Windows Intune: Policy

This is part of a continuing series about Windows Intune. This section will focus on creating policies for the different types of clients. If you are familiar with setting client policies in SCCM, this will be very similar.

Adding Policies

To add a policy, click “Add Policy” under Tasks in the Policy node of the web interface. There will be four options. We are going to focus primarily on Mobile Device Security Policy and Windows Intune Agent Settings.


Mobile Device Security Policy

To begin, select “Mobile Device Security Policy” and select the “Create and Deploy a Custom Policy” button. First, give your policy a name. Next, take a look through the security section. Most of these policies apply to Windows Phone, Windows RT, iOS, and Android. There are a few exceptions, so be sure to note those. Some key policies to pay attention to are “Require a password to unlock mobile devices”, “Require a password type”, and “Minimum password length”. All of these are important if mobile devices can access company data.

If you wish to let the end user decide on any of these, simply click the switch to off. Anything that is switched off will appear greyed out and will not say which operating systems it applies to. As soon as you turn it on, you are given that information. One of the security policies that is disabled by default is “Allow fingerprint unlock”. I would suggest thinking about this option, especially with new iOS and Android devices supporting this feature.

The next section is encryption. There are two settings available: encrypt the device and encrypt the storage cards. I would carefully weigh these options and decide what is best for your organization. If you mouse over the information icon, Microsoft has a recommended setting, and some more information about what the policy does.

I am going to skip over the Malware section, as these policies only apply to Windows RT. Next is the System section. This section deals with a lot of iOS-specific items, though there are some Windows Phone and RT settings available. Two things that you should think about here are “Require Automatic Updates” and “User Account Control”. Both of these apply to Windows 8.1 RT or Pro. The User Account Control option provides the same levels as Windows.

Next is Cloud, which deals mostly with iCloud and iOS. Set these as your organization would like. Two things that deal with Windows are providing the URL for Work Folders, and allowing Microsoft accounts.

Next are some general email settings. One important one here is allowing the download of email attachments. This setting could be important for organizations that are concerned about viruses being delivered via email. Also, you can specify whether or not “other” email accounts are allowed on the device, thereby preventing users from receiving personal email on company devices.

Next are various application settings, such as allowing a web browser, enabling a pop-up blocker, or allowing active scripting. All of these settings can be configured for Windows 8.1, and a few can be set for iOS. Further down are more apps options, such as disabling the app store (available for iOS and Windows Phone 8.1), and whether or not to allow in-app purchases. Finally, you can disable Game Center and multiplayer games on iOS.

Finally, we have Device Capabilities. Here we can disable the device’s camera, Wi-Fi, Wi-Fi tethering, etc. Further, we can disable roaming and voice assistants. All of this should be configured to meet your company’s policies.

Once you have your policy set, create it. You can deploy it to a group during the creation process, or later from the “All Policies” screen.


Windows Intune Agent Settings

These settings will apply to computers. First, we have Endpoint Protection. You can elect to install and enable it. Various settings can also be defined, ranging from enabling real-time protection (and what it monitors) to defining daily scans. As with Endpoint Protection in SCCM, we can also exclude files, folders, and processes from the scan process.

Next, we can define update settings. You will want to pay attention to these, especially the ones about computer restarts. I would recommend keeping the “Allow logged on user to control Windows restart after installation of scheduled updates” set to “Yes” so that the computer does not automatically restart.

Finally, you can define whether or not a user can set their own user-device link. This works similarly to User/Device Affinity in SCCM. I would recommend keeping this set to “No”.

Policy Conflicts

One neat feature of Windows Intune is the ability to show you conflicts between policies. You can click on “Policy Conflicts” to view any and remediate them.
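To make the conflict idea concrete, here is an added Python model (constructed for this post, not Intune’s own code or algorithm) of how policies deployed to overlapping groups produce the conflicts the “Policy Conflicts” screen reports. The setting names come from the Mobile Device Security Policy section above; the policy and group names are made up, and the “most restrictive wins” resolution rule is an assumption for illustration, not how Intune itself resolves conflicts.

```python
from dataclasses import dataclass

@dataclass
class Policy:
    name: str
    groups: set          # groups the policy is deployed to
    settings: dict       # only settings switched "on"; "off" leaves the choice to the user

# Constructed sample policies; setting names follow the Mobile Device Security Policy UI.
POLICIES = [
    Policy("Corporate baseline", {"All Mobile Devices"}, {
        "Require a password to unlock mobile devices": True,
        "Minimum password length": 6,
        "Allow fingerprint unlock": False,
        "Encrypt the device": True}),
    Policy("Executive devices", {"Executives"}, {
        "Minimum password length": 8,
        "Allow fingerprint unlock": True}),
    Policy("Field sales", {"Sales"}, {
        "Minimum password length": 6,
        "Allow download of email attachments": False}),
]

def applicable(policies, device_groups):
    """Policies deployed to at least one group the device belongs to."""
    return [p for p in policies if p.groups & set(device_groups)]

def find_conflicts(policies, device_groups):
    """{setting: {policy name: value}} for settings that applicable policies set differently."""
    by_setting = {}
    for p in applicable(policies, device_groups):
        for key, value in p.settings.items():
            by_setting.setdefault(key, {})[p.name] = value
    return {k: v for k, v in by_setting.items() if len(set(v.values())) > 1}

def most_restrictive(policies, device_groups):
    """'Most restrictive wins' resolution, assumed here for illustration (not Intune's own rule):
    'Allow ...' -> False wins, 'Minimum ...' -> larger value wins, anything else -> True wins."""
    effective = {}
    for p in applicable(policies, device_groups):
        for key, value in p.settings.items():
            if key not in effective:
                effective[key] = value
            elif key.startswith("Allow"):
                effective[key] = effective[key] and value
            elif key.startswith("Minimum"):
                effective[key] = max(effective[key], value)
            else:
                effective[key] = effective[key] or value
    return effective
```

A device in both “All Mobile Devices” and “Executives” conflicts on password length and fingerprint unlock, while a device in “All Mobile Devices” and “Sales” does not, because both policies set the same minimum length.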


All content provided on this blog is for information purposes only. Windows Management Experts, Inc makes no representation as to accuracy or completeness of any information on this site. Windows Management Experts, Inc will not be liable for any errors or omissions in this information nor for the availability of this information. It is highly recommended that you consult one of our technical consultants, should you need any further assistance.


