Forum Discussion
Device Config Policy vs Device Compliance Policy
- Sep 21, 2018
Hi Stuart,
compliance settings are mostly used in combination with conditional access to check a device for certain settings and then set a compliant flag or not. It can also be used just for reporting if certain settings are set like BitLocker. So it's a kind of simple check and remember if several compliance policies have the same setting, they are evaluated and the most restrictive value counts. Pin 4 and Pin 6 in two compliance policies, then pin length 6 is enforced.
Configuration policies instead are the way to configure and not to check. E.g. set creation of something like passwords to deny simple passwords. Its not a check, it will enforce the setting in the password example during creation of the password. If two configuration policies have same setting they are in conflict and the setting will not be applied.
Hope this helps in you decisions.
best,
Oliver
Hi Stuart,
compliance settings are mostly used in combination with conditional access to check a device for certain settings and then set a compliant flag or not. It can also be used just for reporting if certain settings are set like BitLocker. So it's a kind of simple check and remember if several compliance policies have the same setting, they are evaluated and the most restrictive value counts. Pin 4 and Pin 6 in two compliance policies, then pin length 6 is enforced.
Configuration policies instead are the way to configure and not to check. E.g. set creation of something like passwords to deny simple passwords. Its not a check, it will enforce the setting in the password example during creation of the password. If two configuration policies have same setting they are in conflict and the setting will not be applied.
Hope this helps in you decisions.
best,
Oliver
I find it confusing that not all compliance policy settings are "simple check" as you say. Example is "Maximum minutes of inactivity before password is required" (Android). Rather than just checking if the configured time is within the value set for compliance, the setting acts like a configuration and applies a restriction in the "Lock screen" menu.
arnabmitra is correct that settings in the compliance policy, applying the configuration rather than just assessing, take priority over the equal settings in the configuration profile (you get "Not applicable" for the configuration if it is in a conflict with the compliance setting).
That I believe can easily be a source of frustration, because the compliance policy assignment scope can be different to the configuration profile and it can be overwriting settings.