Fix Device Compliance Errors on Your Phone for Work Apps (Intune and Workspace)

Facing a seemingly endless wall of “device not compliant” messages when you try to open work apps like Outlook or Teams on your phone can be frustrating. This guide walks you through the common causes and quick fixes you can try now. It covers both Android and iOS, focusing on how Intune and Google Workspace manage device checks.

First, a quick look at what you’re seeing. A device must pass company security checks to access work apps. If your phone misses a required policy, certificate, or recent check-in, access is blocked. In practice, you’ll often fix these issues with a few small steps rather than a full reset.

If you want fast wins, start with the basics. Make sure your phone can reach the management service and that the Company Portal app is up to date. A simple sync from the app or system settings can refresh the device’s compliance status. Verify your account is active and that your license for work apps is still valid.

Next, check the core policy and trust settings. Reapply or update the compliance policy in your management console and re-sync. On Android, verify work profile settings and ensure background processes are allowed; on iOS, confirm the device’s OS version meets policy requirements. If there’s a certificate issue, reimport the certificate or remove expired ones.

If problems persist, there are a few more focused moves. Look for conflicts between Workspace and Intune policies, especially for iOS devices. Temporarily disable nonessential conditional access rules to identify the blocker. When in doubt, reach out to IT with the exact error codes and device details. These steps align with the latest official guidance and are designed to get most users back to work quickly, with a clear path for escalation if needed. Smartphone usage is common here, and with the right checks, access can be restored smoothly.

What Are Device Compliance Errors and Why Do They Happen?

Device compliance errors pop up when your phone doesn’t pass the security checks your company enforces. These checks ensure work apps like Outlook and Teams stay protected and data stays secure. If you see a “not compliant” message, it usually means one of a few common issues is at play. The good news is that most problems have quick, actionable fixes you can try without drastic changes. Below are the most frequent causes and practical steps to resolve them.

Photo by Polina Zimmerman

No Compliance Policy or Device Not Active

If there is no compliance policy assigned to your device, Intune won’t mark it as compliant. This happens when IT has not set a rule that your device must meet. It can also occur if the device hasn’t checked in for some time. In practice, you’ll often see this as a blockage that points to a missing policy or an inactive device.

• No policy assigned: Your IT admin must publish a compliance policy and assign it to your group or device. Until then, your device won’t be considered compliant, and access to work apps may be blocked.
• Device inactive (check-in ≈ 30 days): If you haven’t signed in to the Company Portal in about a month, the system may flag you as inactive. A simple sync from the Company Portal app or a manual check-in can refresh the status.

Signs you’re in this scenario include a clear message in the Company Portal app about missing policy or a note that the device is not active. If you see these, contact IT to confirm policy enrollment and to re-establish a healthy check-in cadence.

To fix:

• Open the Company Portal app and force a sync.
• Ensure the device has network access and can reach your management service.
• Ask IT to confirm or re-issue the compliance policy and re-assign it to your device.
• Verify your device has a recent check-in and can receive new policy updates.

User Account or License Problems

Your ability to pass compliance can hinge on your user account or the licenses attached to it. If your account is deleted, disabled, or missing the right license, the device will be flagged non-compliant even if the device itself is healthy.

• Deleted or disabled account: If your account is no longer active in the directory, you’ll lose access to required services and compliance checks will fail.
• Missing licenses: Some work apps require specific licenses, such as Microsoft 365 E3 or Enterprise Mobility + Security. Without the correct license, access is blocked and devices can appear non-compliant.

What to do:

• Check your account status with IT. If you recently changed roles or left the company, your access may need updating.
• Confirm your license assignments. If a license is missing or expired, ask IT to reassign or renew it.
• After licensing is corrected, re-run a device sync and verify compliance in the Company Portal.

Jailbreak, Root, or Outdated OS Issues

Security gains come with risks. If a device is jailbroken or rooted, or if the operating system is out of date, it can trigger compliance failures. These practices bypass built-in protections and open doors to threats, so forms of tampering are usually blocked by policy.

• Jailbreak or root: Many policies explicitly disallow modifications that bypass security controls. Detection mechanisms flag these devices as non-compliant and block access to work apps.
• Outdated OS: Running an older OS version can fail minimum security requirements. Vendors push updates to patch vulnerabilities; missing updates can trigger compliance blocks.
• OS update interactions: On Android, especially Samsung devices loading Knox-related updates, a mismatch between the OS, Knox, and policy can cause enforcement to fail. Timely updates matter for continued compliance.

To fix:

• Remove any jailbreak or root modifications and restore the device to a standard, manufacturer-supported state.
• Update the OS to the latest stable version approved by your IT policy.
• Check security features (firewall, encryption, screen lock) are enabled and compliant with policy requirements.
• If Samsung devices show Knox-related blocks, install the latest Android and Knox updates and confirm policy compatibility after the updates finish.

Plain-language guide for quick checks:

• Ensure the phone’s security settings align with policy, including device encryption and a strong screen lock.
• Confirm no management profiles or third-party apps are circumventing protections.
• Reboot the device after updates and re-run a policy sync to confirm the status.

Engaging takeaway: a smartphone that’s up to date and free from non-standard tweaks is far less likely to trip compliance checks. If you’re unsure about modifications, contact IT to review policy compatibility before you try more invasive steps.

If issues persist after these checks, your next move is to coordinate with IT for a deeper review. Share the exact error codes, OS version, and device model to help them pinpoint the root cause quickly. This collaborative approach keeps you moving with clear steps and a reliable path back to access.

Note: The sections above align with typical enterprise guidance and reflect common, actionable fixes. Always verify eligibility and policy specifics with your IT team to avoid unintended policy violations.

Quick Steps to Check and Sync Your Phone First

When you’re facing device compliance blocks, a quick check and sync often clears the path. Start with the basics to confirm connectivity, policy enrollment, and the latest settings. Treat this like a preflight checklist for your smartphone before digging into deeper fixes. These steps apply to both Android and iOS devices and set a solid foundation for any work app troubleshooting.

How to Force a Sync on Android Phones

A manual sync can refresh your device’s compliance status and pull in the latest policies. Here’s a straightforward path you can follow on most Android phones:

• Open the Settings app and go to Accounts.
• Tap your Work account (the account tied to Intune or your enterprise).
• Tap Sync now to force the device to check in with the management service.
• If you don’t see immediate results, open the Company Portal app and initiate a sync from there as well.

While you’re syncing, verify that the phone can reach the management service. A quick check is to try loading the company portal or a known management URL such as manage.microsoft.com. If the page or the portal won’t load, the issue might be network related or blocked by a firewall. A simple reboot after the sync often helps. If you still encounter problems, confirm that the device has a recent check-in and that the policy is assigned to your user group. Remember, a healthy smartphone is one that stays connected and responsive to policy updates.

Sync Tips for iOS Devices

iOS devices need a clean, reliable bridge to the management system. Start with the basics and then drill into the details if needed:

• Check the MDM profile status in Settings > General > Device Management (or Profiles & Device Management on older iOS versions). Ensure the profile shows as trusted and active.
• If the profile appears missing or untrusted, remove it and reinstall it through the Company Portal or your IT’s enrollment flow. Reinstalling often resolves stale or corrupted profile data.
• Make sure the device has the latest iOS version that your organization supports. An OS mismatch can trigger compliance blocks.
• Verify network connectivity. A stable Wi‑Fi or cellular connection is essential for the device to reach the management service and complete a policy check.
• After any change, trigger a sync from the Company Portal app or perform a manual policy check in the iOS settings where available.

If problems persist, consider a fresh enrollment. Remove the management profile, reboot the device, and re-enroll with the correct work account. This can reset the compliance state and clear stubborn policy conflicts. In some cases, small differences in policy interpretation between Workspace and Intune can cause friction on iOS devices; re-enrollment aligns the device with the current policy bundle.

Engaging takeaway: keep the phone up to date, ensure the MDM profile is active, and verify connectivity. A well‑connected smartphone with current software makes compliance checks much more reliable. If you’re unsure about the enrollment status, contact IT with the exact error codes and device details for targeted help.

Fix Specific Compliance Problems on Android and iOS

When work apps refuse to open on your phone, it often comes down to a few concrete compliance gaps. This section zeroes in on practical fixes you can apply quickly, with steps tailored for both Android and iOS devices. The goal is to restore access to apps like Outlook and Teams without a full reset. Follow these focused remedies in order, and reach out to IT if you still see blocking errors.

Photo by Stefan Coders

Update Your OS and Remove Root or Jailbreak

Keeping the operating system current and removing any device tampering is one of the fastest ways to clear compliance blocks. Here’s how to approach it cleanly for both platforms.

• Android update path
  • Connect to Wi-Fi and charge your phone to at least 75 percent before starting.
  • Open the Settings app, then go to System or Software update.
  • Tap Check for update. If an update is available, follow the prompts to download and install.
  • After installation, reboot if prompted. This step often resolves minor policy mismatches that block check-ins.
  • Check also for Google Play system updates under Security and Privacy, then System and Updates. Install any available updates.
  • If there is a work profile, ensure it remains intact after the OS update. Some devices necessitate re-enabling the work profile post-update.
  • If you previously rooted the device, reflash the stock firmware and remove any Magisk modules. The goal is a clean, manufacturer-supported state.
• iOS restore via Finder or iTunes
  • Back up your data first. A fresh restore will replace the current OS image with a clean version.
  • On a Mac, use Finder to restore the device. On Windows or older macOS, use iTunes.
  • Put the device in recovery mode if needed, then choose “Restore.” This erases all data and reinstalls iOS with the latest signed firmware.
  • After the restore, set up your device as new or restore from a backup issued before any compliance issues appeared.
  • Re-enroll your device in the company portal or MDM enrollment flow exactly as IT instructs.
• General checks after OS updates
  • Confirm that security features required by policy are enabled (device encryption, screen lock, and trusted credentials).
  • Reinstall the Company Portal app and recheck in with your work account.
  • Ensure any previously installed management profiles or certificates are valid and active.

Why this helps: many compliance failures trace back to outdated security baselines or tampering. A clean OS and a fresh enrollment reduce the chances of mismatched policies causing blocks.

Handle License and Policy Assignment Issues

Licensing and policy assignments sit at the heart of access to work apps. If these aren’t aligned with your user account, you’ll see compliance errors even on a healthy device.

• User side actions
  • Re-sign in to the Company Portal or your work app. A fresh sign-in often pulls the latest policy bundle and licenses.
  • Confirm with IT that your account is active and the group membership still grants the necessary rights to enroll devices.
  • Verify that the correct license is assigned to your user. If licenses were recently changed, IT may need to reapply or reassign the license to your account.
• What to tell IT if you’re stuck
  • Your device model, OS version, and current app versions.
  • Exact error messages or codes you’re seeing.
  • Whether the issue started after a change in role, a policy update, or a license renewal.
• After IT updates licenses or policies
  • Force a sync from the Company Portal app or the device settings.
  • Check that the policy status shows as compliant in the portal.
  • Attempt to access the apps again to verify the issue is resolved.

Why this helps: licenses and policy assignments can drift, especially after role changes or policy refreshes. A quick re-auth and re-authorization step aligns the device with the current rules.

Clear Sync Blocks and Bad Certificates

Sometimes the problem is a stuck sync or a bad certificate that prevents the device from proving its compliance. This can appear as a policy update not applying or a certificate error when establishing a secure session.

• Android/Windows services
  • Ensure the device can reach management services. A blocked DNS or firewall rule can prevent policy updates from arriving.
  • In Android, verify work profile status and background app permissions. Some policies require background activity to stay enabled for ongoing checks.
  • Check the Event Viewer on Windows devices (if applicable) for authentication or certificate errors linked to the device’s enrollment.
• Certificates
  • Reimport or reissue the required certificates. Expired or revoked certificates frequently cause access denial.
  • Remove any old or duplicate certificates that might confuse the trust chain.
  • Ensure the root and intermediate certificates that sign your management server’s cert are trusted on the device.
• Steps you can take now
  • Force a policy refresh in the Company Portal app and perform a manual check-in with IT.
  • Reboot the device after a certificate update to ensure the trust chain is re-established.
  • If a certificate is tied to a VPN or Wi-Fi profile, confirm those profiles are still valid and not expired.
• Practical follow-up
  • After updating certificates or completing a policy refresh, try opening the work apps again.
  • If the problem persists, collect the exact policy or certificate error text and share it with IT for targeted troubleshooting.

Why this helps: stale policies or invalid certificates block secure app access immediately. A clean refresh often clears the block in minutes.

Engaging takeaway: a quick check of sync status, profile health, and certificate validity can resolve many compliance blocks. If you’re unsure about any certificate changes, coordinate with IT to verify the trust chain and policy alignment.

If issues linger after these steps, set up a direct line with IT. Provide the device model, OS version, and the exact error messages to speed up remediation. A coordinated approach keeps you moving and reduces downtime.

Note: The guidance above mirrors typical enterprise practices and is designed for rapid recovery. Always verify policy specifics with your IT team to avoid policy violations.

Prevention Tips and When to Get IT Help

Staying ahead of device compliance issues saves time and keeps work apps running smoothly. This section shares practical, quick-to-implement strategies to prevent problems and clear guidance on when it’s best to involve IT. Think of it as a frontline checklist you can run weekly to keep smartphones and tablets in good standing with Intune and Workspace policies.

Build a solid foundational policy plan

A strong policy baseline reduces surprises. Start with clear requirements that balance security with user productivity. Focus on essential controls like encryption, strong passcodes, and up-to-date OS versions, while avoiding over‑restrictive rules that create friction.

• Define minimum standards: device encryption, password length, screen lock timing, and required app versions.
• Align with platform best practices: separate work and personal data where possible on Android, and minimize risky app exposure on iOS.
• Schedule regular policy reviews: a quarterly refresh ensures rules match evolving threats and product updates.

Why it helps: a clear, stable baseline makes it easier for users to stay compliant and for IT to diagnose drift before it blocks access.

Prioritize platform‑specific maintenance

Intune and Workspace work best when you treat Android and iOS as distinct ecosystems. Small, targeted checks for each platform prevent cross‑policy conflicts that trigger blocks.

• Android: verify work profiles stay intact after updates, and ensure background processes needed for compliance aren’t blocked.
• iOS: keep the OS within policy limits, monitor profile health, and verify trusted certificates are current.

What to do now: set up a quick weekly health check for profiles and check‑ins. A 10‑minute routine beats hours of troubleshooting later.

Regular enrollment and certificate hygiene

Enrollment health and certificate validity are often the silent blockers. When these are off, even a perfectly healthy device can look non-compliant.

• Re-enroll devices if enrollment data looks stale or profiles show as not trusted.
• Reissue or reimport certificates before they expire. Check for revocation lists and ensure the root authority is trusted.
• Keep Company Portal or MDM apps up to date. Modern clients fix many problems automatically.

Tip: create a simple certificate expiry alert for IT and end users. Proactive reminders stop last‑minute scrambles.

Keep licenses and user status synced

Licensing gaps or account issues surface as compliance blocks. Regular checks here prevent mid‑workday roadblocks.

• Confirm licenses for work apps are active and assigned to your user.
• Verify group memberships that grant device enrollment rights stay intact.
• Re-authenticate when roles change to refresh policy bundles and access rights.

How to act: if you notice a license lapse, report it to IT with your device model, OS version, and current app versions. A quick re-sync often fixes the root cause.

Streamline user and IT collaboration

A smooth feedback loop reduces downtime. End users should know exactly what to report, and IT should have a fast path to triage.

• Standardize error reporting: capture the exact message, device model, OS version, and app versions.
• Create a fast‑lane contact for urgent blocks: a short email template or a dedicated chat channel helps speed up resolution.
• Track the ticket with a basic status update. Visibility keeps everyone aligned and reduces back-and-forth.

Why this matters: clear communication shortens repair time and minimizes repeated issues across devices.

Implement a lightweight preflight for new devices

Preflight checks catch problems before devices hit users’ hands. This reduces disruption in onboarding and rollout waves.

• Use a zero‑touch setup where possible to push policy basics to new devices.
• Validate network reachability to management services during provisioning.
• Verify essential apps install and enroll successfully in the first run.

Result: fewer post‑deployment surprises and steadier user experience from day one.

Do a quick quarterly tech health audit

A short audit keeps compliance from slipping. It’s not a full rebuild, just a focused health check across key areas.

• Policy alignment: confirm current rules match security goals.
• Device health: verify encryption, passcodes, and OS versions.
• Certificate status: ensure all certificates are current and trusted.
• Access controls: test a compliant device can access a sample work app.

Outcome: a simple report highlights gaps and assigns owners for fixes, preventing bigger outages.

When to escalate to IT: clear signals

Know when to involve IT for faster, precise help. Escalation saves time and reduces frustration.

• Repeated noncompliance across multiple devices from different users.
• Clear error codes or messages that point to server or certificate issues.
• Policy drift after a platform update or license change.
• Enrollments that fail to push policies or profiles to devices.

If you’re unsure, share the exact error text, device model, and OS version with IT. A concise bug report accelerates resolution.

Quick takeaways you can apply today

• Keep a simple, well-documented baseline policy and review it regularly.
• Treat Android and iOS separately to avoid cross‑policy conflicts.
• Maintain fresh enrollment data and valid certificates; renew before expiration.
• Align licenses and user groups to prevent access blocks.
• Establish a fast IT feedback loop to cut downtime when issues arise.

By building discipline around these practices, you reduce the chance of compliance errors and keep your staff productive. If problems surface, your first move should be a quick check of enrollment health, policy status, and certificate validity. If those basics check out but issues persist, the path to resolution becomes a collaboration with IT.

In the next section, we’ll walk through a practical, step by step checklist to verify and restore access quickly when a device slips out of compliance. This practical guide pairs with the prevention tips to keep your team moving without lengthy outages.

Conclusion

Most device compliance blocks come down to a simple, repeatable sequence. Start with a quick sync, then update the OS if needed, and check the basics like network access and policy enrollment. These steps fix the majority of issues without a full reset.

Keep the process orderly. If the device still shows not compliant, recheck the policy assignment and reissue any expired certificates. A clean OS and fresh enrollment often clear stubborn blocks. In practice, a smartphone that stays connected and updated is far less likely to trip these checks.

The real value is in building a small, repeatable routine. Run the steps in order, verify the result, and involve IT only when a step reveals a specific error code or gap. Clear communication speeds up resolution and reduces downtime for everyone involved.

Final tip: test your setup on a reliable Wi-Fi network before switching to mobile data. A stable connection helps policy updates land correctly and avoids false negatives. If you’ve fixed the issue, drop a note in the comments to share what worked for you and help others.

Thank you for reading. If you found this guide helpful, consider leaving feedback or a quick update in the comments so future readers can benefit from your experience.