The following requirements must be met on any device running the Android operating system (OS) for the device to be compliant.
- Device must be enrolled in Intune
- Device cannot be "rooted" 1)
- Device PIN is required, minimum 4 characters long
- Minimum OS version is 11.0
- Encryption of data storage on the device is required (BYOD excluded for now)
- Google Play Services must be configured
- Company Portal app runtime integrity is required 2)
- Threat scan on apps is required (i.e. Android's "Verify apps" feature must be enabled)
- Apps from unknown sources cannot be installed
- USB debugging on the device is not allowed
- Up-to-date security provider is required (BYOD excluded for now)
- Basic integrity and device integrity checks are required
NOTES
1) Rooting an Android device means acquiring root access, which grants the user elevated, administrator-level privileges over the operating system. While rooting provides more control, it is not recommended for most people as the risks outweigh the benefits.
2) The Company Portal app should be installed on Android devices enrolled in Intune. It is a central hub for accessing company resources, apps, and policies. Runtime integrity ensures that the Company Portal app meets specific requirements related to its runtime environment and installation. By enforcing runtime integrity, we can ensure that the Company Portal app functions correctly, securely, and without any unauthorized modifications. It helps protect organizational resources by ensuring that only properly configured and authorized versions of the app are used.