Add a device assurance policy

You can define one or more device attributes that you want to check for each platform that you support. There’s no limit to the number of device assurance policies that you can add, but each set of device attributes must have a unique name.

  1. In the Admin Console, go to Security > Device Assurance Policies.

  2. Click Add a policy.

  3. In the Add device assurance policy dialog, enter the following information:

    • Policy name: Specify a unique name for the set of device attributes that you want to define.

    • Platform: Select the device platform that you want to set device attributes for.

  4. Select platform-specific options.

    Platform-specific options, by platform:

    Android
    • Minimum Android version: Select a preset version from the list, or specify a custom version.
    • Lock screen: Select the checkbox if a screen lock is required. Also, select the checkbox if biometrics is required.

    • Disk encryption: Select the checkbox if the device disk must be encrypted. Devices with Android 8 or 9 support full-disk encryption. Devices with Android 10 or later support full-disk encryption only if they were upgraded from a previous version. Devices with Android 10 and later use file-based encryption.

    • Hardware keystore: Select the checkbox if the device must support hardware-backed keys.

    • Rooting: Select the checkbox if the device must not be rooted.

    iOS

    • Minimum iOS version: Select a preset version from the list, or specify a custom version.
    • Lock screen: Select the checkbox if a passcode is required. Also, select the checkbox if Touch ID or Face ID is required.

    • Jailbreak: Select the checkbox if the device must not be jailbroken.

    macOS
    • Minimum macOS version: Select a preset version from the list, or specify a custom version.

    • Lock screen: Select the checkbox if a password is required. Also, select the checkbox if Touch ID is required.

    • Disk encryption: Select the checkbox if the disk must be encrypted. Only internal and system volumes are evaluated for disk encryption. Volumes that are hidden, removable, automounted, or used for recovery aren’t evaluated for disk encryption.

    • Secure Enclave: Select the checkbox if the device must support Secure Enclave.

    Windows
    • Minimum Windows version: Select a preset version from the list, or specify a custom version.

    • Windows Hello must be enabled: If you select this option, users must have Windows Hello enabled on their devices. However, users don’t have to use Windows Hello or enter a password to sign in to apps.

    • Disk encryption: Select the checkbox if the disk must be encrypted.

    • Trusted Platform Module: Select the checkbox if the device must support a Trusted Platform Module.

  5. Click Save.
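
To plan a policy before entering it in the Admin Console, the following added example (not Okta code and not a description of how Okta evaluates devices) models the attributes above and reports which ones a device would fail. The `Policy` class, the device dictionary keys, the volume `kind` labels, and all sample values are assumptions constructed for illustration.

```python
from dataclasses import dataclass

def parse_version(v, width=4):
    """'10' -> (10, 0, 0, 0): numeric and zero-padded, so '10' > '9' and '13' == '13.0'."""
    parts = [int(p) for p in v.split(".")]
    return tuple(parts + [0] * (width - len(parts)))

@dataclass
class Policy:  # hypothetical model of the attributes in one policy
    name: str
    platform: str
    min_os: str
    screen_lock: bool = False
    biometrics: bool = False
    disk_encryption: bool = False
    secure_hardware: bool = False  # hardware keystore / Secure Enclave / TPM
    not_rooted: bool = False       # Android rooting / iOS jailbreak

EVALUATED_VOLUMES = {"internal", "system"}  # macOS: other volume kinds are skipped

def disk_encrypted(device):
    if device["platform"] == "macos":
        vols = [v for v in device.get("volumes", []) if v["kind"] in EVALUATED_VOLUMES]
        return bool(vols) and all(v["encrypted"] for v in vols)
    return device.get("disk_encrypted", False)

def evaluate(policy, device):
    """Return the names of failed attributes; an empty list means compliant."""
    if device["platform"] != policy.platform:
        return ["platform"]
    checks = {  # a missing device attribute counts as a failure (fail closed)
        "os_version": parse_version(device["os_version"]) >= parse_version(policy.min_os),
        "screen_lock": not policy.screen_lock or device.get("screen_lock", False),
        "biometrics": not policy.biometrics or device.get("biometrics", False),
        "disk_encryption": not policy.disk_encryption or disk_encrypted(device),
        "secure_hardware": not policy.secure_hardware or device.get("secure_hardware", False),
        "not_rooted": not policy.not_rooted or device.get("rooted") is False,
    }
    return [name for name, ok in checks.items() if not ok]

# Constructed sample data
MAC_POLICY = Policy("corp-macos", "macos", "13.0", screen_lock=True, disk_encryption=True)
MAC_OK = {"platform": "macos", "os_version": "13", "screen_lock": True, "volumes": [
    {"kind": "system", "encrypted": True}, {"kind": "removable", "encrypted": False}]}
ANDROID_POLICY = Policy("corp-android", "android", "9", disk_encryption=True, not_rooted=True)
ANDROID_BAD = {"platform": "android", "os_version": "8.1", "disk_encrypted": True, "rooted": True}
```

The unencrypted removable volume does not make the macOS device fail, matching the rule that only internal and system volumes are evaluated.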
