Intune Policy: MSP-level Advanced Management

This topic discusses advanced Intune policy management at the MSP level.

Check for Configuration Drift of Policies and Profiles at the MSP Level

Note: This feature is in Private Preview.

Once policies and profiles are created at the MSP level and assigned to customer accounts, you can check for configuration drift between the current state of the Intune policy or profile settings at the customer account level and the source policy at the MSP level.

Note: This option is only available for policies and profiles that are assigned to customer(s). In addition, this feature ignores the account-level Inherited variables because you have intentionally created drift by defining different variables for each account.

To check for configuration drift of policies and profiles at the MSP level:

  1. In Nerdio Manager, at the MSP level, navigate to Policy Management.

  2. Select Configuration profiles, Compliance policies, Security baselines, Conditional access, App Management, Update Rings, MAM, or Endpoint Security Policies.

  3. Locate the policy or profile you wish to work with.

  4. From the action menu, select Status.

    The Configuration Drift window displays.

  5. Optionally, for a policy or profile that has drifted, select Re-publish to publish the changes to the customer.
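
One way to reason about what counts as drift here, as an added example that is not Nerdio Manager's own code or API: the MSP source policy is resolved with each account's inherited variables before it is compared with the account's live settings, so intentional per-account differences are not reported. The setting names, account names, and JSON shapes are constructed for illustration.

```python
import json
import re

# Placeholder syntax from the page: $InheritedVars.Variable_Name
VAR_REF = re.compile(r"\$InheritedVars\.(\w+)")
MISSING = "<missing>"

def resolve(node, variables):
    """Substitute one account's inherited variables into the MSP source policy."""
    if isinstance(node, dict):
        return {k: resolve(v, variables) for k, v in node.items()}
    if isinstance(node, list):
        return [resolve(v, variables) for v in node]
    if isinstance(node, str):
        # An undefined variable is left as-is, so it shows up as drift.
        return VAR_REF.sub(lambda m: str(variables.get(m.group(1), m.group(0))), node)
    return node

def diff(expected, actual, path=""):
    """Yield (path, expected, actual) for each setting that differs."""
    if isinstance(expected, dict) and isinstance(actual, dict):
        for key in sorted(set(expected) | set(actual)):
            yield from diff(expected.get(key, MISSING), actual.get(key, MISSING), f"{path}/{key}")
    # Compare types too, so JSON true and 1 are not treated as equal.
    elif type(expected) is not type(actual) or expected != actual:
        yield (path, expected, actual)

def check_drift(source_json, account_json, variables):
    expected = resolve(json.loads(source_json), variables)
    return list(diff(expected, json.loads(account_json)))

# Constructed sample data; setting and account names are illustrative only.
SOURCE = ('{"minPasswordLength": 12, "supportEmail": "$InheritedVars.SupportEmail",'
          ' "screenLock": {"enabled": true, "timeoutMinutes": 5}}')
ACCOUNTS = {
    "contoso": ({"SupportEmail": "help@contoso.example"},
                '{"minPasswordLength": 12, "supportEmail": "help@contoso.example",'
                ' "screenLock": {"enabled": true, "timeoutMinutes": 5}}'),
    "fabrikam": ({"SupportEmail": "it@fabrikam.example"},
                 '{"minPasswordLength": 8, "supportEmail": "it@fabrikam.example",'
                 ' "screenLock": {"enabled": true, "timeoutMinutes": 5}}'),
}

def drift_report():
    return {name: check_drift(SOURCE, live, variables)
            for name, (variables, live) in ACCOUNTS.items()}
```

In this sample, the differing support addresses are not reported, while the weakened password length on the second account is.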

Rollback Policies and Profiles at the MSP Level

Once policies and profiles are assigned to customer accounts, you can roll back the version assigned to a customer account.

To roll back policies and profiles at the MSP level:

  1. In Nerdio Manager, at the MSP level, navigate to Policy Management.

  2. Select Configuration profiles, Compliance policies, Security baselines, Conditional access, App Management, Update Rings, MAM, or Endpoint Security Policies.

  3. Locate the policy or profile you wish to work with.

  4. From the action menu, select Status.

    The Configuration Drift window displays.

  5. Locate the customer account you wish to work with and select Rollback.

  6. From the drop-down list, select the new Version to assign to the customer account and then select Confirm.

Edit or Clone Policies and Profiles at the MSP Level

Once policies and profiles are created at the MSP level, they can be edited or cloned.

To edit or clone policies and profiles at the MSP level:

  1. In Nerdio Manager, at the MSP level, navigate to Policy Management.

  2. Select Configuration profiles, Compliance policies, Security baselines, Conditional access, App Management, Update Rings, MAM, or Endpoint Security Policies.

  3. Locate the policy or profile you wish to clone.

  4. From the action menu, select Edit or Clone.

  5. In the Name tab, enter the following information:

    • Name: Type the new name of the policy or profile.

    • Description: Type the new description of the policy or profile.

    • Platform: For configuration policies, type the platform.

    • Tags: From the drop-down list, select optional tags for the policy or profile. These tags are used for searching and organization.

    • Include Entra built-in roles while publishing: For conditional access policies, select this option to include built-in Entra roles when you publish.

    • Evaluate user/group assignments: Select this option to load user/group assignments on the status page.

  6. Once you have entered all the Name information, select Next.

  7. In the Settings tab, make the desired changes.

    Notes:

    • Nerdio Manager validates JSON syntax only. It does not check for valid Intune settings and values that are used in the JSON editor. Please refer to Intune documentation to validate, or use the Intune Portal to change settings using a GUI.

    • Inherited variables can be passed using the $InheritedVars.Variable_Name variable name.

  8. Once you have made all the desired changes in the Settings tab, select Next.

  9. In the Change Log tab, make the desired selection and type the change log information.

  10. Once you have made all the desired changes in the Change Log tab, select Save & close.

    The edited policy or profile is updated with your changes. The cloned policy or profile is added to the table.

Import Built-in Device Compliance Policies at the MSP Level

By default, Intune uses a built-in compliance policy that evaluates device compliance based on the following characteristics:

  • Does the user assigned to the device exist?

  • Is the device in an active state?

  • Are there any compliance policies assigned to the device?

By default, based on the last of these three checks, Intune can return a compliant state when no compliance policies are assigned to the device. You can change this behavior by editing the built-in policy. In addition to the compliance validation behavior, the built-in policy lets you specify the jailbreak detection method and the compliance status validity. The built-in policy is a tenant-level setting, so you can't scope it to a group of users or devices. Nerdio Manager allows you to manage this at scale by creating a built-in device compliance policy that you can apply to multiple customer accounts.
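
The effect of that default across several customers, as an added example that is not Nerdio Manager or Intune code: it models only the three built-in checks listed above and reports devices that are compliant solely because no compliance policy is assigned. The field names, tenant names, and device inventory are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class Device:
    name: str
    user_exists: bool
    active: bool
    assigned_policies: int

def builtin_compliance(device, unassigned_is_compliant=True):
    """Model of the three built-in checks only (assigned policies are not evaluated).

    unassigned_is_compliant=True mirrors the default behavior: a device with
    no compliance policy assigned still passes the third check.
    """
    if not device.user_exists or not device.active:
        return "noncompliant"
    if device.assigned_policies == 0:
        return "compliant" if unassigned_is_compliant else "noncompliant"
    return "compliant"

def compliant_by_default_only(tenants):
    """Return (tenant, device) pairs that pass only because nothing is assigned."""
    findings = []
    for tenant, (unassigned_is_compliant, devices) in tenants.items():
        for device in devices:
            current = builtin_compliance(device, unassigned_is_compliant)
            hardened = builtin_compliance(device, unassigned_is_compliant=False)
            if current == "compliant" and hardened == "noncompliant":
                findings.append((tenant, device.name))
    return findings

# Constructed inventory: tenant -> (tenant-level setting, devices).
TENANTS = {
    "contoso": (True, [Device("LT-001", True, True, 2),
                       Device("LT-002", True, True, 0)]),
    "fabrikam": (False, [Device("PC-101", True, True, 0)]),
    "tailspin": (True, [Device("PH-201", False, True, 0),
                        Device("PH-202", True, True, 0)]),
}

if __name__ == "__main__":
    for tenant, name in compliant_by_default_only(TENANTS):
        print(f"{tenant}: {name} is compliant only because no policy is assigned")
```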

To import a built-in device Compliance Policy at the MSP level:

  1. In Nerdio Manager, at the MSP level, navigate to Policy Management > Compliance policies.

  2. Select Add Built-in Device Compliance Policy.

  3. In the Name tab, enter the following information:

    • Name: Type the new name of the built-in device compliance policy.

    • Description: Type the new description of the policy.

    • Tags: From the drop-down list, select optional tags for the policy. These tags are used for searching and organization.

  4. Once you have entered all the Name information, select Next.

  5. In the Settings tab, make the desired changes.

  6. Once you have made all the desired changes in the Settings tab, select Next.

  7. In the Assignments tab, from the drop-down list, select the account(s) to assign this policy to.

  8. Once you have entered all the desired information on all the tabs, select Finish.

    The built-in device compliance policy is added to the table.

Bulk Actions on Policies and Profiles at the MSP Level

Nerdio Manager allows you to perform bulk actions on policies or profiles.

To perform bulk actions on policies and profiles at the MSP level:

  1. In Nerdio Manager, at the MSP level, navigate to Policy Management.

  2. Select Configuration profiles, Compliance policies, Security baselines, Conditional access, App Management, Update Rings, MAM, or Endpoint Security Policies.

  3. Select the policies or profiles you wish to perform bulk actions on.

  4. Once you have selected all the desired policies or profiles, at the bottom of the table select Select bulk action, and then select any of the relevant actions that apply to the policies or profiles.

    Note: For example, you selected 4 Configuration Profiles, with only 2 assigned to customers. The action menu displays the following:

    • Assign selected (4)

    • Re-publish selected (2)

    That is, only 2 of the profiles are assigned, so only those 2 can be re-published to the assigned customers. In addition, all 4 profiles can be assigned to customers.
