In one of my tenants the new compliance rules for Android arrived last night. So as of now we are able to block access to corporate data for users whose Android devices have USB Debugging enabled, allow the installation of apps from Unknown Sources, or have the option “Scan device for security threats” disabled.
If you ask me, these are three of the most wanted compliance enhancements for supporting Android devices. Let’s have a look at how it works.
In the console, the compliance policy can be configured to block access when any one of the three settings does not comply. The minimum Android patch level for Android 6.0+ can also be configured.
The administrator is able to identify the users that have non-compliant devices and execute a selective wipe if your organization requires you to do so.
Looking at the user experience, I tested enrollment with the non-compliant settings configured, and changing the non-compliant settings when the device was already enrolled.
So after enabling USB Debugging and enabling Unknown Sources, a user sees the following:
After the recheck, the users are able to see what is wrong and what they need to fix to get access again:
Tapping "How to resolve this" shows you how to fix the compliance issues:
Of course, Conditional Access also works for modern apps, for instance when trying to configure the Outlook app:
For some reason I was not able to verify via the compliance policy if the option “Scan device for security threats” was disabled or not. Some further investigation is needed 🙂