The question is: When working in Microsoft Endpoint Manager (Intune), how do I determine whether to assign policies to devices or users?Microsoft Office Home and Student 2019 (1 Mac) Microsoft Office Home and Student 2019 provides classic Office apps and email for families and students who want to install them on one Mac or Windows 10 PC for use at home or school. In truth, it is not the first time I have answered this question, but I realized that I could probably repeat myself less if I simply write an article and publish it. Microsoft Office 365 Personal from Trusted Tech Team offers a full year of access to your favorite Office suite applications via your Mac, PC, Android or iOS device.Read reviews and buy Microsoft 365 Business Standard 12-Month Subscription, 1 person Premium Office Apps 1TB OneDrive cloud storage PC/Mac Keycard at.A new reader question came across my desk the other day. Microsoft Office 365 Personal PC, Mac, Android, Apple iOS - 1 PC/Mac Office 365 Personal includes: 1 Year Subscription Product Second year and all future renewals discounted.Static Security groups comprised of Devices Static Security groups comprised of Users To do to target old versions of Internet Explorer, except it targets Microsoft. Groups in Azure AD come in five flavors:Windows Outlook 2003 and above use Microsoft Word as a rendering engine.Devices.Unfortunately, there is no one size fits all here so we have to give the classic consultant answer: “It depends.” On what does it depend? A couple of factors: Eliminating that option right off the bat, let’s narrow it down further by determining when it would be best to recommend targeting Users vs. Dynamic Security groups comprised of DevicesFirst, just know that you should use Security groups to assign policies and profiles within Intune (I would not use Microsoft 365 Groups).
Microsoft Office Target Install Them OnBut I do not recommend it. Is it possible to assign a compliance policy to a security group comprised of devices? Yes. Compliance policiesWhen it comes to Compliance policies, I always target users. The type of policy or profile you are working with may answer the question for you. What type of policy or profile are we working with?Let’s start with the second question first. And so I do not have different compliance requirements for different types of devices. Also notice that we are not given the option to assign to “ All devices” but only “ All users” (unlike Configuration profiles).In general, I like to think of Compliance policies as the bare minimum that you would require for ANY endpoint to connect and start working with your systems. Because of these inconsistencies and issues, I do not recommend assigning Compliance policies to devices. I have even seen strange occurrences where both the user and the system account showed up as ‘Compliant,’ but the built-in compliance policy showed as ‘Not Compliant.’ This is even more confusing because literally the only thing that policy is measuring is whether there is a compliance policy being applied (and obviously there is). The user who signs into the device will also receive a compliance statusUnfortunately, this can lead to errors when it reports on the overall compliance of the device. The “system account” will receive a compliance status In that case, you would want to create a device-based security group and apply the profiles accordingly.Another use case for device targeting (using a Dynamic group) is where you have an organization that is managing a mix of corporate-owned and personal devices within the same device platform. And it may be a different experience than what is expected when the user is picking up their own device (even to work with the same applications). No matter who sits down and logs into that machine, you want the experience to be identical. Here we return to our first question: Are you trying to control an experience based on who the user is, or which device they are using?So the obvious use case for targeting devices is something like kiosk devices, or lab computers. Device Configuration and Endpoint Security profilesNext up: Device Configuration profiles (including Update rings) and Endpoint Security profiles. Therefore I would normally just create one compliance policy for each device platform that I support, and then assign these to All users, or at least a security group that represents all of my licensed users (the members who are licensed to use Intune). But there are likely to be some helpdesk calls in your future that are resolved by nothing more than “waiting it out.” ApplicationsPretty much the same logic can be applied when you are assigning applications to devices. This normally isn’t too big of a deal and often will go unnoticed. When you assign your BYOD profiles, you would target the former group, and when you assign company profiles, you would target the latter.One of the downsides to using dynamic security groups is that I have noticed it can sometimes take extra time (minutes to hours) for the membership to update. For example, your corporate profile might block manual unenrollment, whereas the personal profile would not.Therefore, it makes sense to create two dynamic security groups: one that applies to deviceOwnership = Personal and the other to deviceOwnership = Company. In that case, there are likely different requirements for the one group versus the other. The devices are not being targeted by my Compliance policies, and therefore I will not be targeting the devices with my Conditional Access policies. I am usually only interested in restricting access if I have less control over an endpoint (or its applications in the case of MAM).The second point is that when Conditional Access is being asked to evaluate device compliance, I like to have this tied to the same group of users for whom compliance is actually being measured. The first thing to note is that when you use the device-based controls such as Compliant device and Hybrid Azure AD Joined device, this will already cover the distinction between managed and unmanaged endpoints. Conditional AccessSimilar to Compliance and App protection policies, I always target users here, and not devices. When a user signs into an application, these policies are applied at the application layer, and the device does not really play into the equation. Mac vs windows for web design redditWhile there is a lot more to autopilot, for the purposes of this discussion, this is all we have to say about it. Autopilot is all about pre-provisioning devices. Notice again that we can select specific device groups, or just choose All devices (but there is no All users option).And that makes sense. Here, the profiles are only assigned to devices, not users. Autopilot profilesWhen you assign Autopilot profiles, the advice is the opposite from Compliance and Conditional Access. Those who are licensed to use the features). Company-owned groups, as appropriate. In those cases I would recommend using the dynamic device groups to tailor the policies to the BYOD vs.
0 Comments
Leave a Reply. |
AuthorXplosive ArchivesCategories |