Forum Discussion

StuartK73
Iron Contributor
Mar 12, 2025
Solved

No PIN / No Access

Hi All

I hope you are well.

Anyway, on Android Enterprise Fully Managed devices, I have an ask to enforce a No PIN No Device Access policy.

These devices have the usual, where the PIN requirements are set with a device config policy and then checked with a corresponding compliance policy. But nowhere can I see a "restrict use of the device until a PIN is set" setting.

Perhaps it's really obvious but is this possible?

The only obvious option I can see is in the compliance policy settings on Actions for noncompliance as below:

Would this be the appropriate setting or are there others? And if the device is locked, is the user able to set a PIN?

Info appreciated.

SK

 

  • DR5246
    Copper Contributor

    Not sure you can like this.

    What I would do is this (I use MDM with MAM):

    1. Make sure you check for PIN in Compliance Policy
    2. MDM - Create Conditional Access Policy that requires Compliance Device and target all Apps
    3. MAM - Create another CA Policy that requires "Require app protection policy"

    Keep in mind you do not want to block access to the device, because then they can't get onto it to fix compliance issues that they can get guidance on from the "Company Portal".

    • What this will give you is they can get onto the device but they can't access corporate data (SharePoint, OneDrive, Teams, etc.) until they fix the compliance issue, and in this case it's the PIN.

    So look at it this way: Intune configures the device via config policies, and the compliance policies check those settings and mark the device non-compliant.

    Conditional Access is the bouncer at the door checking you out and not allowing you in if you're not compliant.

    • StuartK73
      Iron Contributor

      Hi Buddy

      Many thanks for your very informative reply.

      Great point with regards to no access to the device, then the end user couldn't rectify the situation. I knew it had to be something obvious!!!

      I do like your concept of the App Protection policy though, so many thanks for that.

      SK
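
Steps 2 and 3 of DR5246's answer, sketched with the Microsoft Graph PowerShell SDK as an added example that is not part of the original thread. It creates both Conditional Access policies in report-only state so their effect can be reviewed in the sign-in logs before enforcement. Assumptions not taken from the thread: the pilot group placeholder, the Android platform filter, the `Office365` target for the second policy, and the hypothetical helper name `New-PinGatePolicy`.

```powershell
# Added example: report-only Conditional Access policies for steps 2 and 3.
# Requires the Microsoft.Graph.Identity.SignIns module.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Application.Read.All'

# Placeholder (assumption): object ID of a pilot group to scope the policies to.
$pilotGroupId = '<pilot-group-object-id>'

# Hypothetical helper: builds one CA policy with a single built-in grant control.
function New-PinGatePolicy {
    param(
        [Parameter(Mandatory)] [string]   $DisplayName,
        [Parameter(Mandatory)] [string[]] $IncludeApplications,
        [Parameter(Mandatory)] [string]   $GrantControl
    )
    $body = @{
        displayName = $DisplayName
        # Report-only: evaluated and logged, but access is not blocked yet.
        state       = 'enabledForReportingButNotEnforced'
        conditions  = @{
            users          = @{ includeGroups = @($pilotGroupId) }
            applications   = @{ includeApplications = $IncludeApplications }
            platforms      = @{ includePlatforms = @('android') }  # assumption
            clientAppTypes = @('all')
        }
        grantControls = @{
            operator        = 'OR'
            builtInControls = @($GrantControl)
        }
    }
    New-MgIdentityConditionalAccessPolicy -BodyParameter $body
}

# Step 2 (MDM): require a device marked compliant, targeting all apps.
# A device with no PIN fails the compliance policy from step 1, so it
# can still be unlocked and fixed but gets no access to corporate apps.
New-PinGatePolicy -DisplayName 'Android - require compliant device (report-only)' `
    -IncludeApplications 'All' -GrantControl 'compliantDevice'

# Step 3 (MAM): 'compliantApplication' is the Graph value for the
# "Require app protection policy" grant control.
New-PinGatePolicy -DisplayName 'Android - require app protection policy (report-only)' `
    -IncludeApplications 'Office365' -GrantControl 'compliantApplication'
```

Once the report-only results look right, change each policy's `state` to `enabled` to enforce it.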
