Profile Type Best Practice

Hi All


Just a quick question: what do you guys do when implementing Device Configuration Profiles, and what is the recommended Best Practice?


For example, 


1 X Device Restrictions Configuration Profile with multiple settings

1 X Endpoint Protection Configuration Profile with multiple settings etc


Logic: All Device Restrictions in ONE profile




Multiple appropriately named Device Restrictions Configuration Profile with a single / specific setting

Multiple appropriately named Endpoint Protection Configuration Profile with a single / specific setting


Logic: One Device Restrictions Configuration Profile blocking the App Store, another may block Microsoft accounts etc etc


Be interested to see what methods people use.




1 Reply

I think best practice dictates to sensibly name each policy you create, but to be honest how you go about planning your Intune roll out depends on the requirements you have for your Org.


I have consulted Orgs where one policy per corporate device type is all that is necessary. They had clear guidelines that there is only one agreed corporate policy per device type. Then, if personal devices are allowed, the creation of App Protection policies to allow that BYOD scenario.


However, large Orgs will normally have different requirements, so if you are facing the scenario where you need multiple policies for different departments or business units, then that's fine - simply utilise a sound naming convention and utilise the description - and push the policies out based on 'assignment', based on Azure Security Groups that are again clearly labelled for their department and Intune purpose.


Whether you ultimately have to have multiple of each policy type will come out in the wash during your requirements planning, to see if certain global policies can be supported to minimise the total amount of policies you'll be creating.


Have fun!