ASD's Blueprint for Secure Cloud

Device Compliance

This section describes the design decisions associated with Device Compliance for system(s) built using ASD's Blueprint for Secure Cloud.

Estimated reading time: 2 minutes

Device Compliance Policies are rules, such as device PIN length or encryption requirements, that are applied to devices. These policies must be met before a device is considered compliant, the device compliance status can then be used by services such as Conditional Access to grant or disallow access to applications or services.

Microsoft Intune can control access to resources by interrogating endpoints and determining whether they meet a minimum list of features and are judged as “compliant”. Compliance can be assigned a grace period where a non-compliant device can still access resources for a period, or the device can be blocked immediately. Each compliance policy can be edited to ensure that devices are tested before being allowed access to corporate resources.

Deployed device compliance profiles ensure a strong security posture for the entire Windows and iOS fleet. Compliance policies allow the organisation to ensure that baselines are met prior to access being granted to any corporate applications or data. The Windows 10 / 11 compliance policy settings include:

  • Device Health - This includes BitLocker status and whether code integrity is enabled.
  • Device Properties - Including a minimum and maximum operating system version.
  • Configuration Manager Compliance - Whether the endpoint is compliant with all Configuration Manager evaluations. This is especially applicable in a co-managed scenario such as this deployment.
  • System Security - Password compliance, standards, length and complexity. Also includes device level firewall, Trusted Platform Module (TPM), Antivirus, Anti-spyware and Microsoft Defender Antimalware settings.
  • Microsoft Defender for Endpoint - Configures the maximum allowed machine risk score, if exceeded the device is marked as non-compliant.

Security & Governance

  • None identified

Design

References

Do you have a suggestion on how the above page could be improved? Get in touch! ASD's Blueprint for Secure Cloud is an open source project, and we would love to get your input. Submit an issue on our GitHub, or send us an email at blueprint@asd.gov.au

Acknowledgement of Country icon

Acknowledgement of Country
We acknowledge the Traditional Owners and Custodians of Country throughout Australia and their continuing connections to land, sea and communities. We pay our respects to them, their cultures and their Elders; past, present and emerging. We also recognise Australia's First Peoples' enduring contribution to Australia's national security.

Authorised by the Australian Government, Canberra