Forum Discussion

PatrickF11
Steel Contributor
Mar 23, 2020

User or device assignment

Hi folks,

 

I would like to discuss your experiences with user or device profile assignment.

What specific policies are you targeting to devices? What policies are you targeting to devices?

Of course I've read through the corresponding docs.

After my experiences in the last months I prefer assigning the profiles to devices.

 

- I'm able to exclude devices. (e.g. IT-Staff has one corporate device and one for testing purposes)

- The workflow when using white glove seems much more logical. (Most of the config is applied during the white glove process.)

 

So I would like to hear your experiences. What are the advantages / disadvantages?

Thank you in advance. 🙂

What assignments do you use for App configuration policies?

 

Patrick

  • Moe_Kinani
    Bronze Contributor
    I use devices all day long for all policies in Windows 10, because it works and applies faster than targeting the users, so you're not alone.
    • Thijs Lecomte
      Bronze Contributor
      It really depends on your environment and your use cases in my opinion.

      For Windows 10 apps, I mostly assign them to users (if the client doesn't have any kiosks). This is because a lot of apps are user/department specific.

      For configs I assign to dynamic device groups. But if there are some settings that need to be different for some users (for example, the finance department needs tighter security settings), assigning to users might be easier.

      I always advise to assess your environment and check what makes the most sense for you.
      • Oliver Kieselbach
        MVP

        Hi,

         

        So there is no definite answer to this, but there are some situations where it really makes sense to use device-based assignments instead of user-based assignments. In general, user-based assignments are applied faster, as they can be evaluated instantly from the system. The user is always there and can have the relationship with policies/apps. Devices pop up dynamically, and device groups first need to be evaluated; then, after identifying a membership, the Intune service backend is able to push out the configs or apps. This is normally not a problem, as we often wait long enough to allow this to happen. Example: ESP waits for device context app installs and so on. So, enough time to evaluate and send down policies, apps, etc.

         

        So, especially for configs, when dealing with exceptions like shared devices it is helpful to use device assignments, as you are then able to exclude the "special" cases like shared devices from regular baseline policies, e.g. you would like to have a different device lock timeout for them.

        If you go for device assignments you should be aware of some behavior, like sudden logouts or restarts. My buddy Jörgen Nilsson has documented this very well here: Autopilot, ESP and extra login/reboots (https://ccmexec.com/2020/01/autopilot-esp-and-extra-login-reboots/).

         

        Apps are a different story; here we are dealing with the Company Portal and available or required assignments. Here I prefer user assignments if possible, but that's not a golden rule. For required deployments it can also make sense to use device assignments. I've written a blog post about it here: Intune application targeting for Windows 10 Win32 apps explained (https://oliverkieselbach.com/2020/02/19/intune-application-targeting-for-windows-10-win32-apps-explained/)

         

        best,

        Oliver

         

         
