Nov 30 2018 08:02 AM
Hi All
Just a quick question: what do you guys do when implementing Device Configuration Profiles, and what is the recommended best practice?
For example,
1 X Device Restrictions Configuration Profile with multiple settings
1 X Endpoint Protection Configuration Profile with multiple settings, etc.
Logic: All Contoso.com's Device Restrictions in ONE profile
or
Multiple appropriately named Device Restrictions Configuration Profiles, each with a single / specific setting
Multiple appropriately named Endpoint Protection Configuration Profiles, each with a single / specific setting
Logic: One Device Restrictions Configuration Profile blocking the App Store, another may block Microsoft accounts, etc.
Be interested to see what methods people use.
Stuart
Dec 02 2018 09:08 AM - edited Dec 02 2018 09:11 AM
I think best practice dictates to sensibly name each policy you create, but to be honest, how you go about planning your Intune rollout depends on the requirements you have for your Org.
I have consulted Orgs where one policy per corporate device type is all that is necessary. They had clear guidelines that there is only one agreed corporate policy per device type. Then, if personal devices are allowed, the creation of App Protection policies to allow that BYOD scenario.
However, large Orgs will normally have different requirements, so if you are facing the scenario where you need multiple policies for different departments or business units, then that's fine - simply utilise a sound naming convention and utilise the description - and push the policies out based on 'assignment', based on Azure Security Groups that are again clearly labelled for their department and Intune purpose.
Whether you ultimately have to have multiple of each policy type will come out in the wash during your requirements planning, to see if certain global policies can be supported to minimise the total number of policies you'll be creating.
Have fun!