Microsoft Intune is a tool that allows users to create and apply device policies to protect endpoints and manage devices and data stored on them. Protected devices are also known as managed devices.
It includes settings and features that can be enabled or disabled for different devices within an organization. Users can create profiles for various platforms, including iOS/iPadOS, macOS, Android, Android Enterprise, and Windows, and then apply or assign these profiles to the devices.
Types of device policies
Device policies enable various actions to safeguard devices. For example, they allow the following actions on the devices within your organization:
- Restrict
- Reset
- Require
- Configure
- Protect
- Control
- Retire
Intune configuration policies help you protect and configure devices by allowing you to control a multitude of settings and features:
1. Password Policy
- Purpose: Enforce strong password requirements to secure devices.
- Settings:
  - Require a password to unlock the device.
  - Minimum password length: 6-8 characters.
  - Password complexity: Require letters, numbers, and special characters.
  - Maximum minutes of inactivity before the screen locks: 5 minutes.
  - Number of sign-in failures before wiping the device: 10.
2. Device Encryption Policy
- Purpose: Ensure data on devices is encrypted to protect sensitive information.
- Settings:
  - Require encryption on Windows, macOS, iOS, and Android devices.
  - Enable BitLocker for Windows devices.
  - Enable FileVault for macOS devices.
3. Wi-Fi Configuration Policy
- Purpose: Automatically configure Wi-Fi settings on devices to connect to corporate networks.
- Settings:
  - SSID: Corporate WiFi
  - Security type: WPA2-Enterprise
  - Pre-shared key or certificate-based authentication.
  - Automatically connect to this network.
4. Email Configuration Policy
- Purpose: Configure corporate email accounts on devices.
- Settings:
  - Email server: outlook.office365.com
  - Account name: Corporate Email
  - Use SSL for incoming and outgoing emails.
  - Require encryption for email communication.
5. Browser Configuration Policy
- Purpose: Control browser settings to ensure secure and consistent browsing.
- Settings:
  - Set the default homepage to the company intranet.
  - Block pop-ups.
  - Disable autofill for forms and passwords.
  - Restrict access to specific websites (e.g., block social media sites).
6. App Management Policy
- Purpose: Control how apps are used and installed on devices.
- Settings:
  - Allow only approved apps from the Company Portal.
  - Block sideloading of apps (Android/iOS).
  - Require app updates to be installed automatically.
7. Kiosk Mode Policy
- Purpose: Lock down a device to run only specific apps (e.g., for shared devices or point-of-sale systems).
- Settings:
  - Allow only a single app to run (e.g., a kiosk app).
  - Disable the home button and power menu.
  - Restrict access to device settings.
8. VPN Configuration Policy
- Purpose: Automatically configure VPN settings for secure access to corporate resources.
- Settings:
  - VPN type: IKEv2, L2TP, or Cisco AnyConnect.
  - Connection name: Corporate VPN.
  - Server address: vpn.corporate.com.
  - Use certificate-based authentication.
9. Update Policy
- Purpose: Ensure devices are up to date with the latest security patches.
- Settings:
  - Require automatic updates on Windows and macOS devices.
  - Set a maintenance window for updates (e.g., 2:00 AM - 5:00 AM).
  - Delay feature updates for a specific number of days.
10. Location Services Policy
- Purpose: Control whether devices can use location services.
- Settings:
  - Disable location services for all apps.
  - Allow location services only for specific apps (e.g., Maps).
11. Bluetooth and NFC Policy
- Purpose: Restrict the use of Bluetooth and NFC to prevent unauthorized data transfer.
- Settings:
  - Disable Bluetooth pairing.
  - Allow Bluetooth only for approved devices.
  - Disable NFC.
12. Camera and Microphone Policy
- Purpose: Prevent unauthorized use of the camera and microphone.
- Settings:
  - Disable the camera and microphone on all devices.
  - Allow camera and microphone use only for specific apps.
13. Compliance Policy
- Purpose: Ensure devices meet specific security requirements.
- Settings:
  - Require devices to be encrypted.
  - Require devices to be free of jailbreak or root access.
  - Set a minimum OS version (e.g., iOS 14 or Android 10).
14. Custom Profile Policy
- Purpose: Apply custom settings not available in the default Intune templates.
- Settings:
  - Use OMA-URI (Open Mobile Alliance Uniform Resource Identifier) to configure specific settings for Windows, iOS, or Android devices.
  - Example: Configure a custom registry key on Windows devices.
15. Conditional Access Policy
- Purpose: Control access to corporate resources based on device compliance.
- Settings:
  - Block access to corporate email and apps if the device is non-compliant.
  - Require multi-factor authentication (MFA) for access.
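
The following is an added example, not code from the original article or from Microsoft. It models how the Compliance Policy settings in item 13 feed the Conditional Access decision in item 15. The `Device` record, the `MIN_OS` table and the sample fleet are constructed for illustration and are not an Intune or Graph schema; treating a platform without a baseline as non-compliant is an assumption of this sketch.

```python
from dataclasses import dataclass

# Constructed baseline mirroring the minimum OS versions in item 13.
MIN_OS = {"iOS": "14", "Android": "10"}

@dataclass
class Device:  # hypothetical inventory record, not an Intune/Graph schema
    name: str
    platform: str
    os_version: str
    encrypted: bool
    jailbroken: bool

def version_tuple(v, width=3):
    # Compare versions numerically: as plain strings, "9" > "10" would pass.
    parts = [int(p) for p in v.split(".")]
    return tuple(parts + [0] * (width - len(parts)))  # "14" == "14.0"

def compliance_failures(d):
    """Return the compliance rules the device fails (empty list = compliant)."""
    failures = []
    if not d.encrypted:
        failures.append("not encrypted")
    if d.jailbroken:
        failures.append("jailbroken or rooted")
    minimum = MIN_OS.get(d.platform)
    if minimum is None:
        failures.append("no baseline for platform")  # assumption: fail closed
    elif version_tuple(d.os_version) < version_tuple(minimum):
        failures.append(f"OS {d.os_version} below minimum {minimum}")
    return failures

def access_decision(d, mfa_satisfied):
    """Item 15: block non-compliant devices, otherwise require MFA."""
    failures = compliance_failures(d)
    if failures:
        return "block", failures
    if not mfa_satisfied:
        return "require_mfa", []
    return "grant", []

# Constructed sample devices.
FLEET = [
    Device("ipad-01", "iOS", "17.4", True, False),
    Device("pixel-07", "Android", "9", True, False),
    Device("iphone-22", "iOS", "16.1", True, True),
    Device("tab-03", "Android", "13", False, False),
]

if __name__ == "__main__":
    for dev in FLEET:
        print(dev.name, access_decision(dev, mfa_satisfied=True))
```
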
These policies can be tailored to meet your organization's specific needs and applied to different groups of users or devices. Intune provides a flexible and scalable way to manage device configurations across various platforms, including Windows, macOS, iOS, and Android.