This case examines the best practices in human resource management at the US based Microsoft corporation. The company was ranked 38th in the Fortune's list of '100 Best Companies to Work For' published in January 2009. Microsoft had a strong organisational culture which supported work / life balance and helped boost employee morale. Of course, HR employees use tools such as Office 365, Skype for Business, and LinkedIn as essential to getting their work completed. The new emphasis on data is key to how Microsoft's HR department is transforming itself and working in new ways. 'HR employees need different skills today,' says Klinghoffer.
Local and Global HR Policies and Directives. As part of the employment there are Human Resources policies and directives that govern the way a company works. These policies could include: Workplace Policies: Nondiscrimination and Anti-harassment. Threats and Acts of violence in the workplace. Health Policies: Substance Abuse Prevention. The HR audit is the process of examining intensely and objectively the organization's HR policies, procedures, documentation, systems, practices and strategies to protect the organization from litigation.
Mobile device management (MDM) solutions like Intune can help protect organizational data by requiring users and devices to meet some requirements. In Intune, this feature is called compliance policies.
Compliance policies in Intune:
- Define the rules and settings that users and devices must meet to be compliant.
- Include actions that apply to devices that are noncompliant. Actions for noncompliance can alert users to the conditions of noncompliance and safeguard data on noncompliant devices.
- Can be combined with Conditional Access, which can then block users and devices that don't meet the rules.
There are two parts to compliance policies in Intune:
Compliance policy settings – Tenant-wide settings that are like a built-in compliance policy that every device receives. Compliance policy settings set a baseline for how compliance policy works in your Intune environment, including whether devices that haven't received any device compliance policies are compliant or noncompliant.
Device compliance policy – Platform-specific rules you configure and deploy to groups of users or devices. These rules define requirements for devices, like minimum operating systems or the use of disk encryption. Devices must meet these rules to be considered compliant.
Like other Intune policies, compliance policy evaluations for a device depend on when the device checks in with Intune, and on policy and profile refresh cycles.
Compliance policy settings
Compliance policy settings are tenant-wide settings that determine how Intune's compliance service interacts with your devices. These settings are distinct from the settings you configure in a device compliance policy.
To manage the compliance policy settings, sign in to Microsoft Endpoint Manager admin center and go to Endpoint security > Device compliance > Compliance policy settings.
Compliance policy settings include the following settings:
Mark devices with no compliance policy assigned as
This setting determines how Intune treats devices that haven't been assigned a device compliance policy. This setting has two values:
- Compliant (default): This security feature is off. Devices that aren't sent a device compliance policy are considered compliant.
- Not compliant: This security feature is on. Devices that haven't received a device compliance policy are considered noncompliant.
If you use Conditional Access with your device compliance policies, we recommend you change this setting to Not compliant to ensure that only devices that are confirmed as compliant can access your resources.
If an end user isn't compliant because a policy isn't assigned to them, then the Company Portal app shows No compliance policies have been assigned.
Enhanced jailbreak detection (applies only to iOS/iPadOS)
This setting works only with devices that you target with a device compliance policy that blocks jailbroken devices. (See Device Health settings for iOS/iPadOS).
This setting has two values:
- Disabled (default): This security feature is off. This setting has no effect on your devices that receive a device compliance policy that blocks jailbroken devices.
- Enabled: This security feature is on. Devices that receive a device compliance policy that blocks jailbroken devices use Enhanced jailbreak detection.
When enabled on an applicable iOS/iPadOS device, the device:
- Enables location services at the OS level.
- Always allows the Company Portal to use location services.
- Uses its location services to trigger jailbreak detection more frequently in the background. The user location data isn't stored by Intune.
Enhanced jailbreak detection runs an evaluation when:
- The Company Portal app opens
- The device physically moves a significant distance, which is approximately 500 meters or more. Intune can't guarantee that each significant location change results in a jailbreak detection check, as the check depends on a device's network connection at the time.
On iOS 13 and higher, this feature requires users to select Always Allow whenever the device prompts them to continue allowing Company Portal to use their location in the background. If enabled, this will allow more frequent jailbreak detection checks.
Compliance status validity period (days)
Specify a period in which devices must successfully report on all their received compliance policies. If a device fails to report its compliance status for a policy before the validity period expires, the device is treated as noncompliant.
By default, the period is set to 30 days. You can configure a period from 1 to 120 days.
You can view details about device compliance with the validity period setting. Sign in to Microsoft Endpoint Manager admin center and go to Devices > Monitor > Setting compliance. This setting has a name of Is active in the Setting column. For more information about this and related compliance status views, see Monitor device compliance.
Device compliance policies
Intune device compliance policies:
- Define the rules and settings that users and managed devices must meet to be compliant. Examples of rules include requiring devices run a minimum OS version, not being jail-broken or rooted, and being at or under a threat level as specified by threat management software you've integrated with Intune.
- Support actions that apply to devices that don't meet your compliance rules. Examples of actions include being remotely locked, or sending a device user email about the device status so they can fix it.
- Deploy to users in user groups or devices in device groups. When a compliance policy is deployed to a user, all the user's devices are checked for compliance. Using device groups in this scenario helps with compliance reporting.
If you use Conditional Access, your Conditional Access policies can use your device compliance results to block access to resources from noncompliant devices.
The available settings you can specify in a device compliance policy depend on the platform type you select when you create a policy. Different device platforms support different settings, and each platform type requires a separate policy.
The following subjects link to dedicated articles for different aspects of device configuration policy.
Actions for noncompliance - Each device compliance policy includes one or more actions for noncompliance. These actions are rules that get applied to devices that don't meet the conditions you set in the policy.
By default, each device compliance policy includes the action to mark a device as noncompliant if it fails to meet a policy rule. The policy then applies to the device any additional actions for noncompliance that you've configured, based on the schedules you set for those actions.
Actions for noncompliance can help alert users when their device isn't compliant, or safeguard data that might be on a device. Examples of actions include:
- Sending email alerts to users and groups with details about the noncompliant device. You might configure the policy to send an email immediately upon being marked as noncompliant, and then again, periodically, until the device becomes compliant.
- Remotely lock devices that have been noncompliant for some time.
- Retire devices after they've been noncompliant for some time. This action removes the device from Intune management and removes all company data from the device.
Configure network locations - Supported by Android devices, you can configure network locations and then use those locations as a device compliance rule. This type of rule can flag a device as noncompliant when it's outside of or leaves a specified network. Before you can specify a Location rule, you must configure the network locations.
Create a policy – With the information in this article, you can review prerequisites, work through the options to configure rules, specify actions for noncompliance, and assign the policy to groups. This article also includes information about policy refresh times.
View the device compliance settings for the different device platforms:
Monitor compliance status
Intune includes a device compliance dashboard that you use to monitor the compliance status of devices, and to drill in to policies and devices for more information. To learn more about this dashboard, see Monitor device compliance.
Integrate with Conditional Access
When you use Conditional Access, you can configure your Conditional Access policies to use the results of your device compliance policies to determine which devices can access your organizational resources. This access control is in addition to and separate from the actions for noncompliance that you include in your device compliance policies.
When a device enrolls in Intune, it registers in Azure AD. The compliance status for devices is reported to Azure AD. If your Conditional Access policies have Access controls set to Require device to be marked as compliant, Conditional Access uses that compliance status to determine whether to grant or block access to email and other organization resources.
If you'll use device compliance status with Conditional Access policies, review how your tenant has configured Mark devices with no compliance policy assigned as, which you manage under Compliance policy settings.
For more information about using Conditional Access with your device compliance policies, see Device-based Conditional Access.
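The interaction between the tenant-wide settings and a Conditional Access policy that requires a compliant device can be modelled in a few lines. The following is an added example, not Microsoft's code or Intune's actual evaluation logic; the class names, field names and the sample inventory are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class TenantSettings:
    # Hypothetical field names modelling the tenant-wide settings on this page.
    unassigned_is_compliant: bool = True  # "Mark devices with no compliance policy assigned as": Compliant (default)
    validity_days: int = 30               # "Compliance status validity period (days)", default 30


@dataclass
class Device:
    name: str
    assigned_policies: int           # device compliance policies targeted at the device
    failed_rules: int                # rules the device currently fails
    last_report: Optional[datetime]  # last successful compliance report, if any


def evaluate(device, settings, now):
    """Return (is_compliant, reason) for one device under the tenant settings."""
    if not 1 <= settings.validity_days <= 120:
        raise ValueError("validity period must be 1 to 120 days")
    if device.assigned_policies == 0:
        # No policy received: the tenant-wide baseline alone decides.
        return settings.unassigned_is_compliant, "no compliance policy assigned"
    window = timedelta(days=settings.validity_days)
    if device.last_report is None or now - device.last_report > window:
        return False, "no report within validity period"
    if device.failed_rules:
        return False, "policy rule not met"
    return True, "all assigned rules met"


def access_report(devices, settings, now):
    """Access decision per device for a Conditional Access policy that
    requires the device to be marked as compliant."""
    return {d.name: evaluate(d, settings, now) for d in devices}


def unverified_grants(devices, settings, now):
    """Devices that get access although no policy ever checked them."""
    return [d.name for d in devices
            if d.assigned_policies == 0 and evaluate(d, settings, now)[0]]


# Constructed sample inventory (not real data).
NOW = datetime(2021, 3, 1)
DEVICES = [
    Device("corp-laptop", 2, 0, NOW - timedelta(days=2)),
    Device("stale-phone", 1, 0, NOW - timedelta(days=45)),
    Device("unencrypted-android", 1, 1, NOW - timedelta(days=1)),
    Device("byod-tablet", 0, 0, None),
]

if __name__ == "__main__":
    for label, settings in [("Compliant (default)", TenantSettings()),
                            ("Not compliant", TenantSettings(unassigned_is_compliant=False))]:
        print(label)
        for name, (ok, reason) in access_report(DEVICES, settings, NOW).items():
            print(f"  {name:20} {'grant' if ok else 'block'}  {reason}")
        print("  unverified grants:", unverified_grants(DEVICES, settings, NOW))
```

With the default tenant setting, the device that never received a policy is the only one granted access without any rule having been checked; switching the setting to Not compliant closes that gap.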
Learn more about Conditional Access in the Azure AD documentation:
Reference for non-compliance and Conditional Access on the different platforms
The following table describes how noncompliant settings are managed when a compliance policy is used with a Conditional Access policy.
Remediated: The device operating system enforces compliance. For example, the user is forced to set a PIN.
Quarantined: The device operating system doesn't enforce compliance. For example, Android and Android Enterprise devices don't force the user to encrypt the device. When the device isn't compliant, the following actions take place:
- If a Conditional Access policy applies to the user, the device is blocked.
- The Company Portal app notifies the user about any compliance problems.
Policy setting | Android 4.0 and later | Samsung Knox Standard 4.0 and later | Android Enterprise | iOS 8.0 and later | macOS 10.11 and later | Windows 8.1 and later |
---|---|---|---|---|---|---|
PIN or password configuration | Quarantined | Quarantined | Quarantined | Remediated | Remediated | Remediated |
Device encryption | Quarantined | Quarantined | Quarantined | Remediated (by setting PIN) | Quarantined | Not applicable |
Jailbroken or rooted device | Quarantined (not a setting) | Quarantined (not a setting) | Quarantined (not a setting) | Quarantined (not a setting) | Not applicable | Not applicable |
Email profile | Not applicable | Not applicable | Not applicable | Quarantined | Quarantined | Not applicable |
Minimum OS version | Quarantined | Quarantined | Quarantined | Quarantined | Quarantined | Quarantined |
Maximum OS version | Quarantined | Quarantined | Quarantined | Quarantined | Quarantined | Quarantined |
Windows health attestation | Not applicable | Not applicable | Not applicable | Not applicable | Not applicable | Quarantined (Windows 10: Quarantined) |
Next steps
- Configure Locations for use with Android devices
- Create and deploy policy and review prerequisites
- Reference for policy entities has information about the Intune Data Warehouse policy entities