Overview of Intune Policies and Configurations

This article discusses how to create and manage assignments for compliance policies, configuration profile policies, and security policies through Nerdio Manager.

Overview

App configuration policies can help you eliminate app setup problems by allowing you to assign configuration settings to a policy that is assigned to end users before they actually run the app. You can create and use app configuration policies to provide configuration settings for various platforms such as iOS, iPadOS, macOS, Windows 10 or later, and Android apps. These configuration settings allow an app to be customized by using app configuration and management. The configuration policy settings are used when the app checks for these settings, which is typically the first time the app is run.

Intune makes it easy to deploy Windows security baselines to help you secure and protect your users and devices. Security baselines are groups of preconfigured Windows settings that help you apply and enforce granular security settings that are recommended by the relevant security teams.

Conditional Access policies are a key component of Azure Active Directory and are designed to work with the user identity. Based on the activities, roles, devices, and locations of a user, appropriate security policies are enacted to securely grant them access to the data they need.

Create a Policy

You can create configuration, compliance, security baseline, and conditional access policies.

Create a Configuration Policy

You can create a configuration policy in the Microsoft Endpoint Manager admin center.

To create a configuration policy:

  1. Sign in to the Microsoft Endpoint Manager admin center with your MSP Azure tenant.

  2. Navigate to Devices > Configuration.

  3. Select Create policy.

  4. Enter all the desired information.

  5. Once you have entered all the desired information, select Create.

Create a Compliance Policy

You can create a compliance policy in the Microsoft Endpoint Manager admin center.

To create a compliance policy:

  1. Sign in to the Microsoft Endpoint Manager admin center with your MSP Azure tenant.

  2. Navigate to Devices > Compliance.

  3. Select Create policy.

  4. Enter all the desired information.

  5. Once you have entered all the desired information, select Create.

Create a Security Baseline Policy

You can create a security baseline policy in the Microsoft Endpoint Manager admin center.

To create a security baseline policy:

  1. Sign in to the Microsoft Endpoint Manager admin center with your MSP Azure tenant.

  2. Navigate to Endpoint security > MDM Security Baseline > Profiles.

  3. Select Create profile.

  4. Enter all the desired information.

  5. Once you have entered all the desired information, select Create.

Create a Conditional Access Policy

You can create a conditional access policy in the Microsoft Endpoint Manager admin center.

To create a conditional access policy:

  1. Sign in to the Microsoft Endpoint Manager admin center with your MSP Azure tenant.

  2. Navigate to Endpoint security > Conditional Access > Policies.

  3. Select New policy.

  4. Enter all the desired information.

  5. Once you have entered all the desired information, select Create.

Manage Policies in Nerdio Manager

In order to configure policies on devices, you need to assign policies to security groups and then manage Intune devices through security groups. You can view global policies at the MSP level and publish them down to accounts. In addition, Nerdio Manager allows partners to manage policies and configuration settings at the customer account level.

Manage Policies and Profiles at the MSP Level

You need to sign in to the Microsoft Endpoint Manager admin center with an MSP-level Azure tenant to create global-level compliance policies, configuration profiles, or security policies. You can only view them on Nerdio Manager.

Once policies are created at the global level, you can assign them to specific customer accounts.

To assign policies and profiles to customers at the MSP level:

  1. In Nerdio Manager, at the MSP level, navigate to Intune > Global policies.

  2. In the Compliance Policies and Configuration Profiles section, locate the policy or profile you wish to work with.

  3. Select Assign.

  4. From the drop-down list, select the account(s) to assign this policy or profile to.

    Note:

    • Select All to assign this policy or profile to all accounts.

    • If an account is grayed out, Intune may not be enabled for the account. Hover over the account name for more information.

    • If Intune has been disabled for an account that has a policy or profile assigned to it, you receive a message to that effect.

  5. Once you have selected all the desired accounts, select Confirm.

  6. Similarly, in the Security Policies section, locate the policy you wish to work with.

  7. From the action menu, select Assign.

  8. From the drop-down list, select the account(s) to assign this policy.

    Note: Select All to assign this policy to all accounts.

  9. Once you have selected all the desired accounts, select Confirm.

Note: Nerdio Manager shows the current assignments in the policy/profile list.

To remove assigned policies and profiles from an account at the MSP level:

  1. In Nerdio Manager, at the MSP level, navigate to Intune > Global policies.

  2. Locate the policy or profile you wish to work with.

  3. Select Assign.

  4. Locate the account you wish to remove and select the X next to it.

  5. When prompted, select Remove this policy from account's tenant when account assignment is removed to remove the policy or profile from the account.

    Note: If you do not select Remove this policy from account's tenant when account assignment is removed, the account is removed from the policy or profile, but you can continue to manage the policy or profile at the account level.

  6. Once you have entered all the desired information, select Confirm.

Re-publish Policies and Profiles at the MSP Level

Once policies and profiles are created at the MSP level and assigned to customer accounts, they can be changed at the MSP level and re-published to the assigned customer accounts. This enables you to keep the policies and profiles synchronized.

Note: This option is only available for policies and profiles that are assigned to customer(s).

To re-publish policies and profiles to customers at the MSP level:

  1. In Nerdio Manager, at the MSP level, navigate to Intune > Global policies.

  2. Locate the policy or profile you wish to re-publish.

  3. From the action menu, select Re-publish.

  4. On the confirmation pop-up window, review the information and select Confirm.

    Note: If Intune has been disabled for an account that has a policy or profile assigned to it, you receive a message to that effect.

Manage Policies and Profiles at the Account Level

Once policies and profiles are assigned to an account at the MSP level, Nerdio Manager allows you to include or exclude groups within the assigned policies and profiles.

To include or exclude groups in an assigned policy or profile:

  1. In Nerdio Manager, at the Account level, navigate to Intune > Policies.

  2. Locate the policy or profile you wish to work with and select Assign.

  3. Enter the following information:

    • Included Groups: From the drop-down list, select the groups to include.

      • All users: Select this option to create an assignment for all Intune licensed users in your organization.

        Note: You can only use the All users and All devices options for one type of assignment.

      • All devices: Select this option to create an assignment for all Intune enrolled devices.

    • Excluded Groups: From the drop-down list, select the groups to exclude.

  4. Once you have made the desired selections, select Confirm.

    The assignment task starts.

  5. Track the assignment task's progress in the Policies Tasks section.

  6. Once the task completes, you can view the number of assigned and excluded groups.

To include or exclude groups in a Conditional Access policy:

  1. In Nerdio Manager, at the Account level, navigate to Intune > Policies.

  2. In the Conditional Access Policies section, locate the policy you wish to work with and select Assign.

  3. Enter the following information:

    • Assignments: Select whether to include all users or only selected users and groups.

    • Included Users and Groups: From the drop-down list, select the users and groups to include.

    • Excluded Users and Groups: From the drop-down list, select the users and groups to exclude.

  4. Once you have entered all the desired information, select Confirm.

To remove assigned or excluded groups from policies and profiles at the Account level:

  1. In Nerdio Manager, at the Account level, navigate to Intune > Policies.

  2. Locate the policy or profile you wish to work with.

  3. Select Assign.

  4. Locate the group you wish to remove and select the X next to it.

  5. Once you have removed all the desired groups, select Confirm.

Manage Policies and Profiles at the Account Level via the Microsoft Endpoint Manager admin center

You may also manage policies and profiles that are assigned to an account using the Microsoft Endpoint Manager admin center.

Note: All changes made using the Microsoft Endpoint Manager admin center are reflected in Nerdio Manager. Conversely, all changes made in Nerdio Manager are reflected in the Microsoft Endpoint Manager admin center.

To manage policies and profiles at the Account level via the Microsoft Endpoint Manager admin center:

  1. Sign in to the Microsoft Endpoint Manager admin center with your Account Azure tenant.

  2. Select a desired policy or profile.

  3. Optionally, you may change the groups to include and exclude. In addition, you may create a new profile.

    Note: All changes made using the Microsoft Endpoint Manager admin center are reflected in Nerdio Manager.

Manage Intune Devices through Security Groups

Nerdio Manager allows you to associate Intune devices to security groups.

To associate Intune devices to security groups:

  1. In Nerdio Manager, at the Account level, navigate to Groups.

  2. Locate the security group you wish to work with.

    Note: The option Manage Intune Devices is not available for Microsoft 365 groups.

  3. From the action menu, select Manage Intune Devices.

  4. Select the Members to assign to the Group.

  5. Once you have made all the desired selections, select Confirm.

  6. Optionally, sign in to the Microsoft Endpoint Manager admin center with your Account's Azure tenant.

  7. Navigate to the security group. The assigned device is shown.

  8. Navigate to Devices > Configuration policies. In the Properties tab for "Intune data collection policy," you can see the new device.
