
Windows Intune Mobile Device Security Policy Reference

Updated: February 1, 2014

Applies To: Windows Intune

The Mobile Security Policy template in the Windows Intune administrator console lets you create policies that you can apply to mobile devices that are managed through Windows Intune direct management or Exchange ActiveSync.

Note
If a device is managed by policy settings from both Windows Intune direct management and Exchange ActiveSync, the more secure policy settings are applied.

Settings that are set to Not configured are not enforced, and no changes are made to the existing settings on the user’s mobile devices.
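The note above says that when a device receives policy from both Windows Intune direct management and Exchange ActiveSync, the more secure value of each setting wins, and settings left Not configured are not enforced. The following Python is an added example (not Intune's own code) that computes the effective policy under those two rules for a handful of the password and encryption settings on this page; the direction in which each setting becomes "more secure" is an assumption derived from the setting descriptions here.

```python
from typing import Any, Dict, Optional

# Direction in which each setting becomes stricter (assumption derived from the
# page's descriptions; this is an added example, not Intune's merge logic):
#   True / False -> that boolean value is the more secure one
#   "min"        -> the smaller number is more secure
#   "max"        -> the larger number is more secure
STRICTER_DIRECTION: Dict[str, Any] = {
    "Require a password to unlock mobile devices": True,
    "Allow simple passwords": False,
    "Require encryption on mobile device": True,
    "Minimum password length": "max",
    "Remember password history": "max",
    "Number of repeated sign-in failures to allow before the device is wiped": "min",
    "Minutes of inactivity before device screen is locked (minutes)": "min",
    "Password expiration (days)": "min",
}

NOT_CONFIGURED = None  # a Not configured setting is not enforced


def stricter(setting: str, a: Optional[Any], b: Optional[Any]) -> Optional[Any]:
    """Pick the more secure of two values for one setting.  A Not configured
    value never overrides a configured one from the other channel."""
    if a is NOT_CONFIGURED:
        return b
    if b is NOT_CONFIGURED:
        return a
    direction = STRICTER_DIRECTION[setting]
    if direction == "min":
        return min(a, b)
    if direction == "max":
        return max(a, b)
    # Boolean setting: the secure value wins if either channel sets it
    return direction if direction in (a, b) else a


def effective_policy(direct: Dict[str, Any], eas: Dict[str, Any]) -> Dict[str, Any]:
    """Effective settings for a device under both direct management and
    Exchange ActiveSync policy: per setting, the more secure value wins."""
    names = list(direct) + [s for s in eas if s not in direct]
    return {s: stricter(s, direct.get(s), eas.get(s)) for s in names}
```

A setting that only one channel configures is simply carried through, which is why `Allow simple passwords: Yes` from Exchange ActiveSync survives when direct management leaves it Not configured.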

The mobile security policy settings are divided into the following categories: password, encryption, malware, system, documents and data, email, browser, application, gaming, hardware, cellular, and feature settings.

For a detailed list of Exchange ActiveSync policy settings and features that are supported by specific mobile devices, see Exchange ActiveSync Client Comparison Table.

The following password settings are common to most mobile devices, except where otherwise noted.


Policy setting / Description

Require a password to unlock mobile devices

This setting specifies whether to require users to enter a password before access is granted to information on their mobile devices.

Recommended value: Yes

This setting can be applied to:

Exchange ActiveSync-managed devices and the following devices when the device is enrolled in direct management: Windows RT, Windows Phone 8, iOS, Android 4.0

Note
On Windows RT devices, the device needs an existing password before any password setting can be enforced.

On iOS devices, if the device is locked when an attempt is made to enact policy on the device, the policy is enacted the next time that the device is unlocked.

Required password type

This setting specifies whether passwords are allowed to consist only of numeric characters, or whether they must contain characters other than numbers.

Recommended value: Numeric

If Alphanumeric is selected, you must specify the Minimum number of character sets setting, which specifies the minimum number of different character sets that must be present in the password.

There are four character sets: lowercase letters, uppercase letters, symbols, and numbers. Use this setting to specify the minimum number of these character sets that the password must contain. If you set a higher number of character sets, users will be required to create more complex passwords. For iOS-based devices, this setting refers to the number of special characters (such as #, &, !) that must be included in the password.

Important
For Windows RT and Windows 8.1 devices, the Minimum number of character sets setting must be set to 1. Setting it to any other value will return an error.

This setting can be applied to:

Exchange ActiveSync-managed devices and the following devices when the device is enrolled in Windows Intune direct management: Windows RT, Windows Phone 8, iOS

Password quality

Sets the password requirements for Android 4.0 devices.

The possible values for this setting are: Low security biometric, Required, At least numeric, At least alphabetic, At least alphanumeric, and Alphanumeric with symbols.

Recommended value: At least alphanumeric

Minimum password length

This setting specifies the minimum number of characters that the password must contain.

Required value for Windows RT and Windows 8.1 devices: 6

Recommended value for other devices: 4

This setting can be applied to:

Exchange ActiveSync-managed devices and the following devices when the device is enrolled in Windows Intune direct management: Windows RT, Windows Phone 8, iOS, Android 4.0

On Windows RT devices, the following settings are applicable only to local user accounts on the device: Minimum password length, Allow simple passwords, Number of repeated sign-in failures to allow before the device is wiped, Minutes of inactivity before device screen is locked (minutes), Password expiration (days), and Remember password history. Also, if users have not set a password locally before, they need to set the password one time by signing out and signing back in before the new password settings take effect.

Allow simple passwords

This setting specifies whether to allow mobile devices to use simple character sequences, such as 1234 or 1111.

Recommended value: No

This setting can be applied to:

Exchange ActiveSync-managed devices and the following devices when the device is enrolled in Windows Intune direct management: Windows Phone 8, iOS
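The Required password type, Minimum number of character sets, Minimum password length and Allow simple passwords settings above together define what a compliant device password looks like. The following Python is an added example (not Intune's or any device's enforcement code) that evaluates a candidate password against those four settings as the page describes them, and flags the two Windows RT / Windows 8.1 policy constraints the page calls out; the `PasswordPolicy` class, its defaults and the exact definition of a "simple" sequence are assumptions.

```python
import string
from dataclasses import dataclass
from typing import List


@dataclass
class PasswordPolicy:
    """Subset of the page's password settings; defaults are assumptions."""
    require_password: bool = True
    required_type: str = "Numeric"      # "Numeric" or "Alphanumeric"
    min_character_sets: int = 1         # used only when required_type is Alphanumeric
    min_length: int = 4                 # the page's recommended value for most devices
    allow_simple: bool = False          # the page's recommended value


def character_sets(password: str) -> int:
    """Count the page's four character sets present: lowercase, uppercase, symbols, numbers."""
    return sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ])


def is_simple(password: str) -> bool:
    """A simple sequence as the page describes it: one repeated character (1111)
    or a run of consecutive characters (1234, 4321)."""
    if len(set(password)) == 1:
        return True
    steps = {ord(b) - ord(a) for a, b in zip(password, password[1:])}
    return steps in ({1}, {-1})


def evaluate(password: str, policy: PasswordPolicy) -> List[str]:
    """Return the names of the settings the password violates; empty means compliant."""
    violations: List[str] = []
    if not policy.require_password:
        return violations                       # nothing is enforced without a password requirement
    if len(password) < policy.min_length:
        violations.append("Minimum password length")
    if policy.required_type == "Alphanumeric":
        # Alphanumeric: the password must contain characters other than numbers
        if password.isdigit():
            violations.append("Required password type")
        if character_sets(password) < policy.min_character_sets:
            violations.append("Minimum number of character sets")
    if not policy.allow_simple and is_simple(password):
        violations.append("Allow simple passwords")
    return violations


def windows_rt_policy_errors(policy: PasswordPolicy) -> List[str]:
    """The page's Windows RT / Windows 8.1 caveats: Minimum number of character
    sets must be 1 and Minimum password length must be 6."""
    errors: List[str] = []
    if policy.required_type == "Alphanumeric" and policy.min_character_sets != 1:
        errors.append("Minimum number of character sets must be 1")
    if policy.min_length != 6:
        errors.append("Minimum password length must be 6")
    return errors
```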

Number of repeated sign-in failures to allow before the device is wiped

This setting specifies the number of times that an incorrect password can be entered before the mobile device performs a wipe of all data.

Recommended value: 4

This setting can be applied to:

Exchange ActiveSync-managed devices and the following devices when the device is enrolled in Windows Intune direct management: Windows RT, Windows Phone 8, iOS, Android 4.0

Minutes of inactivity before device screen is locked (minutes)

This setting specifies the length of time without user input, after which the mobile device locks.

Recommended value: 15 minutes

This setting can be applied to:

Exchange ActiveSync-managed devices and the following devices when the device is enrolled in Windows Intune direct management: Windows RT, Windows Phone 8, iOS, Android 4.0

Minutes of inactivity before password is required

This setting specifies the length of time without user input, after which the password must be entered again to use the mobile device.

Recommended value: 15 minutes

This setting applies to iOS devices only.

Password expiration (days)

This setting specifies the length of time (days) after which a mobile device password must be changed.

Recommended value: Not configured

Default value when configured: 41

This setting can be applied to:

Exchange ActiveSync-managed devices and the following devices when the device is enrolled in Windows Intune direct management: Windows RT, Windows Phone 8, iOS, Android 4.0

Remember password history

This setting specifies whether to restrict the reuse of previous passwords. The number that is specified for the setting indicates the number of previous passwords that cannot be used.

Recommended value: Not configured

Default value when configured: Yes, with a Prevent reuse of previous password default value of 5

This setting can be applied to:

Exchange ActiveSync-managed devices and the following devices when the device is enrolled in Windows Intune direct management: Windows RT, Windows Phone 8, iOS, Android 4.0

Allow picture password and PIN

This setting specifies whether to allow or prohibit the use of a picture password and PIN on the device. A picture password allows a user to sign in by interacting with gestures on a picture. A PIN is a quick, convenient way to sign in by using a four-digit code.

Recommended value: Not configured

Default value when configured: No

This setting is specific to Windows RT devices only.

Allow fingerprint lock

Allows a fingerprint to unlock the device.

Recommended value: Yes

This setting is specific to iOS 7 devices only.

The following setting applies only to devices that support device encryption.


Policy setting / Description

Require encryption on mobile device

This setting enables encryption on the mobile device. Not all mobile devices can enforce encryption.

Important
If a mobile device does not support encryption, and if you enable this setting and set the Allow mobile devices that don’t fully support these settings to synchronize with Exchange setting to No, mobile devices that cannot enforce encryption will not be able to connect to Exchange.

Recommended value: Yes

This setting can be applied to:

Exchange ActiveSync-managed devices and the following devices when the device is enrolled in Windows Intune direct management: Windows Phone 8 (for Windows Phone 8 this policy value can be set to Yes only), iOS, Android 4.0

The following setting applies only to devices that support device encryption and that are connected to your organization’s Exchange servers through Exchange ActiveSync.


Policy setting / Description

Require encryption on storage cards

This setting specifies whether the mobile device storage card must be encrypted.

Important
If a mobile device does not support encryption, and if you enable this setting and set the Allow mobile devices that don’t fully support these settings to synchronize with Exchange setting to No, mobile devices that cannot enforce encryption will not be able to connect to Exchange.

Recommended value: Not configured

Default value when configured: No

The following settings control malware protection on the specified devices.


Policy setting / Description

Require network firewall

Require a network firewall on the mobile device. Configuring this setting will not change the state on the device, but it will allow compliance reporting on this setting.

Recommended value: Yes

This setting applies to Windows 8.1 devices only.

Enable Smart Screen

Enable the SmartScreen Filter in Internet Explorer to help protect against phishing websites and malware.

Recommended value: Yes

This setting applies to Windows 8.1 devices only.

The following settings control system behavior on the specified devices.


Policy setting / Description

Require automatic updates

Require the mobile device to receive automatic updates.

Recommended value: Yes

Note
This setting applies to Windows 8.1 devices.

Allow screen capture

Allow the contents of the screen to be captured as an image.

Recommended value: Yes

Note
This setting applies to iOS devices.

Allow control center in lock screen

Allow access to control center without unlocking the device.

Recommended value: No

Note
This setting applies to iOS 7 devices.

Allow notification view in lock screen

Allow access to the notifications view without unlocking the device.

Recommended value: No

Note
This setting applies to iOS 7 devices.

Allow today view in lock screen

Allow access to the today view without unlocking the device.

Recommended value: No

Note
This setting applies to iOS 7 devices.

User Account Control

Set how the user is notified about changes to the device.

Possible values for this setting: Always notify, Notify app changes, Notify app changes (do not dim desktop), Never notify.

Recommended value: Always notify

Note
This setting applies to Windows 8.1 devices.

Allow diagnostic data submission

Allow the device to submit diagnostic data.

Recommended value: No

Note
This setting applies to Windows 8.1 and iOS devices.

Allow untrusted TLS certificates

Allow untrusted Transport Layer Security certificates.

Recommended value: Yes

Note
This setting applies to iOS devices.

Allow personal wallet software while locked

Allow the use of personal wallet software while the mobile device is locked.

Recommended value: No

Note
This setting applies to iOS devices.

The following settings control access to documents and data.


Policy setting / Description

Allow backup to iCloud

This setting specifies whether the device can be backed up to iCloud.

Recommended value: No

Default value when configured: No

This setting applies to iOS devices only.

Allow document sync to iCloud

This setting specifies whether to allow synchronization of documents and key-values to iCloud.

Recommended value: No

Default value when configured: No

This setting applies to iOS devices only.

Allow Photo Stream sync to iCloud

This setting specifies whether to allow synchronization of Photo Stream to iCloud.

Recommended value: No

Default value when configured: No

This setting applies to iOS devices only.

Require encrypted backup

Require encryption on the mobile device backup.

Recommended value: Yes

This setting applies to iOS devices only.

Work Folders URL

Sets the Work Folders URL that gives users access to work files across mobile devices.

This setting applies to Windows 8.1 devices only.

The following email settings are specific to devices that are connected to your organization’s Exchange servers through Exchange ActiveSync.


Policy setting / Description

Allow users to download e-mail attachments

This setting specifies whether email attachments may be downloaded to the mobile device.

Recommended value: Yes

Default value when configured: Yes

E-mail synchronization period

This setting specifies the maximum number of days’ worth of e-mail items to synchronize to the mobile device.

Recommended value: 3 days

Default value when configured: 3 days

Allow mobile devices that don’t fully support these settings to synchronize with Exchange

This setting specifies whether to allow Exchange access for mobile devices that do not support some or all of the selected policies.

Recommended value: Yes

Make Microsoft account optional in Windows Mail application

Allow access to the Windows Mail application without a Microsoft account.

Recommended value: No

This setting applies to Windows 8.1 devices.

The following affect the browser settings on the specified devices.


Policy setting / Description

Allow web browser

This setting specifies whether the user can use the web browser for the mobile device.

Recommended value: Not configured

Default value when configured: Yes

Note
This setting applies to iOS devices.

Allow autofill

Allow autofill in the web browser.

Recommended value: Yes

Note
This setting applies to Windows 8.1 and iOS devices.

Allow pop-up blocker

Allow the use of a pop-up blocker in the web browser.

Recommended value: Yes

Note
This setting applies to Windows 8.1 and iOS devices.

Allow cookies

Allow cookies in the web browser.

Possible values for this setting: Yes, No, From visited sites.

Recommended value: Yes

Note
This setting applies to iOS devices.

Allow plug-ins

Allow plug-ins in the web browser.

Recommended value: Yes

Allow active scripting

Allow active scripting in the web browser.

Recommended value: Yes

Note
This setting applies to Windows 8.1 and iOS devices.

Allow fraud warning

Allow fraud warning in the web browser.

Recommended value: Yes

Note
This setting applies to iOS devices.

Allow intranet site for single word entry

Allow a single word URL to redirect Internet Explorer to an intranet site.

Recommended value: Yes

Note
This setting applies to Windows 8.1 devices.

Allow automatic detection of intranet network

Allow security for intranet sites in Internet Explorer.

Recommended value: Yes

Note
This setting applies to Windows 8.1 devices.

Security level for internet

Set the security level for internet sites in Internet Explorer. Configuring this setting will not change the state on the device, but it will allow compliance reporting on this setting.

Possible values for this setting: High, Medium-high, Medium

Recommended value: Medium-high

Note
This setting applies to Windows 8.1 devices.

Security level for intranet

Set the security level for intranet sites in Internet Explorer. Configuring this setting will not change the state on the device, but it will allow compliance reporting on this setting.

Possible values for this setting: High, Medium-high, Medium, Medium-low, Low

Recommended value: Medium-low

Note
This setting applies to Windows 8.1 devices.

Security level for trusted sites

Set the security level for trusted sites in Internet Explorer. Configuring this setting will not change the state on the device, but it will allow compliance reporting on this setting.

Possible values for this setting: High, Medium-high, Medium, Medium-low, Low

Recommended value: Medium

Note
This setting applies to Windows 8.1 devices.

Security level for restricted sites

Set the security level for restricted sites in Internet Explorer. Configuring this setting will not change the state on the device, but it will allow compliance reporting on this setting.

Recommended value: High

Note
This setting applies to Windows 8.1 devices.

Send Do Not Track header

Send a Do Not Track header in Internet Explorer.

Recommended value: No

Note
This setting applies to Windows 8.1 devices.

The following affect the application settings on the specified devices.


Policy setting / Description

Allow application store

Allow use of the application store on the mobile device.

Recommended value: Yes

Note
This setting applies to Windows 8.1 and iOS devices.

Require a password to access application store

Require the use of a password to access the application store.

Recommended value: Yes

Note
This setting applies to iOS devices.

Allow in-app purchases

Allow purchases to be made within applications on the mobile device.

Recommended value: Yes

Note
This setting applies to iOS devices.

Allow managed documents in other unmanaged apps

Allow corporate documents to be viewed in any app.

Recommended value: Yes

Note
This setting applies to iOS 7 devices.

Allow unmanaged documents in other managed apps

Allow any document to be viewed in corporate apps.

Recommended value: Yes

Note
This setting applies to iOS 7 devices.

Allow adult content in media store

Allow the mobile device to access adult content in the media store.

Recommended value: No

Note
This setting applies to iOS devices.

Important
If a mobile device policy has the Allow adult content in media store setting configured, and is applied to an iOS 5 or iOS 6 device, the status of all settings for that device may display as Conforms. To see the correct status of the device settings, remove the Allow adult content in media store setting from the policy, and reapply.

Allow video conferencing

Allow video conferencing on the mobile device.

Recommended value: Yes

Note
This setting applies to iOS devices.

The following affect the gaming settings on the specified devices.


Policy setting / Description

Allow Game Center friends

Allow friends to be added in Game Center.

Recommended value: Yes

Note
This setting applies to iOS devices.

Allow multiplayer gaming

Allow multiplayer gaming on the mobile device.

Recommended value: Yes

Note
This setting applies to iOS devices.

The following affect the hardware settings on the specified devices.


Policy setting / Description

Allow camera

This setting specifies whether the camera of the mobile device can be used.

Recommended value: Not configured

Default value when configured: Yes

Note
This setting applies to iOS and Android 4.0 devices.

Allow removable storage

Allow the mobile device to use removable storage.

Recommended value: Yes

Note
This setting applies to Windows Phone devices.

The following affect the cellular settings on the specified devices.


Policy setting / Description

Allow voice roaming

Allow voice roaming over the cellular network.

Recommended value: Yes

Note
This setting applies to iOS devices.

Allow data roaming

Allow data roaming over the cellular network.

Recommended value: Yes

Note
This setting applies to iOS devices.

Allow automatic synchronization while roaming

Allow background fetch when roaming over the cellular network.

Recommended value: Yes

Note
This setting applies to iOS devices.

The following affect the feature settings on the specified devices.


Policy setting / Description

Allow voice assistant

Allow the use of a voice assistant on the mobile device.

Recommended value: Yes

Note
This setting applies to iOS devices.

Allow voice assistant while device is locked

Allow the use of a voice assistant while the mobile device is locked.

Recommended value: Yes

Note
This setting applies to iOS devices.

Allow voice dialing

Allow the use of voice dialing on the mobile device.

Recommended value: Yes

Note
This setting applies to iOS devices.

© 2014 Microsoft