Intune - Jailbroken or rooted device accessing corporate resources
Intune Jailbroken Rooted Device
Query
// Mobile-only: jailbreak/root signals are meaningful only on iOS/iPadOS/Android.
// Windows/macOS/Linux endpoints can report Jail="Unknown" and would otherwise
// generate false positives, so they are filtered out in both branches with an
// explicit allow-list AND an explicit deny-list (belt-and-suspenders).
let MobileOS = dynamic(["iOS","iPadOS","Android"]);
let DesktopOS = dynamic(["Windows","macOS","Mac OS","Linux"]);
let risky =
IntuneDevices
| where TimeGenerated > ago(1d)
| extend Jail = tostring(column_ifexists("JailBroken", ""))
| where Jail =~ "True" or Jail =~ "Yes" or Jail =~ "Unknown"
| extend OS = tostring(OS)
| where OS has_any (MobileOS) and not(OS has_any (DesktopOS))
// Drop the noisy "Unknown" status unless we have a confirmed mobile OS string
| where Jail !~ "Unknown" or OS in~ ("iOS","iPadOS","Android")
| summarize arg_max(TimeGenerated, *) by DeviceId = tostring(DeviceId)
| project DeviceId, DeviceName = tostring(DeviceName),
UPN = tolower(tostring(UPN)), OS,
OSVersion = tostring(OSVersion), Jail;
let compRisky =
IntuneDeviceComplianceOrg
| where TimeGenerated > ago(1d)
| where ComplianceState in~ ("Jailbroken","Rooted")
| extend OS = tostring(OSDescription)
| where OS has_any (MobileOS) and not(OS has_any (DesktopOS))
| summarize arg_max(TimeGenerated, *) by DeviceId = tostring(DeviceId)
| project DeviceId, DeviceName = tostring(DeviceName),
UPN = tolower(tostring(column_ifexists("UPN", column_ifexists("UserPrincipalName", "")))),
OS, OSVersion = "",
Jail = ComplianceState;
union isfuzzy=true risky, compRisky
| where OS has_any (MobileOS) and not(OS has_any (DesktopOS))
| summarize arg_max(DeviceName, *) by DeviceId
| extend AccountCustomEntity = UPN, HostCustomEntity = DeviceNameExplanation
This query is designed to identify mobile devices that are jailbroken (iOS) or rooted (Android) and are accessing corporate resources. Here's a simple breakdown of what the query does:
-
Purpose: The query aims to detect devices that have compromised security models (jailbroken or rooted) and should not be allowed to access corporate tokens.
-
Severity: The issue is considered high severity, indicating a significant security risk.
-
Data Sources: It uses data from Intune logs, specifically focusing on device information and compliance status.
-
Frequency and Duration: The query runs every hour and looks at data from the past day.
-
Logic:
- It first defines which operating systems are considered mobile (iOS, iPadOS, Android) and which are desktop (Windows, macOS, Linux).
- It checks two data sets:
- IntuneDevices: Looks for devices marked as jailbroken or rooted.
- IntuneDeviceComplianceOrg: Looks for devices with compliance states indicating they are jailbroken or rooted.
- It filters out non-mobile devices to avoid false positives.
- It combines results from both data sets to identify risky devices.
- It ensures that only confirmed mobile devices with a jailbroken or rooted status are flagged.
-
Output: The query outputs a list of devices with details like device ID, name, user principal name (UPN), operating system, and jailbroken/rooted status.
-
Entity Mappings: It maps the results to account and host entities for further analysis.
-
Version and Status: The query is version 1.0.2 and is currently available as a scheduled task.
Overall, this query helps organizations monitor and manage security risks associated with compromised mobile devices accessing corporate resources.
Details

David Alonso
Released: April 28, 2026
Tables
Keywords
Operators
Severity
HighTactics
Frequency: 1h
Period: 1d