Compliance Policies in Configuration Manager


Updated: April 7, 2016

Applies To: System Center 2012 Configuration Manager SP2, System Center 2012 R2 Configuration Manager SP1

The information in this topic applies to System Center 2012 Configuration Manager SP1 or later, and System Center 2012 R2 Configuration Manager or later.

Compliance policies in Configuration Manager define the rules and settings that a device must comply with in order to be considered compliant by conditional access policies. You can also use compliance policies to monitor and remediate compliance issues with devices independently of conditional access.

Important

Compliance policies only apply to devices that are managed by Microsoft Intune.

These rules include:

  • PIN and passwords

  • Encryption

  • Whether the device is jailbroken or rooted

  • Whether email on the device is managed by an Intune policy

  • Minimum OS version required - Typically this depends on your company compliance policies and security requirements. It helps prevent access by devices that might have security vulnerabilities because they run an older OS version.

  • Maximum OS version allowed - You may choose not to support the latest OS version, for example until you have tested it. Devices that run a version later than the one you specify are blocked from company resources until you change the policy.

Note

In order to use the Minimum and Maximum OS version rules, you must use the latest Conditional access extension for System Center 2012 R2 Configuration Manager SP1.

Note

  • On Windows PCs, Windows 8.1 reports its OS version as 6.3, not 8.1. If an OS version rule for Windows is set to 8.1, a Windows 8.1 device is reported as noncompliant even though it runs Windows 8.1. Set the Minimum and Maximum OS version rules to the reported version of Windows; the version number must match the version returned by the winver command.

    Windows Phones do not have this issue; the version is reported as 8.1 as expected.

  • For Windows PCs that run Windows 10, set the version as "10.0" followed by the OS build number returned by the winver command, for example 10.0.10586.

    Windows 10 Mobile does not have this issue.
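The following PowerShell is an added example; it is not part of the original article and does not use Configuration Manager cmdlets. It shows why the reported version matters for the Minimum and Maximum OS version rules: Get-ReportedOSVersion reads the string a Windows PC actually reports (Win32_OperatingSystem.Version returns the same Major.Minor.Build value that winver shows, such as 6.3.9600 on Windows 8.1 or 10.0.10586 on Windows 10), and Test-OSVersionRule evaluates a reported version against rule values using numeric version comparison. Both function names, the parameter names, and the sample device list are this example's own assumptions.

```powershell
# Added example, not from the original article. Function names, parameters and
# sample devices are assumptions made for illustration only.

# On the device itself, the value to enter in the rule is the version winver shows.
# Win32_OperatingSystem.Version returns the same Major.Minor.Build string
# (e.g. "6.3.9600" on Windows 8.1, "10.0.10586" on Windows 10 build 10586).
function Get-ReportedOSVersion {
    (Get-CimInstance -ClassName Win32_OperatingSystem).Version
}

# Evaluate a reported version against Minimum / Maximum rule values.
# An empty rule value means that rule is not configured.
function Test-OSVersionRule {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Reported,  # e.g. "6.3.9600" or "10.0.10586"
        [string] $Minimum,                          # rule value, e.g. "6.3"
        [string] $Maximum                           # rule value, e.g. "10.0.10586"
    )
    # [version] compares field by field numerically, so "10.0.10586" is greater
    # than "6.3.9600"; a plain string comparison would sort "10.0..." before "6.3".
    $v = [version] $Reported
    if ($Minimum -and $v -lt [version] $Minimum) { return 'NonCompliant: below minimum OS version' }
    if ($Maximum -and $v -gt [version] $Maximum) { return 'NonCompliant: above maximum OS version' }
    return 'Compliant'
}

# Constructed sample inventory (not real devices) reproducing the Windows 8.1 pitfall:
# the marketing name "8.1" is not what the PC reports.
$samples = @(
    @{ Device = 'PC-01 (Windows 8.1)';      Reported = '6.3.9600'   }
    @{ Device = 'PC-02 (Windows 10 1511)';  Reported = '10.0.10586' }
)

foreach ($s in $samples) {
    # Wrong rule value: "8.1" transcribed from the product name.
    $wrong = Test-OSVersionRule -Reported $s.Reported -Minimum '8.1'
    # Correct rule value: the version winver reports for Windows 8.1.
    $right = Test-OSVersionRule -Reported $s.Reported -Minimum '6.3'
    '{0}: minimum "8.1" -> {1}; minimum "6.3" -> {2}' -f $s.Device, $wrong, $right
}
```

Running the loop shows PC-01 (reported 6.3.9600) as noncompliant against a minimum of "8.1" but compliant against "6.3", while the Windows 10 PC passes both; that is exactly the mismatch the note above describes, and it only affects the older platform, so it is easy to miss in testing. When you need the value to type into a rule for a given build, run Get-ReportedOSVersion on a representative device rather than transcribing the product name.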

You deploy compliance policies to user collections. When a compliance policy is deployed to a user, all of that user's devices are checked for compliance.

The following table lists the device types supported by compliance policies and how noncompliant settings are managed when the policy is used with a conditional access policy.

| Device type | PIN or password configuration | Device encryption | Jailbroken or rooted device | Email profile | Minimum OS version | Maximum OS version |
|---|---|---|---|---|---|---|
| Windows 8.1 and later | Remediated | N/A | N/A | N/A | Quarantined | Quarantined |
| Windows Phone 8.1 and later | Remediated | Remediated | N/A | N/A | Quarantined | Quarantined |
| iOS 6.0 and later | Remediated | Remediated (by setting PIN) | Quarantined (not a setting) | Quarantined | Quarantined | Quarantined |
| Android 4.0 and later | Quarantined | Quarantined | Quarantined (not a setting) | N/A | Quarantined | Quarantined |
| Samsung KNOX Standard 4.0 and later | Quarantined | Quarantined | Quarantined (not a setting) | N/A | Quarantined | Quarantined |

Remediated = Compliance is enforced by the device operating system (for example, the user is forced to set a PIN). There is never a case when the setting will be noncompliant.

Quarantined = The device operating system does not enforce compliance (for example, Android devices do not force the user to encrypt the device). In this case:

  • The device will be blocked if the user is targeted by a conditional access policy.

  • The company portal or web portal will notify the user about any compliance issues.

Step 1: Create a compliance policy

  1. In the Configuration Manager console, click Assets and Compliance.

  2. In the Assets and Compliance workspace, expand Compliance Settings, and then click Compliance Policies.

  3. On the Home tab, in the Create group, click Create Compliance Policy.

  4. On the General page of the Create Compliance Policy Wizard, specify the following information:

    • Name: Enter a unique name for the compliance policy. You can use a maximum of 256 characters.

    • Description: Enter a description that gives an overview of the compliance policy and helps identify it in the Configuration Manager console. You can use a maximum of 256 characters.

    • Noncompliance severity for reports: Specify the severity level that is reported if this compliance policy is evaluated as noncompliant. The available severity levels are the following:

      • None: Devices that fail this compliance rule do not report a failure severity for Configuration Manager reports.

      • Information: Devices that fail this compliance rule report a failure severity of Information for Configuration Manager reports.

      • Warning: Devices that fail this compliance rule report a failure severity of Warning for Configuration Manager reports.

      • Critical: Devices that fail this compliance rule report a failure severity of Critical for Configuration Manager reports.

      • Critical with event: Devices that fail this compliance rule report a failure severity of Critical for Configuration Manager reports. This severity level is also logged as a Windows event in the application event log.

  5. On the Supported Platforms page, choose the device platforms that this compliance policy will be evaluated on, or click Select all to choose all device platforms.

  6. On the Rules page, configure one or more rules that define the configuration devices must have in order to be evaluated as compliant. The available rules are listed below, each with its default state and the platforms it applies to. When you create a compliance policy, some rules are enabled by default, but you can edit or delete these.

    • Require password settings on mobile devices: Require users to enter a password before they can access their device. (Enabled by default.) Supported platforms: Windows Phone 8 and later; iOS 6 and later; Android 4.0 and later; Samsung KNOX Standard 4.0 and later.

    • Allow simple passwords: Let users create simple passwords such as '1234' or '1111'. (Disabled by default.) Supported platforms: Windows Phone 8 and later; iOS 6 and later.

    • Minimum password length (1): Specifies the minimum number of digits or characters that the user's password must contain. (6 by default.) Supported platforms: Windows Phone 8 and later; Windows 8.1; iOS 6 and later; Android 4.0 and later; Samsung KNOX Standard 4.0 and later.

    • File encryption on mobile device: Requires the device to be encrypted in order to connect to resources. Devices that run Windows Phone 8 are automatically encrypted. Important: devices that run iOS are encrypted when you configure the setting Require password settings on mobile devices. (Enabled by default.) Supported platforms: Windows Phone 8 and later; Windows 8.1; Android 4.0 and later; Samsung KNOX Standard 4.0 and later.

    • Device must not be jailbroken or rooted: If enabled, jailbroken (iOS) or rooted (Android) devices are not compliant. (Disabled by default.) Supported platforms: iOS 6 and later; Android 4.0 and later; Samsung KNOX Standard 4.0 and later.

    • Email profile must be managed by Intune: When this option is set to Yes, the device must use the email profile that Intune deployed to it. (Disabled by default.) Supported platforms: iOS 6 and later. Note the following:

      • The email profile must be deployed to the same user collection that the compliance policy targets; otherwise the users' devices are considered noncompliant.

      • The device is reported as noncompliant if the user has already set up an email account on the device that matches the Intune email profile deployed to it. Intune cannot overwrite a user-provisioned profile and therefore cannot manage it. To become compliant, the user must remove the existing email settings, after which Intune can install the managed email profile.

      For details about email profiles, see Enable access to corporate email using email profiles with Microsoft Intune.

    • Email profile: If the preceding rule is enabled, click Select to choose the email profile that must manage email on the device. The email profile must be present on the device. Supported platforms: iOS 6 and later.

    • Minimum OS required: When a device does not meet the minimum OS version requirement, it is reported as noncompliant and a link with information on how to upgrade is displayed. After the user upgrades the device, it can access company resources. Supported platforms: Windows Phone 8 and later; Windows 8.1; iOS 6 and later; Android 4.0 and later; Samsung KNOX Standard 4.0 and later.

    • Maximum OS version allowed: When a device runs an OS version later than the one specified in the rule, access to company resources is blocked and the user is asked to contact their IT admin. Until the rule is changed to allow that OS version, the device cannot be used to access company resources. Supported platforms: Windows Phone 8 and later; Windows 8.1; iOS 6 and later; Android 4.0 and later; Samsung KNOX Standard 4.0 and later.

    (1) For devices that run Windows and are secured with a Microsoft Account, the compliance policy fails to evaluate correctly if Minimum password length is greater than 8 characters or if Minimum number of character sets is more than 2.

  7. On the Summary page of the wizard, review the settings you made, and then complete the wizard.

The new policy displays in the Compliance Policies node of the Assets and Compliance workspace.

Deploy a compliance policy

  1. In the Configuration Manager console, click Assets and Compliance.

  2. In the Assets and Compliance workspace, expand Compliance Settings, and then click Compliance Policies.

  3. On the Home tab, in the Deployment group, click Deploy.

  4. In the Deploy Compliance Policy dialog box, click Browse to select the user collection to which to deploy the policy.

    Additionally, you can select options to generate alerts when the policy is not compliant, and also to configure the schedule by which this policy will be evaluated for compliance.

  5. When you are done, click OK.

Monitor the compliance policy

To view compliance results in the Configuration Manager console

  1. In the Configuration Manager console, click Monitoring.

  2. In the Monitoring workspace, click Deployments.

  3. In the Deployments list, select the compliance policy deployment for which you want to review compliance information.

  4. You can review summary information about the compliance of the policy deployment on the main page. To view more detailed information, select the deployment, and then on the Home tab, in the Deployment group, click View Status to open the Deployment Status page.

    The Deployment Status page contains the following tabs:

    • **Compliant**: Displays the compliance of the policy based on the number of assets affected. You can click a rule to create a temporary node under the **Users** or **Devices** node of the **Assets and Compliance** workspace, which contains all users or devices that are compliant with this rule. The **Asset Details** pane displays the users or devices that are compliant with the policy. Double-click a user or device in the list to display additional information.

    • **Error**: Displays a list of all errors for the selected policy deployment based on the number of assets affected. You can click a rule to create a temporary node under the **Users** or **Devices** node of the **Assets and Compliance** workspace, which contains all users or devices that generated errors with this rule. When you select a user or device, the **Asset Details** pane displays the users or devices that are affected by the selected issue. Double-click a user or device in the list to display additional information about the issue.

    • **Non-Compliant**: Displays a list of all noncompliant rules within the policy based on the number of assets affected. You can click a rule to create a temporary node under the **Users** or **Devices** node of the **Assets and Compliance** workspace, which contains all users or devices that are not compliant with this rule. When you select a user or device, the **Asset Details** pane displays the users or devices that are affected by the selected issue. Double-click a user or device in the list to display further information about the issue.

    • **Unknown**: Displays a list of all users and devices that did not report compliance for the selected policy deployment, together with the current client status of the devices.

Next Steps

You can now use the compliance policy with conditional access policies to control access to services in your organization.