Introduction
Do you need a simple yet effective way of forcing people to update iOS on their company-enrolled Apple devices? Simply block access to company resources if iOS is not up to date. Here is how you can do that using Microsoft Intune and Conditional Access in Microsoft Azure.
Microsoft Intune
Compliance Policy
This is all about putting the device into a non-compliant state if it is not running a specific iOS version. As such, our first task is to create a compliance policy stating that rule.
- Create a new iOS Compliance Policy
- Give it a suitable name. For your inspiration, mine is called MDM – Minimum iOS Version
- Configure the Device Properties section with the minimum version required in your environment as illustrated below.
- Assign it to All Users or a group consisting of users also as illustrated below.
Conditional Access
- Next, create a new Conditional Access policy.
- This is the policy which will block access if the device is non-compliant. In this example, the device will be non-compliant if it's not running at least iOS 11.4, because that is the rule the compliance policy above evaluates.
- Name: CA – All Cloud Apps – iOS – Require Compliance
- Assignment: Assign the policy to individual users or a group consisting of users
- Cloud apps: All cloud apps
- Conditions: iOS (I’ve configured Client apps too, but this is optional)
- Access controls
- Grant access: Require the device to be marked as compliant
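The two policies above can also be expressed as Microsoft Graph request bodies, which is handy for reviewing or version-controlling the configuration. The following is an added example, not code from the original post: it builds both bodies (the Graph property names are assumed from the Graph schema for iosCompliancePolicy and conditionalAccessPolicy, nothing is sent), and it checks a constructed device inventory against the 11.4 minimum using numeric version comparison, since a plain string compare would wrongly treat "9.3.5" as newer than "11.4". The group id is a placeholder.

```python
"""Construct the Intune compliance policy and Conditional Access policy from the
walkthrough as Graph request bodies, and evaluate devices against the minimum."""
import json

MIN_IOS = "11.4"                    # minimum version set in the compliance policy
TARGET_GROUP = "<group-object-id>"  # placeholder: the assigned user group

def parse_version(v: str) -> tuple:
    # "11.4" -> (11, 4). Tuple comparison is numeric per component, so
    # (9, 3, 5) < (11, 4) even though "9.3.5" > "11.4" as strings.
    return tuple(int(p) for p in v.strip().split("."))

def is_compliant(device_os: str, minimum: str = MIN_IOS) -> bool:
    # (11, 4, 1) >= (11, 4) and (11, 4) >= (11, 4) both hold; (11, 3, 1) does not.
    return parse_version(device_os) >= parse_version(minimum)

def compliance_policy(minimum: str = MIN_IOS) -> dict:
    # Body for POST /deviceManagement/deviceCompliancePolicies (schema assumed).
    # scheduledActionsForRule marks the device non-compliant immediately (no grace).
    return {
        "@odata.type": "#microsoft.graph.iosCompliancePolicy",
        "displayName": "MDM – Minimum iOS Version",
        "osMinimumVersion": minimum,
        "scheduledActionsForRule": [{
            "ruleName": "PasswordRequired",
            "scheduledActionConfigurations": [
                {"actionType": "block", "gracePeriodHours": 0}]}],
    }

def conditional_access_policy(group_id: str = TARGET_GROUP) -> dict:
    # Body for POST /identity/conditionalAccess/policies (schema assumed).
    # Start in report-only to see who would be blocked, then switch to "enabled".
    return {
        "displayName": "CA – All Cloud Apps – iOS – Require Compliance",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeGroups": [group_id]},
            "applications": {"includeApplications": ["All"]},
            "platforms": {"includePlatforms": ["iOS"]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]},
    }

# Constructed sample inventory (device name -> reported iOS version), not real data.
SAMPLE_DEVICES = {"iPad-A": "11.4.1", "iPhone-B": "11.3.1",
                  "iPhone-C": "9.3.5", "iPad-D": "11.4"}

def blocked_devices(devices: dict, minimum: str = MIN_IOS) -> list:
    # Devices that become non-compliant and are therefore denied by the CA policy.
    return sorted(n for n, ver in devices.items() if not is_compliant(ver, minimum))

if __name__ == "__main__":
    print(json.dumps(compliance_policy(), indent=2))
    print(json.dumps(conditional_access_policy(), indent=2))
    print("blocked:", blocked_devices(SAMPLE_DEVICES))
```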
End user experience
Once a device turns non-compliant, the Company Portal will give you a warning about the actions required on the device.
In this example, I will be required to update iOS to 11.4 or later as stated in the compliance policy but also in the illustration below.
And if you try to access company resources like Exchange Online, SharePoint Online, Skype for Business and so on, you will be met with the following message: