Commit 3482c06

committed
PM feedback, changes, and JSON edits
1 parent c858b32 commit 3482c06

5 files changed

Lines changed: 33 additions & 45 deletions

memdocs/intune/protect/compliance-custom-json.md

Lines changed: 6 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -27,17 +27,17 @@ ms.custom: intune-azure
2727
ms.collection: M365-identity-device-management
2828
---
2929

30-
# Custom compliance JSON files
30+
# Custom compliance JSON files for Microsoft Intune
3131

32-
To support [custom settings for compliance](../protect/compliance-use-custom-settings.md), you create a JSON file that identifies the settings and value pairs that you want to use for custom compliance. The JSON defines what a PowerShell discovery script will evaluate for compliance on the device.
32+
To support [custom settings for compliance](../protect/compliance-use-custom-settings.md) for Microsoft Intune, you create a JSON file that identifies the settings and value pairs that you want to use for custom compliance. The JSON defines what a discovery script will evaluate for compliance on the device.
3333

34-
You’ll upload the JSON file when you create a compliance policy that includes custom compliance settings.
34+
You’ll upload the JSON file when you create a compliance policy that includes custom compliance settings.
3535

3636
A correctly formatted JSON file must include the following information:
3737

3838
- **SettingName** - The name of the custom setting to use for base compliance.
39-
- **Operator** - Represents a specific action that is used to build a compliance rule. For options, see the following list of supported operators.
40-
- **DataType** - The type of data that you can use to build your compliance rule. For options, see the following list of supported DataTypes.
39+
- **Operator** - Represents a specific action that is used to build a compliance rule. For options, see the following list of *supported operators*.
40+
- **DataType** - The type of data that you can use to build your compliance rule. For options, see the following list of *supported DataTypes*.
4141
- **Operand** - Represent the values that the operator works on.
4242
- **MoreInfoURL** - A URL that’s shown to device users so they can learn more about the compliance requirement when their device is noncompliant for a setting. You can also use this to link to instructions to help users bring their device into compliance for this setting.
4343
- **RemediationStrings** - Information that gets displayed in the Company Portal when a device is noncompliant to a setting. This information is intended to help users understand the remediation options to bring a device to a compliant state.
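Review bot: At new lines 39 and 40, the italic phrases "*supported operators*" and "*supported DataTypes*" still leave the reader to scroll for the lists; linking them to the headings of those lists would be more useful than emphasis. Line 34 appears as removed and re-added with no visible text difference, so it is presumably a whitespace-only change; please confirm it is intentional. While this list is being touched, context line 41 reads "Represent the values" and should be "Represents the values" to match the other entries.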
@@ -84,7 +84,7 @@ A correctly formatted JSON file must include the following information:
8484

8585
For more information, see [Available languages for Windows](/windows-hardware/manufacture/desktop/available-language-packs-for-windows).
8686

87-
## Example JSON file
87+
## Example JSON file for Windows devices
8888

8989
```json
9090
{
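Review bot: Renaming the heading at line 87 to "Example JSON file for Windows devices" changes its generated anchor, so any inbound links to the old "Example JSON file" heading need to be checked. The same commit generalizes line 32 from "a PowerShell discovery script" to "a discovery script", which implies Linux is in scope for this article; if so, a Linux example or a sentence saying where to find one should accompany a heading that now scopes the only example to Windows.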

memdocs/intune/protect/compliance-policy-monitor.md

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -39,10 +39,10 @@ Compliance reports help you understand when devices fail to meet your [complianc
3939
This article applies to:
4040

4141
- Android device administrator
42-
- Android (AOSP) (preview)
42+
- Android (AOSP) (*preview*)
4343
- Android Enterprise
4444
- iOS/iPadOS
45-
- Linux (Ubuntu Desktop, version 20.04 LTS)
45+
- Linux - Ubuntu Desktop, version 20.04 LTS and 22.04 LTS
4646
- macOS
4747
- Windows 10 and later
4848
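Review bot: Line 45 writes the platform as "Linux - Ubuntu Desktop" with a hyphen, while compliance-use-custom-settings.md line 36 and device-compliance-get-started.md line 140 in this same commit use an en dash ("Linux – Ubuntu Desktop"). Pick one form and use it in all five files. At line 42, italicizing only the word inside the parentheses, "(*preview*)", is a style change that none of the other platform lists touched here carry; apply it consistently or drop it.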

memdocs/intune/protect/compliance-use-custom-settings.md

Lines changed: 8 additions & 17 deletions
Original file line numberDiff line numberDiff line change
@@ -33,14 +33,14 @@ To expand on Intune’s built-in device compliance options, you can add custom c
3333

3434
This feature applies to:
3535

36-
- Linux – Ubuntu Desktop, version 20.04 LTS
36+
- Linux – Ubuntu Desktop, version 20.04 LTS and 22.04 LTS
3737
- Windows 10/11
3838

39-
Before you can add custom settings to a policy, you’ll need to prepare a JSON file and a detection script for use with each supported platform. Both the script and JSON become part of the compliance policy. Each compliance policy supports a single script, and each script can detect multiple settings:
39+
Before you can add custom settings to a policy, you’ll need to prepare a JSON file, and a detection script for use with each supported platform. Both the script and JSON become part of the compliance policy. Each compliance policy supports a single script, and each script can detect multiple settings:
4040

4141
- The JSON file defines the custom settings and the values that are considered as compliant. You can also configure messages for users to tell them how to restore compliance for each setting. You add your JSON file while creating a compliance policy, just after you select a discovery script for that policy.
4242

43-
- Scripts are specific to different platforms and delivered to devices through the compliance policy. When policy is evaluated, the script detects the settings from the JSON file and then reports the results to Intune. Windows uses a PowerShell script and Linux uses a Bash script.
43+
- Scripts are specific to different platforms and delivered to devices through the compliance policy. When policy is evaluated, the script detects the settings from the JSON file, and then reports the results to Intune. Windows uses a PowerShell script and Linux uses a Bash script.
4444

4545
The scripts must be uploaded to the Microsoft Endpoint Manager admin center before you create a compliance policy. You select the script when you’re configuring a policy to support custom settings.
4646
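Review bot: Line 39 calls the script a "detection script" while line 41 of the same passage, and compliance-custom-json.md line 32, call it a "discovery script"; use one term so readers do not assume these are two different artifacts. The commas added at line 39 ("a JSON file, and a detection script") and line 43 ("from the JSON file, and then reports") separate two-item compounds and should be removed.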

@@ -140,9 +140,9 @@ Policies support the use of a single script. However, each script supports check
140140

141141
## Additional troubleshooting for Linux devices
142142

143-
To identify settings that are not compliant for a device:
143+
To identify settings that aren't compliant for a device:
144144

145-
- [In the Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), you can identify devices that are not compliant with policy. **Navigate** to **Reports** > **Device compliance**, select the *Reports* tab, and then select the tile for **Noncompliant devices and settings**. Use the drop-downs to configure the report you want, and then select **Generate** report.
145+
- [In the Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), you can identify devices that aren't compliant with policy. **Navigate** to **Reports** > **Device compliance**, select the *Reports* tab, and then select the tile for **Noncompliant devices and settings**. Use the drop-downs to configure the report you want, and then select **Generate** report.
146146

147147
The admin center displays a separate line for each setting that isn’t compliant on a device.
148148
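Review bot: At line 145 the bold markup does not match the UI elements: "**Navigate**" is a verb rather than a control name, and "select **Generate** report" leaves "report" outside the bold even though the sentence reads as if the control is "Generate report". Since the line is already being edited for the contraction, fix the emphasis in the same pass.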

@@ -165,15 +165,6 @@ To be compliant with *Password Policy* settings, configure the Linux system to u
165165
- Passwords that include a minimum number of letters, digits, or special characters
166166
- Passwords of a minimum length
167167

168-
Intune uses the **pam_pwquality** module to ensure password rules meet your organization’s standards. For more information on how to configure the parameters in **pam_pwquality**, refer to the Ubuntu documentation. As an example, following is a sample configuration line from the */etc/pam.d/common-password* file that enforces passwords that have at least one digit, one uppercase letter, and are at least twelve characters long: `password required pam_pwquality.so dcredit=-1 ucredit=-1 ocredit=-1 minlen=12`
169-
170-
We recommend you update the pwquality file before you run the pam-auth-update tool:
171-
172-
1. First *edit /usr/share/pam-configs/pwquality* to have the right password policy settings.
173-
2. Save the file.
174-
3. Run `sudo pam-auth-update --enable pwquality`
175-
4. Verify that the common password file at /etc/pam.d/common-password has updated to match the update made in the pwquality file.
176-
177168
#### Device encryption
178169

179170
Users of devices that don’t meet compliance settings for disk and partition encryption might receive a message that they must encrypt the device drives.
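Review bot: Removing old lines 168 to 175 deletes the only instructions in this section for how to satisfy the Password Policy settings on Linux (the pam_pwquality module, the /usr/share/pam-configs/pwquality edit, and the pam-auth-update step), leaving the requirement bullets at lines 165 and 166 with no remediation path, and neither the commit message nor the hunk shows a replacement. If the reason was that the sample was inaccurate (the text described one digit, one uppercase letter and a twelve-character minimum, but the line also set "ocredit=-1"), correct the sample instead of removing the guidance, or add a link to where it now lives.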
@@ -185,7 +176,7 @@ There are several options for disk and partition encryption on Linux operating s
185176
The following is general guidance when encrypting disk and partitions:
186177

187178
- Encrypting Linux system volumes after installation is possible, but potentially time consuming. We recommend setting up disk encryption while installing the operating system.
188-
- Not all filesystem partitions need to be encrypted for a device to meet organizational standards. The following are not evaluated by the built-in device encryption settings:
179+
- Not all filesystem partitions need to be encrypted for a device to meet organizational standards. The following aren't evaluated by the built-in device encryption settings:
189180
- Read-only partitions
190181
- Pseudo-filesystems, like `/proc` or `tmpfs`
191182
- The `/boot` or `/boot/efi` partitions
@@ -194,8 +185,8 @@ The following is general guidance when encrypting disk and partitions:
194185

195186
After making changes to a device to bring it into compliance, refresh the device status with Intune:
196187

197-
- If the Microsoft Intune app is still running, select **Refresh** on either the device details page or the compliance issues page to start a new check-in with Intune.
198-
- If the Microsoft Intune app is not running, sign into the app, which will start a new check-in.
188+
- If the Microsoft Intune app is still running, select **Refresh** on the device details page, or on the compliance issues page to start a new check-in with Intune.
189+
- If the Microsoft Intune app isn't running, sign into the app, which will start a new check-in.
199190
- After installation, the Microsoft Intune app periodically checks-in with Intune on its own, so long as the device is on, and a user is signed in to it.
200191

201192
## Next steps
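Review bot: The comma added at line 188 ("on the device details page, or on the compliance issues page to start a new check-in") makes the sentence read as though only the compliance issues page starts a check-in; remove the comma or move "to start a new check-in with Intune" ahead of the page names. At line 189 "sign into the app" should be "sign in to the app", and context line 190 has "checks-in" as a verb, which should be "checks in".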

memdocs/intune/protect/create-compliance-policy.md

Lines changed: 7 additions & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -55,17 +55,17 @@ To use device compliance policies, be sure you:
5555
- Android AOSP
5656
- Android Enterprise
5757
- iOS
58-
- Linux - Ubuntu Desktop, version 20.04 LTS
58+
- Linux - Ubuntu Desktop, version 20.04 LTS and 22.04 LTS
5959
- macOS
6060
- Windows 10/11
6161

6262
- Enroll devices in Intune (required to see the compliance status)
6363

6464
- Enroll devices to one user, or enroll without a primary user. Single devices cannot be enrolled to multiple users.
6565

66-
In addition to compliance settings that are built-in to Intune, the following platforms support adding custom compliance settings to compliance policies:
66+
In addition to compliance settings that are built in to Intune, the following platforms support adding custom compliance settings to compliance policies:
6767

68-
- Ubuntu Desktop, version 20.04 LTS
68+
- Ubuntu Desktop, version 20.04 LTS and 22.04 LTS
6969
- Windows 10/11
7070

7171
Before you can add custom settings, you must prepare a custom JSON file that defines the settings you want to base your custom compliance on, and a script that runs on devices to detect the settings defined in the JSON.
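Review bot: Line 68 lists the platform as "Ubuntu Desktop, version 20.04 LTS and 22.04 LTS" without the "Linux - " prefix that line 58 of the same hunk uses; make the two lists match. The commit converts "is not" and "do not" to contractions elsewhere, but context line 64 still has "cannot be enrolled", so the style pass is incomplete in this file.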
@@ -83,7 +83,7 @@ For more information about using custom compliance settings, including supported
8383
- *Android (AOSP)*
8484
- *Android Enterprise*
8585
- *iOS/iPadOS*
86-
- Linux (Ubuntu Desktop, version 20.04 LTS)
86+
- Linux - Ubuntu Desktop, version 20.04 LTS and 22.04 LTS)
8787
- *macOS*
8888
- *Windows 8.1 and later*
8989
- *Windows 10 and later*
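Review bot: Line 86 has an unbalanced closing parenthesis: the opening "(" from "Linux (Ubuntu Desktop, ..." was dropped but the trailing ")" remains in "22.04 LTS)". Remove it. This entry is also the only one in the list that is not italicized, unlike "*iOS/iPadOS*" and "*macOS*" around it.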
@@ -116,14 +116,14 @@ For more information about using custom compliance settings, including supported
116116
- Device Encryption
117117
- Password Policy
118118

119-
Dedicated content for the settings in the settings catalog is not available.
119+
Dedicated content for the settings in the settings catalog isn't available.
120120

121121
6. Add custom settings to policies for supported platforms.
122122

123123
> [!TIP]
124124
> This is an optional step that’s supported only for the following platforms:
125125
>
126-
> - Linux - Ubuntu Desktop, version 20.04 LTS
126+
> - Linux - Ubuntu Desktop, version 20.04 LTS and 22.04 LTS
127127
> - Windows 10/11
128128
> Before you can add custom settings to a policy, you must have uploaded a detection script to Intune, and have ready a JSON file that defines the settings you want to use for compliance. See [Custom compliance settings](../protect/compliance-use-custom-settings.md) for more information.
129129
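Review bot: In the TIP block, line 128 follows the list item at line 127 with no blank quoted line between them, so Markdown will treat "Before you can add custom settings to a policy..." as a continuation of the "Windows 10/11" bullet. Add a ">" line after line 127, as line 125 does before the list, so the sentence renders as its own paragraph.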
@@ -159,7 +159,7 @@ For more information about using custom compliance settings, including supported
159159

160160
Select **+ Select groups to include** and then assign the policy to one or more groups. The policy will apply to these groups when you save the policy after the next step.
161161

162-
Policies for Linux do not support user-based assignments and can only be assigned to device groups.
162+
Policies for Linux don't support user-based assignments and can only be assigned to device groups.
163163

164164
10. On the **Review + create** tab, review the settings and select **Create** when ready to save the compliance policy.
165165

memdocs/intune/protect/device-compliance-get-started.md

Lines changed: 10 additions & 13 deletions
Original file line numberDiff line numberDiff line change
@@ -128,19 +128,16 @@ The following subjects link to dedicated articles for different aspects of devic
128128
- [iOS](compliance-policy-create-ios.md)
129129
- [macOS](compliance-policy-create-mac-os.md)
130130
- [Windows Holographic for Business](compliance-policy-create-windows.md#windows-holographic-for-business)
131-
<<<<<<< HEAD
132-
=======
133131
- [Windows 8.1 and later](compliance-policy-create-windows-8-1.md)
134132
[!INCLUDE [windows-phone-81-windows-10-mobile-support](../includes/windows-phone-81-windows-10-mobile-support.md)]
135-
>>>>>>> d7c6a99745ea32a9d4ab606446c93a1c32ea0490
136133
- [Windows 10/11](compliance-policy-create-windows.md)
137134

138-
Intune also supports compliance policy for Linux (Ubuntu Desktop, version 20.04 LTS), which uses the Settings catalog format instead of templates. Dedicated content for the settings in the settings catalog is not available, but information is available from within the Settings catalog.
135+
Intune also supports compliance policy for Linux (Ubuntu Desktop, version 20.04 LTS and 22.04 LTS), which use the Settings catalog format instead of templates. Dedicated content for the settings in the settings catalog isn't available, but information is available from within the Settings catalog.
139136

140137
- [**Custom compliance settings**](compliance-use-custom-settings.md) – With custom compliance settings you can expand on Intune’s built-in device compliance options. Custom settings provide flexibility to base compliance on the settings that are available on a device without having to wait for Intune to add those settings.
141138

142139
You can use custom compliance settings with the following platforms:
143-
- Linux – Ubuntu Desktop, version 20.04 LTS
140+
- Linux – Ubuntu Desktop, version 20.04 LTS and 22.04 LTS
144141
- Windows 10/11
145142

146143
## Monitor compliance status
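Review bot: The conflict markers at old lines 131, 132 and 135 are removed, but the resolution keeps the incoming side (the "Windows 8.1 and later" entry and the windows-phone-81-windows-10-mobile-support include) where the HEAD side was empty, which means HEAD had dropped those lines. Please confirm that restoring them is intended and not a by-product of deleting only the marker lines. At line 135, "which use the Settings catalog format" has "compliance policy" as its subject and should stay "which uses".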
@@ -176,14 +173,14 @@ The following table describes how noncompliant settings are managed when a compl
176173

177174
|**Policy setting**| **Platform** |
178175
| --- | ----|
179-
| **PIN or password configuration** | - **Android 4.0 and later**: Quarantined<br>- **Samsung Knox Standard 4.0 and later**: Quarantined<br>- **Android Enterprise**: Quarantined <br> <br>- **iOS 8.0 and later**: Remediated<br>- **macOS 10.11 and later**: Remediated <br> <br>- **Windows 10/11**: Remediated|
180-
| **Device encryption** | - **Android 4.0 and later**: Quarantined<br>- **Samsung Knox Standard 4.0 and later**: Quarantined<br>- **Android Enterprise**: Quarantined<br><br>- **iOS 8.0 and later**: Remediated (by setting PIN)<br>- **macOS 10.11 and later**: Quarantined<br><br>- **Windows 10/11**: Quarantined|
181-
| **Jailbroken or rooted device** | - **Android 4.0 and later**: Quarantined (not a setting)<br>- **Samsung Knox Standard 4.0 and later**: Quarantined (not a setting)<br>- **Android Enterprise**: Quarantined (not a setting)<br><br>- **iOS 8.0 and later**: Quarantined (not a setting)<br>- **macOS 10.11 and later**: Not applicable<br><br>- **Windows 10/11**: Not applicable |
182-
| **Email profile** | - **Android 4.0 and later**: Not applicable<br>- **Samsung Knox Standard 4.0 and later**: Not applicable<br>- **Android Enterprise**: Not applicable<br><br>- **iOS 8.0 and later**: Quarantined<br>- **macOS 10.11 and later**: Quarantined<br><br>- **Windows 10/11**: Not applicable |
183-
| **Minimum OS version** | - **Android 4.0 and later**: Quarantined<br>- **Samsung Knox Standard 4.0 and later**: Quarantined<br>- **Android Enterprise**: Quarantined<br><br>- **iOS 8.0 and later**: Quarantined<br>- **macOS 10.11 and later**: Quarantined<br><br>- **Windows 10/11**: Quarantined|
184-
| **Maximum OS version** | - **Android 4.0 and later**: Quarantined<br>- **Samsung Knox Standard 4.0 and later**: Quarantined<br>- **Android Enterprise**: Quarantined<br><br>- **iOS 8.0 and later**: Quarantined<br>- **macOS 10.11 and later**: Quarantined<br><br>- **Windows 10/11**: Quarantined |
185-
| **Windows health attestation** | - **Android 4.0 and later**: Not applicable<br>- **Samsung Knox Standard 4.0 and later**: Not applicable<br>- **Android Enterprise**: Not applicable<br><br>- **iOS 8.0 and later**: Not applicable<br>- **macOS 10.11 and later**: Not applicable<br><br>- **Windows 10/11**: Quarantined<br>- **Windows 10/11**: Quarantined |
186-
176+
| **Allowed Distros** | **Linux** *(only)* - Quarantined |
177+
| **Device encryption** | - **Android 4.0 and later**: Quarantined <br>- **Samsung Knox Standard 4.0 and later**: Quarantined <br>- **Android Enterprise**: Quarantined <br><br>- **iOS 8.0 and later**: Remediated (by setting PIN) <br>- **macOS 10.11 and later**: Quarantined <br><br>- **Linux**: Quarantined <br><br>- **Windows 10/11**: Quarantined|
178+
| **Email profile** | - **Android 4.0 and later**: Not applicable<br>- **Samsung Knox Standard 4.0 and later**: Not applicable<br>- **Android Enterprise**: Not applicable<br><br>- **iOS 8.0 and later**: Quarantined <br>- **macOS 10.11 and later**: Quarantined <br><br>- **Linux**: Not applicable <br><br>- **Windows 10/11**: Not applicable |
179+
| **Jailbroken or rooted device** | - **Android 4.0 and later**: Quarantined (not a setting) <br>- **Samsung Knox Standard 4.0 and later**: Quarantined (not a setting)<br>- **Android Enterprise**: Quarantined (not a setting) <br><br>- **iOS 8.0 and later**: Quarantined (not a setting) <br>- **macOS 10.11 and later**: Not applicable <br><br>- **Linux**: Not applicable <br><br>- **Windows 10/11**: Not applicable |
180+
| **Maximum OS version** | - **Android 4.0 and later**: Quarantined <br>- **Samsung Knox Standard 4.0 and later**: Quarantined <br>- **Android Enterprise**: Quarantined <br><br>- **iOS 8.0 and later**: Quarantined <br>- **macOS 10.11 and later**: Quarantined <br><br>- **Linux**: See *Allowed Distros* <br><br>- **Windows 10/11**: Quarantined |
181+
| **Minimum OS version** | - **Android 4.0 and later**: Quarantined <br>- **Samsung Knox Standard 4.0 and later**: Quarantined <br>- **Android Enterprise**: Quarantined <br><br>- **iOS 8.0 and later**: Quarantined <br>- **macOS 10.11 and later**: Quarantined <br><br>- **Linux**: See *Allowed Distros* <br><br>- **Windows 10/11**: Quarantined|
182+
| **PIN or password configuration** | - **Android 4.0 and later**: Quarantined <br>- **Samsung Knox Standard 4.0 and later**: Quarantined <br>- **Android Enterprise**: Quarantined <br><br>- **iOS 8.0 and later**: Remediated <br>- **macOS 10.11 and later**: Remediated <br><br>- **Linux**: Quarantined <br> <br>- **Windows 10/11**: Remediated|
183+
| **Windows health attestation** | - **Android 4.0 and later**: Not applicable <br>- **Samsung Knox Standard 4.0 and later**: Not applicable <br>- **Android Enterprise**: Not applicable <br><br>- **iOS 8.0 and later**: Not applicable <br>- **macOS 10.11 and later**: Not applicable <br><br>- **Linux**: Not applicable <br><br>- **Windows 10/11**: Quarantined |
187184

188185

189186
> [!NOTE]
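Review bot: The new "Allowed Distros" row at line 176 uses a different cell format ("**Linux** *(only)* - Quarantined") from every other row, which lists each platform as a "- **Platform**: State" entry; write it as "- **Linux**: Quarantined" for consistency. Re-sorting the rows alphabetically in the same change as adding the Linux entries makes the content changes hard to verify in the diff, so please double-check each existing platform value against the old rows, in particular that the removal of the duplicated "Windows 10/11: Quarantined" entry from the Windows health attestation row is the only value change for existing platforms.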
