Updated: Upcoming Security Enhancements in the Intune Service


[7/12/18]: Updated with new Hybrid MDM information and brought the hybrid information to the top of this post since hybrid is now adding support for this feature. Added updated docs links on 7/13/18.

[3/30/18]: Updated with the message center post example.

[3/28/18]: Known issue has been resolved; updated the text appropriately.

[3/22/18]: Updated with additional screen shots from within the console. Note this change is starting to roll out now but rolls out in phases.

[2/9/18]: This post has been updated to reflect changes in roll out for this security enhancement. The feature will now be rolled out for Intune standalone only at this time. Hybrid and O365 customers will not be affected by this change.

 

(pulled to the top of the post for hybrid MDM customers) What if I am a Configuration Manager customer using hybrid mobile device management (MDM)?

We have added support for using the same toggle that appears in Intune on Azure for hybrid MDM. Rather than turn this on automatically, we have left this feature off for hybrid tenants; however, we strongly encourage that you deploy compliance policies in your environment and that you turn this feature on.

When you turn this feature on, devices with no compliance policy assigned will be treated as "not compliant". If you have CA enabled in your environment, these devices will be blocked according to your CA policies, and end users will lose access to company resources, such as e-mail, on these devices.

The reporting described below for Intune standalone has not been added for hybrid MDM. Instead, we have made a SQL query available here that you can run against your Configuration Manager database. The query lists the devices that have no compliance policy assigned; it makes no changes to your environment and only returns this information.

If you have any devices in your environment without compliance policies assigned, as shown by the SQL query, you should create a compliance policy that applies to the platforms of the devices returned, and deploy it to user collections that include the devices' owners. Once you have done this, make sure the compliance policies are active and run the query again to make sure you haven't missed any devices.

Once you have checked that all devices have at least one compliance policy assigned, you should turn on the security feature:

  • Sign into the Azure Portal with your admin credentials and go to the Intune blade
  • Go to Device compliance > Compliance policy settings
  • Set the Mark devices with no compliance policy assigned as toggle to Not Compliant
  • Click Save

For documentation on this feature for hybrid, head to the updated docs pages here:

_________________________________________________

<Original blog post below>

We've started activating the new toggle described below! We're rolling this out slowly. Here's some helpful information from the Office Message Center post that goes live on this topic as we roll out this change. You won't see this message (or a similar one) until we roll the new compliance experience out to your Intune subscription.

Review Your Device Compliance and Toggle Status in Intune to Prevent Loss of Email

There are some new security enhancements in the Intune service. You may have received previous messages announcing this, the latest being MC128895 and MC131874. This change has been rolled out completely for you. The default setting for the new toggle to manage these security enhancements is now active in your console. If you use Conditional Access (CA) or plan to use CA, end users may lose access to company resources such as email depending on how this toggle is set.

How does this affect me?

  • If you are a new or existing customer and do not have any compliance policies in the console, your toggle has been automatically set to treat devices without compliance policies as ‘compliant’. There is no end user impact.
  • If you are an existing customer with even a single compliance policy, your toggle has been automatically set to treat devices without compliance policies as ‘not compliant’. If you do not use CA, there is no end user impact.
  • If your toggle has been set to ‘not compliant’ and you use compliance policies with CA, devices without at least one compliance policy assigned to them will now be blocked by CA. End users associated with these devices, who were previously allowed access to company resources, will lose their access unless you assign at least one compliance policy to all users.

 

We’ve also updated our documentation. Please note:

  • For enrollment through the device enrollment manager (DEM) method, devices will be ‘not compliant’ if the DEM account has no compliance policies assigned. These devices will show up in the ‘Devices without compliance policy report’ in the console.  You can make these devices ‘compliant’ to remove them from the report, by assigning at least one compliance policy to DEM account users.
  • There is a new report called the Default Device Compliance policy report which will help you better understand the effect of any company-wide or default rules which are applied to every device during compliance calculation. Note that if you make changes to your compliance policies, the report will not update until the device is next checked for compliance.
  • When users on an iOS device are targeted with a passcode compliance policy, they will be considered ‘not compliant’ until they set a PIN.
  • With the release of this security enhancement, Intune will now support evaluation of compliance policies assigned to device groups.  If your compliance and CA deployment relies on device targeting, set the toggle to “Not compliant”. This is vital to ensure that devices are not allowed access to resources before being added to a device group and getting checked for compliance.
  • We’ve also added enhanced jailbreak detection that you can choose to configure as part of your compliance strategy.

What can I do to prepare for this change?

Please check your default toggle status. If the default setting is ‘not compliant’, ensure that all your devices, or your DEM account users when using DEM, have at least one compliance policy assigned to them, so that end users do not lose access to company resources if you have CA enabled. If you use CA, we recommend you keep this feature turned on and leave the toggle set to ‘Not compliant’. This ensures that access to resources is granted only after device compliance has been evaluated.

 

<Original blog post below>

We’re introducing some security enhancements, based on your feedback, in the Intune service in March. Depending on how your compliance policies are configured, you may need to take action to avoid loss of email access for your end users.

If you have used compliance policies with Conditional Access (CA) in Intune, you may have noticed that devices without a compliance policy assigned to them are considered compliant and end users are allowed access to email. In March, we'll introduce a new toggle so that admins will have the option to have devices with no compliance policy assigned to them treated as “not compliant”. These devices will be blocked by CA and end users associated with them will lose access to email. However, you’ll have control over turning this feature on or off for your tenant, as we mention later in this post.

How should I prepare for this change?

We’ve launched a new report in Intune on Azure, called “Devices without compliance policy”. This report will help you identify all the devices in your environment that do not have a compliance policy assigned. Please review your compliance policy deployments and ensure that all your devices have at least one compliance policy assigned to them by March.

Here’s a screenshot of what the report looks like. If the count of devices in your report is non-zero, you have devices in your environment without a compliance policy, and they will be marked as not compliant when the March update to Intune is released. Click the report, review the list of devices and users, and assign a compliance policy where necessary. See Get started with Intune device compliance policies and follow its links for directions on assigning policies to each platform.

[Screenshot: the “Devices without compliance policy” report in the Intune on Azure console]

Known issue (resolved as of 3/28/18): previously, users targeted by any compliance policy, regardless of device platform, did not show up in the “Devices without compliance policy” report. For example, if you had unintentionally targeted a Windows compliance policy to a user with an Android device, that device would not appear in the report but would still be considered 'not compliant' by Intune. The reporting issue has been resolved, and this behavior will be enforced starting in April. We continue to recommend creating a policy for every device platform in use and deploying it to all users.

New Default Device Compliance Policy Report

There is a new report which will help you better understand the effect of any company-wide or default rules which are applied to every device during compliance calculation. This report is called the Default Device Compliance Policy and can be found on the Device compliance blade in Monitor -> Policy compliance.

There are three settings you’ll see:

  • Is Active
  • Has a compliance policy assigned
  • Enrolled User Exists

The first, Is Active, reports whether the device has checked in with the service (the Last contact field on the device) within the compliance status validity period. In the example below, we’ve set the compliance status validity period to 120 days.

The results will show:

Compliant => The device has checked in within the default 30 days or the admin-set validity period.

Noncompliant => The device has not checked in within the time period.

The second setting is Has a Compliance Policy Assigned. This reports whether the device was evaluated against at least one policy at its last compliance check.

The results will show:

Compliant => Yes. Evaluated for policies.

Noncompliant => No. The device is reported to Azure AD as not compliant, so Conditional Access will block it (toggle set to ‘Not compliant’).

Error (Not Applicable) => No. The device is not reported as not compliant, so Conditional Access will not block it (toggle set to ‘Compliant’).

The third setting is Enrolled User Exists: when compliance was evaluated for the device, was the enrolling user found in Intune?

The results will show:

Compliant => Yes.

Noncompliant => No. The user is not licensed or has been deleted from Azure AD.

 

New toggle for managing security enhancements

In March, we’re introducing a toggle in Intune on Azure that Intune standalone customers can use to treat devices without any policy assigned as ‘Compliant’ (security feature off) or as ‘Not compliant’ (security feature on). The toggle will be set to turn the feature on by default, but you can turn it off in the console if you choose to. If you use Conditional Access, we recommend you do not turn this feature off and leave the toggle set to ‘Not compliant’. Here’s what the toggle looks like.

 

How will I know if an end-user is impacted?

If an end user is not compliant because no policy is assigned, the Company Portal will show “No compliance policies have been assigned” as the reason. Below is a screenshot of what an end user will see in the Android Company Portal.

[Screenshot: Android Company Portal showing “No compliance policies have been assigned” as the non-compliance reason]

How do I assign a compliance policy to “All Users”?

We’ve added a new feature to the Intune on Azure Portal that allows you to assign compliance policies to “All Users”. You can even create a blank compliance policy with no settings configured and assign it to your users, to ensure that they have at least one policy targeted to them at all times.

What if I have users exempted from CA that aren’t targeted by a compliance policy?

If you have users in your environment that are exempt from CA requirements, their devices will still be reported as not compliant if they’re not targeted by at least one compliance policy. However, this will not impact their access to company resources such as email.
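To make the rules in the sections above concrete (the toggle, the three rows of the Default Device Compliance Policy report, the “Devices without compliance policy” report and its former known issue, DEM accounts, deleted users and CA-exempt users), here is a small model of the evaluation in Python. It is an added illustration and not Intune’s implementation or any Microsoft code; the class and function names, the order in which the checks are applied, the reason strings other than “No compliance policies have been assigned”, and every sample user, device and policy are constructed assumptions.

```python
# Added example (not Intune code): a model of the compliance evaluation this post
# describes, using the post's own terms. Policy, Device, the tenant settings and
# every sample value below are constructed assumptions for illustration only.
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

ALL_USERS = "All Users"  # assumed label for the "All Users" assignment target

@dataclass
class Policy:
    name: str
    platform: str                              # "android", "ios" or "windows"
    users: set = field(default_factory=set)    # user or DEM UPNs, or ALL_USERS
    devices: set = field(default_factory=set)  # device ids reached via a device group

@dataclass
class Device:
    device_id: str
    platform: str
    user: Optional[str]          # enrolling user or DEM account; None if deleted/unlicensed
    last_contact: datetime       # the "Last contact" field
    meets_settings: bool = True  # result of evaluating the assigned policies' settings
    ca_exempt: bool = False      # user excluded from the Conditional Access policy

@dataclass
class TenantSettings:
    no_policy_is_noncompliant: bool = True  # the toggle; True means "Not compliant"
    validity_days: int = 30                 # compliance status validity period

def policies_for(device, policies):
    """Policies that really apply: platform must match, and the device or its user is targeted."""
    return [p for p in policies if p.platform == device.platform and
            (device.device_id in p.devices or device.user in p.users or ALL_USERS in p.users)]

def default_policy_report(device, policies, settings, now):
    """The three rows of the Default Device Compliance Policy report for one device."""
    active = now - device.last_contact <= timedelta(days=settings.validity_days)
    if policies_for(device, policies):
        has_policy = "Compliant"
    elif settings.no_policy_is_noncompliant:
        has_policy = "Noncompliant"            # reported to Azure AD as not compliant; CA blocks
    else:
        has_policy = "Error (Not Applicable)"  # toggle off; CA does not block
    return {"Is Active": "Compliant" if active else "Noncompliant",
            "Has a compliance policy assigned": has_policy,
            "Enrolled User Exists": "Compliant" if device.user else "Noncompliant"}

def compliance_state(device, policies, settings, now):
    """(state, reason) as the Company Portal would show it; check order is an assumption."""
    rows = default_policy_report(device, policies, settings, now)
    if rows["Has a compliance policy assigned"] == "Noncompliant":
        return "NotCompliant", "No compliance policies have been assigned"
    if rows["Enrolled User Exists"] == "Noncompliant":
        return "NotCompliant", "Enrolled user not found in Intune"
    if rows["Is Active"] == "Noncompliant":
        return "NotCompliant", "Device has not checked in within the validity period"
    if policies_for(device, policies) and not device.meets_settings:
        return "NotCompliant", "Assigned policy settings not met"
    return "Compliant", ""

def ca_blocks(device, state):
    """CA blocks a not-compliant device unless its user is exempt from the CA policy."""
    return state == "NotCompliant" and not device.ca_exempt

def devices_without_policy(devices, policies, platform_aware=True):
    """The 'Devices without compliance policy' report. platform_aware=False reproduces the
    former known issue: a user targeted by a policy for any platform was left out."""
    def targeted(d):
        return any(d.device_id in p.devices or d.user in p.users or ALL_USERS in p.users
                   for p in policies if not platform_aware or p.platform == d.platform)
    return [d.device_id for d in devices if not targeted(d)]

NOW = datetime(2018, 3, 1)  # constructed reference time
POLICIES = [
    Policy("Android baseline", "android", users={ALL_USERS}),               # blank policy to All Users
    Policy("Windows baseline", "windows", users={"bob@contoso.example"}),
    Policy("iOS baseline", "ios", devices={"ios-grp-1"}),                   # device-group targeting
]
DEVICES = [
    Device("and-1", "android", "alice@contoso.example", NOW - timedelta(days=1)),
    Device("ios-1", "ios", "bob@contoso.example", NOW - timedelta(days=2)),        # only a Windows policy hits bob
    Device("win-dem", "windows", "dem@contoso.example", NOW - timedelta(days=3)),  # DEM account, no policy
    Device("and-2", "android", None, NOW - timedelta(days=1)),                     # enrolling user deleted
    Device("ios-grp-1", "ios", "dave@contoso.example", NOW - timedelta(days=45)),  # stale check-in
    Device("and-3", "android", "carol@contoso.example", NOW - timedelta(days=1),
           meets_settings=False, ca_exempt=True),                                  # fails policy, CA-exempt
]

def summarize(settings):
    """device id -> (state, does CA block?) for the whole constructed tenant."""
    out = {}
    for d in DEVICES:
        state, _ = compliance_state(d, POLICIES, settings, NOW)
        out[d.device_id] = (state, ca_blocks(d, state))
    return out
```

Running `summarize(TenantSettings(no_policy_is_noncompliant=True))` marks ios-1 (only a Windows policy targets its user) and win-dem (a DEM account with no policy) as NotCompliant and blocked; flipping the toggle to False makes exactly those two Compliant and unblocked, while and-2 (deleted user), ios-grp-1 (no check-in for 45 days) and and-3 (fails its policy) stay NotCompliant. and-3 shows the CA-exempt case: reported as not compliant but never blocked. `devices_without_policy(DEVICES, POLICIES)` returns ios-1 and win-dem, whereas the `platform_aware=False` variant returns an empty list because the All Users Android policy “targets” everyone, which is why the post recommends a policy per platform deployed to all users.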

What if I have compliance policies in the Intune Silverlight console?

As a reminder, any compliance policies in the classic Silverlight console will not show up in the Intune on Azure console. Please re-create these policies in Intune on Azure if you haven’t done so already.

What if I am a Configuration Manager customer using hybrid mobile device management (MDM)?

See the hybrid MDM section at the top of this post, which carries the current guidance and steps for hybrid tenants.

What if I am an Office 365 customer using Mobile Device Management for Office 365?

This change will not impact you if you are using Mobile Device Management for Office 365 unless you have both O365 MDM policy and Intune policy assigned.

Comments (7)

  1. Kazzan says:

And what if a customer is using Office 365 MDM with Intune? In the last few days I have seen some reports that they must include users in Office 365 MDM rules for Intune to work correctly for them on devices.

    1. milan24 says:

We are using Office 365 MDM with a few Intune licenses for testing (the licenses are not assigned to the users who are currently using MDM). Now we are starting to see some of our phones showing ‘No compliance policies have been assigned’, so we turned off the security feature and those phones are showing Compliant.
      Not sure how this is related, as it should not impact Office 365 MDM.

      1. We researched and found two tickets where customers also were using Office 365 MDM but still had Intune licenses assigned. Unfortunately, this change applies if Intune licenses are in use as that was one of the selection criteria for the change. Thank you for bringing this to our attention. You can always create a policy for the devices (like minimum version) then turn the feature back on to ensure device compliance.

  2. “Hybrid and O365 customers will not be affected by this change.” Will this update be available for O365 and Hybrid users at a later date? The last I heard this was going to be available to standalone users this month and it would be rolled out to O365 and Hybrid users next month. I’ve long thought this was an overdue feature in Intune and a pitfall with the platform. I would love to see this added for O365 and Hybrid users.

    1. Thank you for your interest in this feature! We do appreciate your feedback but we don’t have a date for releasing to O365 and Hybrid. We’ll keep you informed of any developments through this support blog and the Office Message Center.

  3. jh2001 says:

    Intune Standalone and also using conditional access:
    We currently have compliance policies with specific settings assigned to dynamic device groups by platform. Would it be sufficient to create a blank policy per platform and assign to “All Users”? If so, does the most restrictive compliance policy take precedence? In this case the one assigned to the dynamic device groups?

    1. You’re right, a blank policy per platform will work without affecting the current policies you have assigned. https://docs.microsoft.com/en-us/intune/device-compliance-get-started#assign-a-resulting-compliance-policy-status shows how statuses will be resolved when multiple compliance policies are targeted.
