11-30-2018 08:02 AM
Just a quick question: what do you guys do when implementing Device Configuration Profiles, and what is the recommended best practice?
1 X Device Restrictions Configuration Profile with multiple settings
1 X Endpoint Protection Configuration Profile with multiple settings etc
Logic: All Contoso.com's Device Restrictions in ONE profile
Multiple appropriately named Device Restrictions Configuration Profile with a single / specific setting
Multiple appropriately named Endpoint Protection Configuration Profile with a single / specific setting
Logic: One Device Restrictions Configuration Profile blocking the App Store, another may block Microsoft accounts, etc.
Be interested to see what methods people use.
12-02-2018 09:08 AM - edited 12-02-2018 09:11 AM
I think best practice dictates to sensibly name each policy you create, but to be honest, how you go about planning your Intune rollout depends on the requirements you have for your Org.
I have consulted Orgs where one policy per corporate device type is all that is necessary. They had clear guidelines that there is only one agreed corporate policy per device type. Then, if personal devices are allowed, the creation of App Protection policies to allow that BYOD scenario.
However, large Orgs will normally have different requirements, so if you are facing the scenario where you need multiple policies for different departments or business units, then that's fine - simply utilise a sound naming convention and utilise the description - and push the policies out based on 'assignment', based on Azure Security Groups that are again clearly labelled for their department and Intune purpose.
Whether you ultimately have to have multiple of each policy type will come out in the wash during your requirements planning, to see if certain global policies can be supported to minimise the total number of policies you'll be creating.