Block access to company resources if running an out-of-date iOS version using Microsoft Intune and Conditional Access

Introduction

Do you need a simple yet effective way to get people to update iOS on their company-enrolled Apple devices? Simply block access to company resources if iOS is not up to date. Here is how you can do that using Microsoft Intune and Conditional Access in Microsoft Azure.

Peek into Microsoft Intune and the device compliance policies

Microsoft Intune

Compliance Policy

This is all about putting the device into a non-compliant state if it is not running a specific iOS version. As such, our first task is to create a compliance policy stating that rule.

  • Create a new iOS Compliance Policy
    • Give it a suitable name. For your inspiration, mine is called MDM – Minimum iOS Version

  • Configure the Device Properties section with the minimum version required in your environment as illustrated below.

  • Assign it to All Users or a group consisting of users, also as illustrated below.

Conditional Access

  • Next, create a new Conditional Access policy.
    • This is the policy which will block the access if the device is non-compliant. In this example, the device will be non-compliant if it’s not running at least iOS 11.4
      • Name: CA – All Cloud Apps – iOS – Require Compliance
      • Assignment: Assign the policy to single users or a group consisting of users
      • Cloud apps: All cloud apps
      • Conditions: iOS (I’ve configured Client apps too, but this is optional)

  • Access controls
    • Grant access: Require the device to be marked as compliant
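
The same two policies can be created through Microsoft Graph instead of the portal. The script below is an added example, not part of the original post: it assumes the Microsoft Graph PowerShell SDK is installed, uses a placeholder group ID, and creates the Conditional Access policy in report-only state (an assumption, so the impact can be reviewed in the sign-in logs before enforcing).

```powershell
# Added example, not from the original post. Requires the Microsoft.Graph.Authentication module.
$GroupId    = '<target-group-object-id>'   # placeholder: object ID of the user group to target
$MinVersion = '11.4'                       # minimum iOS version used in the post

Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All',
    'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess', 'Application.Read.All'

# 1. Compliance policy: a device below $MinVersion is marked non-compliant with no grace period.
$compliance = @{
    '@odata.type'    = '#microsoft.graph.iosCompliancePolicy'
    displayName      = 'MDM – Minimum iOS Version'
    osMinimumVersion = $MinVersion
    scheduledActionsForRule = @(@{
        ruleName = 'PasswordRequired'   # rule name used by Microsoft's Intune Graph samples
        scheduledActionConfigurations = @(@{
            actionType = 'block'; gracePeriodHours = 0
            notificationTemplateId = ''; notificationMessageCCList = @()
        })
    })
} | ConvertTo-Json -Depth 10
$policy = Invoke-MgGraphRequest -Method POST -ContentType 'application/json' -Body $compliance `
    -Uri 'https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies'

# 2. Assign the compliance policy to the user group.
$assign = @{ assignments = @(@{ target = @{
    '@odata.type' = '#microsoft.graph.groupAssignmentTarget'; groupId = $GroupId } }) } |
    ConvertTo-Json -Depth 10
Invoke-MgGraphRequest -Method POST -ContentType 'application/json' -Body $assign `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies/$($policy.id)/assign"

# 3. Conditional Access: all cloud apps, iOS platform only, grant requires a compliant device.
$ca = @{
    displayName = 'CA – All Cloud Apps – iOS – Require Compliance'
    state       = 'enabledForReportingButNotEnforced'   # assumption: set to 'enabled' to enforce
    conditions  = @{
        users          = @{ includeGroups = @($GroupId) }
        applications   = @{ includeApplications = @('All') }
        platforms      = @{ includePlatforms = @('iOS') }
        clientAppTypes = @('all')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('compliantDevice') }
} | ConvertTo-Json -Depth 10
Invoke-MgGraphRequest -Method POST -ContentType 'application/json' -Body $ca `
    -Uri 'https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies'
```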

End user experience

Once a device turns non-compliant, the Company Portal will give you a warning about the actions required on the device.

In this example, I will be required to update iOS to 11.4 or later, as stated in the compliance policy and shown in the illustration below.

And if you try to access company resources like Exchange Online, SharePoint Online, Skype for Business and so on, you will be met with the following message:
