compliance policy and evaluates its status, e.g. Require Password, enforce encryption, OS version etc., sends the result back and gets the flag for compliant or not depending on the evaluation.
The configuration policies are mainly for configuration, for example to turn on or off certain features of Windows 10. As an example: turn off camera or Cortana, or configure a start menu.
best,
Oliver
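The join/enroll, evaluate, flag, then Conditional Access sequence Oliver describes, together with the "devices with no compliance policy assigned" default that comes up later in the thread, as an added model. It is constructed example code, not Microsoft's implementation; the state labels, policy settings and device names are made up for illustration.

```python
"""Toy model of the compliance-then-Conditional-Access flow (added example).

1. A device object that can carry a compliance flag exists only after the
   device is Azure AD joined and Intune enrolled.
2. The device is evaluated against its assigned compliance policy; a device
   with no policy assigned gets the tenant default (set to NotCompliant here).
3. A Conditional Access policy with "require compliant device" grants access
   only when the flag is Compliant.
All names, labels and settings are constructed for illustration.
"""

from dataclasses import dataclass, field
from typing import Optional

# Tenant default for devices with no compliance policy assigned (constructed label).
DEFAULT_WITHOUT_POLICY = "NotCompliant"

# Constructed compliance policy: every listed setting must match.
COMPLIANCE_POLICY = {"password_required": True, "encryption_on": True, "os_version_ok": True}


@dataclass
class Device:
    name: str
    azure_ad_joined: bool = False
    intune_enrolled: bool = False
    settings: dict = field(default_factory=dict)
    # None means there is no device object / the device has never been evaluated.
    compliance_state: Optional[str] = None


def has_device_object(device):
    """Only a joined and enrolled device has an object that can be marked compliant."""
    return device.azure_ad_joined and device.intune_enrolled


def evaluate(device, policy, default=DEFAULT_WITHOUT_POLICY):
    """Set and return the device's compliance flag."""
    if not has_device_object(device):
        device.compliance_state = None          # nothing to mark: no device object
    elif policy is None:
        device.compliance_state = default       # no policy assigned: tenant default applies
    else:
        failed = [k for k, want in policy.items() if device.settings.get(k) != want]
        device.compliance_state = "Compliant" if not failed else "NotCompliant"
    return device.compliance_state


def conditional_access(device, require_compliant=True):
    """Grant control 'require device to be marked as compliant'."""
    if not require_compliant:
        return "grant"
    return "grant" if device.compliance_state == "Compliant" else "block"


def run_scenarios():
    """Constructed scenarios: a home PC, and three office PCs in different states."""
    ok = {"password_required": True, "encryption_on": True, "os_version_ok": True}
    no_enc = {"password_required": True, "encryption_on": False, "os_version_ok": True}
    scenarios = [
        (Device("byod-home"), COMPLIANCE_POLICY),                              # never joined
        (Device("office-compliant", True, True, ok), COMPLIANCE_POLICY),
        (Device("office-no-policy", True, True, ok), None),                    # default applies
        (Device("office-no-encryption", True, True, no_enc), COMPLIANCE_POLICY),
    ]
    decisions = {}
    for device, policy in scenarios:
        evaluate(device, policy)
        decisions[device.name] = conditional_access(device)
    return decisions


if __name__ == "__main__":
    for name, decision in run_scenarios().items():
        print(f"{name:22s} -> {decision}")
```

Only the joined, enrolled and fully compliant office PC is granted access; the unjoined home PC is blocked because it never receives a compliance flag at all, and the enrolled PC without an assigned policy is blocked purely because of the NotCompliant default.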
- reditguy, Jan 15, 2019, Iron Contributor
Thank you....that is how I have it set in CA. So to confirm....if a user tries to, for example, set up an Outlook profile or OneDrive on their office PC or BYOD/home PC....CA will tell them that they cannot do it because their PCs are not compliant, and by default (because I see no specific setting for this), they cannot comply with the policy until the PC is joined to Azure AD and/or Intune? Is this by default or a specific setting somewhere?
- Jan 15, 2019
Yes, you need to have a device object that can be marked as compliant, and you get this device object only during register/join/enroll. The only setting for the default behavior of marking as compliant is about whether a compliance policy is assigned or not, see here:
best,
Oliver
- reditguy, Jan 15, 2019, Iron Contributor
Thanks!
So if I have it set to "Not Compliant" in the section you sent me and have MDM user scope set to All per this link:
https://docs.microsoft.com/en-us/intune/windows-enroll#enable-windows-10-automatic-enrollment
Then users will NOT be able to use or setup outlook/onedrive/Office apps on their devices UNLESS it is marked compliant, correct? FYI, I also have MFA enabled to enroll in Intune/Azure for extra security.