Forum Discussion
Target policy to users or devices?
- Dec 10, 2018
Hey Peter,
yes you are right, user policies will travel with the user. So if a user has a user policy to configure his background, for example, and then logs on to a different device, he will get the policy there as well. There is no exception to this in case of shared devices, because from the perspective of the user it's just another device and his user policies are flowing down. There is not a concept of primary devices where a user should only get configs on primary devices or so. So if you want to clearly separate, you need to use device targeting only. Back in the GPO days we could use loopback policies in replace mode, but this is not available for Intune MDM managed devices. Again, clear separation without traveling user policies can be achieved with device targeting only.

Normally user policies are not a big problem, as even on a shared device a user should get his experience in terms of user configurations. If the device is really special (dedicated special use case), then mostly dedicated accounts are used and they can be excluded from user config. For digital signage there is often a local account or, again, a dedicated special-purpose account used. I see the problem only if you have the need for shared devices where people need to log on with their own account but need to have different settings than normally in their user policy. Most of the shared device scenarios I can think of are not like this, and a user can still have his user policies applied to the shared device while the device itself has some more device policies, for example. This is in most cases a viable solution.
best,
Oliver
My answer is based on Intune - MDM. In case of shared devices (more like Kiosk devices), these are targeted via specific Dynamic AAD groups or profiles. These are 'userless' devices and do not have any association with a user account. They will never get the traditional policies that are targeted towards 'All users'.