Nov 21 2021 05:48 AM
Hello,
I need help understanding Intune and how it works applying configuration profiles to users and devices. I am trying to deploy an Always On VPN for our VPN users. I created a custom configuration profile for the VPN settings and applied it to the group VPN_Users. I have everything working, but the configuration profile will only apply to the device if the user who enrolled in the MDM is logged in. For example, if User A logs in to the Windows 10 computer 21H2 and enrolls into MDM, only that user will get the configuration profile and VPN, but if User B logs in to the same device after User A enrolled into the MDM, then User B will not get the configuration profile even though both users are in the VPN_Users group. What am I missing here? Does every user have to enroll into the MDM?
Nov 21 2021 07:24 AM
From Intune's point of view, it doesn't matter if you assign a policy to a user or a device (by Intune I’m referring to CSP, not PowerShell script assignment).
The thing is that some CSPs are designed to run on user scope and some on device scope (but you can still assign either of them to a user OR device group – it doesn’t matter).
So there are 2 things to consider:
Example 1 – You configured a user scope CSP and assigned it to a device group – the policy is applied to any signed-in user (due to device assignment) only after they sign in (due to user scope).
Example 2 – You configured a device scope CSP and assigned it to a user group – the policy is applied on device level and most likely affects all users (due to device scope) only after the first sign-in of one of the user group's members (due to user assignment).
In your case I suspect that your CSP runs on the wrong scope level – can you share the exact CSP you are using (custom policy)? Btw: for VPN you can use the built-in VPN profile, you don’t have to use custom (at least in most cases 😊)
For general info on CSP scope level check this link – https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-configuration-service-provider
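As an added illustration (not part of the thread and not any poster's code), the sketch below reads a custom setting's scope from its OMA-URI root and flags the two scope/assignment mismatches the reply above describes. It assumes the OMA-URI convention from the linked CSP documentation and uses the VPNv2 CSP as the sample; the profile name `ContosoVPN` and all sample rows are constructed.

```python
import re

# Assumption: scope is read from the OMA-URI root, per the CSP documentation:
# ./User/Vendor/MSFT is user scope; ./Device/Vendor/MSFT and the bare
# ./Vendor/MSFT root are device scope.
_ROOT = re.compile(r"^\./(?:(User|Device)/)?Vendor/MSFT/", re.IGNORECASE)

# Consequence of each scope/assignment mismatch, as described in the reply.
_MISMATCH = {
    ("user", "device"): "applies to any user of the device, only after that user signs in",
    ("device", "user"): "applies device-wide, only after a group member first signs in",
}

def csp_scope(oma_uri):
    """Return 'user' or 'device' for a Vendor/MSFT OMA-URI."""
    m = _ROOT.match(oma_uri.strip())
    if m is None:
        raise ValueError(f"not a Vendor/MSFT OMA-URI: {oma_uri!r}")
    return "user" if (m.group(1) or "").lower() == "user" else "device"

def audit(rows):
    """rows: (setting name, OMA-URI, assigned group type 'user' or 'device').
    Returns one finding per row whose CSP scope differs from its assignment."""
    findings = []
    for name, uri, group_type in rows:
        if group_type not in ("user", "device"):
            raise ValueError(f"unknown group type: {group_type!r}")
        scope = csp_scope(uri)
        note = _MISMATCH.get((scope, group_type))
        if note:
            findings.append((name, scope, group_type, note))
    return findings

# Constructed sample rows; "ContosoVPN" is a made-up profile name.
SAMPLE = [
    ("user root, user group", "./User/Vendor/MSFT/VPNv2/ContosoVPN/ProfileXML", "user"),
    ("device root, user group", "./Device/Vendor/MSFT/VPNv2/ContosoVPN/ProfileXML", "user"),
    ("bare root, device group", "./Vendor/MSFT/VPNv2/ContosoVPN/ProfileXML", "device"),
    ("user root, device group", "./User/Vendor/MSFT/VPNv2/ContosoVPN/ProfileXML", "device"),
]

if __name__ == "__main__":
    for name, scope, group_type, note in audit(SAMPLE):
        print(f"{name}: {scope}-scope CSP on a {group_type} group -> {note}")
```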
Nov 21 2021 08:48 AM
I have to use a custom policy because the VPN template doesn't have the option to set IKEv2 security settings, which I need set as seen in the example below.