Learn how to set up a configuration policy for iOS or Android that solves for common business and security requirements.
- [Narrator] The next thing we're going to need to do is create a configuration profile that tells us how we want to manage a device, and what settings we want to put on that. And to do that we start in the device configuration section. To push device configurations, we create what are called device configuration profiles and we can do that in the profiles area. And finally, we're going to go ahead and create a profile for managing iOS devices. We'll call this our iOS configuration profile. And then under platform, we'll select iOS.
You can see there's a whole bunch of different choices here, whether we are doing Android devices or Windows devices. Based on the platform you select, the settings you'll have to choose from are what's applicable to that platform. And finally the type of profile, again there's a number of different choices here, device features and device restrictions really control how the device works. E-mail policies let us automatically configure the built-in Apple mail client. Certificate policies let us push certificates to the devices or configure them to request the certificate. This can be really useful if you need special certificates, client certificates to connect to Wifi.
And then VPN and Wifi let us push profiles to provide a VPN connection or automatically connect to a wireless network. We'll go ahead and do device restrictions. And the device restrictions will apply here. We'll go ahead and require a password on this device. We'll require a numeric password and let's say that it needs to be at least four characters long and after 11 sign-in failures in a row, we'll automatically wipe the device.
That's a setting you typically want to be careful with because if someone accidentally enters a bunch of wrong passwords in a row, it can wipe the device that really wasn't compromised. But many people require this from a compliance or policy or so forth. And then we'll automatically lock the screen after one minute. And finally, you can do things like require people to change their PIN periodically or prevent them from reusing certain passwords, or block the fingerprint unlock feature. We'll leave all those to the defaults.
There's all sorts of other settings in here; you could literally spend a day going through all these different choices. We're going to leave the rest of these set to the defaults and we'll just set password in there, and that'll be something you'll be able to see when we enroll this device. We'll create the policy. And then, now that we've created the policy, we actually have to assign it to a group of users in order for it to apply to someone. To do that, as the directions say, we'll click assignments, we'll select a group, and we're going to use this All Users group.
In reality, chances are you'd have different policies for different groups of users or types of users. You might use a bunch of different groups. We're going to keep this simple. We'll Save. And now when someone enrolls an iOS device, they'll get our restrictions, specifically the ones that require that four-digit PIN. The other thing that we need to do is create what's called a compliance policy. These configuration policies or profiles, they enforce settings, whereas you can think of compliance profiles as something that measures settings. The compliance profile will make sure that our device is compliant with our requirements and that compliance will be reported back to Azure Active Directory, so that we can use conditional access to require access to an application only from a compliant device.
To create a compliance profile, click device compliance, click policies, and then let's create a new policy. We'll call this the iOS compliance policy. Again, we have to pick a platform. And this time what we want to do is we have to choose which settings we want to measure or test to determine if this device is compliant. We'll make sure our password policy is enforced. We'll require a password that's at least four characters long and is at least numeric.
You can set other settings here based on the settings that you pushed down in your configuration policy, but we'll disclose the basics here to determine whether or not our device is compliant. We'll also go under device health and we'll make sure that a jailbroken device isn't allowed. Jailbroken devices are ones where someone has compromised it and we're going to have to remove some of the built-in restrictions that iOS enforces, which might also put our device at risk of not enforcing our corporate restrictions.
We'll save this. Now we have a compliance policy that requires our device not to be jailbroken and to have at least a four-digit numeric PIN. Much like the configuration profile, until we deploy this, it doesn't actually do anything. We'll go to assignments, and we'll include the All Users group. We'll save this. At this point, once we enroll the device, it'll enforce the settings in our configuration profile and then it'll determine its compliance based on this compliance policy that we've just deployed.
- Authentication options with Azure AD
- Configuring Azure AD Connect for sync and authentication
- Securing remote access with the Azure Application Proxy
- Managing apps and devices with Intune
- Building and deploying a basic Intune policy for iOS or Android
- Protecting data beyond the firewall with Azure Information Protection (AIP)
- Configuring AIP classification labels and protection
- Integrating Exchange and SharePoint with AIP
- Managing risk with Advanced Threat Analytics
- Connecting Office 365 to cloud app security