Upcoming Security Enhancements in the Intune Service – your action is required!


By Murali Krishna Hosabettu Kamalesha | Sr. PM & Tyler Castaldo | PM

Updated 10/17 to include a section for customers using Mobile Device Management for O365.

We’re introducing some security enhancements, based on your feedback, in the Intune service in November. Depending on how your compliance policies are configured, you may need to take action to avoid loss of email access for your end users. Read along!

If you have used compliance policies with Conditional Access (CA) in Intune, you may have noticed that devices without a compliance policy assigned to them are considered compliant and end users are allowed access to email. Towards the end of November 2017, we'll introduce a change so that devices with no compliance policy assigned to them will be treated as “not compliant”. These devices will be blocked by CA and end users associated with them will lose access to email.

How should I prepare for this change?

We’re launching a new report in the October update to Intune on Azure, called “Devices without compliance policy”. This report will help you identify all the devices in your environment that do not have a compliance policy assigned. Please review your compliance policy deployments and ensure that all your devices have at least one compliance policy assigned to them by mid-November.

Here’s a screenshot of what the report will look like. If the count of devices in your report is non-zero, then you have devices in your environment without a compliance policy, and those devices will be marked as not compliant towards the end of November. Click on the report, review the list of devices and users, and assign a compliance policy where necessary. See Get started with Intune device compliance policies and follow the links for directions on assigning policies to the different platforms.

[Screenshot: the “Devices without compliance policy” report in Intune on Azure]

How do I assign a compliance policy to “All Users”?

In November, to make things easier, we’ll add a new feature to the Intune on Azure Portal that allows you to assign compliance policies to “All Users”.

What if I only care about enrollment and don't need compliance?

To allow access for enrolled devices without any additional security checks, create a blank compliance policy with no settings configured and assign it to your users.

What if I am a Configuration Manager customer using hybrid mobile device management (MDM)?

If you’re using a hybrid MDM configuration, this change applies to you, too. Towards the end of November, devices not covered by a compliance policy will be marked “not compliant,” and if you have CA configured, these devices will lose access to company resources such as email. You’ll need to prepare for that by first determining which users’ devices are impacted. To do this in a hybrid deployment, you can run the following SQL query against your Configuration Manager site database. Note that this query does not make any changes; it only returns information about the impacted devices.

-- Read-only query: lists mobile devices (with their associated users) whose
-- users are not members of any collection targeted by a compliance policy
-- assignment. Devices returned here will be treated as "not compliant" once
-- the change takes effect.
SELECT UMR.UniqueUserName AS UserName,
       CDR.Name AS DeviceName,
       CDR.DeviceOS,
       CDR.SiteCode,
       CDR.LastActiveTime,
       CDR.ManagementAuthority,
       CDR.SMSID,
       CDR.SerialNumber,
       CDR.IMEI
FROM vSMS_CombinedDeviceResources CDR
LEFT JOIN v_UserMachineRelationship UMR
       ON CDR.MachineID = UMR.MachineResourceID
WHERE CDR.ClientType = 3
  AND CDR.ArchitectureKey = 5
  AND CDR.MachineID NOT IN (
        -- Devices belonging to users who are members of a collection that
        -- is the target of a compliance policy assignment (AssignmentType = 8)
        SELECT DISTINCT MachineResourceID
        FROM v_UserMachineRelationship
        WHERE UniqueUserName IN (
            SELECT DISTINCT SMSID
            FROM vCollectionMembers
            WHERE CollectionID IN (
                SELECT DISTINCT TargetCollectionID
                FROM vCI_CIAssignments
                WHERE AssignmentType = 8
            )
        )
  );

You can also create a custom report using this query. See the instructions here. Once you’ve identified the impacted users and devices, you should ensure that they are targeted with a compliance policy.

What if I am an Office 365 customer using Mobile Device Management for Office 365?

If you are using Mobile Device Management for Office 365, this change applies to you, too. Towards the end of November, devices that have previously been targeted with a policy set to “Allow access even if the device does not meet the requirements of the policy” (see below) will be marked “not compliant”, and if you have CA configured, these devices will lose access to company resources such as email and SharePoint.

[Screenshot: the Mobile Device Management for Office 365 policy setting “Allow access even if the device does not meet the requirements of the policy”]

You’ll need to prepare for this by first determining which users’ devices are impacted. To do this, identify all users who are currently targeted by a policy with the setting described above. Once you have these users identified, you can mitigate the impact of this change in one of two ways.

  1. You can change your existing device policies in Mobile Device Management for Office 365 by replacing each existing policy with a new one, leaving all the settings the same except for changing the access setting above to “Block access and report violation”. OR
  2. You can simply create a blank policy, target it to all existing users who already have a policy targeted, and make sure the policy is set to “Block access and report violation”.

By doing either of the above, you can ensure that your existing devices that are currently targeted with policies can remain in “compliant” state and continue to access your corporate assets in Exchange Online and SharePoint Online.

Comments (2)

  1. Mahesh says:

    What if I only care about enrollment and don’t need compliance?

    To allow access for enrolled devices without any additional security checks, create a blank compliance policy with no settings configured and assign it to your users.

    Do I need to create policy for empty policy for all the platforms?

    1. Hi Mahesh. Yes, you do need to create one blank/empty policy for each platform.
