[2/9/18]: This post has been updated to reflect changes in roll out for this security enhancement. The feature will now be rolled out for Intune standalone only at this time. Hybrid and O365 customers will not be affected by this change.
We’re introducing some security enhancements, based on your feedback, in the Intune service in March. Depending on how your compliance policies are configured, you may need to take action to avoid loss of email access for your end users.
If you have used compliance policies with Conditional Access (CA) in Intune, you may have noticed that devices without a compliance policy assigned to them are considered compliant and end users are allowed access to email. In March, we'll introduce a new toggle so that admins will have the option to have devices with no compliance policy assigned to them treated as “not compliant”. These devices will be blocked by CA and end users associated with them will lose access to email. However, you’ll have control over turning this feature on or off for your tenant, as we mention later in this post.
How should I prepare for this change?
We’ve launched a new report in Intune on Azure, called “Devices without compliance policy”. This report will help you identify all the devices in your environment that do not have a compliance policy assigned. Please review your compliance policy deployments and ensure that all your devices have at least one compliance policy assigned to them by March.
Here’s a screenshot of what the report looks like. If the count of devices in your report is non-zero, then you have devices in your environment without a compliance policy which will be marked as not compliant when the March update to Intune is released. Click on the report, review the list of devices and users, and assign a compliance policy where necessary. See Get started with Intune device compliance policies and follow links for directions to assign policies to different platforms.
Known issue: Please note that currently, users targeted by any compliance policy, regardless of device platform, will not show up in the “Devices without compliance policy” report. So, for example, if you have unintentionally targeted a Windows compliance policy to a user with an Android device, this device will not show up in the report but will be considered 'not compliant' by Intune. We’re working to resolve this issue in a future release. We recommend that a policy is created for all available device platforms and deployed to all users.
New toggle for managing security enhancements
In March, we’re introducing a toggle in Intune on Azure that Intune standalone customers can use to treat devices without any policy assigned as ‘Compliant’ (security feature off) or treat these devices as ‘Not compliant’ (security feature on). This toggle will be set to turn the feature on by default, but you can turn it off it in the console if you choose to. If you use Conditional Access, we recommend you do not turn this feature off and leave the toggle set to ‘Not compliant’. Here’s a preview of what the toggle will look like.
How will I know if an end-user is impacted?
If an end user is not compliant because no policy is assigned, the Company Portal will show “No compliance policies have been assigned” as the reason. Below is a screenshot of what an end user will see in the Android Company Portal.
How do I assign a compliance policy to “All Users”?
We’ve added a new feature to the Intune on Azure Portal that allows you to assign compliance policies to “All Users”. You can even create a blank compliance policy with no settings configured and assign it to your users, to ensure that they have at least one policy targeted to them at all times.
What if I have users exempted from CA that aren’t targeted by a compliance policy?
If you have users in your environment that are exempt from CA requirements, their devices will still be reported as not compliant if they’re not targeted by at least one compliance policy. However, this will not impact their access to company resources such as email.
What if I have compliance policies in the Intune Silverlight console?
As a reminder, any compliance policies in the classic Silverlight console will not show up in the Intune on Azure console. Please re-create these policies in Intune on Azure if you haven’t done so already.
What if I am a Configuration Manager customer using hybrid mobile device management (MDM)?
What if I am an Office 365 customer using Mobile Device Management for Office 365?
This change will not impact you if you are using Mobile Device Management for Office 365.