How do we create a compliance policy for iOS/Android for different OS versions in Intune?
You must pre-configure appropriate device filters within Intune, which we will walk you through in this article here.
Now you will need to create your compliance policy. In this case we will create only the iOS version policy, leaving a generic policy to cover all other aspects of the device requirements. You can use the same method for Android versions or, indeed, anything else.
Access your Microsoft Intune/Endpoint Manager Portal
Select "Endpoint security" in the left menu, then "Device compliance" in the middle menu, and then "Policies" in the resulting menu.
Select "Create policy" and in the new window, select "iOS/iPadOS" as the platform, and click "Create".
Give your policy a name that makes sense, and click "Next".
We will set the iOS level for version 16.x in this policy (based on the Apple iOS/macOS release dates found here), which at the time of writing, for iOS 16.x, was 16.7.5.
Enter the "Minimum OS version" as "16.7.5" (check the version you should be using) and click "Next". (Note: for Cyber Essentials, you should be using the latest version within a major version, within 14 days of its release.)
We will configure our policy to chase up the user immediately after they are checked against the policy, then at 2, 4 and 6 days and on day 7 we will mark the device as non-compliant.
(Note: here we need a conditional access policy to block any non-compliant devices as well, which we cover here)
Set your policy as you wish, and click "Next".
NOTE: Here we advise the users immediately and then on days 2, 4 and 6 before we block their device on day 7, thus giving them a number of chances to become compliant before we lock them out.
We add "All Users" to ensure we capture all the users (in our case also "All Devices"), then select "Filter" to apply the filter we created earlier: select your appropriate filter and click "Select" to apply it to the policy.
NOTE: If you needed to apply this policy to, for example, Android mobiles, stating that Android 12 was the lowest compliant version, but you had (still supported) Yealink Android 10 devices, you could set the filter to exclude rather than include, thereby excluding the Yealink devices from the policy.
When you are happy, click "Next".
Review your policy and click "Next".
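The same policy can be expressed as Microsoft Graph request bodies, which is useful if you want the minimum version, the reminder schedule and the filtered assignment under version control rather than clicked into the portal each month. The script below is an added example, not part of this article and not Microsoft's code. It works out the minimum compliant version under the 14-day rule from a release list (the dates are illustrative; confirm them against Apple's release list), builds the iOS compliance policy body with the day 0/2/4/6 reminders and day 7 block used above, and builds the assignment body with the device filter in include or exclude mode. The Graph endpoints named in the docstrings exist; the filter ID and notification template ID are placeholders, and the `ruleName` value "PasswordRequired" is the name Intune uses for its default schedule rule (an assumption on our part, not something the article states).

```python
"""Build Microsoft Graph request bodies for the Intune compliance policy
described above (added example; endpoints are real, IDs are placeholders)."""
import json
from datetime import date, timedelta

# Constructed release history for one major version: (version, release date).
# Replace with the current list from Apple's security-release page.
IOS16_RELEASES = [
    ("16.7.2", date(2023, 10, 25)),
    ("16.7.4", date(2023, 12, 11)),
    ("16.7.5", date(2024, 1, 22)),
    ("16.7.6", date(2024, 3, 5)),
]

PATCH_WINDOW_DAYS = 14          # Cyber Essentials: patches applied within 14 days of release
NOTIFY_DAYS = (0, 2, 4, 6)      # remind the user immediately, then on days 2, 4 and 6
BLOCK_DAY = 7                   # mark the device non-compliant on day 7
NOTIFICATION_TEMPLATE_ID = "00000000-0000-0000-0000-000000000000"  # PLACEHOLDER template id


def version_key(version: str) -> tuple:
    """Numeric sort key so that 16.7.10 orders after 16.7.5 (a string sort would not)."""
    return tuple(int(part) for part in version.split("."))


def minimum_compliant_version(releases, today: date, window_days: int = PATCH_WINDOW_DAYS) -> str:
    """Newest release whose patch window has already expired.

    A release published fewer than `window_days` ago is not yet mandatory, so it
    must not become the minimum; anything older than the result is out of window."""
    due = [v for v, released in releases if today - released >= timedelta(days=window_days)]
    if not due:
        raise ValueError("no release is old enough to be mandatory yet")
    return max(due, key=version_key)


def scheduled_actions(notify_days=NOTIFY_DAYS, block_day: int = BLOCK_DAY) -> list:
    """Graph stores the portal's 'days after non-compliance' as gracePeriodHours."""
    configs = [
        {
            "@odata.type": "#microsoft.graph.deviceComplianceActionItem",
            "actionType": "notification",
            "gracePeriodHours": day * 24,
            "notificationTemplateId": NOTIFICATION_TEMPLATE_ID,
            "notificationMessageCCList": [],
        }
        for day in notify_days
    ]
    configs.append({
        "@odata.type": "#microsoft.graph.deviceComplianceActionItem",
        "actionType": "block",
        "gracePeriodHours": block_day * 24,
    })
    return [{
        "@odata.type": "#microsoft.graph.deviceComplianceScheduledActionForRule",
        "ruleName": "PasswordRequired",  # assumption: Intune's default rule name
        "scheduledActionConfigurations": configs,
    }]


def ios_policy_body(name: str, min_version: str) -> dict:
    """Body for POST https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies"""
    return {
        "@odata.type": "#microsoft.graph.iosCompliancePolicy",
        "displayName": name,
        "osMinimumVersion": min_version,
        "scheduledActionsForRule": scheduled_actions(),
    }


def assignment_body(filter_id: str, mode: str = "include") -> dict:
    """Body for POST .../deviceCompliancePolicies/{policyId}/assign

    mode='include' targets only devices matching the filter (the iOS 16 case);
    mode='exclude' targets everyone except matching devices (the Yealink case)."""
    if mode not in ("include", "exclude"):
        raise ValueError("mode must be 'include' or 'exclude'")
    targets = ["#microsoft.graph.allLicensedUsersAssignmentTarget",   # "All Users"
               "#microsoft.graph.allDevicesAssignmentTarget"]         # "All Devices"
    return {"assignments": [{"target": {
        "@odata.type": t,
        "deviceAndAppManagementAssignmentFilterId": filter_id,
        "deviceAndAppManagementAssignmentFilterType": mode,
    }} for t in targets]}


if __name__ == "__main__":
    minimum = minimum_compliant_version(IOS16_RELEASES, date.today())
    print(json.dumps(ios_policy_body("iOS 16.x minimum version", minimum), indent=2))
    print(json.dumps(assignment_body("<FILTER-ID-PLACEHOLDER>", "include"), indent=2))
```

Run it with a fresh release list each patch cycle and diff the emitted `osMinimumVersion` against what is currently in the portal; if they differ, the policy has fallen behind the 14-day window.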
You will now need to ensure you have a conditional access policy which requires your mobile devices to be marked as compliant, which we cover here.