Intune Policy: MSP-level Advanced Management
This topic discusses advanced Intune policy management at the MSP level.
Check for Configuration Drift of Policies and Profiles at the MSP Level
Note: This feature is in Private Preview.
Once policies and profiles are created at the MSP level and assigned to customer accounts, you have the ability to check for configuration drift between the current state of Intune policies or profiles settings on the customer account level and the source policy on the MSP level.
Note: This option is only available for policies and profiles that are assigned to customer(s). In addition, this feature ignores the account-level Inherited variables because you have intentionally created drift by defining different variables for each account.
To check for configuration drift of policies and profiles at the MSP level:
In Nerdio Manager, at the MSP level, navigate to Policy Management.
Select Configuration profiles, Compliance policies, Security baselines, Conditional access, App Management, Update Rings, MAM, Autopilot Profiles, Enrollment Status Pages, or Endpoint Security Policies.
Locate the policy or profile you wish to work with.
From the action menu, select Status.
The Configuration Drift window displays.
Optionally, for a policy or profile that has drifted, from the action menu, select Fix drift to publish the changes to the customer.
Optionally, for a policy or profile that has drifted, from the action menu, select Rollback to roll back to a specific version that is assigned to the customer.
From the drop-down menu, select the specific Version to roll back to for the customer.
Once you have selected the desired version, select Confirm.
Optionally, for a policy or profile that has drifted, from the action menu, select Accept drift to accept the drift.
Enter the following information:
Drift acceptance expires after: From the drop-down list, select the drift expiration. Alternatively, type a date.
Description: Optionally, type a description about why this drift was accepted.
Allow processing: Select this option to have the next republishing attempt to sync the policy.
Once you have entered the desired information, select Accept.
Hover over Accepted drift to see its details.
Select the remove icon next to Accepted drift to remove the acceptance.
Edit or Clone Policies and Profiles at the MSP Level
Once policies and profiles are created at the MSP level, they can be edited or cloned.
To edit or clone policies and profiles to customers at the MSP level:
In Nerdio Manager, at the MSP level, navigate to Policy Management.
Select Configuration profiles, Compliance policies, Security baselines, Conditional access, App Management, Update Rings, MAM, Autopilot Profiles, Enrollment Status Pages, or Endpoint Security Policies.
Locate the policy or profile you wish to edit or clone.
From the action menu, select Edit or Clone.
In the Name tab, enter the following information:
Name: Type the new name of the policy or profile.
Description: Type the new description of the policy or profile.
Platform: For configuration policies, type the platform.
Tags: From the drop-down list, select optional tags for the policy or profile. These tags are used for searching and organization.
Include Entra built-in roles while publishing: For conditional access policies, select this option to include built-in Entra roles when you publish.
Include enable policy state while publishing: For conditional access policies, select this option to include the enable policy state when you publish.
Evaluate user/group assignments: Select this option to load user/group assignments on the status page.
Once you have entered all the Name information, select Next.
In the Settings tab, make the desired changes.
Notes:
Nerdio Manager validates JSON syntax only. It does not check for valid Intune settings and values that are used in the JSON editor. Please refer to Intune documentation to validate, or use the Intune Portal to change settings using a GUI.
Inherited variables can be passed using the $InheritedVars.Variable_Name variable name.
Once you have made all the desired changes in the Settings tab, select Next.
In the Change Log tab, make the desired selection and type the change log information.
Once you have made all the desired changes in the Change Log tab, select Save & close.
The edited policy or profile is updated with your changes. The cloned policy or profile is added to the table.
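The drift check described earlier in this topic and the notes on the Settings tab (syntax-only JSON validation, and $InheritedVars.Variable_Name placeholders) can be illustrated with a small worked example. The following Python is an added example, not Nerdio Manager's own code; the policy JSON, the account names, the Inherited variable names (PortalUrl, HelpdeskEmail) and the per-tenant snapshots are all constructed. It shows why the drift check has to ignore Inherited-variable paths (they differ per account by design), that syntax validation accepts a setting value Intune might reject, and what a republish would resolve the placeholders to.

```python
import json
import re
from typing import Any

# Constructed sample of an MSP-level source profile. Values of the form
# "$InheritedVars.Name" are placeholders resolved per customer account.
SOURCE_POLICY_JSON = """{
  "displayName": "Baseline - Device Restrictions",
  "settings": {
    "passwordMinimumLength": 12,
    "screenLockTimeoutSeconds": 300,
    "homePageUrl": "$InheritedVars.PortalUrl",
    "supportContact": "$InheritedVars.HelpdeskEmail"
  }
}"""

# Constructed per-account Inherited variables (assumed variable names).
INHERITED_VARS = {
    "contoso": {"PortalUrl": "https://portal.contoso.example",
                "HelpdeskEmail": "help@contoso.example"},
    "fabrikam": {"PortalUrl": "https://portal.fabrikam.example",
                 "HelpdeskEmail": "it@fabrikam.example"},
}

# Constructed snapshots of what each customer tenant currently holds. Contoso
# matches what was published; Fabrikam's password length was lowered by hand.
CURRENT_STATE = {
    "contoso": {"displayName": "Baseline - Device Restrictions",
                "settings": {"passwordMinimumLength": 12,
                             "screenLockTimeoutSeconds": 300,
                             "homePageUrl": "https://portal.contoso.example",
                             "supportContact": "help@contoso.example"}},
    "fabrikam": {"displayName": "Baseline - Device Restrictions",
                 "settings": {"passwordMinimumLength": 6,
                              "screenLockTimeoutSeconds": 300,
                              "homePageUrl": "https://portal.fabrikam.example",
                              "supportContact": "it@fabrikam.example"}},
}

VAR_PATTERN = re.compile(r"^\$InheritedVars\.(\w+)$")


def flatten(node: Any, path: str = "") -> dict[str, Any]:
    """Map nested JSON to {"a.b.c": leaf} so settings can be compared by path."""
    out: dict[str, Any] = {}
    if isinstance(node, dict):
        for key, value in node.items():
            out.update(flatten(value, f"{path}.{key}" if path else key))
    elif isinstance(node, list):
        for i, value in enumerate(node):
            out.update(flatten(value, f"{path}[{i}]"))
    else:
        out[path] = node
    return out


def load_source(text: str) -> dict[str, Any]:
    """Syntax-only validation, as the editor does: malformed JSON is rejected,
    but any setting name or value is accepted whether or not Intune allows it."""
    return json.loads(text)


def placeholder_paths(source: dict[str, Any]) -> set[str]:
    """Paths whose source value is an Inherited-variable reference."""
    return {p for p, v in flatten(source).items()
            if isinstance(v, str) and VAR_PATTERN.match(v)}


def check_drift(account: str) -> dict[str, tuple[Any, Any]]:
    """Compare the MSP source with the account's current state.

    Returns {path: (source_value, current_value)} for each differing leaf,
    skipping placeholder paths: those differ on every account by design, so
    counting them would flag drift everywhere and hide the real changes.
    """
    source = load_source(SOURCE_POLICY_JSON)
    ignored = placeholder_paths(source)
    src, cur = flatten(source), flatten(CURRENT_STATE[account])
    return {p: (src.get(p), cur.get(p))
            for p in sorted(src.keys() | cur.keys())
            if p not in ignored and src.get(p) != cur.get(p)}


def render_for_account(account: str) -> dict[str, Any]:
    """What a (re)publish pushes: the source with placeholders resolved from the
    account's Inherited variables. An undefined variable fails loudly instead
    of shipping the literal placeholder string to the tenant."""
    variables = INHERITED_VARS[account]

    def resolve(node: Any) -> Any:
        if isinstance(node, dict):
            return {k: resolve(v) for k, v in node.items()}
        if isinstance(node, list):
            return [resolve(v) for v in node]
        if isinstance(node, str) and (m := VAR_PATTERN.match(node)):
            if m.group(1) not in variables:
                raise KeyError(f"{account}: Inherited variable {m.group(1)!r} is not defined")
            return variables[m.group(1)]
        return node

    return resolve(load_source(SOURCE_POLICY_JSON))


if __name__ == "__main__":
    for acct in CURRENT_STATE:
        drift = check_drift(acct)
        print(acct, "drifted:" if drift else "in sync", drift)
    print(json.dumps(render_for_account("fabrikam"), indent=2))
```

Running it reports Contoso as in sync and Fabrikam as drifted only on settings.passwordMinimumLength (12 in the source, 6 in the tenant), which is the change a Fix drift republish or a Rollback would undo; the two placeholder paths are never reported. Note that load_source would just as happily accept "passwordMinimumLength": -1, which is why the page points you at the Intune documentation or portal to validate the values themselves.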
Import Policies and Profiles at the MSP Level
Policies and profiles can be imported at the MSP level.
To import policies and profiles to customers at the MSP level:
In Nerdio Manager, at the MSP level, navigate to Policy Management.
Select Configuration profiles, Compliance policies, Security baselines, Conditional access, App Management, Update Rings, MAM, Autopilot Profiles, Enrollment Status Pages, or Endpoint Security Policies.
Select Import.
At the top left, from the drop-down list, select the source, which is either MSP or a specific tenant.
From the list of available policies or profiles, select the items you wish to import.
Enter the following information:
Tags: From the drop-down list, select optional tags for the policy or profile. These tags are used for searching and organization.
Changelog: Type the change log information.
Include Entra built-in roles while publishing: For conditional access policies, select this option to include built-in Entra roles when you publish.
Include enable policy state while publishing: For conditional access policies, select this option to include the enable policy state when you publish.
Evaluate user/group assignments: Select this option to load user/group assignments on the status page.
Once you have entered all the desired information, select Import.
Manual Source Tenant Check at the MSP Level
You may manually check all policies in the source tenant for changes that have not been imported yet. This check runs automatically every 4 hours, but it can also be initiated manually.
To perform a source tenant check at the MSP level:
In Nerdio Manager, at the MSP level, navigate to Policy Management.
Select Configuration profiles, Compliance policies, Security baselines, Conditional access, App Management, Update Rings, MAM, Autopilot Profiles, Enrollment Status Pages, or Endpoint Security Policies.
From the Import action menu, select Source tenant check.
On the confirmation pop-up, select OK.
Import Built-in Device Compliance Policies at the MSP Level
By default, Intune uses a built-in compliance policy that validates device compliance based on the following characteristics:
Does the user assigned to the device exist?
Is the device in an active state?
Are there any compliance policies assigned to the device?
By default, Intune can return a compliant state if no compliance policies are assigned to the device, based on the last of these 3 checks. However, you can change this behavior by changing the built-in policy. Besides the compliance validation behavior, the built-in policy also allows you to specify the jailbreak detection method and the compliance status validity period. You can't scope the built-in policy to a group of users or devices; it's a tenant-level setting. Nerdio Manager allows you to manage this at scale by creating a built-in device compliance policy that you can apply to multiple customer accounts.
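To make the effect of the third check concrete, here is an added Python example (not Nerdio's or Microsoft's code) that applies the three built-in checks to a constructed fleet under both behaviors: the default, where a device with no compliance policy assigned is reported compliant, and the changed setting, where it is not. The device records and names are constructed; the function returns the built-in policy's verdict only, since any assigned compliance policies are evaluated separately. The impact_of_hardening helper lists the devices whose verdict flips, which is the set to review before publishing the changed built-in policy to a customer, because Conditional Access rules that require a compliant device will start blocking them.

```python
from dataclasses import dataclass


@dataclass
class Device:
    name: str
    has_assigned_user: bool
    is_active: bool
    assigned_policy_count: int


# Constructed fleet for the demonstration.
FLEET = [
    Device("LAP-001", has_assigned_user=True, is_active=True, assigned_policy_count=2),
    Device("LAP-002", has_assigned_user=True, is_active=True, assigned_policy_count=0),
    Device("LAP-003", has_assigned_user=False, is_active=True, assigned_policy_count=0),
    Device("LAP-004", has_assigned_user=True, is_active=False, assigned_policy_count=1),
]


def builtin_compliance(device: Device, no_policy_is_compliant: bool = True) -> tuple[str, str]:
    """Apply the built-in checks in order and return (verdict, reason).

    no_policy_is_compliant=True is the default behavior described above;
    False models the built-in policy after the setting has been changed.
    """
    if not device.has_assigned_user:
        return "notCompliant", "no user assigned to the device"
    if not device.is_active:
        return "notCompliant", "device is not in an active state"
    if device.assigned_policy_count == 0:
        verdict = "compliant" if no_policy_is_compliant else "notCompliant"
        return verdict, "no compliance policy assigned"
    # Built-in checks pass; the assigned policies' own results decide the rest.
    return "compliant", "built-in checks passed"


def impact_of_hardening(devices: list[Device]) -> list[str]:
    """Names of devices whose built-in verdict changes when 'no policy assigned'
    stops counting as compliant: the list to review before publishing."""
    return [d.name for d in devices
            if builtin_compliance(d, True)[0] != builtin_compliance(d, False)[0]]


if __name__ == "__main__":
    for d in FLEET:
        print(d.name, builtin_compliance(d, True), builtin_compliance(d, False))
    print("would become non-compliant:", impact_of_hardening(FLEET))
```

Only LAP-002 flips: it has a user and is active but has no compliance policy assigned, so the default reports it compliant while the hardened built-in policy does not. LAP-003 and LAP-004 fail an earlier check under either setting, and LAP-001 passes the built-in checks and is then governed by its two assigned policies.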
To import a built-in device Compliance Policy at the MSP level:
In Nerdio Manager, at the MSP level, navigate to Policy Management > Compliance policies.
Select Add Built-in Device Compliance Policy.
In the Name tab, enter the following information:
Name: Type the new name of the built-in device compliance policy.
Description: Type the new description of the policy.
Tags: From the drop-down list, select optional tags for the policy. These tags are used for searching and organization.
Once you have entered all the Name information, select Next.
In the Settings tab, make the desired changes.
Once you have made all the desired changes in the Settings tab, select Next.
In the Assignments tab, from the drop-down list, select the account(s) to assign this policy to.
Once you have entered all the desired information on all the tabs, select Finish.
The built-in device compliance policy is added to the table.
Bulk Actions on Policies and Profiles at the MSP Level
Nerdio Manager allows you to perform bulk actions on policies or profiles.
To perform bulk actions on policies and profiles at the MSP level:
In Nerdio Manager, at the MSP level, navigate to Policy Management.
Select Configuration profiles, Compliance policies, Security baselines, Conditional access, App Management, Update Rings, MAM, Autopilot Profiles, Enrollment Status Pages, or Endpoint Security Policies.
Select the policies or profiles you wish to perform bulk actions on.
Once you have selected all the desired policies or profiles, at the bottom of the table select Select bulk action, and then select any of the relevant actions that apply to the policies or profiles.
Note: For example, suppose you selected 4 Configuration Profiles, of which only 2 are assigned to customers. The action menu displays the following:
Assign selected (4)
Re-publish selected (2)
That is, only 2 of the profiles are assigned, so only those 2 can be re-published to their assigned customers, whereas all 4 profiles can be assigned to customers.