Getty Images/iStockphoto

Tip

How to deploy Intune compliance policies for iOS and iPadOS

Compliance policies are a significant part of IT's device management, so admins should learn about Intune's compliance management features for all types of devices.

Investing in compliance policy for mobile devices such as iPhones and iPads offers significant returns for IT automation and organization data security.

Mobile devices are often under further scrutiny than stationary workstations and PCs as the risk of device theft is much higher, so IT departments need to deploy specific compliance policies to match the mobility of these endpoints.

Mobile administrators can use the various functions of Microsoft Intune to secure, manage and automate the user experience of iOS and iPadOS devices while complying with security policies and regulations.

What are compliance policies?

Compliance policies are crucial to maintain the integrity and security of organizational data across a range of mobile devices such as smartphones, tablets and laptops. These policies ensure mobile devices adhere to specific requirements, protecting sensitive organizational information. Compliance policies often focus on meeting standards for governments -- both local and international -- but some may be in service of internal policies or just general device security.

Compliance policies fall into three main categories:

  • Security reinforcement. Compliance policies ensure that devices are secure with the appropriate settings in place. This mitigates the risk of unauthorized access.
  • Data protection. Protection of sensitive company data is crucial. Compliance policies help prevent data leakage and secure information on all managed devices by automatically taking security-based actions for noncompliant endpoints.
  • Regulatory alignment. Many industries are governed by regulations that demand strict data control. Compliance policies can help validate that the endpoints are up to data governance standards during audits or inspections.

The role of compliance policies in mobile device management

As part of the tool set of a mobile device management (MDM) platform, administrators can distribute a vast array of management and security settings and rules, including compliance policies.

Administrators can deploy compliance policies via an MDM platform to both BYOD and corporate mobile endpoints. These policies consist of two components: compliance policy settings and actions for noncompliance.

Apart from setting security parameters such as passcodes, Wi-Fi limitations, email authentication and data restrictions, admins must also consider how to maintain device compliance. In case a device falls out of compliance, the IT team should have an automated response to quickly address it to ensure data security.

When an administrator creates a compliance policy, it allows them to monitor a device for specific settings and rules. The MDM system allows admins to automate actions in response to compliance-related events on a device. Once a compliance policy is in place on the platform and IT has assigned it to the relevant devices, any noncompliant devices will enter an automated action sequence to remediate the issue. These steps can include alerting users about noncompliant conditions, safeguarding data on noncompliant devices by quarantining, or removing devices from the MDM system automatically based on severity or organization policy.

Comparing compliance policies for mobile devices vs. desktops

Implementing compliance policies can be a complicated task, especially when administrators have to manage mobile devices and desktops alongside one another. Although they share the same fundamental principles, the execution on iOS and iPadOS via MDM can be more straightforward than desktop compliance. The goal is to reflect the users' expectations for their mobile experience.

Although they share the same fundamental principles, the execution on iOS and iPadOS via MDM can be more straightforward than desktop compliance. The goal is to reflect the users' expectations for their mobile experience.

Desktop deployments usually take a top-down framework to compliance, which allows IT to configure almost every aspect of a device without user involvement. On the other hand, mobile compliance deployment focuses on the user with more user-friendly prompts and executive options.

Types of Apple compliance policies for iOS and iPadOS

There are a variety of compliance settings and rules that IT administrators can configure on Apple mobile devices running iPadOS and iOS. These policies include the following:

  • Email Configuration. Setting and rules around email configuration on devices.
  • Device Health. Jailbroken status, Device Threat Level.
  • Operating System Version. Minimum and Maximum OS and OS build version.
  • Microsoft Defender for Endpoint. Requirement for a device to have a risk score that falls within a specified range.
  • Security. Passcode requirements.
  • Device Security. Restricted applications.

Implementing iOS and iPadOS compliance policies with Intune

Creating compliance policies for iOS and iPadOS in Intune is straightforward, and Intune helps guide admins through the process.

1. Navigate and log into the Microsoft Intune admin center.

2. Select Devices on the left sidebar.

3. Select iOS/iPadOS in the Device Overview section.

The Intune interface showing how to navigate to iOS and iPadOS device management.
Figure 1. The Devices column showing the managed endpoints sorted by platform.

4. Next, select Compliance Policies under the iOS/iPadOS policies section. From here, IT administrators can create their compliance policies.

5. Select Create policy and then select Create.

6. Name the policy and add any additional descriptions to help other admins determine what the policy pertains to.

7. Select Next.

The input screen for defining an Intune compliance policy for iOS and iPadOS.
Figure 2. The name and description of the jailbroken devices policy for Apple mobile devices.

8. Select the policy to configure from the available settings. This example will use the Jailbroken status policy, and will block any devices that are jailbroken.

9. Select the relevant options from the Actions menu that the device will need. Administrators can choose multiple actions for this step.

  • To send notifications to end users, admins need to set up this Intune template ahead of time.
Intune's defining of what will happen for noncompliant iOS and iPadOS devices.
Figure 3. The policy defining step where the admin determines what happens to noncompliant devices.

10. Select the included group assignments and select Next.

11. Confirm your selections on the next screen and select Create.

Michael Goad is a freelance writer and solutions architect with experience handling mobility in an enterprise setting.

Dig Deeper on Mobile management