Planning for device compliance

Before you begin creating policies, take a moment to consider all of your options and identify which configurations best suit your organizational compliance needs. You'll consider a number of factors, including the restrictions we set up in Chapter 1, Implementing Mobile Device Management (MDM), and the types of responses that are appropriate at different levels of device compliance.

Typically, you'll create a compliance policy and then create a conditional access policy using the compliance status from the first policy as a determining characteristic, for example, if Device A is compliant, allow access to SharePoint. Let's take a look at this process:

1. In Intune, navigate to Device Compliance. From here, you can view or create compliance policies based on individual device platforms. After navigating to Device Compliance, select Policies | Create Policy to begin a new policy. The initial setup screen resembles the following, where you'll select a platform to which the policy will apply:

1. Once you've configured the compliance policy, you can create conditional access policies in Azure AD, which require those compliance policies to be met so that a device or app can be granted access to organizational data.

To plan for the implementation of compliance and conditional access policies, answer the following questions:

• Which groups of users may require more or less restrictive policies? 
• On which platforms will your managed devices operate (Android, Windows 10, and so on)?
• What action(s) should be taken when a device is identified as non-compliant, and how long can a device be non-compliant before that happens?

We now know how to set up compliance policies based on device platforms and that we will likely use the compliance status that's determined by the policy to allow or disallow access via a conditional access policy. Now, let's configure a full compliance policy.