This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(246.4, 0%, 33%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESS%3C/text%3E%3C/svg%3E)
We have created a compliance policy for Android devices that blocks rooted devices and set the minimum OS to 7.0. However, when a user enrolls a device that is either below Android 7 or rooted, they are able to enroll and then the compliance policy is applied later. Is there a way to force the policy at enrollment, so that the user isn't even able to enroll if they don't meet those requirements?
Also, is there a way to log users out of corporate applications if their device isn't compliant? Teams seems to let them stay logged in even if the device is non-compliant.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(233.6, 30%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECM%3C/text%3E%3C/svg%3E)
@Steve Stormont , Based as I know, the compliance policy will be applied to the device after it is enrolled. To block device enrollment when the OS version is low, we can try to set the maximum version under Device enrollment restriction. The following link for the reference:
https://video2.skills-academy.com/en-us/mem/intune/enrollment/enrollment-restrictions-set#create-a-device-type-restriction
In addition, to block non-compliant device to access the application like Teams, we can create a conditional access policy and configure "Require device to be marked as compliant" in Access controls. To create a conditional access policy, we can read the following article:
https://video2.skills-academy.com/en-us/mem/intune/protect/create-conditional-access-intune
The policy will be applied when the user is checked in. If the user is already login the application, the connection will be kept. And the resource is still accessible. For this scenario, we can consider sign-in frequency to force the user to sign in again. To see more details, we can read the following article:
https://video2.skills-academy.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-session-lifetime
Hope it can help.
If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
@Steve Stormont ,, How are things going? I am writing to see if there's anything else we can help. If yes, feel free to let us know.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Thank you for those answers. One thing that we have noticed regarding the sign in is that it seems to take 20-30 minutes between when a device is marked noncompliant and when the user session is revoked (even if we change a conditional access policy, and then sync the device). Is that expected?
The third link you provided (https://video2.skills-academy.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-session-lifetime) says that sessions will be revoked when marked noncompliant, but it doesn't make any reference to time.
It might sound alarming to not ask for a user to sign back in, in reality any violation of IT policies will revoke the session. Some examples include (but are not limited to) a password change, an incompliant device, or account disable. You can also explicitly revoke users’ sessions using PowerShell. The Azure AD default configuration comes down to “don’t ask users to provide their credentials if security posture of their sessions has not changed”.
@Steve Stormont ,, For the non-compliant state of the device, could you confirm if it shows non-compliant in both Azure AD and intune?
Yes, they show non-compliant in both Azure and InTune
@Steve Stormont ,, Thanks for the reply. From your description, I know the state in both Intune and Azure AD are correct. That means the sync between Intune and Azure AD is working well without issue.
Given the situation, I suggest to open a case to Azure AD to look into the detailed logs to check on the latency.