About Intune compliance policy | When will devices become non-compliant?

This week’s mail sack question is from David Berner via email:

Question: Quick question on compliance policies for iOS. If I add a second compliance policy and only target a subset of devices, when the second compliance policy is assigned, do the devices ever go into a weird evaluation state that could impact access to resources? Example: using conditional access to check for compliance and wanting to add a second compliance policy to a subset of devices for a prohibited app. What actually happens when the policy is targeted to that subset of devices? Do they remain compliant until something is flagged which would mark the device non-compliant?

Answer: The short answer for David is “No — devices will stay in their current state.” Devices that were “Compliant” before the targeting change will stay that way until they check in with Intune, receive the latest compliance policies and run the compliant/not-compliant evaluation again.

How compliance policy targeting works:

Compliance policy targeting works almost exactly the same as any other type of policy in Intune in that it is check-in based. The high-level process is something like this:

  1. Intune computes policy for a target device
  2. The device checks in and asks for the newest policy changes
  3. Intune evaluates the device against that policy and marks it as “compliant” or “not compliant” in Intune and Azure AD

If you’ve set up Azure AD Conditional Access policy to “require compliant devices”, Azure AD will look at that attribute and block or allow access to the resources you’ve protected.
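Because the stored compliance state only changes after a check-in, the practical question before a targeting change is “which devices have not synced since I changed the policy?” The following is an added example, not code from the original post: it takes device records in the shape returned by Microsoft Graph’s managedDevices endpoint (only the complianceState and lastSyncDateTime properties are used; the records below are constructed, and the policy-change timestamp is an assumed value you would supply) and separates devices that have re-evaluated from those still carrying their pre-change state.

```python
# Added example (not from the original post): classify managed-device records
# by whether their last Intune sync happened after a compliance-policy change.
# Devices whose last sync predates the change still carry the OLD evaluation,
# which is exactly the "stay in their current state" behaviour described above.
from datetime import datetime

def _parse_ts(value: str) -> datetime:
    """Parse Graph's ISO-8601 UTC timestamps, e.g. '2023-05-01T09:00:00Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def classify_devices(devices, policy_changed_at: str):
    """Return {'re_evaluated': [...], 'pending': [...]}.

    're_evaluated': lastSyncDateTime is at or after the policy change, so the
                    stored complianceState reflects the new policy set.
    'pending':      lastSyncDateTime is before the change, so complianceState
                    is the pre-change result and may flip on the next check-in.
    """
    changed_at = _parse_ts(policy_changed_at)
    result = {"re_evaluated": [], "pending": []}
    for dev in devices:
        bucket = ("re_evaluated"
                  if _parse_ts(dev["lastSyncDateTime"]) >= changed_at
                  else "pending")
        result[bucket].append({
            "deviceName": dev["deviceName"],
            "complianceState": dev["complianceState"],
            "lastSyncDateTime": dev["lastSyncDateTime"],
        })
    return result

# Constructed sample records in the shape of Graph managedDevice objects.
SAMPLE_DEVICES = [
    {"deviceName": "iPhone-Sales-01", "complianceState": "compliant",
     "lastSyncDateTime": "2023-05-01T12:30:00Z"},
    {"deviceName": "iPhone-Sales-02", "complianceState": "compliant",
     "lastSyncDateTime": "2023-04-28T08:15:00Z"},
    {"deviceName": "iPad-Warehouse-07", "complianceState": "noncompliant",
     "lastSyncDateTime": "2023-05-01T10:05:00Z"},
]
POLICY_CHANGED_AT = "2023-05-01T09:00:00Z"  # assumed time of the targeting change

if __name__ == "__main__":
    summary = classify_devices(SAMPLE_DEVICES, POLICY_CHANGED_AT)
    for dev in summary["pending"]:
        print(f"{dev['deviceName']}: still '{dev['complianceState']}' from a "
              f"sync at {dev['lastSyncDateTime']}, before the policy change")
```

Devices in the “pending” bucket are the ones to watch (or nudge to sync) before relying on a Conditional Access policy that requires compliance.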

When it doesn’t work like that…

It can sometimes get a bit more complex and nuanced than that, though. The two cases that come to mind are grace periods and external compliance signals:

Screenshot of “Actions for noncompliance” settings in Intune, where you can set a grace period for device compliance.
Screenshot of Intune compliance policy, showing where 3rd party health signal can influence compliance calculation by setting Device Threat Level

Wrap up

This was a short and sweet post answering the “What the heck is going to happen?” fear that most of us have when making large changes in production environments. I cleared up some of that fear by explaining that device compliance will only change once the device has checked in, received the new policy and reported back a new state, and I added a few details on scenarios where this could work differently.

I hope this information helps bolster your understanding of Intune and compliance targeting, but please TEST, TEST, TEST before making any big changes in production that could have unwanted impact, such as blocking access to corporate resources based on an unexpected compliance calculation.

If you have any questions you’d like to have answered in this blog, just shoot me an email or reach out to me on Twitter.

Device compliance policies in Microsoft Intune | Microsoft Learn
