I have a client who is in the process of testing the free MDM in Office 365. They have defined a very limited policy which requires a password, prevents simple passwords, has a minimum password length of 6 characters, prevents rooted/jail broken devices and blocks access for non-compliant devices.

When they enroll an iPhone with a 4 digit PIN they are forced to apply a 6 digit PIN as part of the enrollment process before the device is marked as compliant and allowed to connect. However when they enroll an Android device with a 4 digit PIN they do not have to apply a 6 digit PIN and the device is allowed to enroll and is marked as compliant even though it only has a 4 digit PIN. We have tried this on a Samsung Galaxy S8 running Android 8.0.0 and also on a Moto E4 plus running Android 7.1.1 and get the same results on both devices.

I did think it may have been because fingerprints were enabled on the device and that they maybe overrode the PIN, but we have since tried on a Moto E4 without fingerprints enabled, just a 4 digit PIN and that still shows as compliant with the 4 digit PIN.

Has anybody else experienced this, and more importantly found a way to enforce policies on Android devices?