Over the past several years, it has become increasingly common for organizations to provide and manage devices across various operating systems. Tech Orchard’s evolution to offer support for Workspace ONE, Intune and Jamf is one way we’re helping companies successfully manage more diverse device fleets. But how do IT teams address the need for third-party device compliance if Intune is their primary MDM?
While Microsoft’s Intune and Entra ID (formerly known as Azure Active Directory) inherently provide industry-standard device compliance policies and Conditional Access policies to govern them, Intune features a quick configuration option to incorporate third-party compliance on the following device operating systems:
- Android
- iOS/iPadOS
- macOS
(This is primarily because Microsoft has been playing catch-up in device management outside Windows devices.)
Though Entra ID is now capable of protecting all devices, you may need to block access to organizational data depending on a device’s compliance state. In these instances, compliance policies are pushed via the third-party MDM, which determines the device state that will be passed on to block or allow access within Entra ID.
By default, Intune is the primary compliance authority for the devices. However, a third-party compliance partner can govern a set of devices selected using Entra ID groups. At this time, supported third-party compliance partners include:
- Addigy
- BlackBerry UEM
- Citrix Workspace device compliance
- IBM MaaS360
- Jamf Pro
- MobileIron Device Compliance (Cloud + On-Prem)
- SOTI MobiControl
- VMware Workspace ONE UEM (formerly AirWatch)
To get started adding a third-party compliance partner, navigate to:
Intune Config > Assigning users > 3rd Party Compliance App config > Conditional Access Policy > Monitor
Within the Intune portal, you’ll then navigate to Partner Compliance Management, where you can select the Partner, Platform and User Group(s). Depending on the third-party vendor, the configuration steps and the ports that need to be opened can vary. We encourage customers to follow official vendor documentation for the full context.
With compliance information streaming to Intune, you can use Conditional Access Policies to manage the devices depending on the result. To incorporate a restriction, navigate to the Grant section of the Conditional Access Policy and select “Require device to be marked as compliant”; device access to corporate resources is then managed accordingly.
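The same grant control can be set from a script with the Microsoft Graph PowerShell SDK. This is an added example, not from the original post: the two object IDs are placeholders, and the report-only state and the emergency-account exclusion are assumptions layered on top of the steps above.

```powershell
# Added example: Conditional Access policy that requires a compliant device
# on the platforms a third-party compliance partner can report on.
# Placeholders (not from the page): replace both before running.
$partnerManagedGroupId = '<object-id-of-Entra-ID-group-assigned-to-the-partner>'
$emergencyAccountId    = '<object-id-of-emergency-access-account>'

Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes 'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess', 'Application.Read.All'

$policy = @{
    displayName = 'Require compliant device - partner-managed mobile and macOS'
    # Assumption: start in report-only so the partner's compliance signal can
    # be checked in the sign-in logs before anyone is actually blocked.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users = @{
            # Scope to the same Entra ID group(s) assigned to the partner.
            includeGroups = @($partnerManagedGroupId)
            # Assumption: keep one emergency account outside the policy.
            excludeUsers  = @($emergencyAccountId)
        }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
        # Platforms listed on this page for partner compliance.
        platforms      = @{ includePlatforms = @('android', 'iOS', 'macOS') }
    }
    grantControls = @{
        operator        = 'OR'
        # "Require device to be marked as compliant" in the portal.
        builtInControls = @('compliantDevice')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State
```

Once the report-only results in the sign-in logs match expectations, change `state` to `enabled` to enforce the policy.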
Contact the Tech Orchard team if you run into questions or if we can help you devise a plan to ensure your device fleet can be fully managed by Intune going forward.
