More Android Compliance rules arrived in Intune

In one of my tenants the new compliance rules for Android arrived last night. So from now on we are able to block access to corporate data for users whose Android devices have USB Debugging enabled, allow the installation of apps from Unknown Sources, or have the option “Scan device for security threats” disabled.

If you ask me, these are three of the most wanted compliance enhancements for supporting Android devices. Let’s have a look at how it works.

Admin experience

In the console the compliance policy can be configured to block access when one of the three settings does not comply. The minimum Android security patch level can also be configured, for Android 6.0 and later.


The administrator is able to identify the users with non-compliant devices and perform a selective wipe if the organization requires it.
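The post configures the policy in the console. As an added example (not code from the original post), the same four settings expressed as a Microsoft Graph `androidCompliancePolicy` body, together with a small evaluator that flags which settings a device fails and the remediation hint the user would need. The Graph property names follow the `microsoft.graph.androidCompliancePolicy` resource type and should be re-checked against the current Graph reference; the device state keys (`usb_debugging_enabled` and so on), the sample devices and the remediation texts are constructed for this example.

```python
"""Android compliance settings as a Graph policy body plus a local evaluator.

Added example; assumptions (not from the post): the device-state keys,
the sample devices and the remediation hints are constructed here.
"""
import json
from datetime import date


def build_android_compliance_policy(display_name: str, min_patch_level: str) -> dict:
    """Return the JSON body for POST /deviceManagement/deviceCompliancePolicies.

    min_patch_level is an ISO date such as "2016-06-01"; Android reports its
    security patch level (ro.build.version.security_patch) in that format.
    Property names follow microsoft.graph.androidCompliancePolicy.
    """
    date.fromisoformat(min_patch_level)  # reject a malformed date early
    return {
        "@odata.type": "#microsoft.graph.androidCompliancePolicy",
        "displayName": display_name,
        "description": "Block USB debugging, unknown sources and disabled Verify Apps",
        "securityDisableUsbDebugging": True,
        "securityPreventInstallAppsFromUnknownSources": True,
        "securityRequireVerifyApps": True,  # "Scan device for security threats"
        "minAndroidSecurityPatchLevel": min_patch_level,
        # A compliance policy needs at least one scheduled action;
        # gracePeriodHours 0 blocks access as soon as the device is non-compliant.
        "scheduledActionsForRule": [{
            "scheduledActionConfigurations": [{
                "actionType": "block",
                "gracePeriodHours": 0,
            }],
        }],
    }


def evaluate_device(policy: dict, device: dict) -> list:
    """Return (setting, remediation) pairs for every setting the device fails.

    The device dict mimics what the Company Portal would observe on the phone
    (constructed keys, not an Intune data model).
    """
    findings = []
    if policy.get("securityDisableUsbDebugging") and device.get("usb_debugging_enabled"):
        findings.append(("USB debugging",
                         "Settings > Developer options > turn off USB debugging"))
    if (policy.get("securityPreventInstallAppsFromUnknownSources")
            and device.get("unknown_sources_enabled")):
        findings.append(("Unknown sources",
                         "Settings > Security > turn off Unknown sources"))
    if policy.get("securityRequireVerifyApps") and not device.get("verify_apps_enabled", False):
        findings.append(("Scan device for security threats",
                         "Settings > Google > Security > turn on Scan device for security threats"))
    required = policy.get("minAndroidSecurityPatchLevel")
    if required:
        try:
            reported = date.fromisoformat(device.get("security_patch_level", ""))
        except ValueError:
            # A missing or unparseable patch level must not pass silently.
            findings.append(("Security patch level",
                             f"device reported no valid patch level; {required} or later required"))
        else:
            if reported < date.fromisoformat(required):
                findings.append(("Security patch level",
                                 f"install the {required} or later security update"))
    return findings


# Constructed sample devices (not real telemetry).
SAMPLE_DEVICES = {
    "dev-phone": {"usb_debugging_enabled": True, "unknown_sources_enabled": True,
                  "verify_apps_enabled": True, "security_patch_level": "2016-06-01"},
    "clean-phone": {"usb_debugging_enabled": False, "unknown_sources_enabled": False,
                    "verify_apps_enabled": True, "security_patch_level": "2016-07-01"},
    "stale-phone": {"usb_debugging_enabled": False, "unknown_sources_enabled": False,
                    "verify_apps_enabled": True, "security_patch_level": "2016-02-01"},
    "odd-phone": {"usb_debugging_enabled": False, "unknown_sources_enabled": False,
                  "verify_apps_enabled": True, "security_patch_level": "unknown"},
}


if __name__ == "__main__":
    policy = build_android_compliance_policy("Android baseline", "2016-06-01")
    print(json.dumps(policy, indent=2))
    for name, state in SAMPLE_DEVICES.items():
        print(name, evaluate_device(policy, state) or "compliant")
```

The body can be sent with any Graph client that holds `DeviceManagementConfiguration.ReadWrite.All`; the evaluator is only there to make explicit which of the settings shown in the console a given device trips, including the patch-level edge cases (older patch, or no parseable patch level at all) that a boolean-only check would miss.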

Compliance settings a device may not conform to

User experience

Looking at the user experience, I tested enrollment with the non-compliant settings already configured, and changing to the non-compliant settings when the device was already enrolled.

So after enabling USB Debugging and Unknown Sources, a user sees the following:

Hey not compliant, let’s recheck

After the recheck, users can see what is wrong and what they need to fix to get access again:

Ow no! Not Compliant!

Tapping on How to resolve this shows how to fix the compliance issues:

User is guided the right way

Of course Conditional Access also works for modern apps, for instance when trying to configure the Outlook app:

CA works for Outlook

For some reason I was not able to verify via the compliance policy whether the option “Scan device for security threats” was disabled or not. Some further investigation is needed 🙂

Till later!


  1. After searching on the web I stumbled here…. I was curious: did you actually test the Selective Wipe on Android? It appears it still doesn’t work correctly for us and we’ve seen all sorts of issues.

    Note: This is testing done with all Nexus devices, 5, 6, 5x

    First: Selective Wipe with the Outlook app still does not remove the existing mail on the phone; it only prevented the ability to receive mail. I could however still send mail from the device after the selective wipe process. I can still view and read the cached email on the phone.

    Second: Initial enrollment prompted to install Intune and worked as intended. However, with re-testing we are able to configure the Outlook app at will and connect to send/receive mail without the Intune app.

    Third: MS documentation shows that MDM works with the built-in Exchange support for the Gmail app. However, we have yet to get it working with the Gmail app. It says it is trying to connect via ActiveSync and is denied due to external MDM.

    Fourth: The Intune app mistakenly found my device to be rooted, which it is not.
