# Deployment iOS MDM - Managed & Compliant Device

Implement SCA within Microsoft Endpoint Manager for your compliant devices.\
As soon as a user signs in with the AAD account, access control via Azure AD Conditional Access enforces that our app requires a compliant device.

### Compliance Policy

1. Login to Endpoint Manager with your Admin-Account
2. Go to Devices → Compliance policies or follow this link:\
   [Compliance policies - Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/#view/Microsoft_Intune_DeviceSettings/DevicesComplianceMenu/~/policies)
3. Click on **Create policy**, select **iOS/iPadOS** as Platform and click on **Create**
4. Enter a Name for your Policy e.g. “Secure Contacts App Compliance Policy”
5. Set the necessary *Compliance settings* and *Actions for noncompliance* for your environment
6. Confirm each **Next**
7. In the *Assignments* pane, click **Add group**, search for SCA-Testgroup and confirm with **Select**
8. Click on **Next**
9. Click on **Create** in *Review + create* pane

<figure><img src="https://3880789596-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F4v109br9tFl1Rxk2qP0x%2Fuploads%2FTXicmQYoEJmse9guwF7G%2Fimage.png?alt=media&#x26;token=a0c67ac0-c382-4d4b-b4e8-622e18c85ef4" alt=""><figcaption></figcaption></figure>

### Conditional Access Policy

1. Go to Endpoint security → Conditional access or follow this link:\
   [Conditional Access - Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/#view/Microsoft_AAD_IAM/ConditionalAccessBlade/~/Policies)
2. Click on **New policy** to create a new Conditional Access policy
3. Enter a Name for the Policy e.g. “Secure Contacts Conditional Access Policy”
4. Go to ***Users or workload identities*** in *Assignments*
5. *Include* your SCA-Testgroup to **Users and Groups**\
   \
   ![](https://3880789596-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F4v109br9tFl1Rxk2qP0x%2Fuploads%2FSVrERXgtIPk4suMl3xvC%2Fimage.png?alt=media\&token=65c41b35-235f-4812-9b26-f2f8ef069bec)<br>
6. Go to ***Cloud apps or actions*** in *Assignments*
7. *Include* the cloud apps **Office 365** and **Provectus - Secure Contacts**\
   \
   ![](https://3880789596-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F4v109br9tFl1Rxk2qP0x%2Fuploads%2FB9BHez5sID1ePnSxYGrs%2Fimage.png?alt=media\&token=63807e3a-2924-4b67-9895-b28b43098c0e)<br>
8. Set the Conditions required for your environment, e.g. under *Client apps* tick *Mobile apps and desktop clients*
9. Go to *Grant* in the *Access controls* pane
10. Set **Require compliant device**\
    \
    ![](https://3880789596-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F4v109br9tFl1Rxk2qP0x%2Fuploads%2FyhSX38x02XHTbKT5QqYV%2Fimage.png?alt=media\&token=b358d0db-1587-406c-b700-f87b778a2b6e)<br>
11. Set *Enable Policy* to **On**
12. Click on **Create**

{% hint style="info" %}
According to Microsoft, it is **mandatory** to target both **Office 365** and **Secure Contacts** as Cloud Apps in your Conditional Access Policy in order to implement SCA correctly.\
Adding **Office 365** as a Cloud App is required because our Enterprise Application\
(Provectus - Secure Contacts) uses its data sources.
{% endhint %}
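The same Conditional Access policy as in steps 1-12, created with the Microsoft Graph PowerShell SDK instead of the portal. This is an added example, not part of the original guide or the Provectus project; it assumes the Microsoft.Graph module is installed, that the pilot group is named "SCA-Testgroup" and that the enterprise application is registered as "Provectus - Secure Contacts" in your tenant.

```powershell
# Added example (not from the original guide): create the SCA Conditional Access
# policy via Microsoft Graph. Names of the group and the enterprise application
# are assumptions; adjust them to your tenant.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Group.Read.All", "Application.Read.All"

# Resolve the object id of the pilot group (step 5) and the app id of the
# enterprise application (step 7). Conditional Access references apps by AppId.
$group = Get-MgGroup -Filter "displayName eq 'SCA-Testgroup'" | Select-Object -First 1
$sp    = Get-MgServicePrincipal -Filter "displayName eq 'Provectus - Secure Contacts'" | Select-Object -First 1
if (-not $group -or -not $sp) {
    throw "Group or enterprise application not found; check the names before creating the policy."
}

$params = @{
    displayName = "Secure Contacts Conditional Access Policy"
    # Step 11: "enabled" enforces the policy. Use "enabledForReportingButNotEnforced"
    # first if you want to review the sign-in logs before enforcing.
    state       = "enabled"
    conditions  = @{
        # Step 5: only the pilot group is in scope
        users          = @{ includeGroups = @($group.Id) }
        # Step 7 and the note above: "Office365" is Graph's built-in identifier for
        # the Office 365 app group; the second entry is the Secure Contacts app
        applications   = @{ includeApplications = @("Office365", $sp.AppId) }
        # Step 8: limit the policy to mobile apps and desktop clients
        clientAppTypes = @("mobileAppsAndDesktopClients")
    }
    grantControls = @{
        operator        = "OR"
        # Step 10: grant access only from a compliant (Intune-managed) device
        builtInControls = @("compliantDevice")
    }
}

$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter $params
Write-Output "Created policy '$($policy.DisplayName)' ($($policy.Id)) in state $($policy.State)"
```

After creation, verify the result in the admin center under Conditional access → Policies; the users, cloud apps, client app condition and grant control should match steps 5-10.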
