Device Security Baseline Frequently Asked Questions (FAQs)

The Security Baseline is a set of Intune policies that will help to ensure Intune devices are equally protected at a fundamental level.  It ensures that a minimum set of controls are in place for Intune-licenced users, when consuming NHSmail services.  The baseline will not conflict with local Intune policies configured by Local Administrators.

Organisations may have different security configurations to suit their individual needs. Whilst some controls will always be determined locally, introducing the new baseline will ensure that devices belonging to Intune users and accessing NHSmail services, meet a minimum level of compliance that we should all be adhering to.

Intune App Protection Policies (APP) can be used to keep an organisation’s data safe within core Microsoft apps on mobile devices.  They Protect data at the application level, not the device level so, even if the user’s device isn’t enrolled in Intune, the App Protection Policies will still be able to manage how NHS data is shared and accessed by applications.

Intune Device Compliance Policies determine what settings are expected to be met on the devices themselves, for them to be considered compliant.  They improve the security status and compliance of managed devices by ensuring that devices adhere to specific standards.

If a user’s device does not meet one or more of the Device Compliance controls, then the device is flagged as non-compliant in Intune.

If you are using a personal (unmanaged) Android device, when you sign into Outlook for the very first time using your nhs.net account, a notification may pop up requesting that you “Activate Device Administrator”.

This is an existing NHS policy on Outlook (unrelated to the new changes). If you get this pop up, simply click ‘Activate’ to continue.

No. Users do not need to log in to the app for the new controls to work. After the broker app (Microsoft Intune Company Portal App ​for Android or Microsoft Authenticator App for iOS) has been installed on the mobile device, no further actions are required with the broker app.

The new baseline will be automatically rolled out to all Intune licensed users. This is to ensure that, in line with the NHS ‘Defend as One’ security initiative, a minimum security level is achieved across the Intune estate.

Yes, all of the Security Baseline webinars will be recorded and uploaded to the Support Site.  Intune Local Administrators will receive an email with a link to the webinar recording after each event.

For more information, please refer to the NHSmail Device Security Baseline article.