Overview of Intune Policies and Configurations

This article discusses how to create and manage assignments for compliance policies, configuration profile policies, and security policies through Nerdio Manager.

Overview

App configuration policies can help you eliminate app setup problems by allowing you to assign configuration settings to a policy that is assigned to end users before they actually run the app. You can create and use app configuration policies to provide configuration settings for various platforms such as iOS, iPadOS, macOS, Windows 10 or later, and Android apps. These configuration settings allow an app to be customized by using app configuration and management. The configuration policy settings are used when the app checks for these settings, which is typically the first time the app is run.

Intune makes it easy to deploy Windows security baselines to help you secure and protect your users and devices. Security baselines are groups of preconfigured Windows settings that help you apply and enforce granular security settings that are recommended by the relevant security teams.

Conditional Access policies are a key component of Azure Active Directory and are designed to work with the user identity. Based on the activities, roles, devices, and locations of a user, appropriate security policies are enacted to securely grant them access to the data they need.

Create a Policy

You can create configuration, compliance, security baseline, and conditional access policies.

Create a Configuration Policy

You can create a configuration policy in the Microsoft Endpoint Manager admin center.

To create a configuration policy:

1. Sign in to the Microsoft Endpoint Manager admin center with your MSP Azure tenant.

2. Navigate to Devices > Configuration.

3. Select Create policy.

4. Enter all the desired information. For example:

   

5. Once you have entered all the desired information, select Create.

Create a Compliance Policy

You can create a compliance policy in the Microsoft Endpoint Manager admin center.

To create a compliance policy:

1. Sign in to the Microsoft Endpoint Manager admin center with your MSP Azure tenant.

2. Navigate to Devices > Compliance.

3. Select Create policy.

4. Enter all the desired information. For example:

   

5. Once you have entered all the desired information, select Create.

Create a Security Baseline Policy

You can create a security baseline policy in the Microsoft Endpoint Manager admin center.

To create a security baseline policy:

1. Sign in to the Microsoft Endpoint Manager admin center with your MSP Azure tenant.

2. Navigate to Endpoint security > MDM Security Baseline > Profiles.

3. Select Create profile.

4. Enter all the desired information. For example:

   

5. Once you have entered all the desired information, select Create.

Create a Conditional Access Policy

You can create a conditional access policy in the Microsoft Endpoint Manager admin center.

To create a conditional access policy:

1. Sign in to the Microsoft Endpoint Manager admin center with your MSP Azure tenant.

2. Navigate to Endpoint security > Conditional Access > Policies.

3. Select New policy.

4. Enter all the desired information. For example:

   

5. Once you have entered all the desired information, select Create.

Manage Policies and Profiles in Nerdio Manager

In order to configure policies and profiles on devices, you need to assign policies and profiles to security groups and then manage Intune devices through security groups. You can view global policies and profiles at the MSP level and publish them down to accounts. In addition, Nerdio Manager allows partners to manage policies and profiles at the customer account level.

Import Policies and Profiles at the MSP Level

In addition to the built-in policies and profiles, Nerdio Manager allows you to import policies and profiles that are in the MSP's tenant. This provides the ability to create custom policies with advanced configurations. Once policies are imported at the global level, you can assign them to specific customer accounts.

To import policies and profiles at the MSP level:

1. In Nerdio Manager, at the MSP level, navigate to Intune.

2. Select Configuration profiles, Compliance policies, Security baselines, Conditional access, App Management, or Update Rings.

3. Select Import.

   

4. Enter the following information:

   • From the drop-down list, select whether to view policies or profiles from the MSP tenant or a Customer Account tenant.

   • Available Policy: Select the desired policies or profiles.

   • Overwrite if already exists: Select this option to re-import a policy or profile that already exists in Nerdio Manager.

     Note: When this option is selected, all the existing assignments stay the same.

   • Tags: From the drop-down list, select optional tags for the policy or profile. These tags are used for searching and organization.

5. Once you have entered all the desired information, select Import.

   The policy or profile is added to the table.

Assign Policies and Profiles to Customers at the MSP Level

You need to sign in to the Microsoft Endpoint Manager admin center with an MSP-level Azure tenant to create global-level compliance policies, configuration profiles, or security policies. You can only view them on Nerdio Manager.

Once policies are created at the global level, you can assign them to specific customer accounts.

To assign policies and profiles to customers at the MSP level:

1. In Nerdio Manager, at the MSP level, navigate to Intune.

2. Select Configuration profiles, Compliance policies, Security baselines, Conditional access, App Management, or Update Rings.

   For example:

   

3. Locate the policy or profile you wish to work with.

4. Select Assign and then select Add assignments.

   

5. Enter the following information:

   • Select assignments: From the drop-down list, select the account(s) to assign this policy or profile to.

     Note:

     • Select All to assign this policy or profile to all accounts.

     • If an account is grayed out, Intune may not be enable for the account. Hover over the account name for more information.

     • If Intune has been disabled for an account that has a policy or profile assigned to it, you receive this message.

       

   • Add: Select this option to add the selected customer account(s) to the existing assignments.

   • Overwrite: Select this option to replace the existing assignments with the new selection(s).

6. Once you have selected all the desired accounts, select Confirm.

Remove Assigned Policies and Profiles from Customers at the MSP Level

After policies and profiles have been assigned to customers, they can be removed from the customers.

To remove assigned policies and profiles from an account at the MSP level:

1. In Nerdio Manager, at the MSP level, navigate to Intune.

2. Select Configuration profiles, Compliance policies, Security baselines, Conditional access, App Management, or Update Rings.

3. Locate the policy or profile you wish to work with.

4. Select Assign.

   

5. Locate the account you wish to remove and select Remove.

Synchronize Assigned MSP-level Policies and Profiles with Customers

Nerdio Manager allows you to easily keep MSP-level policies and profiles that have been assigned to customers in sync at the customer account level.

To remove assigned policies and profiles from an account at the MSP level:

1. In Nerdio Manager, at the MSP level, navigate to Intune.

2. Select Configuration profiles, Compliance policies, Security baselines, Conditional access, App Management, or Update Rings.

3. Locate the policy or profile you wish to work with.

4. Select Assign.

   

5. Locate the account you wish to work with.

6. Select one of the following options:

   • Once: Select this option to perform the sync one time.

   • Keep in sync: Select this option to always keep the customer's policy or profile in sync with the MSP-level policy or profile.

7. Select Apply changes to apply the change and perform the sync.

Re-publish Policies and Profiles at the MSP Level

Once policies and profiles are created at the MSP level and assigned to customer accounts, they can be changed at the MSP level and re-published to the assigned customer accounts. This enables you to publish changes from the policies at MSP level to customer accounts.

To re-publish policies and profiles to customers at the MSP level:

1. In Nerdio Manager, at the MSP level, navigate to Intune.

2. Select Configuration profiles, Compliance policies, Security baselines, Conditional access, App Management, or Update Rings.

3. Locate the policy or profile you wish to re-publish.

4. From the action menu, select Re-publish.

5. On the confirmation pop-up window, review the information and select Confirm.

   Note: If Intune has been disabled for an account that has a policy or profile assigned to it, you receive this message.

   

Check for Configuration Drift of Policies and Profiles at the MSP Level

Once policies and profiles are created at the MSP level and assigned to customer accounts, you have the ability to check for configuration drift between the current state of Intune policies or profiles settings on the customer account level and the source policy on the MSP level.

To check for configuration drift of policies and profiles at the MSP level:

1. In Nerdio Manager, at the MSP level, navigate to Intune.

2. Select Configuration profiles, Compliance policies, Security baselines, Conditional access, App Management, or Update Rings.

3. Locate the policy or profile you wish to work with.

4. From the action menu, select Status.

   The Configuration Drift window displays.

   

5. Optionally, for a policy or profile that has drifted, select Re-publish to publish the changes to the customer.

   

Edit or Clone Policies and Profiles at the MSP Level

Once policies and profiles are created at the MSP level, they can be edited or cloned.

To edit or clone policies and profiles to customers at the MSP level:

1. In Nerdio Manager, at the MSP level, navigate to Intune.

2. Select Configuration profiles, Compliance policies, Security baselines, Conditional access, App Management, or Update Rings.

3. Locate the policy or profile you wish to clone.

4. From the action menu, select Edit or Clone.

5. In the Name tab, enter the following information:

   

   • Name: Type the new name of the policy or profile.

   • Description: Type the new description of the policy or profile.

   • Tags: From the drop-down list, select optional tags for the policy or profile. These tags are used for searching and organization.

6. Once you have entered all the Name information, select Next.

7. In the Settings tab, make the desired changes.

   Note: Nerdio Manager validates JSON syntax only. It does not check for valid Intune settings and values that are used in the JSON editor. Please refer to Intune documentation to validate, or use the Intune Portal to change settings using a GUI.

   

8. Once you have made all the desired changes in the Settings tab, select Finish.

   The edited policy or profile is updated with your changes. The cloned policy or profile is added to the table.

Import Built-in Device Compliance Policies at the MSP Level

By default, Intune uses a built-in compliance policy that validates the device compliancy based on the following characteristics:

• Does the user assigned to the device exist?

• Is the device in an active state?

• Are there any compliance policies assigned to the device?

By default, Intune can return a compliant state if no compliancy policies are assigned to the device based on the last of these 3 checks. However, you can change the behavior by changing the built-in policy. Besides the compliancy validation behavior, the built-in policy also allows you to specify the jailbreak detection method and compliance status validity. You can't scope the built-in policy to a group of users or devices, it's a tenant-level setting. Nerdio Manager allows you to manage this at scale by creating a built-in device compliance policy that you can apply to multiple customer accounts.

To import a built-in device Compliance Policy at the MSP level:

1. In Nerdio Manager, at the MSP level, navigate to Intune > Compliance policies.

2. Select Add Built-in Device Compliance Policy.

3. In the Name tab, enter the following information:

   

   • Name: Type the new name of the built-in device compliance policy.

   • Description: Type the new description of the policy.

   • Tags: From the drop-down list, select optional tags for the policy. These tags are used for searching and organization.

4. Once you have entered all the Name information, select Next.

5. In the Settings tab, make the desired changes.

   

6. Once you have made all the desired changes in the Settings tab, select Next.

7. In the Assignments tab, from the drop-down list, select the account(s) to assign this policy to.

   

8. Once you have entered all the desired information on all the tabs, select Finish.

   The built-in device compliance policy is added to the table.

Bulk Actions on Policies and Profiles at the MSP Level

Nerdio Manager manager allows you to perform bulk actions on policies or profiles.

To perform bulk actions on policies and profiles at the MSP level:

1. In Nerdio Manager, at the MSP level, navigate to Intune.

2. Select Configuration profiles, Compliance policies, Security baselines, Conditional access, App Management, or Update Rings.

3. Select the policies or profiles you wish to perform bulk actions on.

4. Once you have selected all the desired policies or profiles, at the bottom of the table select Select bulk action, and then select any of the relevant actions that apply to the policies or profiles.

   

   Note: For example, you selected 4 Configuration Profiles, with only 2 assigned to customers. The action menu displays the following:

   • Assign selected (4)

   • Re-publish selected (2)

   That is, only the 2 profiles are assigned, so only those 2 can be re-published to the assigned customers. In addition, all 4 profiles can be assigned to customers.

Manage Policies and Profiles at the Account Level

Once policies and profiles are assigned to an account at the MSP level, Nerdio Manager allows you to include or exclude groups within the assigned policies and profiles.

To include or exclude groups to an assigned policy or profile:

1. In Nerdio Manager, at the Account level, navigate to Intune.

2. Select Configuration profiles, Compliance policies, Security baselines, App Management, or Update Rings.

   For example:

   

3. Locate the policy or profile you wish to work with and select Assign.

   

4. Enter the following information:

   • Included Groups: From the drop-down list, select the groups to include.

     • All users: Select this option to create an assignment for all Intune licensed users in your organization.

       Note: You can only use the All users and All devices options for one type of assignment.

     • All devices: Select this option to create an assignment for all Intune enrolled devices.

   • Excluded Groups: From the drop-down list, select the groups to exclude.

5. Once you have made the desired selections, select Confirm.

   The assignment task starts.

6. Track the assignment task's progress in the Tasks section.

7. Once the task completes, you can view the number of assigned and excluded groups.

   

To manage Conditional Access policies:

1. In Nerdio Manager, at the Account level, navigate to Intune > Conditional access.

   

2. In the Conditional Access Policies section, locate the policy you wish to work with and select Assign.

   

3. Enter the following information:

   • Assignments: Select whether to include all users or only selected users and groups.

   • Included Users and Groups: From the drop-down list, select the users and groups to include.

   • Excluded Users and Groups: From the drop-down list, select the users and groups to exclude.

   • Enable policy: Select whether the policy should be enabled, disabled, or for reporting only.

4. Once you have entered all the desired information, selectConfirm.

To remove assigned or excluded groups from policies and profiles at the Account level:

1. In Nerdio Manager, at the Account level, navigate to Intune.

2. Select Configuration profiles, Compliance policies, Security baselines, Conditional access, App Management, or Update Rings.

3. Locate the policy or profile you wish to work with.

4. Select Assign.

   

5. Locate the group you wish to remove and select either X.

6. Once you have removed all the desired groups, select Confirm.

Bulk Actions on Policies and Profiles at the Account Level

Nerdio Manager manager allows you to perform bulk actions on policies or profiles.

To perform bulk actions on policies and profiles at the Account level:

1. In Nerdio Manager, at the Account level, navigate to Intune.

2. Select Configuration profiles, Compliance policies, Security baselines, Conditional access, App Management, or Update Rings.

3. Select the policies or profiles you wish to perform bulk actions on.

4. Once you have selected all the desired policies or profiles, at the bottom of the table select Select bulk action, and then select any of the relevant actions that apply to the policies or profiles.

   

Manage Policies and Profiles at the Account Level via the Microsoft Endpoint Manager admin center

You may also manage policies and profiles are assigned to an account using the Microsoft Endpoint Manager admin center.

To manage policies and profiles at the Account level via the Microsoft Endpoint Manager admin center:

1. Sign in to the Microsoft Endpoint Manager admin center with your Account Azure tenant.

   

2. Select a desired policy or profile.

   

3. Optionally, you may change the groups to include and exclude. In addition, you may create a new profile.

   Note: All changes made using the Microsoft Endpoint Manager admin center are reflected in Nerdio Manager.

Manage Intune Devices through Security Groups

Nerdio Manager allows you to associate Intune devices to security groups.

To associate Intune devices to security groups:

1. In Nerdio Manager, at the Account level, navigate to Groups.

   

2. Locate the security group you wish to work with.

   Note: The option Manage Intune Devices is not available for Microsoft 365 groups.

3. From the action menu, select Manage Intune Devices.

   

4. Select the Members to assign to the Group.

5. Once you have made all the desired selections, select Confirm.

6. Optionally, sign in to the Microsoft Endpoint Manager admin center with your Account's Azure tenant.

7. Navigate to the security group. The assigned device is shown.

   

8. Navigate to Devices > Configuration policies, in the Properties tab for "Intune data collection policy," you can see the new device.