Manage device compliance policies – Manage policies and profiles

Manage device compliance policies

Once you have created compliance policies within MDM, you can enforce the protection of your organizational data by requiring users and devices to meet business requirements. You have seen that the rules and settings available are extensive; when combined with conditional access, these rules and settings allow administrators to block users and devices that don’t meet the rules.

Whenever a device has a compliance policy assigned, a compliance status will be determined, as shown in Table 2-3.

TABLE 2-3 Compliance policy status

| Status | Severity |
|---|---|
| Unknown | 1 |
| NotApplicable | 2 |
| Compliant | 3 |
| InGracePeriod | 4 |
| NonCompliant | 5 |
| Error | 6 |

You can see that the severity increases when the device is in an error state or is noncompliant. The severity is reported to Microsoft Intune and is used when determining access to your organizational data.

When a device has multiple policies assigned, the device may have different compliance statuses. In these situations, Intune assigns a single resulting compliance status, which is based on the highest severity level of all the policies that are assigned to that device.

Note When Policies Conflict

If a device has two policies applied and one is compliant and the other noncompliant, the resulting status for the device will be noncompliant.
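
The highest-severity rule can be applied to a list of per-policy results to see which status each device ends up with. The following is an added example, not code from the original page or from Microsoft; the (device, policy, status) row layout, the device names and the policy names are constructed for illustration, and rejecting status strings that are not in Table 2-3 is a choice made for this example.

```python
from collections import defaultdict

# Severity per status, taken from Table 2-3.
SEVERITY = {
    "Unknown": 1,
    "NotApplicable": 2,
    "Compliant": 3,
    "InGracePeriod": 4,
    "NonCompliant": 5,
    "Error": 6,
}
_CANONICAL = {name.lower(): name for name in SEVERITY}


def resulting_status(statuses):
    """Return the single status with the highest severity among `statuses`."""
    names = []
    for raw in statuses:
        key = raw.strip().lower()
        if key not in _CANONICAL:
            # Refuse to guess a severity for a value the table does not list.
            raise ValueError(f"status not in Table 2-3: {raw!r}")
        names.append(_CANONICAL[key])
    if not names:
        raise ValueError("no policy statuses supplied")
    return max(names, key=SEVERITY.__getitem__)


def device_results(records):
    """Group (device, policy, status) rows by device and resolve each one."""
    by_device = defaultdict(list)
    for device, _policy, status in records:
        by_device[device].append(status)
    return {dev: resulting_status(sts) for dev, sts in by_device.items()}


# Constructed sample rows: (device, policy, per-policy status).
SAMPLE = [
    ("LAPTOP-01", "Require BitLocker", "Compliant"),
    ("LAPTOP-01", "Minimum OS version", "NonCompliant"),
    ("PHONE-07", "Require PIN", "Compliant"),
    ("PHONE-07", "Block jailbroken", "InGracePeriod"),
    ("TABLET-03", "Require PIN", "Compliant"),
    ("TABLET-03", "Windows-only policy", "NotApplicable"),
]

if __name__ == "__main__":
    for device, status in sorted(device_results(SAMPLE).items()):
        print(f"{device}: {status}")
```

A device whose only other policy is NotApplicable still resolves to Compliant, because Compliant carries the higher severity in Table 2-3.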

Policy refresh cycle times

Devices connect to Intune on a periodic basis, and the compliance status is checked when they do. The refresh cycle is the same as for configuration profiles and is shown in Table 2-4. If a device has been recently enrolled, the compliance check-in runs more frequently during this initial period.

TABLE 2-4 Compliance policy refresh cycle

| Platform | Initial check-in frequency | Ongoing refresh cycle |
|---|---|---|
| iOS/iPadOS | Every 15 minutes for 1 hour, and then every 8 hours | 8 hours |
| macOS | Every 15 minutes for 1 hour, and then every 8 hours | 8 hours |
| Android | Every 3 minutes for 15 minutes, then every 15 minutes for 2 hours, and then every 8 hours | 8 hours |
| Windows 10 (enrolled as a device) | Every 3 minutes for 15 minutes, then every 15 minutes for 2 hours, and then every 8 hours | 8 hours |
| Windows 8.1 | Every 5 minutes for 15 minutes, then every 15 minutes for 2 hours, and then every 8 hours | 8 hours |

If users open the Company Portal app on their device, they can sync the device to immediately check for new or updated policies. The Company Portal app also shows the compliance status of the managed device. For scenarios that include urgent compliance actions, such as Wipe, Lock, Passcode Reset, New App Deployment, New Profile Deployment, or New Policy Deployment, Intune will immediately notify the devices to perform a sync.

Keiarra Mclemore
