Forum Discussion
Target policy to users or devices?
- Dec 10, 2018
Hey Peter,
yes, you are right, user policies will travel with the user. So if a user has a user policy to configure his background, for example, and then logs on to a different device, he will get the policy there as well. There is no exception to this in the case of shared devices, because from the perspective of the user it's just another device and his user policies are flowing down. There is no concept of primary devices where a user should only get configs on primary devices, or the like. So if you want to clearly separate, you need to use device targeting only. Back in the GPO days we could use loopback policies in replace mode, but this is not available for Intune MDM managed devices. Again, clear separation without traveling user policies can be achieved with device targeting only.

Normally user policies are not a big problem, as even on a shared device a user should get his experience in terms of user configurations. If the device is really special (dedicated special use case), then mostly dedicated accounts are used and they can be excluded from user config. For digital signage there is often a local account or, again, a dedicated special purpose account used. I see the problem only if you have the need for shared devices where people need to log on with their own account but need to have different settings from those normally in their user policy. Most of the shared device scenarios I can think of are not like this, and a user can still have his user policies applied to the shared device, while the device itself has some more device policies, for example. This is in most of the cases a viable solution.
best,
Oliver
It doesn't appear to be possible to combine user targeting with device exclusions and vice-versa. The only solution that I can envisage right now is to create groups of devices based on users as per https://blogs.technet.microsoft.com/smeems/2018/05/11/user-based-device-groups/.
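One way to build the user-based device group that the linked post describes, as an added example that is not part of this thread or of the blog post it links to: a PowerShell script that uses the Microsoft Graph PowerShell SDK (an assumption on my part; the thread does not name a tool) to mirror the devices owned by the members of a user group into a device group that can then be used for device targeting, with device exclusions. The group names, the permission scopes and the Connect-MgGraph call are placeholders to adapt.

```powershell
# Added example, not code from the thread or the linked blog post.
# Builds a device group from the devices owned by members of a user group, so a policy
# meant for "these people's machines" can be device-targeted (and still use device exclusions).
# Assumes the Microsoft Graph PowerShell SDK is installed and the caller holds
# Group.ReadWrite.All, User.Read.All and Device.Read.All. Group names are placeholders.
param(
    [string]$UserGroupName   = 'Finance Users',          # hypothetical source (user) group
    [string]$DeviceGroupName = 'Finance Users - Devices' # hypothetical target (device) group
)

Connect-MgGraph -Scopes 'Group.ReadWrite.All','User.Read.All','Device.Read.All' | Out-Null

$userGroup   = Get-MgGroup -Filter "displayName eq '$UserGroupName'"
$deviceGroup = Get-MgGroup -Filter "displayName eq '$DeviceGroupName'"
if (-not $userGroup -or -not $deviceGroup) { throw 'Source or target group not found.' }

# Transitive membership so nested user groups are covered; keep only user objects.
$users = Get-MgGroupTransitiveMember -GroupId $userGroup.Id -All |
    Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.user' }

# Collect the devices owned by those users, de-duplicated by object id.
# Caveat: ownedDevices reflects the registering owner, not who is currently logged on,
# so a shared or kiosk device lands under whoever enrolled it.
$wanted = @{}
foreach ($u in $users) {
    Get-MgUserOwnedDevice -UserId $u.Id -All | ForEach-Object {
        if ($_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.device') {
            $wanted[$_.Id] = $_.AdditionalProperties['displayName']
        }
    }
}

# Current members of the device group, so the script converges rather than only adding.
$current = @{}
Get-MgGroupMember -GroupId $deviceGroup.Id -All | ForEach-Object { $current[$_.Id] = $true }

foreach ($id in $wanted.Keys) {
    if (-not $current.ContainsKey($id)) {
        New-MgGroupMemberByRef -GroupId $deviceGroup.Id -BodyParameter @{
            '@odata.id' = "https://graph.microsoft.com/v1.0/directoryObjects/$id"
        }
        Write-Host "Added $($wanted[$id]) ($id)"
    }
}
foreach ($id in $current.Keys) {
    if (-not $wanted.ContainsKey($id)) {
        Remove-MgGroupMemberByRef -GroupId $deviceGroup.Id -DirectoryObjectId $id
        Write-Host "Removed $id (owner no longer in '$UserGroupName')"
    }
}
```

Run it on a schedule (or from an automation identity) so the device group tracks the user group; the removal loop is what keeps a device from staying in scope after its owner leaves the user group. Group.ReadWrite.All is a broad permission, so prefer an app registration with only these scopes over an interactive admin sign-in. Note that this only changes which devices a device-targeted policy hits; user-targeted policies still follow the user onto any device, exactly as described above.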
- peterlewis, Dec 11, 2018, Copper Contributor
Thank you so much for taking the time to provide such an insightful response. It really is appreciated and reading your confirmation of behaviour as well as the reasoning for this has been invaluable!
Will certainly bear your words and thoughts on the behaviours in mind! :)
Thanks again! :)
Peter