Sign In
In this module

AD3.4 macOS, iOS, and Android Compliance

5-6 hours · Module 3 · Free
Operational Objective
Your Windows compliance policy covers the majority of your device fleet, but most organizations also have macOS laptops, iOS phones/tablets, and Android devices accessing M365 data. Each platform has different compliance checks, different capabilities, and different limitations. A macOS device can require FileVault encryption (the equivalent of BitLocker) but checks the macOS version differently. An iOS device can detect jailbreaking but can't check for antivirus (iOS doesn't support traditional antivirus). An Android device can verify encryption and screen lock but the compliance landscape varies by manufacturer. This subsection builds compliance policies for each platform — covering what each platform CAN check and the appropriate response when it can't check something Windows handles easily.
Deliverable: Compliance policies for macOS, iOS, and Android devices deployed alongside the Windows policy — ensuring every platform accessing your M365 data meets appropriate security requirements.
Estimated completion: 30 minutes
COMPLIANCE CHECKS BY PLATFORM WINDOWS ✓ BitLocker encryption ✓ Minimum OS version ✓ Firewall enabled ✓ Defender AV active ✓ Secure Boot ✓ Code integrity Built in AD3.3 macOS ✓ FileVault encryption ✓ Minimum OS version ✓ Firewall enabled ✓ System Integrity Protection ✓ Password complexity ✗ No Defender AV check (optional) Build in this sub iOS ✓ Minimum OS version ✓ Jailbreak detection ✓ Passcode required ✓ Managed email profile ✗ No encryption check (always on) ✗ No firewall check (not applicable) Build in this sub Android ✓ Minimum OS version ✓ Encryption required ✓ Root detection ✓ Screen lock required ✓ Google Play Protect ⚠ Varies by manufacturer Build in this sub

Figure AD3.4 — Compliance checks available by platform. Windows has the most granular checks. macOS covers encryption and OS version but has fewer security-specific checks. iOS always encrypts and detects jailbreaking but has no traditional AV check. Android supports encryption and root detection but enforcement consistency varies by manufacturer. Each platform gets a tailored policy.

Building the macOS compliance policy

Navigate to intune.microsoft.com → Devices → Compliance → Create policy → Platform: macOS.

Name: "macOS Security Compliance"

System Security:

  • Require a password: Required (minimum 6 characters, alphanumeric)
  • Firewall: Enable
  • Incoming connections: Block (blocks unsolicited inbound connections)
  • Stealth Mode: Enable (hides the Mac from responding to probing requests)

Device Health:

  • Require System Integrity Protection: Required (SIP prevents modification of protected system files — disabling it is a red flag for compromise or unsanctioned development tools)

Device Properties:

  • Minimum OS version: Set to the current macOS version minus one (e.g., if the current release is macOS 15 Sequoia, set the minimum to 14.x Sonoma). This gives users one version of flexibility while keeping them on supported releases.

Encryption:

  • Require FileVault: Required (FileVault is the macOS equivalent of BitLocker — full disk encryption using XTS-AES-128 with a 256-bit key)

Set the same grace period and notification actions as the Windows policy: 7-day grace period, email notification on non-compliance.

Building the iOS compliance policy

Navigate to intune.microsoft.com → Devices → Compliance → Create policy → Platform: iOS/iPadOS.

Name: "iOS Security Compliance"

Device Health:

  • Jailbroken devices: Block (a jailbroken iOS device has bypassed Apple's security controls — it can run unsigned code, has disabled sandboxing, and is fundamentally untrustworthy for corporate data)

Device Properties:

  • Minimum OS version: Set to the current iOS version minus one (e.g., iOS 17.x if iOS 18 is current). Apple's update cadence means older versions lose security patches quickly.

System Security:

  • Require a passcode: Required
  • Minimum passcode length: 6
  • Maximum minutes of inactivity before passcode is required: 5

iOS devices are encrypted by default when a passcode is set — you don't need a separate encryption check. The passcode requirement effectively ensures encryption is active.

Building the Android compliance policy

Navigate to intune.microsoft.com → Devices → Compliance → Create policy → Platform: Android Enterprise (work profile).

Name: "Android Security Compliance"

Device Health:

  • Rooted devices: Block (equivalent to jailbreak detection on iOS)
  • Google Play Services is configured: Required
  • Up-to-date security provider: Required
  • SafetyNet device attestation: Check basic integrity and certified devices

Device Properties:

  • Minimum OS version: Set to Android 13 or later (older versions lack critical security features and don't receive regular patches)

System Security:

  • Require a password: Required (minimum 6 characters)
  • Encryption of data storage on device: Required

Android compliance varies by manufacturer. Samsung Knox devices support additional compliance checks (firmware integrity, TIMA attestation). Standard Android Enterprise devices support the basic checks above. If you have a mix of manufacturers, the compliance policy should target the common denominator — checks that work on all Android Enterprise devices.

Connect-MgGraph -Scopes "DeviceManagementManagedDevices.Read.All"
Get-MgDeviceManagementManagedDevice -Filter "operatingSystem eq 'macOS'" |
    Select-Object DeviceName, IsEncrypted, ComplianceState, UserPrincipalName |
    Format-Table -AutoSize
Expand for Deeper Context

The BYOD challenge is most acute on iOS and Android. Corporate-owned phones can be fully managed through Intune with a supervised (iOS) or fully managed (Android Enterprise) enrollment. But personal phones used for email access are a different story — users resist enrolling personal devices because Intune enrollment gives the organization visibility into personal apps, location, and usage patterns (even though Intune doesn't actually collect most of this data on personal devices with work profile enrollment).

For BYOD mobile devices, App Protection Policies (MAM — Mobile Application Management) provide an alternative to full device enrollment. MAM protects corporate data within the Outlook, Teams, and OneDrive apps without enrolling the device. The data inside the app container is encrypted, copy/paste between corporate and personal apps is restricted, and the corporate data can be remotely wiped without affecting personal data. This is a pragmatic middle ground: the device isn't "compliant" in the Intune compliance sense, but corporate data is protected at the app level.

If you have BYOD users who refuse enrollment, configure conditional access to allow app-protected access as an alternative to device compliance: "Require compliant device OR require app protection policy." This lets BYOD users access M365 through Outlook/Teams with MAM protection, while requiring full compliance from corporate devices.

Creating an App Protection Policy for iOS and Android

Navigate to intune.microsoft.com → Apps → App protection policies → Create policy → iOS/iPadOS (then repeat for Android).

Name: "BYOD App Protection — iOS"

Apps: Select the apps to protect: Microsoft Outlook, Microsoft Teams, Microsoft OneDrive, Microsoft SharePoint. These are the apps that access corporate data on personal devices.

Data protection settings: - Send org data to other apps: Policy managed apps (blocks copy/paste to unmanaged apps like personal WhatsApp or Notes) - Receive data from other apps: All apps (allows users to share content into managed apps) - Restrict cut, copy, and paste between other apps: Policy managed apps with paste in - Save copies of org data: Block (prevents saving corporate documents to personal cloud storage) - Encrypt org data: Require - Print org data: Allow (restrictive environments may block this)

Access requirements: - PIN for access: Require (a separate PIN for the app, distinct from the device passcode) - Minimum PIN length: 6 - Biometric instead of PIN: Allow (Face ID, Touch ID) - PIN reset after number of days: 365 (annual rotation is sufficient for app PIN)

Conditional launch: - Max OS version: Set to block jailbroken/rooted devices (set an unrealistically high version for current OS — if the device reports a version higher than what Apple has released, it's jailbroken) - Offline grace period: 720 minutes (12 hours — after 12 hours without internet connection, corporate data is wiped from the app)

Click "Create." Repeat for Android with the same settings.

After creating the app protection policy, verify it's applying to BYOD users. Have a test user with a personal phone sign into the Outlook app. After signing in with their corporate account, the app should prompt them to set an app PIN — this confirms the app protection policy is active.

Verifying multi-platform compliance policies

After creating compliance policies for all platforms, verify they're evaluating correctly. Navigate to intune.microsoft.com → Devices → Compliance → Monitor → Device compliance status. Filter by platform to see the compliance rate for each OS separately.

For macOS specifically, FileVault enforcement requires an additional step. Unlike BitLocker on Windows (which can be enabled silently via Intune profile), FileVault on macOS requires user interaction — the user must enter their password to enable FileVault, and they need to choose whether to store the recovery key in iCloud or as a personal key. Intune can prompt the user to enable FileVault via a configuration profile, but it can't enable it silently.

Navigate to intune.microsoft.com → Devices → Configuration → Create profile → macOS → Endpoint protection. Under FileVault, configure: enable FileVault, escrow personal recovery key (this stores the recovery key in Intune for admin access), and set the number of times the user can skip the FileVault prompt (set to 0 for mandatory — the user must enable FileVault before they can dismiss the prompt).

After deploying, verify FileVault status across your macOS fleet:

Any macOS device showing IsEncrypted = False hasn't completed FileVault setup. Contact the user — they may have dismissed the prompt or not understood what it was asking. Walk them through: System Preferences → Security & Privacy → FileVault → Turn On FileVault.

Compliance Myth: "iOS devices don't need compliance policies because Apple's security is good enough"
Apple's security model is strong, but it's not infallible. Jailbroken iOS devices have disabled the security controls Apple built. Outdated iOS versions have known vulnerabilities that are actively exploited. A device without a passcode has no encryption (iOS encryption depends on the passcode). The compliance policy verifies that the user hasn't undermined the platform's security — not that the platform is inherently insecure. Even the best platform needs verification that its security features are actually enabled.
Decision point

Your organization has 20 employees who use personal iPhones to access company email through the Outlook mobile app. You want to enforce device compliance via CA003, but these users refuse to enroll their personal phones in Intune. How do you protect corporate data on these devices?

Option A: Exempt personal devices from compliance — they access email through the app, not the device.

Option B: Configure an App Protection Policy for Outlook and Teams that encrypts corporate data within the app, restricts copy/paste to other managed apps, and allows remote wipe of corporate data only. Modify CA003 to accept either device compliance OR app protection policy.

Option C: Block all mobile access — users can only access email from compliant laptops.

The correct answer is Option B. App Protection Policies provide data protection at the application level without requiring device enrollment. Corporate data inside Outlook is encrypted, isolated from personal apps, and remotely wipeable without touching personal photos or messages. Modifying CA003 to accept "compliant device OR app protection policy" allows both paths: corporate laptops use device compliance, personal phones use app protection. Option C (blocking mobile access) is disproportionate and creates shadow IT risk — users will forward email to personal accounts if you block mobile access entirely.

Try it: Create compliance policies for your non-Windows devices

Check how many non-Windows devices access your M365 data: navigate to intune.microsoft.com → Devices → All devices and filter by OS. Note the count for macOS, iOS, and Android.

If you have macOS devices: create the macOS compliance policy with FileVault, SIP, and OS version checks. If you have iOS devices: create the iOS policy with jailbreak detection and passcode requirements. If you have Android devices: create the Android Enterprise policy with root detection and encryption.

For BYOD devices not enrolled in Intune: navigate to intune.microsoft.com → Apps → App protection policies. Check if any app protection policies exist. If not, create one for iOS and Android targeting Outlook and Teams with these settings: encrypt app data, block copy/paste to unmanaged apps, require PIN for app access, enable remote wipe of corporate data.

A user's iPhone is running iOS 15 (your compliance policy requires iOS 17 minimum). The user says they can't update because their iPhone 7 doesn't support iOS 17. What do you do?
Exempt the iPhone 7 from the iOS version requirement — No. iOS 15 is out of support and has known security vulnerabilities. An exemption creates a permanent gap.
If it's a corporate device, replace it with a supported model. If it's a personal device, configure an app protection policy for Outlook so the user can access email through MAM without device compliance, and recommend they upgrade their phone — Correct. The hardware limitation is real — you can't install iOS 17 on an iPhone 7. For corporate devices, hardware refresh is justified by the security requirement. For personal devices, you can't mandate hardware purchases, but you can protect corporate data through app protection policies while the user uses their existing phone.
Lower the minimum iOS version to 15 for all users — No. Lowering the standard for the entire fleet because one device is old weakens protection for everyone.
Block the user from all mobile access — Disproportionate. App protection policies provide a workable middle ground.
Operational Artifact — Multi-Platform Compliance Policy Reference
Your compliance policy set: Windows (BitLocker, OS, firewall, AV, Secure Boot), macOS (FileVault, SIP, OS, firewall), iOS (jailbreak detection, passcode, OS), Android (root detection, encryption, passcode, OS). Each policy with 7-day grace period and email notification. BYOD alternative: App Protection Policies for Outlook and Teams with encryption, copy/paste restrictions, and remote wipe. Document all four platform policies in your configuration register. Update OS version minimums annually as new versions release and old versions lose support.
© 2026 Ridgeline Cyber Defence™ Ltd. Content may not be reproduced or redistributed. Worked artifacts may be adapted for use within your organization.

You're reading the free modules of M365 Security: From Admin to Defender

The full course continues with advanced topics, production detection rules, worked investigation scenarios, and deployable artifacts.

View Pricing See Full Syllabus
← Previous Next →