Set up an Intune Compliance Policy baseline for work phones.
Compliance is not an on/off switch; it is a list of checks (encrypted, recent OS, no jailbreak, passcode). Devices that fail are blocked from work mail via Conditional Access. Keep the first bar low: too strict and the whole company is locked out Friday afternoon.
Try this first
1. Intune admin center > Devices > Compliance > Create policy, pick platform (iOS, Android, Windows).
2. First checks: device encryption on, lock screen with passcode, OS version no more than two behind, no jailbreak/root.
3. Hook to Conditional Access (Entra ID > Conditional Access) in report-only mode until you see how many devices fail.
4. Turn on user notifications: mail when device goes non-compliant, with fix instructions, before actually blocking.
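A dry run of the step 2 checks over an exported device list, to estimate how many phones would be blocked before leaving report-only mode. This is an added example, not part of the original page or of Intune; the record fields, the latest-version table, the reading of "two behind" as major versions, and the device rows are all constructed assumptions.

```python
from collections import Counter

# Assumption: newest major OS release per platform; set these to the current releases.
LATEST_MAJOR = {"iOS": 18, "Android": 15}
MAX_MAJOR_VERSIONS_BEHIND = 2  # "no more than two behind", read as major versions


def failed_checks(device):
    """Return the baseline checks a device fails; missing data counts as a failure."""
    failures = []
    if not device.get("encrypted", False):
        failures.append("encryption")
    if not device.get("passcode_set", False):
        failures.append("passcode")
    if device.get("jailbroken", True):
        failures.append("jailbreak/root")
    latest = LATEST_MAJOR.get(device.get("platform"))
    try:
        major = int(str(device.get("os_version", "")).split(".")[0])
    except ValueError:
        major = None
    if latest is None or major is None or latest - major > MAX_MAJOR_VERSIONS_BEHIND:
        failures.append("os_version")
    return failures


def report_only_summary(devices):
    """Summarise who would be blocked, and why, without blocking anyone."""
    per_device = {d["name"]: failed_checks(d) for d in devices}
    return {
        "total": len(devices),
        "would_block": sorted(n for n, f in per_device.items() if f),
        "by_check": dict(Counter(c for f in per_device.values() for c in f)),
        "per_device": per_device,  # reasons to put in each user's notification mail
    }


# Constructed sample inventory (hypothetical field names, not Intune's export schema).
SAMPLE_DEVICES = [
    {"name": "ios-anna", "platform": "iOS", "os_version": "18.1", "encrypted": True, "passcode_set": True, "jailbroken": False},
    {"name": "ios-bram", "platform": "iOS", "os_version": "15.7", "encrypted": True, "passcode_set": True, "jailbroken": False},
    {"name": "and-chris", "platform": "Android", "os_version": "14", "encrypted": False, "passcode_set": True, "jailbroken": False},
    {"name": "and-dana", "platform": "Android", "os_version": "13", "encrypted": True, "passcode_set": False, "jailbroken": True},
    {"name": "and-eli", "platform": "Android", "encrypted": True, "passcode_set": True, "jailbroken": False},
]

if __name__ == "__main__":
    print(report_only_summary(SAMPLE_DEVICES))
```

A high `would_block` count for a single check is the signal to relax that check or extend the notification period before switching Conditional Access to block.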
When to bring us in
We design the policy with your helpdesk pain threshold, run a report-only week, and only then move to block.
See also
- Work and personal apps blur together on the same phone: Android Enterprise and iOS-with-Intune can enforce a work profile, isolating business apps in a separate container.
- Setting up Microsoft 365 on a new phone: Outlook, Teams, and OneDrive run smoothest if you install Authenticator first and sign the others in afterwards.
- Moving Authenticator to a new phone: Microsoft Authenticator has built-in cloud backup. Run it before wiping the old device, otherwise everything has to be re-added by hand.