🎯 Purpose
✅ Define baseline device compliance for Android Enterprise Work Profile devices, aligned to Essential Eight – COMPLY (IBP / Maturity Level 1).
➡️ Ensures only compliant Android devices can access corporate resources when paired with Conditional Access.
👥 Who is affected
✅ Users: All licensed users
🚫 Exclusions: None
➡️ Users must access corporate resources from a compliant Android Work Profile device.
☁️ What access is protected
✅ Applications: Microsoft 365 and other Entra‑integrated cloud apps
✅ Device type: Android Enterprise — Work Profile
➡️ Access is granted only when the device reports as compliant.
🔐 How compliance is enforced
✅ Storage encryption is required
✅ Non‑compliant devices are blocked after a grace period
✅ Enforcement occurs through Intune Compliance + Conditional Access
➡️ Devices that do not meet compliance requirements lose access.
ℹ️ Note: Other controls (OS versioning, passwords, threat protection) are intentionally minimal to maintain compatibility and reduce onboarding friction at IBP/M1.
⚙️ What this policy does NOT enforce
🚫 Minimum OS version
🚫 Android security patch level
🚫 Password or screen‑lock complexity
🚫 Threat protection / SafetyNet / Play Integrity checks
➡️ This is intentional for a light‑touch M1 compliance posture.
🟢 Policy status
✅ Enabled
✅ Enforced via Intune Compliance
✅ Conditional Access blocks access after 24‑hour grace period
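The settings above can be verified against an exported copy of the policy. The following drift check is an added example, not part of the original policy document or of Intune itself. It assumes the export uses the Microsoft Graph androidWorkProfileCompliancePolicy property names and that the 24-hour grace period is configured as the policy's "mark device non-compliant" (block) action; the sample export is constructed.

```python
# Drift check for an exported Intune compliance policy (added example).
# Property names follow the Microsoft Graph androidWorkProfileCompliancePolicy
# resource; SAMPLE_EXPORT is constructed, not taken from a real tenant.
GRACE_HOURS = 24  # grace period stated in the policy summary
POLICY_TYPE = "#microsoft.graph.androidWorkProfileCompliancePolicy"

# Settings the baseline intentionally leaves unset at IBP/M1.
NOT_ENFORCED = (
    "osMinimumVersion",
    "minAndroidSecurityPatchLevel",
    "passwordRequired",
    "deviceThreatProtectionEnabled",
    "securityRequireSafetyNetAttestationBasicIntegrity",
    "securityRequireSafetyNetAttestationCertifiedDevice",
)

def check_baseline(policy):
    """Return a list of findings; an empty list means the export matches."""
    findings = []
    if policy.get("@odata.type") != POLICY_TYPE:
        findings.append("not an Android Work Profile compliance policy")
    if policy.get("storageRequireEncryption") is not True:
        findings.append("storage encryption is not required")
    for name in NOT_ENFORCED:
        if policy.get(name):  # None, False and "" all count as unset
            findings.append(f"{name} is set, beyond the M1 baseline")
    # Collect the grace period of every 'block' (mark non-compliant) action.
    blocks = [
        cfg.get("gracePeriodHours")
        for rule in policy.get("scheduledActionsForRule") or []
        for cfg in rule.get("scheduledActionConfigurations") or []
        if cfg.get("actionType") == "block"
    ]
    if not blocks:
        findings.append("no block action configured for non-compliance")
    elif any(hours != GRACE_HOURS for hours in blocks):
        findings.append(f"grace period {blocks} differs from {GRACE_HOURS} hours")
    return findings

SAMPLE_EXPORT = {  # constructed sample matching the baseline
    "@odata.type": POLICY_TYPE,
    "storageRequireEncryption": True,
    "passwordRequired": False,
    "osMinimumVersion": None,
    "scheduledActionsForRule": [{
        "scheduledActionConfigurations": [
            {"actionType": "block", "gracePeriodHours": 24}],
    }],
}
```

An empty result means the export matches the baseline described here; each finding names the setting that has drifted.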
📘 Essential Eight Alignment
✅ Supports Essential Eight – COMPLY
✅ Enforces encrypted work profiles
✅ Uses Conditional Access to restrict access from non‑compliant devices
ℹ️ Stronger compliance requirements are introduced at higher maturity levels
📘 Practical Interpretation (Executive‑Friendly)
This compliance policy ensures that:
✅ Android work data is encrypted
✅ Only compliant devices can access corporate resources
✅ Users have time to remediate issues before access is blocked
This establishes a baseline mobile compliance posture for Essential Eight Maturity Level 1 while allowing flexibility for future uplift.



