Forum Discussion
User or device assignment
For Windows 10 apps, I mostly assign them to users (if the client doesn't have any kiosks). This is because a lot of apps are user/department specific.
For configs I assign to dynamic device groups. But if there are some settings that need to be different for some users (for example, the finance department needs tighter security settings), assigning to users might be easier.
I always advise to assess your environment and check what makes the most sense for you.
Hi,
So there is no definite answer to this, but there are some situations where it really makes sense to use device-based assignments instead of user-based assignments. In general, user-based assignments are applied faster, as they can be evaluated instantly from the system. The user is always there and can have the relationship with policies/apps. Devices pop up dynamically, and device groups first need to be evaluated; then, after identifying a membership, the Intune service backend is able to push out the configs or apps. This is normally not a problem, as we often do wait long enough to allow this to happen. Example: ESP waits for device context app installs and so on. So, enough time to evaluate and send down policies, apps etc.
So, especially for configs, when dealing with exceptions like shared devices, it is helpful to use device assignments, as you are then able to exclude the "special" cases like shared devices from regular baseline policies, e.g. if you would like to have a different device lock timeout for them.
If you go for device assignments, you should be aware of some behavior, like sudden logouts or restarts. My buddy Jörgen Nilsson has documented this very well here: Autopilot, ESP and extra login/reboots (https://ccmexec.com/2020/01/autopilot-esp-and-extra-login-reboots/).
Apps are a different story; here we are dealing with the Company Portal and available or required assignments. Here I do prefer user assignments if possible, but that's not a golden rule. Also, for required deployments it can make sense to use device assignments. I've written a blog post about it here: Intune application targeting for Windows 10 Win32 apps explained (https://oliverkieselbach.com/2020/02/19/intune-application-targeting-for-windows-10-win32-apps-explained/)
best,
Oliver
- giladke, Apr 09, 2020, Brass Contributor
Hi,
1. What about org-wide app and config policies (such as tamper protection for config and Company Portal for app)?
Do you see any pros/cons when assigning to "all users", "all devices" or "all users and all devices"?
2. What about an org-wide Windows 10 compliance policy? In the GUI they only have the "all users" option (no "all devices"), but I know I can assign a compliance policy to a device group as well. Any suggestions on that one (I'm referring to user driven only, no kiosk or self-deployed devices)?
Tnx,
Gilad.
- PatrickF11, Jun 01, 2020, MCT
These are exactly the questions I'm facing, too.
- PatrickF11, Apr 07, 2020, MCT
Thank you guys for your ideas regarding this topic.
I already thought there is not the one and only answer. 🙂
Any others feel free to answer later and discuss this with us.