Google Play’s new strong integrity requirements for Android 13+ mandate hardware-backed security and recent patches by Sept 30, 2025. Microsoft Intune updates app protection and compliance policies to help admins enforce these changes smoothly, ensuring device security and user compliance.

Google Play Strong Integrity Update: What You Need to Know
Google rolled out a significant update in May 2025 targeting Android 13 and above. This update requires devices to use hardware-backed security signals and have a security patch released within the last 12 months to pass the strong integrity check. For organizations managing Android devices, this means adjusting compliance and app protection policies to stay compliant.
Major Changes and Deadlines
Microsoft Intune has aligned its policies with Google’s new requirements, and strong integrity enforcement will be fully in effect by September 30, 2025. If your devices don’t meet these standards, you should have already seen a notification in your Microsoft Message Center (MC1085670).
“Microsoft Intune will enforce the strong integrity requirements by September 30, 2025.”
It’s crucial to identify non-compliant devices early to avoid disruptions. Intune admins can configure policies to warn or block users whose devices fall short.
How to Configure Compliance Policies in Intune
Setting up compliance policies is straightforward. Navigate to the Intune admin center and create or update an Android Enterprise compliance policy. You’ll find the “Minimum security patch level” setting under Device Health or System Security. Set it to a date less than 12 months old, formatted as YYYY-MM-DD.
Additionally, you can configure a “grace period” by scheduling how many days after noncompliance a device is marked non-compliant. This lets you notify users before blocking access.
“By configuring the setting ‘Schedule (days after noncompliance)’, devices won’t be blocked immediately.”
App Protection Policies: Conditional Launch Settings
Beyond compliance policies, App Protection Policies (APP) can enforce minimum OS and patch versions. In the Intune admin center, create or update an APP policy targeting Android. Under Device conditions, set the minimum OS version to 13.0 or higher and the minimum patch version to a date less than 12 months old.
Actions for non-compliance can be set to block access, wipe data, or warn users. This layered approach helps maintain security without abruptly cutting off users.
Monitoring and Reporting
Intune offers detailed reports to track your device fleet’s OS and patch levels. Use the App Protection Status report to filter by platform and security patch version. For user-less devices, check the Devices view in Intune to see OS and patch details.
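To triage a fleet ahead of the deadline, the OS and patch details from those views can be checked offline against the 12-month rule. The script below is an added example, not Microsoft's or Google's code. The CSV column names and device rows are constructed for illustration and are not Intune's report schema, and treating a patch exactly 12 months old as stale is an assumption.

```python
import csv
import io
from datetime import date

# Constructed sample inventory; column names are assumptions, not Intune's export schema.
SAMPLE_CSV = """device,os_version,patch_level
pixel-7-01,14,2025-08-05
galaxy-a53-02,13,2024-09-01
tab-kiosk-03,13.0,2024-09-30
moto-g-04,12,2023-01-05
zebra-tc-05,13,
"""

def cutoff_date(as_of: date) -> date:
    """Date exactly 12 months before as_of (Feb 29 falls back to Feb 28)."""
    try:
        return as_of.replace(year=as_of.year - 1)
    except ValueError:
        return as_of.replace(year=as_of.year - 1, day=28)

def classify(os_version: str, patch_level: str, as_of: date) -> str:
    """Return ok, stale_patch, out_of_scope (below Android 13) or unknown."""
    try:
        major = int(os_version.split(".")[0])
    except ValueError:
        return "unknown"          # unparseable OS version: review by hand
    if major < 13:
        return "out_of_scope"     # the new rule targets Android 13 and above
    try:
        patch = date.fromisoformat(patch_level.strip())
    except ValueError:
        return "unknown"          # missing or malformed patch level
    # Assumption: "less than 12 months old" is strict, so the cutoff day itself fails.
    return "ok" if patch > cutoff_date(as_of) else "stale_patch"

def triage(csv_text: str, as_of: date) -> dict:
    """Group device names by status for the given evaluation date."""
    result = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        status = classify(row["os_version"] or "", row["patch_level"] or "", as_of)
        result.setdefault(status, []).append(row["device"])
    return result

if __name__ == "__main__":
    for status, devices in triage(SAMPLE_CSV, date(2025, 9, 30)).items():
        print(f"{status}: {', '.join(devices)}")
```

Devices in the `stale_patch` and `unknown` groups are the ones to notify first, since they are the ones a warn-or-block policy would affect.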
Final Thoughts
Preparing for Google Play’s strong integrity enforcement is essential for Android device security. Use Intune’s compliance and app protection policies to identify and manage non-compliant devices. Start notifying users early to ensure smooth transitions before the September 2025 deadline.
If you have questions or want to share feedback, reach out on Twitter @IntuneSuppTeam or LinkedIn.
From the Intune Customer Success articles
