IntuneDeviceCompliancePolicyAndroidWorkProfile¶

Parameters¶

Parameter	Attribute	DataType	Description	Allowed Values
DisplayName	Key	String	Display name of the AndroidWorkProfile device compliance policy.
Description	Write	String	Description of the AndroidWorkProfile device compliance policy.
Assignments	Write	MSFT_DeviceManagementConfigurationPolicyAssignments[]	Assignments of the Intune Policy.
PasswordRequired	Write	Boolean	PasswordRequired of the AndroidWorkProfile device compliance policy.
PasswordMinimumLength	Write	UInt32	PasswordMinimumLength of the AndroidWorkProfile device compliance policy.
PasswordRequiredType	Write	String	PasswordRequiredType of the AndroidWorkProfile device compliance policy.	`deviceDefault`, `alphabetic`, `alphanumeric`, `alphanumericWithSymbols`, `lowSecurityBiometric`, `numeric`, `numericComplex`, `any`
PasswordMinutesOfInactivityBeforeLock	Write	UInt32	PasswordMinutesOfInactivityBeforeLock of the AndroidWorkProfile device compliance policy.
PasswordExpirationDays	Write	UInt32	PasswordExpirationDays of the AndroidWorkProfile device compliance policy.
PasswordPreviousPasswordBlockCount	Write	UInt32	PasswordPreviousPasswordBlockCount of the AndroidWorkProfile device compliance policy.
PasswordSignInFailureCountBeforeFactoryReset	Write	UInt32	PasswordSignInFailureCountBeforeFactoryReset of the AndroidWorkProfile device compliance policy.
SecurityPreventInstallAppsFromUnknownSources	Write	Boolean	SecurityPreventInstallAppsFromUnknownSources of the AndroidWorkProfile device compliance policy.
SecurityDisableUsbDebugging	Write	Boolean	SecurityDisableUsbDebugging of the AndroidWorkProfile device compliance policy.
SecurityRequireVerifyApps	Write	Boolean	SecurityRequireVerifyApps of the AndroidWorkProfile device compliance policy.
DeviceThreatProtectionEnabled	Write	Boolean	DeviceThreatProtectionEnabled of the AndroidWorkProfile device compliance policy.
DeviceThreatProtectionRequiredSecurityLevel	Write	String	DeviceThreatProtectionRequiredSecurityLevel of the AndroidWorkProfile device compliance policy.	`unavailable`, `secured`, `low`, `medium`, `high`, `notSet`
AdvancedThreatProtectionRequiredSecurityLevel	Write	String	AdvancedThreatProtectionRequiredSecurityLevel of the AndroidWorkProfile device compliance policy.	`unavailable`, `secured`, `low`, `medium`, `high`, `notSet`
SecurityBlockJailbrokenDevices	Write	Boolean	SecurityBlockJailbrokenDevices of the AndroidWorkProfile device compliance policy.
OsMinimumVersion	Write	String	OsMinimumVersion of the AndroidWorkProfile device compliance policy.
OsMaximumVersion	Write	String	OsMaximumVersion of the AndroidWorkProfile device compliance policy.
MinAndroidSecurityPatchLevel	Write	String	MinAndroidSecurityPatchLevel of the AndroidWorkProfile device compliance policy.
StorageRequireEncryption	Write	Boolean	StorageRequireEncryption of the AndroidWorkProfile device compliance policy.
SecurityRequireSafetyNetAttestationBasicIntegrity	Write	Boolean	SecurityRequireSafetyNetAttestationBasicIntegrity of the AndroidWorkProfile device compliance policy.
SecurityRequireSafetyNetAttestationCertifiedDevice	Write	Boolean	SecurityRequireSafetyNetAttestationCertifiedDevice of the AndroidWorkProfile device compliance policy.
SecurityRequireGooglePlayServices	Write	Boolean	SecurityRequireGooglePlayServices of the AndroidWorkProfile device compliance policy.
SecurityRequireUpToDateSecurityProviders	Write	Boolean	SecurityRequireUpToDateSecurityProviders of the AndroidWorkProfile device compliance policy.
SecurityRequireCompanyPortalAppIntegrity	Write	Boolean	SecurityRequireCompanyPortalAppIntegrity of the AndroidWorkProfile device compliance policy.
SecurityRequiredAndroidSafetyNetEvaluationType	Write	String	Require a specific SafetyNet evaluation type for compliance.	`basic`, `hardwareBacked`
RoleScopeTagIds	Write	String	RoleScopeTagIds of the AndroidWorkProfile device compliance policy.
Ensure	Write	String	Present ensures the policy exists, absent ensures it is removed.	`Present`, `Absent`
Credential	Write	PSCredential	Credentials of the Intune Admin
ApplicationId	Write	String	Id of the Azure Active Directory application to authenticate with.
TenantId	Write	String	Id of the Azure Active Directory tenant used for authentication.
ApplicationSecret	Write	PSCredential	Secret of the Azure Active Directory tenant used for authentication.
CertificateThumbprint	Write	String	Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.
ManagedIdentity	Write	Boolean	Managed ID being used for authentication.
AccessTokens	Write	StringArray[]	Access token used for authentication.

MSFT_DeviceManagementConfigurationPolicyAssignments¶

Parameters¶

Parameter	Attribute	DataType	Description	Allowed Values
dataType	Write	String	The type of the target assignment.	`#microsoft.graph.groupAssignmentTarget`, `#microsoft.graph.allLicensedUsersAssignmentTarget`, `#microsoft.graph.allDevicesAssignmentTarget`, `#microsoft.graph.exclusionGroupAssignmentTarget`, `#microsoft.graph.configurationManagerCollectionAssignmentTarget`
deviceAndAppManagementAssignmentFilterType	Write	String	The type of filter of the target assignment i.e. Exclude or Include. Possible values are:none, include, exclude.	`none`, `include`, `exclude`
deviceAndAppManagementAssignmentFilterId	Write	String	The Id of the filter for the target assignment.
groupId	Write	String	The group Id that is the target of the assignment.
groupDisplayName	Write	String	The group Display Name that is the target of the assignment.
collectionId	Write	String	The collection Id that is the target of the assignment.(ConfigMgr)

Description¶

This resource configures the settings of Android Work Profile device compliance policies in your cloud-based organization.

Parameters¶

Microsoft Defender for Endpoint - for Personally-Owned Work Profile¶

Require the device to be at or under the machine risk score Select the maximum allowed machine risk score for devices evaluated by Microsoft Defender for Endpoint. Devices which exceed this score get marked as noncompliant.
Not configured (default)
Clear
Low
Medium
High

Device Health - for Personally-Owned Work Profile¶

Rooted devices
Not configured (default) - This setting isn't evaluated for compliance or non-compliance.
Block - Mark rooted (jailbroken) devices as not compliant.
Require the device to be at or under the Device Threat Level Select the maximum allowed device threat level evaluated by your mobile threat defense service. Devices that exceed this threat level are marked noncompliant. To use this setting, choose the allowed threat level:
Not configured (default) - This setting isn't evaluated for compliance or non-compliance.
Secured - This option is the most secure, and means that the device can't have any threats. If the device is detected with any level of threats, it's evaluated as noncompliant.
Low - The device is evaluated as compliant if only low-level threats are present. Anything higher puts the device in a noncompliant status.
Medium - The device is evaluated as compliant if the threats that are present on the device are low or medium level. If the device is detected to have high-level threats, it's determined to be noncompliant.
High - This option is the least secure, as it allows all threat levels. It may be useful if you're using this solution only for reporting purposes.

Google Play Protect - for Personally-Owned Work Profile¶

Google Play Services is configured
Not configured (default) - This setting isn't evaluated for compliance or non-compliance.
Require - Require that the Google Play services app is installed and enabled. Google Play services allows security updates, and is a base-level dependency for many security features on certified-Google devices.
Up-to-date security provider
Not configured (default) - This setting isn't evaluated for compliance or non-compliance.
Require - Require that an up-to-date security provider can protect a device from known vulnerabilities.
SafetyNet device attestation Enter the level of SafetyNet attestation that must be met. Your options:
Not configured (default) - Setting isn't evaluated for compliance or non-compliance.
Check basic integrity
Check basic integrity & certified devices

Note: * On Android Enterprise devices, Threat scan on apps is a device configuration policy. Using a configuration policy, administrators can enable the setting on a device. See Android Enterprise device restriction settings.

Device Properties - for Personally-Owned Work Profile¶

Operating System Version - for Personally-Owned Work Profile
Minimum OS version When a device doesn't meet the minimum OS version requirement, it's reported as non-compliant. A link with information on how to upgrade is shown. The end user can upgrade their device, and then access organization resources.

By default, no version is configured.

Maximum OS version When a device is using an OS version later than the version in the rule, access to organization resources is blocked. The user is asked to contact their IT administrator. Until a rule is changed to allow the OS version, this device can't access organization resources.

By default, no version is configured.

System security - for Personally-Owned Work Profile¶

Require a password to unlock mobile devices
Not configured (default) - This setting isn't evaluated for compliance or non-compliance.
Require - Users must enter a password before they can access their device.

This setting applies at the device level. If you only need to require a password at the Personally-Owned Work Profile level, then use a configuration policy. See Android Enterprise device configuration settings.

Required password type Choose if a password should include only numeric characters, or a mix of numerals and other characters. Your options:
Device Default
Low security biometric
At least numeric (default): Enter the minimum password length a user must enter, between 4 and 16 characters.
Numeric complex: Enter the minimum password length a user must enter, between 4 and 16 characters.
At least alphabetic: Enter the minimum password length a user must enter, between 4 and 16 characters.
At least alphanumeric: Enter the minimum password length a user must enter, between 4 and 16 characters.
At least alphanumeric with symbols: Enter the minimum password length a user must enter, between 4 and 16 characters.

Depending on the password type you select, the following settings are available: * Maximum minutes of inactivity before password is required Enter the idle time before the user must reenter their password. Options include the default of Not configured, and from 1 Minute to 8 hours. * Number of days until password expires Enter the number of days, between 1-365, until the device password must be changed. For example, to change the password after 60 days, enter 60. When the password expires, users are prompted to create a new password. * Minimum password length Enter the minimum length the password must have, between 4 and 16 characters. * Number of previous passwords to prevent reuse Enter the number of recent passwords that can't be reused. Use this setting to restrict the user from creating previously used passwords.

Encryption - for Personally-Owned Work Profile¶

Encryption of data storage on device
Not configured (default) - This setting isn't evaluated for compliance or non-compliance.
Require - Encrypt data storage on your devices.

You don't have to configure this setting because Android Enterprise devices enforce encryption.

Device Security - for Personally-Owned Work Profile¶

Block apps from unknown sources
Not configured (default) - This setting isn't evaluated for compliance or non-compliance.
Block - Block devices with Security > Unknown Sources enabled sources (supported on Android 4.0 through Android 7.x. Not supported by Android 8.0 and later).

To side-load apps, unknown sources must be allowed. If you're not side-loading Android apps, then set this feature to Block to enable this compliance policy.

Company portal app runtime integrity
Not configured (default) - This setting isn't evaluated for compliance or non-compliance.
Require - Choose Require to confirm the Company Portal app meets all the following requirements:
- Has the default runtime environment installed
- Is properly signed
- Isn't in debug-mode
- Is installed from a known source
Block USB debugging on device
Not configured (default) - This setting isn't evaluated for compliance or non-compliance.
Block - Prevent devices from using the USB debugging feature.

You don't have to configure this setting because USB debugging is already disabled on Android Enterprise devices.

Minimum security patch level Select the oldest security patch level a device can have. Devices that aren't at least at this patch level are noncompliant. The date must be entered in the YYYY-MM-DD format.

By default, no date is configured.

Permissions¶

Microsoft Graph¶

To authenticate with the Microsoft Graph API, this resource required the following permissions:

Delegated permissions¶

Read
- Group.Read.All, DeviceManagementConfiguration.Read.All
Update
- Group.Read.All, DeviceManagementConfiguration.ReadWrite.All

Application permissions¶

Read
- Group.Read.All, DeviceManagementConfiguration.Read.All
Update
- Group.Read.All, DeviceManagementConfiguration.ReadWrite.All

Examples¶

Example 1¶

This example creates a new Device Compliance Policy for iOs devices

Configuration Example
{
    param(
        [Parameter()]
        [System.String]
        $ApplicationId,

        [Parameter()]
        [System.String]
        $TenantId,

        [Parameter()]
        [System.String]
        $CertificateThumbprint
    )
    Import-DscResource -ModuleName Microsoft365DSC

    node localhost
    {
        IntuneDeviceCompliancePolicyAndroidWorkProfile 'ConfigureAndroidDeviceCompliancePolicyWorkProfile'
        {
            DisplayName                                        = 'Test Policy'
            Description                                        = ''
            DeviceThreatProtectionEnabled                      = $False
            DeviceThreatProtectionRequiredSecurityLevel        = 'unavailable'
            PasswordExpirationDays                             = 90
            PasswordMinimumLength                              = 6
            PasswordMinutesOfInactivityBeforeLock              = 5
            PasswordRequired                                   = $True
            PasswordRequiredType                               = 'numericComplex'
            SecurityBlockJailbrokenDevices                     = $True
            SecurityDisableUsbDebugging                        = $False
            SecurityPreventInstallAppsFromUnknownSources       = $False
            SecurityRequireCompanyPortalAppIntegrity           = $False
            SecurityRequireGooglePlayServices                  = $False
            SecurityRequireSafetyNetAttestationBasicIntegrity  = $False
            SecurityRequireSafetyNetAttestationCertifiedDevice = $False
            SecurityRequireUpToDateSecurityProviders           = $False
            SecurityRequireVerifyApps                          = $False
            StorageRequireEncryption                           = $True
            Ensure                                             = 'Present'
            ApplicationId         = $ApplicationId;
            TenantId              = $TenantId;
            CertificateThumbprint = $CertificateThumbprint;
        }
    }
}

Example 2¶

This example creates a new Device Compliance Policy for iOs devices

Configuration Example
{
    param(
        [Parameter()]
        [System.String]
        $ApplicationId,

        [Parameter()]
        [System.String]
        $TenantId,

        [Parameter()]
        [System.String]
        $CertificateThumbprint
    )
    Import-DscResource -ModuleName Microsoft365DSC

    node localhost
    {
        IntuneDeviceCompliancePolicyAndroidWorkProfile 'ConfigureAndroidDeviceCompliancePolicyWorkProfile'
        {
            DisplayName                                        = 'Test Policy'
            Description                                        = ''
            DeviceThreatProtectionEnabled                      = $False
            DeviceThreatProtectionRequiredSecurityLevel        = 'unavailable'
            PasswordExpirationDays                             = 90
            PasswordMinimumLength                              = 8 # Updated Property
            PasswordMinutesOfInactivityBeforeLock              = 5
            PasswordRequired                                   = $True
            PasswordRequiredType                               = 'numericComplex'
            SecurityBlockJailbrokenDevices                     = $True
            SecurityDisableUsbDebugging                        = $False
            SecurityPreventInstallAppsFromUnknownSources       = $False
            SecurityRequireCompanyPortalAppIntegrity           = $False
            SecurityRequireGooglePlayServices                  = $False
            SecurityRequireSafetyNetAttestationBasicIntegrity  = $False
            SecurityRequireSafetyNetAttestationCertifiedDevice = $False
            SecurityRequireUpToDateSecurityProviders           = $False
            SecurityRequireVerifyApps                          = $False
            StorageRequireEncryption                           = $True
            Ensure                                             = 'Present'
            ApplicationId         = $ApplicationId;
            TenantId              = $TenantId;
            CertificateThumbprint = $CertificateThumbprint;
        }
    }
}

Example 3¶

This example creates a new Device Compliance Policy for iOs devices

Configuration Example
{
    param(
        [Parameter()]
        [System.String]
        $ApplicationId,

        [Parameter()]
        [System.String]
        $TenantId,

        [Parameter()]
        [System.String]
        $CertificateThumbprint
    )
    Import-DscResource -ModuleName Microsoft365DSC

    node localhost
    {
        IntuneDeviceCompliancePolicyAndroidWorkProfile 'ConfigureAndroidDeviceCompliancePolicyWorkProfile'
        {
            DisplayName                                        = 'Test Policy'
            Ensure                                             = 'Absent'
            ApplicationId         = $ApplicationId;
            TenantId              = $TenantId;
            CertificateThumbprint = $CertificateThumbprint;
        }
    }
}