
Compliance Settings for Mobile Devices in Configuration Manager

Updated: September 15, 2014

Applies To: System Center 2012 Configuration Manager SP1, System Center 2012 R2 Configuration Manager

Note
The information in this topic applies only to System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager.

You can configure compliance settings for mobile devices that are enrolled by the Windows Intune connector.

Create configuration items to define configurations that you want to manage and assess for compliance on mobile devices. The steps you have to take to manage compliance settings are as follows.

 

| Step | Description |
| --- | --- |
| Step 1: Create a configuration item for mobile devices. | To create configuration items for mobile devices that you enroll by using the Windows Intune connector, see How to Create Mobile Device Configuration Items for Compliance Settings in Configuration Manager. |
| Step 2: Create a configuration baseline. | For more information about how to create the configuration baseline, see How to Create Configuration Baselines for Compliance Settings in Configuration Manager. |
| Step 3: Deploy the configuration baseline. | After a configuration baseline is created, you can apply it to a user or device collection. If you apply the settings to a user collection, the compliance settings are applied to all the enrolled devices for those users. For more information, see How to Deploy Configuration Baselines in Configuration Manager. |

Important
Mobile devices check for deployed policies every 8 hours. If a mobile device cannot connect to the internet to check for policy, it will retry at the next 8-hour interval.

The following table lists the compliance settings available to Android, iOS and Windows devices. The Exchange connector settings are also listed but do not necessarily apply to all mobile devices. For information on which devices the Exchange connector settings apply to, see the Exchange ActiveSync Client Comparison Table.

This table lists the compliance settings available for mobile devices; it is not a feature list. For information on management capabilities, see:

 

| Device Setting Group | Settings | Values | Windows Phone 8 and Windows Phone 8.1 (See below for settings introduced by the Windows Phone 8.1 extension) | Windows RT | Windows 8.1 and Windows RT 8.1 (enrolled by Windows Intune) | iOS (See below for settings introduced by the iOS 7 settings extension) | Android and Samsung KNOX | Exchange Connector (these settings do not necessarily apply to all mobile devices) |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Browser | Default browser | Allowed/Prohibited | Windows Phone 8.1 only | No | No | Yes | No | Yes |
| Browser | Autofill | Allowed/Prohibited | No | No | Yes | Yes | No | No |
| Browser | Plug-ins | Allowed/Prohibited | No | No | Yes | No | No | No |
| Browser | Active scripting | Allowed/Prohibited | No | No | Yes | Yes | No | No |
| Browser | Pop-ups | Allowed/Prohibited | No | No | Yes | Yes | No | No |
| Browser | Fraud warning | Allowed/Prohibited | No | No | Yes | Yes | No | No |
| Browser | Cookies | Allowed/Prohibited | No | No | No | Yes | No | No |
| Cloud | Encrypted backup | Allowed/Prohibited | No | No | No | Yes | No | No |
| Cloud | Document synchronization | Allowed/Prohibited | No | No | No | Yes | No | No |
| Cloud | Photo synchronization | Allowed/Prohibited | No | No | No | Yes | No | No |
| Cloud | Cloud backup | Allowed/Prohibited | No | No | No | Yes | No | No |
| Cloud | Settings synchronization | Allowed/Prohibited | Windows Phone 8.1 only | No | Yes (Get only) | No | No | No |
| Cloud | Credentials synchronization | Allowed/Prohibited | No | No | Yes (GET only) | No | No | No |
| Cloud | Synchronization over metered connection | Allowed/Prohibited | No | No | Yes (GET only) | No | No | No |
| Content Rating | Explicit Content in media store | Allowed/Prohibited | No | No | No | Yes | No | No |
| Content Rating | Ratings Region | Country of choice | No | No | No | Yes | No | No |
| Content Rating | Movie Rating | Rating | No | No | No | Yes | No | No |
| Content Rating | TV Show Rating | Rating | No | No | No | Yes | No | No |
| Content Rating | App Rating | Rating | No | No | No | Yes | No | No |
| Device | Voice Dialing | Allowed/Prohibited | No | No | No | Yes | No | No |
| Device | Voice Assistant | Allowed/Prohibited | No | No | No | Yes | No | No |
| Device | Voice Assistant while Locked | Allowed/Prohibited | No | No | No | Yes | No | No |
| Device | Screen Capture | Enabled/Disabled | Windows Phone 8.1 | No | No | Yes | No | No |
| Device | Video Conferencing | Enabled/Disabled | No | No | No | Yes | No | No |
| Device | Add Game Center friends | Allowed/Prohibited | No | No | No | Yes | No | No |
| Device | Multiplayer Gaming | Allowed/Prohibited | No | No | No | Yes | No | No |
| Device | Personal wallet software While Locked | Allowed/Prohibited | No | No | No | Yes | No | No |
| Device | Diagnostic data Submission | Enabled/Disabled | Windows Phone 8.1 only | No | Yes | Yes | No | No |
| Encryption | File encryption on mobile device | On/Off | Yes | No | Yes (Get only) | No | Yes, for Android 4 | Yes |
| Internet Explorer | Go to intranet site for single word entry | Allowed/Prohibited | No | No | Yes | No | No | No |
| Internet Explorer | Always send Do Not Track header | Allowed/Prohibited | No | No | Yes | No | No | No |
| Internet Explorer | Intranet security zone | Allowed/Prohibited | No | No | Yes | No | No | No |
| Internet Explorer | Security level for internet zone | High, Medium-high, Medium | No | No | Yes | No | No | No |
| Internet Explorer | Security level for intranet zone | High, Medium-high, Medium, Medium-low, Low | No | No | Yes | No | No | No |
| Internet Explorer | Security level for trusted sites zone | High, Medium-high, Medium, Medium-low, Low | No | No | Yes | No | No | No |
| Internet Explorer | Security level for restricted sites zone | High | No | No | Yes | No | No | No |
| Internet Explorer | Namespace exists for browser security zone | Sites | No | No | Yes | No | No | No |
| Password | Require password settings on mobile devices | Required | Yes | No | No | Yes | Yes, for Android 4 | Yes |
| Password | Password complexity | PIN, Strong | Yes | Yes | Yes | Yes | No | Yes |
| Password | Idle time before mobile device is locked (minutes) | 1 minute – 12 hours | Yes | Yes | Yes | Yes | Yes, for Android 4 | Yes |
| Password | Minimum password length (characters) | 4-18 | Yes | Yes. Password length cannot be less than six characters. | Yes | Yes | Yes, for Android 4 | Yes |
| Password | Number of passwords remembered | 0-50 | Yes | Yes | Yes | Yes | Yes, for Android 4 | Yes |
| Password | Password expiration in days | 1-365 | Yes | Yes | Yes | Yes | Yes, for Android 4 | Yes |
| Password | Number of failed logon attempts before device is wiped | 0-100 | Yes | Yes | Yes | Yes | Yes, for Android 4 | Yes |
| Password | Password Quality | Low security biometric, Required, At least numeric, At least alphabetic, Alphanumeric with symbols | No | No | No | No | Yes, for Android 4 | No |
| Roaming | Allow Voice Roaming | Allowed/Prohibited | No | No | No | Yes | No | No |
| Roaming | Allow Data Roaming | Allowed/Prohibited | No | No | Yes | Yes | No | No |
| Security | Removable storage | Allowed/Prohibited | Yes | No | No | No | No | Yes |
| Security | Camera | Allowed/Prohibited | Windows Phone 8.1 only | No | No | Yes | Yes, for Android 4.1 | Yes |
| Security | Bluetooth | Allowed/Prohibited | Windows Phone 8.1 only | No | Yes (GET only) | No | No | Yes |
| Security | Allow app installation | Allowed/Prohibited | No | No | No | Yes | No | No |
| Store | Application Store | Allowed/Prohibited | Windows Phone 8.1 only | No | No | Yes | No | No |
| Store | Force Application Store Password | Enabled/Disabled | No | No | No | Yes, this setting applies to iTunes only | No | No |
| Store | In App Purchases | Allowed/Prohibited | No | No | No | Yes | No | No |
| System Security | User to accept untrusted TLS certificates | Allowed/Prohibited | No | No | No | Yes | No | No |
| System Security | User Access Control | Always notify, Notify app changes, Notify app changes (do not dim desktop), Never notify | No | No | Yes | No | No | No |
| System Security | Network Firewall | Required | No | No | Yes | No | No | No |
| System Security | Updates | Automatic updates is required | No | No | Yes | No | No | No |
| System Security | Virus Protection | Required | No | No | Yes (GET only) | No | No | No |
| System Security | Virus Protection signatures are up-to-date | Required | No | No | Yes (GET only) | No | No | No |
| System Security | Smart Screen | Enabled/Disabled | No | No | Yes | No | No | No |
| Windows Server Work Folders | Work Folders URL | URL | No | No | Yes | No | No | No |

With System Center 2012 R2 Configuration Manager, the optional iOS 7 Security Settings extension introduces new security settings to manage iOS devices using Windows Intune and is available from within the Configuration Manager console. For information on how to install the extension, see Planning to Use Extensions in Configuration Manager. The table below lists the additional settings available once you install the extension.

 

| Device Setting Group | Settings | At least iOS 7 |
| --- | --- | --- |
| System Security | Lock screen control center | Yes |
| System Security | Lock screen notification view | Yes |
| System Security | Lock screen today view | Yes |
| System Security | Fingerprint for unlocking | Yes |
| Data Protection | Open managed documents in other unmanaged apps | Yes |
| Data Protection | Open unmanaged documents in other managed apps | Yes |

With System Center 2012 R2 Configuration Manager, the optional Windows Phone 8.1 extension introduces new security settings to manage Windows Phone 8.1 devices using Windows Intune and is available from within the Configuration Manager console. For information on how to install the extension, see Planning to Use Extensions in Configuration Manager. The table below lists the additional settings available once you install the extension.

 

| Device Setting Group | Settings | Setting Values | Windows Phone 8.1 |
| --- | --- | --- | --- |
| Device | Geolocation | Enabled/Disabled | Yes |
| Device | Copy and Paste | Enabled/Disabled | Yes |
| Cloud | Microsoft Account | Enabled/Disabled | Yes |
| Security | Near field communication (NFC) | Enabled/Disabled | Yes |
| Email Management | Custom Email account | Enabled/Disabled | Yes |
| Wireless Communication | Wi-Fi Tethering | Enabled/Disabled | Yes |
| Wireless Communication | Offload data to Wi-Fi when possible | Enabled/Disabled | Yes |
| Wireless Communication | Wi-Fi Hotspot Reporting | Enabled/Disabled | Yes |
| Wireless Communication | Wireless Network Connection | Enabled/Disabled | Yes |

Additional settings that support Windows Phone 8.1 can be found in the table above at Compliance Settings for System Center 2012 R2 Configuration Manager.

With System Center 2012 R2 Configuration Manager, the optional Enterprise Mode Internet Explorer extension introduces Enterprise Mode for Internet Explorer 11 and later, which allows access to sites that would otherwise only work in earlier versions of Internet Explorer. When you install the Enterprise Mode extension for Windows Intune, the following settings are available:

  • Enterprise Mode menu option – Enable this option if you want to allow users to activate and deactivate Enterprise Mode from the Internet Explorer Tools menu.

  • Logging report location (URL) – Specify a URL where visited websites will be logged when Enterprise Mode is active.

  • Enterprise Mode site list location (URL) – Specify the location of the list of websites that will use Enterprise Mode when it is active.

For information on how to install the extension, see Planning to Use Extensions in Configuration Manager.

  1. If a setting exists and is not on this list, then that setting is not supported by any platform.

  2. If an iOS device is modified or an Android device is rooted, you can detect this through the query, All jailbroken or rooted devices, or through the report, Jailbroken or rooted devices.

  3. The System Security settings Network Firewall, Virus Protection, and Virus Protection signatures are up-to-date cannot be disabled.

  4. Disabling or enabling the Voice roaming or Data roaming settings does not affect the carrier setting. These settings will only affect the device to which the policy is applied.

You can ensure that users comply with basic security settings by using compliance settings. The following table lists the compliance settings available to Windows Phone 8, Windows RT, and iOS devices. For Android devices, you can use the Exchange server connector for basic security settings.

 

| Compliance setting | Windows Phone 8 | Windows RT | iOS |
| --- | --- | --- | --- |
| Require password settings on mobile devices | Yes | No | Yes |
| Minimum password length (characters) | Yes | Yes | Yes |
| Idle time before mobile device is locked | Yes | Yes | Yes |
| Number of passwords remembered | Yes | Yes | Yes |
| Password expiration in days | Yes | Yes | Yes |
| Password complexity | Yes | No | Yes |
| Number of failed logon attempts before device is wiped | Yes | Yes | Yes |
| Removable storage | Yes | No | No |
| Camera | No | No | Yes |
| File encryption on mobile device | Yes | No | No |

See Also

-----
For additional resources, see Information and Support for Configuration Manager.

Tip: Use this query to find online documentation in the TechNet Library for System Center 2012 Configuration Manager. For instructions and examples, see Search the Configuration Manager Documentation Library.
-----
© 2014 Microsoft