Manage Policies

On the Policies page, you can view and manage compliance policies, configuration profiles, and conditional access policies in separate tabs. Click Refresh in each tab to view the latest policies or configuration profiles. Click Export to export the currently displayed policies.

Compliance policies

In the Compliance tab, you can view the compliance policies with their basic information. Compliance policies help protect organizational data by requiring devices to meet requirements that are set in the policies.

Click the name of a compliance policy to access the Compliance policy details page. In the upper-right corner of the page, you can click Delete compliance policy to delete this policy.

NOTE

Currently, this is not available for compliance policies of the Linux platform.

There are five tabs on the page.

  • Basics – In the Basics tab, you can view compliance policy basics, device health, system security, device properties, Microsoft Defender for Endpoint, Configuration Manager compliance, and other custom compliance settings.

  • Devices – In the Devices tab, the devices that have this compliance policy applied are listed in the table with their basic information. Click Refresh to refresh the device list. You can also click Export to export the device list.

    Click a device name to access the Policy settings page, where you can view and export the policy settings on this device. The device name, status, type, OS version, and operating system are shown at the top of this page. Click Refresh to view the latest monitoring results.

  • Actions for noncompliance – In the Actions for noncompliance tab, you can manage the sequence of actions that will be applied automatically to devices that do not meet this compliance policy.

  • Assignments – In the Assignments tab, you can manage the group assignment for the compliance policy.

    • Add groups – Click Add groups and the Add groups window appears. Select the assignment type as Included or Excluded, select groups, and click Select to include or exclude the groups for this compliance policy.

    • Include all users – Click Include all users to add all users to the assignment scope.

    • Include all devices – Click Include all devices to add all devices to the assignment scope.

    • Remove – Select one or multiple groups and click Remove to remove the groups from the assignment scope.

    • Export – Click Export to export the group assignment of the compliance policy.

    • View group details – Clicking a group name allows you to view the detailed information of the group in the Group details window. Refer to View and Manage Groups for more details.

    • Change assignment – Select Included or Excluded in the Assignment column for a group to change the group assignment.

  • Audit logs – In the Audit logs tab, all actions performed to the current policy within Elements are listed in the table. You can click Refresh to view the latest records, or click Export to export the audit logs.

To create a new compliance policy, click Create compliance policy. In the Create compliance policy window, select a platform for this policy from the following options:

  • Android device administrator

  • Android (AOSP)

  • Android Enterprise

    NOTE

    Also select a profile type for Android Enterprise.

    • Fully managed, dedicated, and corporate-owned work profile

    • Personally-owned work profile

  • iOS/iPadOS

  • macOS

  • Windows 10 and later

Then, click Save to open the configuration page.

  1. In the Basics step, enter a display name and optional description for the policy, and click Next.

  2. In the Compliance settings step, configure settings of the available categories for your policy, and click Next.

  3. In the Actions for noncompliance step, select a sequence of actions to apply automatically to devices that do not meet this compliance policy. You can add multiple actions, and configure schedules and details for some actions.

    The following are the available actions for noncompliance:

    • Mark device noncompliant – By default, this action is set for each compliance policy and has a schedule of zero days, marking devices as noncompliant immediately. When you change the default schedule, you provide a grace period in which a user can remediate issues or become compliant without being marked as noncompliant.

    • Send email to end user – This action sends an email notification to the user. When you enable this action, you can select a notification message template that this action sends, and choose to send the message to more recipients by selecting one or more Microsoft Entra groups.

    • Send push notification to end user – Configure this action to send a push notification about noncompliance to a device through the Company Portal app or Intune app on the device.

      NOTE

      The following platforms support this action: Android device administrator, Android Enterprise, and iOS/iPadOS.

    • Remotely lock the noncompliant device – Use this action to issue a remote lock of a device. The user is then prompted for a PIN or password to unlock the device.

    • Add device to retire list – When this action is performed on a device, the device is added to a list of retired, noncompliant devices. However, the device is not retired until an administrator explicitly initiates the retirement process. When an admin retires the device from that list, retirement removes all company data from the device and removes the device from management.

  4. In the Scope tags step, select tags to help filter policies to specific groups. You can also add a scope tag to a compliance policy after its settings have been configured.

  5. In the Assignments step, assign the policy to your groups.

    • Add groups – Click Add groups and the Add groups window appears. Select the assignment type as Included or Excluded, select groups, and click Select to include or exclude the groups for this compliance policy.

    • Add all users – Click Add all users to add all users to the assignment scope.

    • Add all devices – Click Add all devices to add all devices to the assignment scope.

    • Remove – Click the recycle bin button to the right of a group, All users, or All devices to remove the group, all users, or all devices from the assignment scope.

    • Change assignment – Select Included or Excluded in the Group mode column for a group to change the group assignment.

  6. Click Create to create the compliance policy.
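The action sequence configured in step 3 is easiest to reason about as data: each action carries a schedule (its grace period in days), and a device that has been noncompliant for N days has triggered every action whose schedule is N or less. The following is an added example, not Elements or Intune code, that models such a sequence, checks the platform restriction the page states for push notifications, and shows how a non-zero schedule on "Mark device noncompliant" delays the compliance state change. Action names, schedule semantics and the supported-platform list come from the page; the data structures, the validation rules and the sample policies are this example's own assumptions.

```python
"""Model of a compliance policy's "Actions for noncompliance" sequence.

Added illustration, not Elements or Intune code. Action names, the meaning of
a schedule (days of grace before an action fires) and the platforms that support
push notifications follow the page text; the data structures, validation rules
and sample policies are assumptions made for this example.
"""
from dataclasses import dataclass, field
from enum import Enum


class Action(Enum):
    MARK_NONCOMPLIANT = "Mark device noncompliant"
    SEND_EMAIL = "Send email to end user"
    PUSH_NOTIFICATION = "Send push notification to end user"
    REMOTE_LOCK = "Remotely lock the noncompliant device"
    ADD_TO_RETIRE_LIST = "Add device to retire list"


# Platforms on which the push-notification action is supported (from the page).
PUSH_SUPPORTED = {"Android device administrator", "Android Enterprise", "iOS/iPadOS"}


@dataclass(frozen=True)
class ScheduledAction:
    action: Action
    schedule_days: int  # grace period, in days, before the action fires


@dataclass
class CompliancePolicy:
    name: str
    platform: str
    actions: list[ScheduledAction] = field(
        # Default from the page: mark the device noncompliant immediately.
        default_factory=lambda: [ScheduledAction(Action.MARK_NONCOMPLIANT, 0)]
    )


def validate(policy: CompliancePolicy) -> list[str]:
    """Return configuration problems a reviewer would flag; empty list if none."""
    problems = []
    marks = [a for a in policy.actions if a.action is Action.MARK_NONCOMPLIANT]
    if len(marks) != 1:
        problems.append("exactly one 'Mark device noncompliant' action is required")
    for a in policy.actions:
        if a.schedule_days < 0:
            problems.append(f"{a.action.value}: schedule cannot be negative")
        if a.action is Action.PUSH_NOTIFICATION and policy.platform not in PUSH_SUPPORTED:
            problems.append(f"{a.action.value}: not supported on {policy.platform}")
    return problems


def actions_fired(policy: CompliancePolicy, days_noncompliant: int) -> list[Action]:
    """Actions that have fired by day N, in schedule order (ties keep list order)."""
    due = [a for a in policy.actions if a.schedule_days <= days_noncompliant]
    return [a.action for a in sorted(due, key=lambda a: a.schedule_days)]


def is_marked_noncompliant(policy: CompliancePolicy, days_noncompliant: int) -> bool:
    """True once the grace period on 'Mark device noncompliant' has elapsed."""
    return Action.MARK_NONCOMPLIANT in actions_fired(policy, days_noncompliant)


# Constructed sample: a Windows policy that warns at once, grants a 3-day grace
# period before marking the device noncompliant, and queues retirement at day 30.
WINDOWS_POLICY = CompliancePolicy(
    name="Windows baseline (example)",
    platform="Windows 10 and later",
    actions=[
        ScheduledAction(Action.SEND_EMAIL, 0),
        ScheduledAction(Action.MARK_NONCOMPLIANT, 3),
        ScheduledAction(Action.ADD_TO_RETIRE_LIST, 30),
    ],
)

# Constructed sample with a mistake: push notification on a Windows policy.
BAD_POLICY = CompliancePolicy(
    name="Misconfigured (example)",
    platform="Windows 10 and later",
    actions=[
        ScheduledAction(Action.MARK_NONCOMPLIANT, 0),
        ScheduledAction(Action.PUSH_NOTIFICATION, 1),
    ],
)

if __name__ == "__main__":
    for day in (0, 2, 3, 30):
        print(day, [a.value for a in actions_fired(WINDOWS_POLICY, day)])
    print(validate(BAD_POLICY))
```

Running the script prints the actions fired on days 0, 2, 3 and 30 for the sample policy (the device is only marked noncompliant from day 3) and the single validation error for the misconfigured policy.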

Configuration profiles

In the Configuration tab, you can view the configuration profiles with their basic information. Configuration profiles allow you to add and configure settings, and then push these settings to devices in the organization.

Click the name of a configuration profile whose platform is Windows to access the Configuration profile details page. You can view the profile name and creation time at the top of this page. Click Delete configuration profile in the upper-right corner to delete this configuration profile.

  • In the Basics tab, you can view the general information of the configuration profile.

  • In the Assignments tab, you can manage the group assignment for the configuration profile.

    NOTE

    You cannot mix user and device groups across include and exclude when excluding groups. Refer to Assign policies in Microsoft Intune for more information.

    • Add groups – Click Add groups and the Add groups window appears. Select the assignment type as Included or Excluded, select groups, and click Add to include or exclude the groups for this configuration profile.

    • Include all users – Click Include all users to add all users to the assignment scope.

    • Include all devices – Click Include all devices to add all devices to the assignment scope.

    • Remove – Select one or multiple groups and click Remove to remove the groups from the assignment scope.

    • Export – Click Export to export the group assignment of the configuration profile.

    • View group details – Clicking a group name allows you to view the detailed information of the group in the Group details window. Refer to View and Manage Groups for more details.

    • Change assignment – Select Included or Excluded in the Assignment column for a group to change the group assignment.

  • In the Audit logs tab, all actions performed to the current profile within Elements are listed in the table. You can click Refresh to view the latest records, or click Export to export the audit logs.

Conditional access policies

In the Conditional access tab, you can view the conditional access policies with their basic information. Conditional access policies can specify the apps or services you want to protect, the conditions under which the apps or services can be accessed, and the users to whom the policy applies.

You can manage conditional access policies as follows:

  • Delete – Select one or multiple policies and click Delete to delete the conditional access policies.

  • Enable policy – Select a conditional access policy, click Enable policy, and select On or Off from the drop-down list to update the state of the policy.

  • Refresh – Click Refresh to view the latest conditional access policies.

Click the name of a conditional access policy to access the Conditional access policy details page. You can view the policy name, status (Report-only, On, or Off), and creation time at the top of this page.

In the Basics tab, you can view the basic information of the policy.

In the Assignments tab, you can view and configure the user assignment, and view the assignments of target resources, network, and conditions.

  • Users – Configure users to select the identities in the directory that the policy applies to. Click the value link to open the Users window.

    Configure the users and groups you want to include in the Include section.

    • None – No users selected.

    • All users – All users that exist in the directory including B2B guests.

    • Select users and groups – Specific users and groups.

      • Guest or external users – Target the policy to specific guest or external user types: B2B collaboration guest users, B2B collaboration member users, B2B direct connect users, Local guest users (for example, any user belonging to the home tenant with the user type attribute set to guest), Service provider users (for example, a Cloud Solution Provider), and Other external users.

        One or multiple tenants can be specified for the selected user types, or you can specify all tenants.

      • Directory roles – You can select specific built-in directory roles used to determine policy assignment.

      • Users and groups – This allows targeting of specific sets of users.

        NOTE

        There is a limit to the number of individual users that can be added directly to a Conditional Access policy. If a large number of individual users need to be added directly, we recommend placing the users in a group and assigning the group to the policy instead.

    If there are any users, roles, or groups you want to exclude from this policy, configure settings in the Exclude section.

  • Target resources – Control access based on all or specific apps, internet resources, actions, or authentication context.

  • Network – Control user access based on their network or physical location.

  • Conditions – The signals that are used as conditions for this policy.

    • User risk – User risk represents the probability that a given identity or account is compromised.

    • Sign-in risk – Sign-in risk represents the probability that a given authentication request was not made by the identity owner.

    • Insider risk – Insider risk takes into account your data governance, data security, and risk and compliance configurations from Microsoft Purview. This condition allows you to take actions like blocking access, requiring stronger authentication methods, or requiring terms of use acceptance. You can tailor access permissions based on contextual factors such as user behavior, historical patterns, and anomaly detection.

    • Device platforms – Apply policy to selected device platforms.

    • Locations – Control user access based on their network or physical location.

    • Client apps – Control user access to target specific client applications not using modern authentication.

    • Filter for devices – Apply filters to devices based on their attributes.

    • Authentication flows – Control how your organization uses certain authentication and authorization protocols and grants.

In the Access controls tab, you can view the grant and session controls of the policy.

  • Grant access – Control access enforcement to block or grant access.

  • Session control – Control access based on session controls to enable limited experiences within specific cloud applications.
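How the Assignments and Access controls tabs fit together can be illustrated with a small scope evaluator: a user is in scope when matched by the Include section and not by the Exclude section, the policy state decides whether the grant control is enforced or only reported, and only then does the grant control (block, or grant with a requirement) apply. The following is an added example, not Elements or Microsoft Entra code. Two rules it relies on are Microsoft's documented conditional access behaviour: exclusions take precedence over inclusions, and a Report-only policy is evaluated and logged but never enforced. It models the Users assignment and the Grant access control only, leaving target resources, network and the other conditions out; the field names, sample identities and sample policies are constructed for the example.

```python
"""Toy evaluator for conditional access policy scope and outcome.

Added illustration, not Elements or Microsoft Entra code. It models the page's
Users assignment (Include and Exclude), the policy state (Report-only, On, Off)
and the Grant access control. Exclusion-over-inclusion precedence and the
non-enforcing nature of Report-only follow Microsoft's documented behaviour;
the field names, sample identities and sample policies are constructed here.
"""
from dataclasses import dataclass, field
from enum import Enum


class State(Enum):
    ON = "On"
    OFF = "Off"
    REPORT_ONLY = "Report-only"


class Grant(Enum):
    BLOCK = "Block access"
    REQUIRE_MFA = "Grant access, require multifactor authentication"


@dataclass(frozen=True)
class User:
    upn: str
    groups: frozenset[str] = frozenset()
    roles: frozenset[str] = frozenset()
    is_guest: bool = False


@dataclass
class Selection:
    """One side (Include or Exclude) of the Users assignment."""
    all_users: bool = False
    users: set[str] = field(default_factory=set)
    groups: set[str] = field(default_factory=set)
    roles: set[str] = field(default_factory=set)       # directory roles
    guests: bool = False                                # guest or external users

    def matches(self, u: User) -> bool:
        return (self.all_users
                or u.upn in self.users
                or bool(self.groups & u.groups)
                or bool(self.roles & u.roles)
                or (self.guests and u.is_guest))


@dataclass
class Policy:
    name: str
    state: State
    include: Selection
    exclude: Selection = field(default_factory=Selection)
    grant: Grant = Grant.REQUIRE_MFA


def in_scope(policy: Policy, user: User) -> bool:
    """A matching Exclude entry always wins over a matching Include entry."""
    return policy.include.matches(user) and not policy.exclude.matches(user)


def evaluate(policy: Policy, user: User) -> str:
    """Outcome for one sign-in by `user`: not applied, report-only, or enforced."""
    if policy.state is State.OFF or not in_scope(policy, user):
        return "not applied"
    if policy.state is State.REPORT_ONLY:
        return f"report-only: would {policy.grant.value}"
    return f"enforced: {policy.grant.value}"


# Constructed sample policies: MFA for all users with an excluded emergency-access
# account, and a report-only policy that would block guest users.
MFA_ALL = Policy(
    name="MFA for all users (example)",
    state=State.ON,
    include=Selection(all_users=True),
    exclude=Selection(users={"breakglass@example.com"}),
)
BLOCK_GUESTS = Policy(
    name="Block guests (example, report-only)",
    state=State.REPORT_ONLY,
    include=Selection(guests=True),
    grant=Grant.BLOCK,
)

# Constructed sample identities.
ALICE = User("alice@example.com", groups=frozenset({"Finance"}))
BREAKGLASS = User("breakglass@example.com", roles=frozenset({"Global Administrator"}))
GUEST = User("bob_partner.example.com#EXT#@example.com", is_guest=True)

if __name__ == "__main__":
    for p in (MFA_ALL, BLOCK_GUESTS):
        for u in (ALICE, BREAKGLASS, GUEST):
            print(f"{p.name:40} {u.upn:48} {evaluate(p, u)}")
```

The table the script prints shows the pattern administrators check before switching a policy from Report-only to On: the emergency-access account is excluded from the MFA policy even though "All users" includes it, and the guest-blocking policy reports what it would do without enforcing anything.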

In the Audit logs tab, all actions performed to the current policy within Elements are listed in the table. You can click Refresh to view the latest records, or click Export to export the audit logs.