Manage Policies

On the Policies page, you can view and manage compliance policies, configuration profiles, and conditional access policies in separate tabs. Click Refresh in each tab to view the latest policies or configuration profiles. Click Export to export the currently displayed policies.

Compliance policies

In the Compliance tab, you can view the compliance policies with their basic information. Compliance policies help protect organizational data by requiring devices to meet requirements that are set in the policies.

Click the name of a compliance policy to access the Compliance policy details page. In the upper-right corner of the page, you can click Delete compliance policy to delete this policy.

There are five tabs on the page.

- **Basics** – In the **Basics** tab, you can view compliance policy basics, device health, system security, device properties, Microsoft Defender for Endpoint, Configuration Manager compliance, and other custom compliance settings.
- **Devices** – In the **Devices** tab, the devices that have this compliance policy applied are listed in the table with their basic information. Click **Refresh** to refresh the device list. You can also click **Export** to export the device list. Click a device name to access the **Policy settings** page, where you can view and export the policy settings on this device. The device name, status, type, OS version, and operating system are also shown at the top of this page. Click **Refresh** to view the latest monitor results.
- **Actions for noncompliance** – In the **Actions for noncompliance** tab, you can manage the sequence of actions that will be applied automatically to devices that do not meet this compliance policy.
- **Assignments** – In the **Assignments** tab, you can manage the group assignment for the compliance policy.
  - **Add groups** – Click **Add groups** and the **Add groups** window appears. Select the assignment type as **Included** or **Excluded**, select groups, and click **Select** to include or exclude the groups for this compliance policy.
  - **Include all users** – Click **Include all users** to add all users to the assignment scope.
  - **Include all devices** – Click **Include all devices** to add all devices to the assignment scope.
  - **Remove** – Select one or multiple groups and click **Remove** to remove the groups from the assignment scope.
  - **Export** – Click **Export** to export the group assignment of the compliance policy.
  - View group details – Clicking a group name allows you to view the detailed information of the group in the **Group details** window. Refer to [View and Manage Groups](#missing-link) for more details.
  - Change assignment – Select **Included** or **Excluded** in the **Assignment** column for a group to change the group assignment.
- **Audit logs** – In the **Audit logs** tab, all actions performed on the current policy within Elements are listed in the table. You can click **Refresh** to view the latest records, or click **Export** to export the audit logs.

To create a new compliance policy, click Create compliance policy. In the Create compliance policy window, select a platform for this policy from the following options:

- Android device administrator
- Android (AOSP)
- Android Enterprise

  > **Note**: For Android Enterprise, you also select a profile type:
  - Fully managed, dedicated, and corporate-owned work profile
  - Personally-owned work profile
- iOS/iPadOS
- macOS
- Windows 10 and later

Then, click **Save** to open the configuration page.
  1. In the Basics step, enter a display name and optional description for the policy, and click Next.

  2. In the Compliance settings step, configure settings of the available categories for your policy, and click Next.

  3. In the Actions for noncompliance step, select a sequence of actions to apply automatically to devices that do not meet this compliance policy. You can add multiple actions, and configure schedules and details for some actions.

    Following are the available actions for noncompliance:

    • Mark device noncompliant – By default, this action is set for each compliance policy with a schedule of zero days, so devices are marked noncompliant immediately. When you change the default schedule, you provide a grace period in which a user can remediate issues or become compliant without being marked as noncompliant.

    • Send email to end user – This action sends an email notification to the user. When you enable this action, you can select a notification message template that this action sends, and choose to send the message to more recipients by selecting one or more Microsoft Entra groups.

    • Send push notification to end user – Configure this action to send a push notification about noncompliance to a device through the Company Portal app or the Intune app on the device.

      Note: The following platforms support this action: Android device administrator, Android Enterprise, and iOS/iPadOS.

    • Remotely lock the noncompliant device – Use this action to issue a remote lock of a device. The user is then prompted for a PIN or password to unlock the device.

    • Add device to retire list – When this action is performed on a device, the device is added to a list of retired, noncompliant devices. However, the device is not retired until an administrator explicitly initiates the retirement process. When an admin retires the device from that list, retirement removes all company data from the device and removes the device from management.

  4. In the Scope tags step, select scope tags to control which administrators can see and manage this policy. Scope tags can also be added to a compliance policy after it has been created.

  5. In the Assignments step, assign the policy to your groups.

    • Add groups – Click Add groups and the Add groups window appears. Select the assignment type as Included or Excluded, select groups, and click Select to include or exclude the groups for this compliance policy.

    • Add all users – Click Add all users to add all users to the assignment scope.

    • Add all devices – Click Add all devices to add all devices to the assignment scope.

    • Remove – Click the remove button to the right of a group, All users, or All devices to remove that group, all users, or all devices from the assignment scope.

    • Change assignment – Select Included or Excluded in the Group mode column for a group to change the group assignment.

  6. Click Create to create the compliance policy.
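The six-step procedure above, carried out as an added example in PowerShell rather than in the Elements wizard. This is example code written for this page, not code from Elements or from Microsoft; it assumes that the compliance policies Elements shows are Intune policies reachable through the Microsoft Graph v1.0 endpoint, that the Microsoft.Graph.Authentication module is installed, and that the group and notification-template GUIDs are placeholders you replace with your own. The Scope tags step (4) is omitted because that property is not in the v1.0 schema.

```powershell
# Added example (not from the original page): create a Windows compliance policy with the same
# parts as the Elements wizard: basics, compliance settings, actions for noncompliance, assignments.
Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All" -NoWelcome

$graph = "https://graph.microsoft.com/v1.0"
$pilotGroupId           = "00000000-0000-0000-0000-000000000001"  # included Entra group (placeholder)
$excludedGroupId        = "00000000-0000-0000-0000-000000000002"  # excluded Entra group (placeholder)
$notificationTemplateId = "00000000-0000-0000-0000-000000000003"  # existing notification message template (placeholder)

# Steps 1-2: basics and compliance settings. Each setting is one requirement a device must meet.
$policy = @{
    "@odata.type"          = "#microsoft.graph.windows10CompliancePolicy"
    displayName            = "Win-Baseline-Encrypted-Patched"
    description            = "Requires BitLocker, Secure Boot, code integrity, a firewall and a current OS build"
    bitLockerEnabled       = $true
    secureBootEnabled      = $true
    codeIntegrityEnabled   = $true
    activeFirewallRequired = $true
    passwordRequired       = $true
    passwordMinimumLength  = 8
    osMinimumVersion       = "10.0.19045.0"
    # Step 3: actions for noncompliance. Graph requires the "block" action (Mark device noncompliant)
    # to be present; gracePeriodHours is the wizard's schedule expressed in hours, so 72 = 3 days
    # of grace before the device is marked noncompliant, 0 = immediately.
    scheduledActionsForRule = @(
        @{
            ruleName = "PasswordRequired"
            scheduledActionConfigurations = @(
                @{ actionType = "block";        gracePeriodHours = 72;  notificationTemplateId = "";                      notificationMessageCCList = @() }
                @{ actionType = "notification"; gracePeriodHours = 0;   notificationTemplateId = $notificationTemplateId; notificationMessageCCList = @() }
                @{ actionType = "retire";       gracePeriodHours = 720; notificationTemplateId = "";                      notificationMessageCCList = @() }
            )
        }
    )
}
$body    = $policy | ConvertTo-Json -Depth 10
$created = Invoke-MgGraphRequest -Method POST -Uri "$graph/deviceManagement/deviceCompliancePolicies" -Body $body -ContentType "application/json"

# Step 5: assignments. Include the pilot group and exclude the other group. An excluded group wins
# over an included one when a device or user is a member of both.
$assign = @{
    assignments = @(
        @{ target = @{ "@odata.type" = "#microsoft.graph.groupAssignmentTarget";          groupId = $pilotGroupId } }
        @{ target = @{ "@odata.type" = "#microsoft.graph.exclusionGroupAssignmentTarget"; groupId = $excludedGroupId } }
    )
}
$assignBody = $assign | ConvertTo-Json -Depth 10
Invoke-MgGraphRequest -Method POST -Uri "$graph/deviceManagement/deviceCompliancePolicies/$($created.id)/assign" -Body $assignBody -ContentType "application/json"

# Check: read the actions back, so a wrong grace period (e.g. 0 hours where 72 was intended, which
# would mark every device noncompliant at once) is caught before devices evaluate the policy.
$actionsUri = "$graph/deviceManagement/deviceCompliancePolicies/$($created.id)/scheduledActionsForRule?`$expand=scheduledActionConfigurations"
$actions    = Invoke-MgGraphRequest -Method GET -Uri $actionsUri
$actions.value | ForEach-Object { $_.scheduledActionConfigurations } | Select-Object actionType, gracePeriodHours | Format-Table
```

To assign to all users or all devices instead of a group, use a target of type `#microsoft.graph.allLicensedUsersAssignmentTarget` or `#microsoft.graph.allDevicesAssignmentTarget` with no `groupId`. Keep the `block` action with a non-zero grace period in any policy that is assigned broadly: a zero-hour schedule combined with a Conditional Access policy that requires compliant devices cuts off every device that fails the check the moment the policy lands.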

Configuration profiles

In the Configuration tab, you can view the configuration profiles with their basic information. Configuration profiles allow you to add and configure settings, and then push these settings to devices in the organization.

Click the name of a configuration profile whose platform is Windows to access the Configuration profile details page. You can view the profile name and creation time at the top of this page. Click Delete configuration profile in the upper-right corner to delete this configuration profile.

- In the **Basics** tab, you can view the general information of the configuration profile.
- In the **Assignments** tab, you can manage the group assignment for the configuration profile.

  > **Note**: You cannot mix user and device groups across include and exclude when excluding groups. Refer to for more information.
  - **Add groups** – Click **Add groups** and the **Add groups** window appears. Select the assignment type as **Included** or **Excluded**, select groups, and click **Add** to include or exclude the groups for this configuration profile.
  - **Include all users** – Click **Include all users** to add all users to the assignment scope.
  - **Include all devices** – Click **Include all devices** to add all devices to the assignment scope.
  - **Remove** – Select one or multiple groups and click **Remove** to remove the groups from the assignment scope.
  - **Export** – Click **Export** to export the group assignment of the configuration profile.
  - View group details – Clicking a group name allows you to view the detailed information of the group in the **Group details** window. Refer to [View and Manage Groups](#missing-link) for more details.
  - Change assignment – Select **Included** or **Excluded** in the **Assignment** column for a group to change the group assignment.
- In the **Audit logs** tab, all actions performed on the current profile within Elements are listed in the table. You can click **Refresh** to view the latest records, or click **Export** to export the audit logs.

Conditional access policies

In the Conditional access tab, you can view the conditional access policies with their basic information. Conditional access policies can specify the apps or services you want to protect, the conditions under which the apps or services can be accessed, and the users that the policy applies to.

You can manage conditional access policies as follows:

- **Delete** – Select one or multiple policies and click **Delete** to delete the conditional access policies.
- **Enable policy** – Select a conditional access policy, click **Enable policy**, and select **On** or **Off** from the drop-down list to update the state of the policy.
- **Refresh** – Click **Refresh** to view the latest conditional access policies.

Click the name of a conditional access policy to access the Conditional access policy details page. You can view the policy name, status (Report-only, On, or Off), and creation time at the top of this page.

- In the **Basics** tab, you can view the basic information of the policy.
- In the **Assignments** tab, you can view and configure the user assignment, and view the assignments of target resources, network, and conditions.
  - **Users** – Configure users to select the identities in the directory that the policy applies to. Click the value link to open the **Users** window. Configure the users and groups you want to include in the **Include** section.
    - **None** – No users selected.
    - **All users** – All users that exist in the directory, including B2B guests.
    - **Select users and groups** – Specific users and groups.
      - **Guest or external users** – **B2B collaboration guest users**, **B2B collaboration member users**, **B2B direct connect users**, **Local guest users** (for example, any user belonging to the home tenant with the user type attribute set to guest), **Service provider users** (for example, a Cloud Solution Provider), and **Other external users** can be used to target the policy to specific guest or external user types. One or multiple tenants can be specified for the selected user types, or you can specify all tenants.
      - **Directory roles** – You can select specific directory roles that are used to determine policy assignment.
      - **Users and groups** – This allows targeting of specific sets of users.

    > **Note**: There is a limit to the number of individual users that can be added directly to a Conditional Access policy. If a large number of individual users need to be added directly, we recommend placing the users in a group and assigning the group to the policy instead.

    If there are any users, roles, or groups you want to exclude from this policy, configure settings in the **Exclude** section.
  - **Target resources** – Control access based on all or specific apps, internet resources, actions, or authentication context.
  - **Network** – Control user access based on their network or physical location.
  - **Conditions** – The signals that are used as conditions for this policy.
    - **User risk** – User risk represents the probability that a given identity or account is compromised.
    - **Sign-in risk** – Sign-in risk represents the probability that a given authentication request was not made by the identity owner.
    - **Insider risk** – Insider risk takes into account your data governance, data security, and risk and compliance configurations from Microsoft Purview. This condition allows you to take actions like blocking access, requiring stronger authentication methods, or requiring terms of use acceptance. You can tailor access permissions based on contextual factors such as user behavior, historical patterns, and anomaly detection.
    - **Device platforms** – Apply the policy to selected device platforms.
    - **Locations** – Control user access based on their network or physical location.
    - **Client apps** – Control user access by targeting specific client applications that do not use modern authentication.
    - **Filter for devices** – Control filters to apply to devices based on their attributes.
    - **Authentication flows** – Control how your organization uses certain authentication and authorization protocols and grants.
- In the **Access controls** tab, you can view the grant and session controls of the policy.
  - **Grant access** – Control access enforcement to block or grant access.
  - **Session control** – Control access based on session controls to enable limited experiences within specific cloud applications.
- In the **Audit logs** tab, all actions performed on the current policy within Elements are listed in the table. You can click **Refresh** to view the latest records, or click **Export** to export the audit logs.
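The policy structure described above (Users with Include and Exclude, Target resources, Conditions, Access controls) and the Report-only / On / Off state that the Enable policy action switches, shown as an added PowerShell example. This is example code written for this page, not Elements or Microsoft code; it assumes the policies Elements displays are Microsoft Entra Conditional Access policies reachable through the Microsoft Graph v1.0 endpoint and that the Microsoft.Graph.Authentication module is installed. The group GUID is a placeholder. The policy is created in report-only state, and the `Test-CaPolicySafe` check (a name chosen for this example) refuses to switch it to On unless the emergency-access group is in the Exclude section.

```powershell
# Added example (not from the original page): a Conditional Access policy as the Graph object behind
# the Users / Target resources / Conditions / Access controls sections, created in Report-only state.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All" -NoWelcome

$graph             = "https://graph.microsoft.com/v1.0"
$breakGlassGroupId = "00000000-0000-0000-0000-000000000010"   # group holding emergency-access accounts (placeholder)

$policy = @{
    displayName = "CA-Require-MFA-High-SignIn-Risk"
    state       = "enabledForReportingButNotEnforced"           # Elements shows this as Report-only
    conditions  = @{
        users = @{
            includeUsers  = @("All")                             # Include > All users (B2B guests included)
            excludeGroups = @($breakGlassGroupId)                # Exclude > the break-glass group, always
        }
        applications     = @{ includeApplications = @("All") }   # Target resources > all cloud apps
        clientAppTypes   = @("all")                              # Client apps condition
        signInRiskLevels = @("high")                             # Sign-in risk condition
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }   # Access controls > Grant access with MFA
}
$body = $policy | ConvertTo-Json -Depth 10
$ca   = Invoke-MgGraphRequest -Method POST -Uri "$graph/identity/conditionalAccess/policies" -Body $body -ContentType "application/json"

# The check run before the equivalent of Enable policy > On: a policy that applies to All users and does
# not exclude the emergency-access group can lock every administrator out if the MFA method fails.
function Test-CaPolicySafe {
    param(
        [Parameter(Mandatory)] [hashtable] $Policy,
        [Parameter(Mandatory)] [string]    $RequiredExcludedGroupId
    )
    $excluded = @($Policy.conditions.users.excludeGroups)
    return ($excluded -contains $RequiredExcludedGroupId)
}

# Read the stored policy back rather than trusting the local object: what Entra evaluates is what counts.
$live = Invoke-MgGraphRequest -Method GET -Uri "$graph/identity/conditionalAccess/policies/$($ca.id)"

if (Test-CaPolicySafe -Policy $live -RequiredExcludedGroupId $breakGlassGroupId) {
    # "enabled" = On, "disabled" = Off, "enabledForReportingButNotEnforced" = Report-only.
    $stateBody = @{ state = "enabled" } | ConvertTo-Json
    Invoke-MgGraphRequest -Method PATCH -Uri "$graph/identity/conditionalAccess/policies/$($ca.id)" -Body $stateBody -ContentType "application/json"
} else {
    Write-Warning "Policy $($ca.id) does not exclude the emergency-access group; leaving it in Report-only."
}
```

Leave a new policy in Report-only until the sign-in logs show it would have affected only the intended users, then switch it On; switching a broad block policy straight to On is the most common way to lock a tenant's administrators out.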