Resolving Non-Compliant Devices in Azure Active Directory with Intune
As organizations increasingly adopt Bring Your Own Device (BYOD) policies, managing device compliance becomes a critical part of security. In particular, Conditional Access Policies (CAPs) are the control that ensures only compliant devices can reach corporate resources. We recently ran into a case where users' iOS devices failed the CAP compliance check even though the devices were Intune-managed and listed as compliant in Azure Active Directory (AzureAD). In this post we walk through the root cause and the options we evaluated to resolve it.
Background
----------
Our organization uses an Account-Driven User Enrollment profile for Intune, which lets users enroll their personally owned iOS devices. We found that some of these devices were not passing the CAP compliance check despite being Intune-managed and listed as compliant in AzureAD. The pattern was always the same: the affected user had two device records in AzureAD for one physical iPhone, one record that was Intune-managed and compliant, and a second, non-compliant record that was not linked to any Intune enrollment.
Issue Analysis
----------
When we investigated, the AzureAD Device ID recorded on the Intune managed-device object matched the compliant, Intune-managed device record in AzureAD, as expected. The AzureAD sign-in logs, however, told a different story: the device ID presented at sign-in was that of the other, non-compliant record, and it was this record that the Conditional Access Policy evaluated and rejected. All affected devices were personally owned and had been enrolled through the Account-Driven User Enrollment profile.
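The correlation described above can be scripted so the duplicate-record pattern is visible at a glance. The following PowerShell is an added example and is not part of the original post; it assumes the Microsoft.Graph PowerShell SDK, an account holding Directory.Read.All, DeviceManagementManagedDevices.Read.All and AuditLog.Read.All, and a hypothetical user `jane.doe@contoso.com` that you replace with the affected UPN. It lists the user's AzureAD device records, joins them to the Intune managed-device records on `azureADDeviceId`, and then checks which device ID the recent Conditional Access failures were bound to.

```powershell
# Added diagnostic, not from the original post: for one user, correlate
# AzureAD device records, Intune managed-device records and recent
# Conditional Access failures, and flag the duplicate-record case
# (sign-in bound to a non-MDM record while a compliant record exists).
param(
    [string]$Upn = 'jane.doe@contoso.com'   # hypothetical example user, replace
)

Connect-MgGraph -Scopes 'Directory.Read.All',
                        'DeviceManagementManagedDevices.Read.All',
                        'AuditLog.Read.All' | Out-Null

$graph      = 'https://graph.microsoft.com/v1.0'
$escapedUpn = $Upn.Replace("'", "''")                       # OData string escaping
$upnFilter  = [uri]::EscapeDataString("userPrincipalName eq '$escapedUpn'")
$upnPath    = [uri]::EscapeDataString($Upn)

# 1. Every device object registered to the user in AzureAD (MDM and non-MDM records alike)
$aadDevices = (Invoke-MgGraphRequest -Method GET -Uri (
    "$graph/users/$upnPath/registeredDevices" +
    '?$select=id,deviceId,displayName,isCompliant,isManaged,mdmAppId,trustType,enrollmentType')).value

# 2. Intune managed-device records for the same user; azureADDeviceId is the join key
$intuneDevices = (Invoke-MgGraphRequest -Method GET -Uri (
    "$graph/deviceManagement/managedDevices?`$filter=$upnFilter" +
    '&$select=id,deviceName,azureADDeviceId,complianceState,deviceEnrollmentType,managedDeviceOwnerType')).value

# 3. Recent sign-ins; keep only those where Conditional Access blocked the request
$signIns = (Invoke-MgGraphRequest -Method GET -Uri (
    "$graph/auditLogs/signIns?`$filter=$upnFilter&`$top=100")).value |
    Where-Object { $_.conditionalAccessStatus -eq 'failure' }

# Index Intune records by the AzureAD device ID they claim to belong to
$intuneByAadId = @{}
foreach ($d in $intuneDevices) {
    if ($d.azureADDeviceId) { $intuneByAadId[$d.azureADDeviceId] = $d }
}

Write-Host "AzureAD device records for $Upn"
foreach ($d in $aadDevices) {
    $intune = $intuneByAadId[$d.deviceId]
    $state  = if ($intune) {
        "Intune: $($intune.complianceState) ($($intune.deviceEnrollmentType))"
    } else { 'not linked to any Intune record' }
    Write-Host ("  {0,-24} deviceId={1} isManaged={2} isCompliant={3} {4}" -f
        $d.displayName, $d.deviceId, $d.isManaged, $d.isCompliant, $state)
}

# A compliant record existing for the user is what makes a CA failure suspicious
$compliantRecord = $aadDevices | Where-Object { $_.isCompliant -eq $true }

Write-Host "`nConditional Access failures (latest $(@($signIns).Count))"
foreach ($s in $signIns) {
    $dd = $s.deviceDetail                                    # device identity presented at sign-in
    $verdict = if ($dd.deviceId -and $intuneByAadId.ContainsKey($dd.deviceId)) {
        'sign-in bound to the Intune-managed record'
    } elseif (-not $dd.deviceId) {
        'no device identity presented (unregistered or non-broker app)'
    } elseif ($compliantRecord) {
        'DUPLICATE RECORD: bound to a non-MDM record while a compliant record exists'
    } else {
        'no compliant record for this user'
    }
    Write-Host ("  {0} {1,-20} deviceId={2} isCompliant={3} -> {4}" -f
        $s.createdDateTime, $s.appDisplayName, $dd.deviceId, $dd.isCompliant, $verdict)
}
```

Run it against an affected user after reproducing the failure from Outlook: a `DUPLICATE RECORD` verdict next to the Outlook sign-in, paired with an Intune-compliant record in the first list, is exactly the symptom this post describes. The `deviceDetail.deviceId` in the sign-in log is the authoritative value; it is what the policy engine evaluated, regardless of what Intune or the device list shows.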
Cause of the Issue
----------
The issue comes down to how Intune and AzureAD represent the same iPhone. A device that a user first signs into from a work app such as Outlook gets a non-MDM device record in AzureAD. When that user then enrolls through the Account-Driven User Enrollment profile, Intune does not mark this existing record as compliant; instead the enrollment is associated with a separate, Intune-managed device record, and compliance state is written only there. Sign-ins from apps such as Outlook continue to present the original, non-MDM record, which never becomes compliant, so the Conditional Access Policy's compliant-device requirement fails even though the list of devices in AzureAD shows a compliant entry for the user.
Potential Solutions
----------
To resolve this issue, we explored several options:
1. **Switch to User Enrollment with Company Portal**: We reproduced the issue with a test device and account. Immediately after enrolling via Account-Driven User Enrollment, AzureAD showed a single, non-MDM device record for the test device. After signing into the Company Portal app, a second, Intune-managed record appeared in the AzureAD device list. Even then, the device did not pass the Conditional Access Policy when using apps such as Outlook, because those sign-ins were still bound to the first record. Switching the enrollment profile to User Enrollment with Company Portal, and enrolling through the Company Portal app itself, resolved the issue: the record that the apps present at sign-in is the same record that Intune marks compliant.
2. **Use a Different Enrollment Method**: Another option is a different enrollment method, such as User-Driven Enrollment or Device Enrollment Manager (DEM). These methods do not share the Account-Driven User Enrollment behaviour described above and could resolve the compliance check failure. Note that DEM is intended for enrolling corporate-owned, shared devices under a single enrollment account, so it is a poor fit for personally owned BYOD devices.
3. **Use a Custom Compliance Policy**: A compliance policy can require devices to meet specific requirements, such as a minimum operating system version or particular software being installed. This does not by itself fix the duplicate-record problem, but it ensures that the record which is evaluated as compliant actually reflects a hardened device.
4. **Monitor Device Compliance**: Regularly reviewing compliance failures in the AzureAD sign-in logs, and keeping the Conditional Access Policy aligned with the device records that actually exist, catches duplicate or stale records before users are locked out. The same review also surfaces genuinely non-compliant devices that are attempting to reach corporate resources.
Conclusion
----------
In conclusion, the problem of devices failing the compliance check despite being Intune-managed and listed as compliant in AzureAD is caused by the sign-in being bound to a non-MDM device record that Account-Driven User Enrollment never marks compliant. In our environment, switching to User Enrollment with Company Portal resolved it; choosing a different enrollment method, tightening the compliance policy, and monitoring the sign-in logs for compliance failures are complementary measures. Together they ensure that only compliant devices can access corporate resources and improve the overall security of our organization's IT infrastructure.