Forum Discussion
How to set different policy sets for different Apple devices with Endpoint/Intune?
- Jul 12, 2022
Do you see the policy set and/or its content being applied in the portal at all?
- They aren't applied to the profile. When I install the profile and check, there is no policy set!
Is nothing in the set applied or are only specific policies missing?
- Nothing, actually the whole created 'Configuration profile' is not applied to the profile at all!
Do the policies apply if you assign them to the groups directly (circumventing Policy Sets completely)?
- I did create 2 groups (staff/managers) and assigned Azure users from 'All Users',
then 2 Compliance Policies (staff/managers) -> assigned each group to a related policy,
and 2 Configuration profiles (staff/managers) -> assigned each group to a related policy,
the 1 policy set and assigned them to the Device management section,
then I added them to a policy set and assigned the policy set to All Devices.
Not sure what I did wrong?
I did delete them from the policy set and tested the profile; still not working.
I am wondering how I can assign them to the groups directly without the policy set?
So, to make sure I understand you correctly (just making things up here, it's about the structure and mostly how things are assigned).
Policy Set "Manager"
Assigned to the virtual "All devices" group.
- Configuration Profile "Manager"
  Assigned to "Managers" ("All users") group
- Compliance Policy "Manager"
  Assigned to "Managers" ("All users") group
Policy Set "Staff"
Assigned to the virtual "All devices" group.
- Configuration Profile "Staff"
  Assigned to "Staff" ("All users") group
- Compliance Policy "Staff"
  Assigned to "Staff" ("All users") group
You are already assigning the Configuration Profiles and Compliance Policies to the groups directly (which answers my question).
I don't think you even need Policy Sets right now, so I suggest you remove them from the equation to reduce complexity. As you already removed the separate items from the Policy Sets and they're still not working, start troubleshooting them one by one, starting with the most simple setup.
Finally, just a little afterthought: are you sure your Apple devices are enrolled with user affinity? If not, you can't assign anything to users.
- Oemgroup, Jul 14, 2022, Copper Contributor
Thank you NielsScheffers
All devices are enrolled without user affinity.
I did remove Policy sets, created 2 groups of devices, and added related devices to each group by setting Dynamic membership rules and using Device Category for the rules, then created and assigned:
Configuration Profile for "Staff"
Assigned to ("All Staff Devices") group
Compliance Policy for "Staff"
Assigned to ("All Staff Devices") group
Configuration Profile for "Managers"
Assigned to ("All Manager Devices") group
Compliance Policy for "Managers"
Assigned to ("All Manager Devices") group
When I check enrolled devices on the endpoint device properly, Device compliance and Device configuration are set up correctly for each group; the only thing is that all policies have not been applied to phones after more than 24 hours!
From every phone's settings > profile management > restriction, some of the policies that I identified aren't there! And on the endpoint they just show as Not applicable!
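An offline check for the two conditions raised in this thread (user affinity, and Device Category driving dynamic device groups), as an added example that is not part of any post. It uses the Microsoft Graph managedDevice field names; the sample records, the category-to-group mapping and the function names are constructed for illustration.

```python
# Added example (not from the thread): audit managed-device records for the two
# conditions discussed above. Field names follow the Microsoft Graph managedDevice
# resource; the records, mapping and function names are constructed.

# Assumption: dynamic device groups keyed on Device Category, as the poster set up.
CATEGORY_TO_GROUP = {
    "Staff": "All Staff Devices",
    "Managers": "All Manager Devices",
}

SAMPLE_DEVICES = [  # constructed sample data
    {"deviceName": "iPhone-01", "operatingSystem": "iOS",
     "userPrincipalName": "", "deviceCategoryDisplayName": "Staff"},
    {"deviceName": "iPhone-02", "operatingSystem": "iOS",
     "userPrincipalName": "manager1@example.com", "deviceCategoryDisplayName": "Managers"},
    {"deviceName": "iPad-03", "operatingSystem": "iPadOS",
     "userPrincipalName": None, "deviceCategoryDisplayName": None},
    {"deviceName": "PC-04", "operatingSystem": "Windows",
     "userPrincipalName": "staff1@example.com", "deviceCategoryDisplayName": "Staff"},
]


def audit_device(device):
    """Return which assignment targets can reach one device, plus findings."""
    upn = (device.get("userPrincipalName") or "").strip()
    category = (device.get("deviceCategoryDisplayName") or "").strip()
    group = CATEGORY_TO_GROUP.get(category)
    findings = []
    if not upn:
        findings.append("no user affinity: user-group assignments cannot reach it")
    if group is None:
        findings.append(f"category {category!r} matches no dynamic device group")
    return {"device": device.get("deviceName"), "user_targetable": bool(upn),
            "device_group": group, "findings": findings}


def audit(devices):
    """Audit only Apple mobile devices; other platforms are out of scope here."""
    apple = ("ios", "ipados")
    return [audit_device(d) for d in devices
            if (d.get("operatingSystem") or "").lower() in apple]


if __name__ == "__main__":
    for row in audit(SAMPLE_DEVICES):
        print(row["device"], row["device_group"], "; ".join(row["findings"]) or "ok")
```

A device that comes back with `user_targetable` false and `device_group` empty is reached by neither kind of assignment.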
- NielsScheffers, Jul 14, 2022, Iron Contributor
You're going to have to go into a little more detail for that. It's probably due to specific policies but we'll need to know which specific ones (and their configured settings) to help you.
- Oemgroup, Jul 15, 2022, Copper Contributor
It's strange that the below policies have not been applied to some devices
(they were applied before when I tried one policy set for the first time),
but for some devices they have been applied!
Block removing apps
Block configuration profile changes
Block users from erasing all content and settings on device
Block modification of device name
Block Game Center
Block adding Game Center friends
Block multiplayer gaming in the Game Center