How do we create a compliance policy for iOS for different iOS versions in Intune?
You must first configure appropriate device filters within Intune, which we walk you through in this article here.
Now you will need to create your compliance policy. In this case, we will create only the iOS version policy, leaving a generic policy to cover all other aspects of the device requirements.
Access your Microsoft Intune/Endpoint Manager Portal.
Select "Endpoint security" in the left menu, then "Device compliance" in the middle menu, and then "Policies" in the resulting menu.
Select "Create policy" and in the new window, select "iOS/iPadOS" as the platform, and click "Create".
Give your policy a name that makes sense, and click "Next".
We will set the iOS level for version 16.x in this policy (based on the Apple iOS/macOS release dates found here), which at the time of writing was 16.7.5 for iOS 16.x.
Enter the "Minimum OS version" as "16.7.5" (check the one you should be using) and click "Next". (Note: for Cyber Essentials, you should be using whatever is the latest version within a major version, within 14 days of release.)
We will configure our policy to chase up the user immediately after they are checked against the policy, then at 2, 4 and 6 days, and on day 7 we will mark the device as non-compliant.
(Note: here we need a conditional access policy to block any non-compliant devices as well, which we cover here.)
Set your policy as you wish, and click "Next".
We add "All Users" to ensure we capture all users and, in our case, "All Devices", then select "Filter" to apply the filter we created earlier. Select your appropriate filter, and click "Select" to apply it to the policy.
When you are happy, click "Next".
Review your policy and click "Next".
You will now need to ensure you have a conditional access policy that requires your mobile devices to be marked as compliant, which we cover here.
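
The policy built in the portal steps above can also be written as a Microsoft Graph request body, which makes the minimum version and the reminder schedule easy to review and reproduce. This is an added example, not part of the original article: it assumes the reminders are e-mail notifications, and the policy name and notification template ID are placeholders. It only builds the body; sending it needs an authenticated Graph session, and assignment with the device filter is still done as described above.

```python
import json
import re

GRAPH_URL = "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies"
# Placeholder (assumption): ID of a notification message template that already
# exists in your tenant. Replace it before sending the request.
TEMPLATE_ID = "00000000-0000-0000-0000-000000000000"


def build_ios_version_policy(name, min_version, reminder_days=(0, 2, 4, 6),
                             noncompliant_day=7, template_id=TEMPLATE_ID):
    """Return the JSON body for an iOS/iPadOS policy that only checks the OS version."""
    # Reject anything that is not a plain dotted version such as 16.7.5.
    if not re.fullmatch(r"\d+(\.\d+){0,2}", min_version):
        raise ValueError(f"not a dotted OS version: {min_version!r}")
    # One notification per reminder day; Graph expresses the schedule in hours.
    actions = [
        {"actionType": "notification", "gracePeriodHours": day * 24,
         "notificationTemplateId": template_id, "notificationMessageCCList": []}
        for day in sorted(reminder_days)
    ]
    # "block" is the action that marks the device as non-compliant.
    actions.append({"actionType": "block", "gracePeriodHours": noncompliant_day * 24,
                    "notificationTemplateId": "", "notificationMessageCCList": []})
    return {
        "@odata.type": "#microsoft.graph.iosCompliancePolicy",
        "displayName": name,
        "osMinimumVersion": min_version,
        # "PasswordRequired" is the conventional rule name for scheduled actions.
        "scheduledActionsForRule": [
            {"ruleName": "PasswordRequired", "scheduledActionConfigurations": actions}
        ],
    }


if __name__ == "__main__":
    body = build_ios_version_policy("iOS 16.x minimum OS version", "16.7.5")
    print("POST", GRAPH_URL)
    print(json.dumps(body, indent=2))
```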