Notify end-user about non-compliant device

This week is all about device compliance policies. Well, actually it’s all about what actions can be triggered for non-compliant devices. Since recently it’s possible to configure actions for non-compliance. Previously the action for non-compliant devices was that the device would be marked as non-compliant. That action is still configured by default, but it’s now also possible to configure additional end-user notifications. In this blog post I’ll provide a short introduction to the actions for non-compliant devices, followed by the required configurations. I’ll end this post with the end-user experience.

Introduction

Let’s start with a short introduction. Device compliance policies now contains configuration properties for the configuration of Actions for noncompliance. The Actions for noncompliance allows administrators to configure a time-ordered sequence of actions that are applied to devices that don’t meet the device compliance policy criteria. By default, when a device does not meet the device compliance policy, Intune immediately marks it as non-compliant. The Actions for noncompliance gives administrators more flexibility to decide what to do when a device is non-compliant. There are two types of actions:

  • Send email to end user: Administrators can customize an email notification that can be sent to the end-users. Intune provides customization of the subject, message body, company logo, company name and contact information. A schedule can be defined to determine how many days after non-compliance the e-mail notification should be sent;
  • Mark device noncompliant: Administrators can define a schedule to determine how many days after non-compliance the device should actually be marked as non-compliant.

This combination enables the IT organization to decide not to block the device immediately. Instead, immediately sent the end-user a notification via e-mail and give the end-user a grace period to become compliant. A good use case for that configuration would be to force end-users to upgrade to the latest version of the platform.

Configuration

Now let’s continue by looking at the configuration. The configuration contains two required steps. The first step is to configure the actual notification and the second step is to configure the device compliance policy to actually use the created notification.

Step 1: Configure notification

The first step is to create the device compliance notification. That notification will contain the message that will be sent to the end-users. To create the notification, follow the next three steps.

1 Open the Azure portal and navigate to Intune > Device compliance > Notifications;
2 On the Device compliance – Notifications blade, click Create notification to open the Create Notification blade;
3

Intune_DevComNotificationOn the Create notification blade, provide the following information and click Create.

  • Name: Provide a name for the policy;
  • Subject: Provide a subject for the notification email;
  • Message: Provide a message that is part of the notification email;
  • Select Enable with Email header – Include company logo;
  • Select Enable with Email footer – Include company name;
  • Select Enable with Email footer – Include contact information.

Note: The last three settings use the information as configured with Intune > Mobile apps > Company Portal branding.

Step 2: Configure device compliance policy

The second step is to configure the actual Actions for noncompliance for a device compliance policy. Let’s do that by looking at an existing device compliance policy. To configure a notification for non-compliant devices, in an existing device compliance policy, follow the next 5 steps.

1 Open the Azure portal and navigate to Intune > Device compliance > Policies;
2 On the Device compliance – Policies blade, select an existing device compliance policy and click Properties to open the {PolicyName} – Properties blade;
3 On the {PolicyName} – Properties blade, click Actions for noncompliance to open the Actions blade;
4

On the Actions blade, click Add to open the Action parameters blade;

Note: By default this blade also shows the standard action named Mark device noncompliant. This action can not be deleted, but the schedule when it’s triggered can be configured (in days).

5

Intune_DevComActionOn the Action parameters blade, provide the following information and click Add.

  • Action: Select Send email to end user;
  • Message template: Select the just create notification;
  • Schedule (days after noncompliance): Specify how many days after non-compliance this notification should be send.

Note: Make sure that the notification message matches with the configured schedule for marking the device as noncompliant.

End-user experience

Now let’s end this post by looking at the end-user experience. Below is an example of an non-compliant iOS device and the notification e-mail that was received. The different section of the notification e-mail can be matched with the configuration (step 1.3), by looking at the numbers below.

  1. Email header – Include company logo;
  2. Message;
  3. Email footer – Include company name;
  4. Email footer – Include contact information;
  5. Subject.

IMG_0120

More information

For more information about notifying end-users about non-compliant devices, please refer to this article Automate actions for noncompliance.

Note: While I was writing this blog post, my colleague Arjan Vroege posted his version about this same subject. For his version, please have a look at this blog post.

14 thoughts on “Notify end-user about non-compliant device”

  1. Hi Peter,
    Does a compliance policy only check if a configuration is set, or does it also set the configuration? I mean if we configure a compliance policy with 28 character password does it also set this or do we also need a configuration policy for setting a 28 character password?

    Reply
    • Hi Arjan,
      It’s a compliance policy, it doesn’t force a user to make adjustments. It does provide users with information about non-compliance, as non-compliance can prevent access to company data.
      Peter

      Reply
  2. Hi Peter,

    Under “Step 2: Configure device compliance policy”, you say Note: Make sure that the notification message matches with the configured schedule for marking the device as noncompliant.”

    By this you mean, when your device is marked as noncomplaint after 1 day, the mail option also has to be set at 1 day? (so you have 2 compliance rules?)

    Best regards,

    Leon

    Reply
    • Hi Leon,
      No. I mean that you’ve got one compliance rule with multiple actions. For example when the device is not compliant the user will immediately recieve an email and the device will be marked noncompliant after a few days.
      Regards, Peter

      Reply
  3. Hi Peter,

    Would you know if there are placeholders available like %devicename%, for users which work on multiple devices?

    I am currently testing these notifications for corporate owned personal devices and corporate shared devices.
    The latter might be confusing as a user will not know which devices were used during the day.

    Regards,

    Micha

    Reply
  4. Hello Peter-

    Noticed that the compliance notification template is very restrictive and one can’t use specific fonts and can’t remove Microsoft privacy statement either in the footer section. We tried to customize , but our business groups doesn’t approve sending to end users yet as they might think non-complaint message is not coming from legit source. Do you know if one can customize the notification message template, with different fonts/fonts size, customize sender, using 3rd party tool/app or Azure logic app , probably integrate with endpoint manager and send to end users. Let me know if you are aware of other options to send non-compliant device messages to iOS/Android device users

    IJ

    Reply
  5. hi

    is there anyway to not send the non compliance email to end users but to rather send to a group of users on the service desk ?

    Reply
  6. Hello,
    how often will user receive the email notification?
    Maybe every couple days, for example?
    Does it depend on how long computer is online?

    Thanks

    Reply

Leave a Reply to RKast Cancel reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.