Overview of Intune Policies and Configurations

Applies to: Nerdio Manager for MSP (NMM) v3.0.0+


In this article, we will learn how to create and manage assignments for compliance policies, configuration profile policies, and security policies through Nerdio.

App configuration policies can help you eliminate app setup problems by letting you assign configuration settings to a policy that is assigned to end-users before they actually run the app. You can create and use app configuration policies to provide configuration settings for various platforms such as iOS/iPadOS, macOS, Windows 10 or later, and Android apps. These configuration settings allow an app to be customized by using app configuration and management. The configuration policy settings are used when the app checks for these settings, typically the first time the app is run.

Intune makes it easy to deploy Windows security baselines to help you secure and protect your users and devices. Security baselines are groups of pre-configured Windows settings that help you apply and enforce granular security settings that are recommended by the relevant security teams.

Conditional Access policies are a key component of Azure Active Directory and are designed to work with the user identity. Based on the activities, roles, devices, and locations of a user, appropriate security policies are enacted to give them access only to the data they need and in a secure way.



Create a policy

Creating a configuration policy

You can create compliance policies, configuration profile policies, and security policies in the Microsoft Endpoint Manager admin center. Log in to the Microsoft Endpoint Manager admin center, navigate to Devices > Configuration profiles, and click the Create policy button. Enter the relevant information and create a configuration profile policy (for iOS/iPadOS, for example) as shown below:


Creating a compliance policy

Similarly, navigate to Devices > Compliance policies and click the Create policy button. Enter the relevant information and create a compliance policy for Android devices as shown below:

Creating a security baseline policy

Similarly, navigate to Endpoint security > MDM Security Baseline and click the Create profile button. Enter the relevant information and create a security profile policy as shown below:



Creating a conditional access policy

Similarly, navigate to Endpoint security > Conditional Access and click the New policy button. Enter the relevant information and create a conditional access policy as shown below:


View and manage policies on NMM portal

To configure policies on devices, you assign the policies to security groups and then manage Intune devices through those security groups.

NMM allows partners to manage policies and configuration settings at the (customer) account level. Starting with v3.8.0, you can also view global policies at the MSP level and publish them down to accounts.

Managing policies at MSP level

Log into your NMM partner install and navigate to Intune>Global policies:


Note: You need to log into the Microsoft Endpoint Manager admin center with an MSP-level Azure tenant to create global-level compliance, configuration profile, or security policies. You can only view them in NMM.

Once policies are created at the global level, you can assign them to specific customer accounts. Click the "Assign" button next to the selected policy as shown below:


Select the account, say "(1) Nube Hart, Inc.demo-test", to which you wish to assign this policy and click the "Confirm" button:


Note: If an account is disabled for assignment, you will see this message:


Once you click the "Confirm" button, you will find that the account "(1) Nube Hart, Inc.demo-test" is assigned to the selected policy:



Now log into your account "(1) Nube Hart, Inc.demo-test", navigate to Intune>Policies and look for the policy "testvpn1" under the Compliance policies and Configuration profiles section:


Note: The timestamp in the "LAST MODIFIED" column indicates the time when the policy was created at MSP level. 

Click the "Assign" button next to the policy "testvpn1" and you will see the pop-up below:


Select "Included Groups" and "Excluded Groups" from the drop-down and click the "Confirm" button:


You can track the progress of related tasks under "Policies tasks" section:


Once the task completes, you will find that "Included Groups" and "Excluded Groups" are updated under "Assignments" column:


Log onto Microsoft Endpoint Manager admin center with your account's Azure tenant to view the policy settings and updated assignments:


Note: Here you will find two rows for "testvpn1" policy, one created on 11/18/2022 is the policy at account level and one created on 11/17/2022 is the global policy at MSP level.

Select the one created on 11/18/2022 and click on the policy name "testvpn1":


You will find the same "Included Groups" and "Excluded Groups" settings as created on NMM portal for policy "testvpn1". 

You can also update policy settings such as "Included Groups" and "Excluded Groups" in the Microsoft Endpoint Manager admin center, and the changes will be reflected in the NMM portal.

Similarly, you can update compliance policies, configuration profiles and security policies on NMM portal and view them on Microsoft Endpoint Manager admin center, and vice versa.
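
The comparison described above (the same Included Groups and Excluded Groups on both sides) can also be checked from an exported assignment list. The following is an added example, not code from Nerdio or Microsoft: it assumes the assignments are available as JSON in the Microsoft Graph assignment shape, the group IDs are constructed placeholders, and the function names are hypothetical.

```python
import json

# Target types used in Microsoft Graph policy assignment objects.
INCLUDE = "#microsoft.graph.groupAssignmentTarget"
EXCLUDE = "#microsoft.graph.exclusionGroupAssignmentTarget"
TENANT_WIDE = {
    "#microsoft.graph.allDevicesAssignmentTarget",
    "#microsoft.graph.allLicensedUsersAssignmentTarget",
}

# Constructed sample in the assumed Graph "assignments" response shape.
SAMPLE_RESPONSE = json.dumps({"value": [
    {"target": {"@odata.type": INCLUDE, "groupId": "GROUP-ID-INCLUDED"}},
    {"target": {"@odata.type": EXCLUDE, "groupId": "GROUP-ID-EXCLUDED"}},
    {"target": {"@odata.type": INCLUDE, "groupId": "GROUP-ID-EXCLUDED"}},
    {"target": {"@odata.type": "#microsoft.graph.allDevicesAssignmentTarget"}},
]})

def summarize_assignments(raw_json):
    """Split assignment targets into included, excluded and tenant-wide sets."""
    included, excluded, broad, unknown = set(), set(), set(), set()
    for item in json.loads(raw_json).get("value", []):
        target = item.get("target") or {}
        kind, gid = target.get("@odata.type", ""), target.get("groupId")
        if kind == INCLUDE and gid:
            included.add(gid)
        elif kind == EXCLUDE and gid:
            excluded.add(gid)
        elif kind in TENANT_WIDE:
            broad.add(kind)
        else:
            unknown.add(kind or "<missing @odata.type>")
    return {"included": included, "excluded": excluded,
            "broad": broad, "unknown": unknown}

def audit_assignments(raw_json, expected_included, expected_excluded):
    """Compare the exported targets with the groups selected in the portal."""
    s = summarize_assignments(raw_json)
    want_in, want_ex = set(expected_included), set(expected_excluded)
    return {
        "conflicts": sorted(s["included"] & s["excluded"]),  # in both lists
        "unexpected_included": sorted(s["included"] - want_in),
        "missing_included": sorted(want_in - s["included"]),
        "unexpected_excluded": sorted(s["excluded"] - want_ex),
        "missing_excluded": sorted(want_ex - s["excluded"]),
        "tenant_wide": sorted(s["broad"]),  # applies beyond the chosen groups
        "unknown": sorted(s["unknown"]),
    }
```

Any non-empty list in the result is a difference between what was selected under "Included Groups" and "Excluded Groups" and what the export contains.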

To learn about managing policies at the account level, refer to the Managing policies at account level section.

To remove or unassign account (say account 1) from a policy (testvpn1), log into NMM portal at MSP level and navigate to Intune>Global policies and click "Assign" button next to it:


Click "x" on the account (1) Nube Hart Inc, demo-test and you will see a checkbox as shown below:


Check "Remove this policy from account's tenant when account assignment is removed" checkbox to remove policy "testvpn1" from account level. "Account (1) Nube Hart Inc, demo-test" assignment will be removed from policy "testvpn1". Also, you will no longer find policy "testvpn1" at account level. It will only be available under Intune>Global policies as shown below:


If you don't select "Remove this policy from account's tenant when account assignment is removed" checkbox and simply click "Confirm" button, only "Account (1) Nube Hart Inc, demo-test" assignment will be removed from policy "testvpn1". You can continue managing policy "testvpn1" at account level. 

Managing policies at account level

To view and manage policies on the NMM portal, log into your account. Navigate to INTUNE>Policies tab:


Viewing compliance and configuration policies

You can view all policies created on the Microsoft Endpoint admin center on this page:


Hover on the icon by the policy name to view its type:



Viewing security baseline policies

Scroll down to view the security baseline policies on the same page under Security policies section:



Viewing conditional access policies

Scroll down to view conditional access policies on the same page under Conditional Access Policies section:


Assign groups to a policy

To assign policies to security groups, navigate to INTUNE>Policies tab. Select a policy (say Intune data collection policy) and click Assign button next to it:


On the pop-up, select a security group (say 12MSecurityGroupfromOffice) and assign it to Included Groups and optionally select another security group (say DnsUpdatePolicy) and assign it to Excluded Groups. Click Confirm button:


You can track the progress of Update Policy Assignments tasks under Policies tasks section:


Manage Intune device through security groups

The next step is to associate Intune devices to security groups. Navigate to Groups section and select the same security group (say 12MSecurityGroupfromoffice) to which you want to associate an Intune device. Expand the Edit action menu and select Manage Intune Devices:


Note: The Manage Intune Devices option is not available for M365 groups:


On the "Manage Intune devices" pop-up, select the Intune device (say TESTP1) and click Confirm button:


You can track the progress of Group device assignment tasks under Group tasks section:


Once the task completes successfully, you can see that the device "TESTP1" is assigned to security group (12MSecurityGroupfromoffice) on Microsoft Endpoint Manager admin center:



Also, when you navigate to Devices>Configuration policies and view Properties tab for "Intune data collection policy", you will find device "TESTP1" associated with the "Intune data collection policy":


In this way, you can manage your Intune device settings with the help of policies and baseline configurations.
