A method to designing an effective compliance policy design
Published: May 04, 2023 | Author: René Laas
The purpose of this blog post is to inform you about designing a compliance policy and why you need a compliance policy and how to create the right compliance policy.
I think we all agree on configuring a compliance policy is essential for several reasons. I have done several Intune implementations, for enterprise organizations but also small environments. I always advised implementing compliance policies because it helps to protect users to get access to data on non-corporate devices via Conditional Access. But never thought about why they even need a compliance policy. So this blog post goes about designing a compliance policy design.
What is a compliance policy?
Intune compliance policy is a security feature of Microsoft Intune. Intune compliance policies are used to ensure that mobile devices that access company data are secure and meet certain security requirements.
Intune compliance policies are used to enforce settings on devices such as encryption, password requirements, device enrollment, jailbreak detection, and more. Compliance policies also enable administrators to specify rules for devices based on their ownership type (company-owned vs. personal), device platform (Android, iOS, Windows), and device state (compliant vs. non-compliant).
By setting up Intune compliance policies, organizations can ensure that their devices are secure, and that they are in compliance with regulations and policies. Compliance policies can help protect company data, as well as ensure that employees are following best practices for device security.
Why do you even need a compliance policy design?
What is the problem you want to solve here with the compliance policy?
Firstly, it can help to protect your organization from potential legal and financial consequences that could result from non-compliance. Failure to comply with laws and regulations can result in costly fines and legal action, which can seriously impact an organization’s reputation and financial stability.
But before you can design a proper compliance policy, you must understand the business needs.
Why do they even care about compliance? Do they want, for example, to lower the risk of data leakage? Or do they want to apply any additional Azure AD capabilities and features to block admin tasks on non-compliant devices?
So, before you configure your compliance policies in Intune. Understand the needs of your organization. Identify the right stakeholders (not only IT, but compliance is also more of a business thing). Host a compliance policy workshop with your stakeholders. Document all the compliance requirements.
|IT||to ensure compliance policy is enforced and implemented effectively across all digital platforms and devices.|
|Legal||to ensure that the compliance policy is in line with legal requirements and regulations, and to mitigate any legal risks associated with non-compliance.|
|Security||to identify potential security threats, develop and implement measures to prevent security breaches, and respond to security incidents to protect sensitive data and ensure compliance with security standards.|
|HR||to ensure that the compliance policy is communicated effectively to all employees, to address any compliance-related issues or concerns, and to ensure that employee actions are aligned with the compliance policy and overall company culture.|
|Works Council||To ensure that the compliance policy and related practices do not violate employee rights or labor laws, to represent and protect the interests of employees, and to provide input and feedback on how the compliance policy can be improved to better serve employees.|
Is your organization ready?
During the workshop you will get the requirements for compliance. But you also have to know, is your organization even ready to apply compliance policy?
You can use the following questions to get insights if your organization is ready to implement a Compliance Policy:
- Are there any policies made about different type of devices like BYOD or only Corporate, VDI, etc.
- Are there any risks when you do not apply compliance?
- Do they accept to lose productivity when a device become not compliant?
- Do you have any procedures available?
- Do you need to train our support desk?
- Are there any FAQ documents available?
- Do you know how our end-users will respond if they lose access to cloud resources because of a non-compliant device?
- Do our end-users know the importance of a compliant device?
Designing a compliance policy – Business requirements
The following example business requirements can be applicable for your organization:
Compliance with GPDR and AVG and other laws and regulations:
- The organization must take technical and organizational measures to protect data, such as access controls.
- The organization must ensure compliance with GPDR, HIPPA, SOX, AVG or BIO.
Protection of sensitive data and privacy:
- The organization must take physical, technical, and organizational measures to protect sensitive data.
- The organization should conduct regular security assessments to identify potential vulnerabilities and address them immediately
Risk reduction of security incidents:
- The organization should implement appropriate technical controls such as firewalls to prevent unauthorized access and detect potential security incidents.
- The organization should maintain an inventory of all IT assets and ensure that they are properly configured and patched.
Designing a compliance policy – Technical requirements
Now you have your business requirements, you and your team must translate the business requirements to technical requirements.
The following example technical requirements can be applicable for your organization.
- All devices must be encrypted
- A firewall must be enabled on all devices
- Devices must have a TPM chip and use the secure boot to ensure that the operating system and firmware are not tampered with during the boot process.
Designing a compliance policy – Configuration options
Global Compliance policy settings are tenant-wide settings that determine how Intune’s compliance service interacts with your devices. These settings are distinct from the settings you configure in a device compliance policy.
Global Compliance policy settings include the following settings:
- Mark devices with no compliance policy assigned as
- Enhanced jailbreak detection
- Compliance status validity period (days)
Create compliance policy
Device compliance policies are a key feature when using Intune to protect your organization’s resources. In Intune, you can create rules and settings that devices must meet to be considered compliant, such as a minimum OS version. If the device isn’t compliant, you can then block access to data and resources using Conditional Access.
As part of a compliance policy that protects your organizations resources from devices that don’t meet your security requirements, compliance policies also include Actions for noncompliance. Actions for noncompliance are one or more time-ordered actions that are taken by a policy to help protect devices and your organization. As an example, an action for noncompliance can remotely lock a device to ensure it’s protected, or send a notification to devices or users to help them understand and resolve the noncompliant status.
Following are the available actions for noncompliance:
- Mark device non-compliant:
- Send email to end user:
- Remotely lock the noncompliant device
- Retire the noncompliant device
- Send push notification to end user
Custom Compliance script
Expanding on Intune’s built-in device compliance options, use policies for custom compliance settings for managed Linux and Windows devices. Custom settings provide flexibility to base compliance on the settings that are available on a device without having to wait for Intune to add these settings.To add custom settings to a policy, you’ll need to prepare a JSON file, and a detection PowerShell script. Both the script and JSON become part of the compliance policy.
More information about Compliance policies can be found here.
Designing a compliance policy – Integration with Defender for Endpoint
By integrating Intune with Defender for Endpoint, you can better protect your devices. Defender for Endpoint provides advanced threat protection against a range of cyberattacks, including malware, ransomware, and phishing attacks. By integrating Intune’s compliance policies with Defender for Endpoint, you can ensure that your devices and app conform to specific security requirements while also having access to the advanced threat protection capabilities of Defender for Endpoint.
The integration of Intune’s compliance policies with Defender for Endpoint is a powerful combination that allows you to effectively manage your devices and reduces the cybersecurity risks and prevents and helps your organization against access data and performing admin tasks on insecure and vulnerable devices.