Forum Discussion

Oemgroup's avatar
Oemgroup
Copper Contributor
Jul 08, 2022

How to set Different Policy set for Different Apple Devices with Endpoint/InTune?

Hi I need to set different policies for our staff and managers in the company, for managing their iPhones/iPads. I created two Policy sets with different configuration profiles and compliance polic...
Intune
Mobile Application Management (MAM)
Mobile Device Management (MDM)
  • NielsScheffers's avatar
    NielsScheffers
    Jul 12, 2022

    So, to make sure I understand you correctly (just making things up here, it's about the structure and most how things are assigned). 

     

    Policy Set "Manager"

    Assigned to the virtual "All devices" group.

    • Configuration Profile "Manager"
      Assigned to "Managers" ("All users") group
    • Compliance Policy "Manager"
      Assigned to "Managers" ("All users") group

    Policy Set "Staff"

    Assigned to the virtual "All devices" group.

    • Configuration Profile "Staff"
      Assigned to "Staff" ("All users") group
    • Compliance Policy "Staff"
      Assigned to "Staff" ("All users") group

    You are already assigning the Configuration Profiles and Compliance Policies to the groups directly (which answers my question :smile:).

     

    I don't think you even need Policy Sets right now, so I suggest you remove them from the equation to reduce complexity. As you already removed the separate items from the Policy Sets and they're still not working, start troubleshooting them one by one, starting with the most simple setup.

     

    Finally, just a little afterthought: are you sure your Apple devices are enrolled with user affinity? If not, you can't assign anything to users. 

NielsScheffers's avatar
NielsScheffers
Iron Contributor
Can you share some more information on what does and doesn't work? For instance:
Do you see the policy set and/or its content being applied in the portal at all?
Is nothing in the set applied or are only specific policies missing?
Do the policies apply if you assign them to the groups directly (circumventing Policy Sets completely)?
Oemgroup's avatar
Oemgroup
Copper Contributor
Jul 12, 2022
Thank you for your reply,
Do you see the policy set and/or its content being applied in the portal at all?
- there aren't applied to the profile, when I install the profile and check, there is no policy set!

Is nothing in the set applied or are only specific policies missing?
- noting, actually the whole created 'Configuration profile' are not applied to the profile at all!

Do the policies apply if you assign them to the groups directly (circumventing Policy Sets completely)?
- I did create 2 groups (staff/managers) and assigned Azure users from 'All Users'
then 2 Compliance Policies (staff/managers) ->assigned each group to a related policy
and 2 Configuration profiles (staff/managers) ->assigned each group to related policy
the 1 policy set and assigned them to the Device management section,
then I add them to a policy set and assigned the policy set to all Devices.
not sure what I did wrong?

I did delete them from the policy set and test the profile, still not working,
I am wondering how can I assign them to the groups directly without the policy set?
  • NielsScheffers's avatar
    NielsScheffers
    Iron Contributor
    Jul 12, 2022

    So, to make sure I understand you correctly (just making things up here, it's about the structure and most how things are assigned). 

     

    Policy Set "Manager"

    Assigned to the virtual "All devices" group.

    • Configuration Profile "Manager"
      Assigned to "Managers" ("All users") group
    • Compliance Policy "Manager"
      Assigned to "Managers" ("All users") group

    Policy Set "Staff"

    Assigned to the virtual "All devices" group.

    • Configuration Profile "Staff"
      Assigned to "Staff" ("All users") group
    • Compliance Policy "Staff"
      Assigned to "Staff" ("All users") group

    You are already assigning the Configuration Profiles and Compliance Policies to the groups directly (which answers my question :smile:).

     

    I don't think you even need Policy Sets right now, so I suggest you remove them from the equation to reduce complexity. As you already removed the separate items from the Policy Sets and they're still not working, start troubleshooting them one by one, starting with the most simple setup.

     

    Finally, just a little afterthought: are you sure your Apple devices are enrolled with user affinity? If not, you can't assign anything to users. 

    • Oemgroup's avatar
      Oemgroup
      Copper Contributor
      Jul 15, 2022

      Thank you NielsScheffers 

      all devices are enrolled without user affinity,

      I did remove Policy sets, created 2 groups of devices, and add related devices to each group by setting Dynamic membership rules and using Device Category to rules, then create and assigned:

      • Configuration Profile for "Staff"
        Assigned to ("All Staff Devices") group
      • Compliance Policy for "Staff"
        Assigned to ("All Staff Devices") group
       
      • Configuration Profile for "Managers"
        Assigned to ("All Manager Devices") group
      • Compliance Policy for "Managers"
        Assigned to ("All Manager Devices") group

      When I check enrolled devices on the endpoint device properly, Device compliance and Device configuration are set up correctly for each group, the only thing is: that all policies are not been applied to phones after more than 24 hours!

      from every phone setting> profile management > restriction, there aren't some of the policies that I identified! and on the endpoint just show them as Not applicable!

       

       
       
      • NielsScheffers's avatar
        NielsScheffers
        Iron Contributor
        Jul 15, 2022
        You're going to have to go into a little more detail for that. It's probably due to specific policies but we'll need to know which specific ones (and their configured settings) to help you.

Resources