[3/30/18]: Updated with the message center post example
[3/28/18]: Known issue has been resolved; updated the text appropriately.
[3/22/18]: Updated with additional screen shots from within the console. Note this change is starting to roll out now but rolls out in phases.
[2/9/18]: This post has been updated to reflect changes in roll out for this security enhancement. The feature will now be rolled out for Intune standalone only at this time. Hybrid and O365 customers will not be affected by this change.
We've started activating the new toggle described below! We're slowing rolling this out. Here's some helpful information from the Office Message Center post that's going live on this topic as we roll out this change. You won't see this message (or a similar one like it) until we roll the new compliance experience to your Intune subscription.
Review Your Device Compliance and Toggle Status in Intune to Prevent Loss of Email
There are some new security enhancements in the Intune service. You may have received previous messages announcing this, the latest being MC128895 and MC131874. This change has been rolled out completely for you. The default setting for the new toggle to manage these security enhancements is now active in your console. If you use Conditional Access (CA) or plan to use CA, end users may lose access to company resources such as email depending on how this toggle is set.
How does this affect me?
- If you are a new or existing customer and do not have any compliance policies in the console, your toggle has been automatically set to treat devices without compliance policies as ‘compliant’. There is no end user impact.
- If you are an existing customer with even a single compliance policy, your toggle has been automatically set to treat devices without compliance policies as ‘not compliant’. If you do not use CA, there is no end user impact.
- If your toggle has been set to ‘not compliant’ and you use compliance policies with CA, devices without at least one compliance policy assigned to them will now be blocked by CA. End users associated with these devices, who were previously allowed access to company resources, will lose their access unless you assign at least one compliance policy to all users.
We’ve also updated our documentation. Please note:
- For enrollment through the device enrollment manager (DEM) method, devices will be ‘not compliant’ if the DEM account has no compliance policies assigned. These devices will show up in the ‘Devices without compliance policy report’ in the console. You can make these devices ‘compliant’ to remove them from the report, by assigning at least one compliance policy to DEM account users.
- There is a new report called the Default Device Compliance policy report which will help you better understand the effect of any company-wide or default rules which are applied to every device during compliance calculation. Note that if you make changes to your compliance policies, the report will not update until the device is next checked for compliance.
- When users on an iOS device are targeted with a passcode compliance policy, they will be considered ‘not compliant’ until they set a PIN.
- With the release of this security enhancement, Intune will now support evaluation of compliance policies assigned to device groups. If your compliance and CA deployment relies on device targeting, set the toggle to “Not compliant”. This is vital to ensure that devices are not allowed access to resources before being added to a device group and getting checked for compliance.
- We’ve also added enhanced jailbreak detection that you can choose to configure as part of your compliance strategy.
What can I do to prepare for this change?
Please check your default toggle status. If you see the default setting is ‘not compliant’, please ensure that all your devices or DEM account users (when using DEM), have at least one compliance policy assigned to them. Thus, if you have CA enabled, end users will not lose access to company resources. If you use CA, we recommend you have this feature turned on and leave the toggle set to ‘Not compliant’. This will ensure access to resources only after device compliance has been evaluated.
<Original blog post below>
We’re introducing some security enhancements, based on your feedback, in the Intune service in March. Depending on how your compliance policies are configured, you may need to take action to avoid loss of email access for your end users.
If you have used compliance policies with Conditional Access (CA) in Intune, you may have noticed that devices without a compliance policy assigned to them are considered compliant and end users are allowed access to email. In March, we'll introduce a new toggle so that admins will have the option to have devices with no compliance policy assigned to them treated as “not compliant”. These devices will be blocked by CA and end users associated with them will lose access to email. However, you’ll have control over turning this feature on or off for your tenant, as we mention later in this post.
How should I prepare for this change?
We’ve launched a new report in Intune on Azure, called “Devices without compliance policy”. This report will help you identify all the devices in your environment that do not have a compliance policy assigned. Please review your compliance policy deployments and ensure that all your devices have at least one compliance policy assigned to them by March.
Here’s a screenshot of what the report looks like. If the count of devices in your report is non-zero, then you have devices in your environment without a compliance policy which will be marked as not compliant when the March update to Intune is released. Click on the report, review the list of devices and users, and assign a compliance policy where necessary. See Get started with Intune device compliance policies and follow links for directions to assign policies to different platforms.
Known issue: Please note that currently, users targeted by any compliance policy, regardless of device platform, will not show up in the “Devices without compliance policy” report. So, for example, if you have unintentionally targeted a Windows compliance policy to a user with an Android device, this device will not show up in the report but will be considered 'not compliant' by Intune. We’re working to resolve this issue in a future release. We recommend that a policy is created for all available device platforms and deployed to all users. Known issue has been resolved for reporting and will be enforced starting in April.
There is a new report which will help you better understand the effect of any company-wide or default rules which are applied to every device during compliance calculation. This report is called the Default Device Compliance Policy and can be found on the Device compliance blade in Monitor -> Policy compliance.
There are three settings you’ll see:
- Is Active
- Has a compliance policy assigned
- Enrolled User Exists
The first one, Is Active, returns back if the device has checked in with the service (the last contact field on the device) within the compliance validity period. In the example below, we’ve set the compliance status validity period to 120 days.
The results will show:
Compliant => Device has checked in within 30 days default or the admin set time period.
Noncompliant => The device has not checked in within the time period.
The second setting is Has a Compliance Policy Assigned. This reports back whether the device has been evaluated for any policies in the last compliance check.
The results will show:
Compliant => Yes. Evaluated for policies.
Noncompliant => No. Azure AD compliance will block.
Error (Not Applicable) => No. Azure AD compliance will not block.
The third setting is Enrolled User Exists. When evaluating compliance for the device, was the user found in Intune?
The results will show:
Compliant => Yes.
Noncompliant => No. The user is not licensed or was deleted from Azure AD.
New toggle for managing security enhancements
In March, we’re introducing a toggle in Intune on Azure that Intune standalone customers can use to treat devices without any policy assigned as ‘Compliant’ (security feature off) or treat these devices as ‘Not compliant’ (security feature on). This toggle will be set to turn the feature on by default, but you can turn it off it in the console if you choose to. If you use Conditional Access, we recommend you do not turn this feature off and leave the toggle set to ‘Not compliant’. Here’s what the toggle looks like.
How will I know if an end-user is impacted?
If an end user is not compliant because no policy is assigned, the Company Portal will show “No compliance policies have been assigned” as the reason. Below is a screenshot of what an end user will see in the Android Company Portal.
What if I have users exempted from CA that aren’t targeted by a compliance policy?
If you have users in your environment that are exempt from CA requirements, their devices will still be reported as not compliant if they’re not targeted by at least one compliance policy. However, this will not impact their access to company resources such as email.
What if I have compliance policies in the Intune Silverlight console?
As a reminder, any compliance policies in the classic Silverlight console will not show up in the Intune on Azure console. Please re-create these policies in Intune on Azure if you haven’t done so already.
What if I am a Configuration Manager customer using hybrid mobile device management (MDM)?
Currently, this will not impact hybrid customers. We will inform you through a message center post if this does become available in a future update. However, we highly recommend that you assign at least one compliance policy to your devices if you haven’t done so already.
What if I am an Office 365 customer using Mobile Device Management for Office 365?
This change will not impact you if you are using Mobile Device Management for Office 365.