SOLVED

How to set Different Policy set for Different Apple Devices with Endpoint/InTune?


Hi

I need to set different policies for our staff and managers in the company, for managing their iPhones/iPads.

I created two Policy sets with different configuration profiles and compliance policies, and assigned one of the policy sets to the staff group and the other one to the Managers group, then I added users from Azure into each group, but it's not working when I install the profile!

 

I am wondering how I can set different policy sets for 2 groups of users, assign them to the same profile and install them on the Apple devices?

10 Replies

Hello @Oemgroup ,

 

Are those devices enrolled to Intune MDM?

Is there a chance that you are trying to deploy MDM policies to MAM devices?

Hi @Oemgroup, can you check on one single device whether you can see the assignments of the policy set there?
Can you share some more information on what does and doesn't work? For instance:
Do you see the policy set and/or its content being applied in the portal at all?
Is nothing in the set applied or are only specific policies missing?
Do the policies apply if you assign them to the groups directly (circumventing Policy Sets completely)?
Thank you for your reply,
Are those devices enrolled to Intune MDM?
Yes, I have enrolled them via the profile with 2 policy sets, but the policy sets that I added to the managers group weren't there.
Is there a chance that you are trying to deploy MDM policies to MAM devices?
I don't think so, as it is working perfectly with one policy set.
Hi Jannik,
I have checked that; the issue is coming from the policy set. When I defined one policy set and assigned it to all users/all devices it's fine, but when I define 2 policy sets and assign them to 2 groups of users, one of which is the managers user group (selected some Azure users' emails), it's not working! It means the profile is fine but the policy set hasn't been added to the profile!
Thank you for your reply,
Do you see the policy set and/or its content being applied in the portal at all?
- They aren't applied to the profile; when I install the profile and check, there is no policy set!

Is nothing in the set applied or are only specific policies missing?
- Nothing, actually the whole created 'Configuration profile' is not applied to the profile at all!

Do the policies apply if you assign them to the groups directly (circumventing Policy Sets completely)?
- I did create 2 groups (staff/managers) and assigned Azure users from 'All Users',
then 2 Compliance Policies (staff/managers) -> assigned each group to the related policy,
and 2 Configuration profiles (staff/managers) -> assigned each group to the related policy,
then 1 policy set and assigned them in the Device management section,
then I added them to a policy set and assigned the policy set to all Devices.
Not sure what I did wrong?

I did delete them from the policy set and tested the profile, still not working.
I am wondering how I can assign them to the groups directly without the policy set?
best response confirmed by Oemgroup (Occasional Contributor)
Solution

So, to make sure I understand you correctly (just making things up here; it's about the structure and mostly how things are assigned).

 

Policy Set "Manager"

Assigned to the virtual "All devices" group.

  • Configuration Profile "Manager"
    Assigned to "Managers" ("All users") group
  • Compliance Policy "Manager"
    Assigned to "Managers" ("All users") group

Policy Set "Staff"

Assigned to the virtual "All devices" group.

  • Configuration Profile "Staff"
    Assigned to "Staff" ("All users") group
  • Compliance Policy "Staff"
    Assigned to "Staff" ("All users") group

You are already assigning the Configuration Profiles and Compliance Policies to the groups directly (which answers my question :smile:).

 

I don't think you even need Policy Sets right now, so I suggest you remove them from the equation to reduce complexity. As you already removed the separate items from the Policy Sets and they're still not working, start troubleshooting them one by one, starting with the most simple setup.

 

Finally, just a little afterthought: are you sure your Apple devices are enrolled with user affinity? If not, you can't assign anything to users. 

Thank you @NielsScheffers 

all devices are enrolled without user affinity,

I did remove Policy sets, created 2 groups of devices, and added the related devices to each group by setting Dynamic membership rules using Device Category in the rules, then created and assigned:

  • Configuration Profile for "Staff"
    Assigned to ("All Staff Devices") group
  • Compliance Policy for "Staff"
    Assigned to ("All Staff Devices") group
 
  • Configuration Profile for "Managers"
    Assigned to ("All Manager Devices") group
  • Compliance Policy for "Managers"
    Assigned to ("All Manager Devices") group

When I properly check the enrolled devices on the endpoint, Device compliance and Device configuration are set up correctly for each group; the only thing is that all policies have not been applied to the phones after more than 24 hours!

In every phone's Settings > Profile Management > Restrictions, some of the policies that I defined aren't there, and the endpoint just shows them as Not applicable!

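The two things the thread keeps circling back to are whether each iPhone/iPad actually has an enrolled user (user affinity) and which group every profile is really targeting. The following script is an added example, not code from the thread or from Microsoft; it assumes the Microsoft.Graph PowerShell SDK is installed and that the account used has read-only Intune and group permissions. It lists every iOS/iPadOS device with its enrolled user, device category and compliance state, then resolves the assignment targets of every configuration profile to readable group names, so that "Not applicable" results can be matched against the real targeting.

```powershell
# Added example (not from the thread): audit user affinity and profile targeting in Intune.
# Assumes the Microsoft.Graph SDK (Authentication, DeviceManagement, Groups modules) is installed.
Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.Read.All',
                        'DeviceManagementConfiguration.Read.All',
                        'Group.Read.All'

# 1. Devices: an empty UserPrincipalName means the device was enrolled without
#    user affinity, so assignments aimed at user groups can never reach it.
#    DeviceCategoryDisplayName is the value a dynamic device-group rule such as
#    (device.deviceCategory -eq "Staff") keys on.
Get-MgDeviceManagementManagedDevice -All |
    Where-Object { $_.OperatingSystem -in 'iOS', 'iPadOS' } |
    Select-Object DeviceName,
        @{ n = 'EnrolledUser'
           e = { if ($_.UserPrincipalName) { $_.UserPrincipalName } else { '<none: no user affinity>' } } },
        DeviceCategoryDisplayName,
        ComplianceState |
    Format-Table -AutoSize

# 2. Configuration profiles and the groups they are assigned to. The target type
#    is polymorphic, so it lives in AdditionalProperties of the assignment target.
foreach ($cfg in Get-MgDeviceManagementDeviceConfiguration -All) {
    $assignments = Get-MgDeviceManagementDeviceConfigurationAssignment -DeviceConfigurationId $cfg.Id
    if (-not $assignments) {
        '{0} -> (no assignments at all)' -f $cfg.DisplayName
        continue
    }
    foreach ($a in $assignments) {
        $type = $a.Target.AdditionalProperties['@odata.type']
        $gid  = $a.Target.AdditionalProperties['groupId']
        $targetName = switch ($type) {
            '#microsoft.graph.allDevicesAssignmentTarget'        { 'All devices' }
            '#microsoft.graph.allLicensedUsersAssignmentTarget'  { 'All users (needs user affinity)' }
            '#microsoft.graph.groupAssignmentTarget'             { (Get-MgGroup -GroupId $gid).DisplayName }
            '#microsoft.graph.exclusionGroupAssignmentTarget'    { 'EXCLUDE ' + (Get-MgGroup -GroupId $gid).DisplayName }
            default                                              { $type }
        }
        '{0} -> {1}' -f $cfg.DisplayName, $targetName
    }
}
```

A device that shows `<none: no user affinity>` in the first table will only ever receive profiles whose target in the second list is a device group or "All devices".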
You're going to have to go into a little more detail for that. It's probably due to specific policies but we'll need to know which specific ones (and their configured settings) to help you.
It's strange that the policies below have not been applied to some devices
(they were applied before, when I tried one policy set for the first time),
but they have been applied to some other devices!

  • Block removing apps
  • Block configuration profile changes
  • Block users from erasing all content and settings on device
  • Block modification of device name
  • Block Game Center
  • Block adding Game Center friends
  • Block multiplayer gaming in the Game Center