Configure policy for mobile devices in Windows Intune

Updated: June 30, 2014

Applies To: Windows Intune

Windows Intune provides policy settings that control the security of users’ mobile devices, including Android, iOS, and Windows devices. For a list of Windows Intune policies by platform, see Mobile Device Management Capabilities in Windows Intune. For a list of Exchange ActiveSync policy settings and features by platform, see Exchange ActiveSync Client Comparison Table.

Use the Policy workspace of the Windows Intune administrator console to:

  • Create policies based on templates

  • Configure policy settings

  • Deploy policies to user groups

You can also:

  • Use the recommended settings of policy templates to easily create and deploy policies that implement best practices.

  • View information about policy conflicts and recommended actions to take.

When you deploy mobile device policies to user groups, policies are applied to each applicable mobile device enrolled by each user in the group.

Each new policy you create is based on a built-in template for that policy type, which always includes the recommended settings. You can use the recommended settings or customize the policy with settings that meet your needs. You can always return to edit a policy, even after it is deployed.

  1. In the Windows Intune administration console, click Policy > Add Policy.

  2. Select Mobile Device Security Policy, and then click one of the following:

    1. Create and Deploy a Policy with the Recommended Settings to save a new policy that uses the recommended settings of the built-in template. By default this policy is saved using the name of the template and the time when the policy is created. After it is saved, you can edit the policy and change the name.

    2. Create and Deploy a Custom Policy to open a copy of the built-in template that you can edit to meet your needs. You must provide a name for the policy. When you click Save Policy, your edits are saved as a new policy.

  3. A confirmation message appears that prompts you to confirm whether you want to deploy the policy now. To deploy the policy, click Yes.

  4. In the Manage Deployment dialog box, select one or more user groups to which you want to deploy the policy, click Add, and then click OK.

Mobile devices check for deployed policies every 8 hours. If a mobile device cannot connect to the internet to check for policy, it retries at the next 8-hour interval.

The policy applied to the user is determined by merging all policies that have been deployed to the user. When multiple policies that contain a configuration for the same setting are applied to a user, only the value from the winning policy is applied. The winning policy setting is determined as follows:

  • If a user is a member of two groups, the policy associated with the deepest group in the group tree structure wins. You can view the user group tree structure in the Groups workspace of the Windows Intune administration console.

  • If multiple policies are deployed to the same group, or if both groups are at the same depth in the group tree structure, the older policy setting wins and a Policy Conflict alert is raised.

  • Policy that comes from either Intune direct management or Exchange ActiveSync through the Intune Exchange connector is treated the same way: both are simply part of Intune policy.

  • If the device is managed by both Exchange ActiveSync outside of Intune and Intune direct management, then the policy on the device will always be the last policy applied from either Exchange ActiveSync or Intune.
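
The first two rules above can be modeled in a few lines to predict which value a user receives before a policy is deployed. This is an added example, not Windows Intune code: the group tree, policy names, and setting names are constructed, and it assumes a Policy Conflict alert is raised for every tie, whether or not the tied values differ.

```python
from dataclasses import dataclass
from datetime import date

@dataclass
class Policy:
    name: str
    created: date    # the older policy wins a tie
    group: str       # user group the policy is deployed to
    settings: dict   # setting name -> value

def depth(group, parent_of):
    """Depth of a group in the group tree (a root group is 0)."""
    d = 0
    while parent_of.get(group) is not None:
        group, d = parent_of[group], d + 1
    return d

def effective_settings(user_groups, policies, parent_of):
    """Return ({setting: (value, winning policy)}, [(setting, tied policies)])."""
    applicable = [p for p in policies if p.group in user_groups]
    winners, conflicts = {}, []
    for setting in sorted({s for p in applicable for s in p.settings}):
        cands = [p for p in applicable if setting in p.settings]
        deepest = max(depth(p.group, parent_of) for p in cands)
        tied = sorted((p for p in cands if depth(p.group, parent_of) == deepest),
                      key=lambda p: p.created)
        if len(tied) > 1:   # same group or same depth: conflict alert (assumed on any tie)
            conflicts.append((setting, [p.name for p in tied]))
        winners[setting] = (tied[0].settings[setting], tied[0].name)
    return winners, conflicts

# Constructed sample data: group tree, policies and setting names are hypothetical.
PARENT_OF = {"All Users": None, "Sales": "All Users",
             "Sales EMEA": "Sales", "Contractors": "All Users"}
POLICIES = [
    Policy("Baseline", date(2014, 1, 10), "All Users",
           {"require_password": True, "min_password_length": 4}),
    Policy("Sales", date(2014, 3, 1), "Sales", {"min_password_length": 6}),
    Policy("EMEA", date(2014, 5, 1), "Sales EMEA", {"min_password_length": 8}),
    Policy("Contractor A", date(2014, 2, 1), "Contractors", {"allow_camera": False}),
    Policy("Contractor B", date(2014, 4, 1), "Contractors", {"allow_camera": True}),
]

if __name__ == "__main__":
    groups = {"All Users", "Sales", "Sales EMEA", "Contractors"}
    winners, conflicts = effective_settings(groups, POLICIES, PARENT_OF)
    for name, (value, source) in winners.items():
        print(f"{name} = {value!r} (from {source})")
    for name, tied in conflicts:
        print(f"Policy Conflict alert: {name} set by {tied}")
```

The model does not cover a device that is also managed by Exchange ActiveSync outside of Intune, where the last policy applied wins regardless of group depth or policy age.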

© 2014 Microsoft