Intune Policy: MSP-level General Management
This topic discusses general Intune policy management at the MSP level.
In order to configure policies and profiles on devices, you need to assign policies and profiles to security groups and then manage Intune devices through security groups. You can view global policies and profiles at the MSP level and publish them down to accounts. In addition, Nerdio Manager allows partners to manage policies and profiles at the customer account level.
Import Policies and Profiles at the MSP Level
In addition to the built-in policies and profiles, Nerdio Manager allows you to import policies and profiles that are in the MSP's tenant. This provides the ability to create custom policies with advanced configurations. Once policies are imported at the global level, you can assign them to specific customer accounts.
To import policies and profiles at the MSP level:
In Nerdio Manager, at the MSP level, navigate to Policy Management.
Select Configuration profiles, Compliance policies, Security baselines, Conditional access, App Management, Update Rings, MAM, Autopilot Profiles, Enrollment Status Pages, or Endpoint Security Policies.
Select Import.
Enter the following information:
From the drop-down list, select whether to view policies or profiles from the MSP tenant or a Customer Account tenant.
Available Policy: Select the desired policies or profiles.
Overwrite if already exists: Select this option to re-import a policy or profile that already exists in Nerdio Manager.
Note: When this option is selected, all the existing assignments stay the same.
Tags: From the drop-down list, select optional tags for the policy or profile. These tags are used for searching and organization.
Change Log: Type the change log information.
Evaluate user/group assignments: Select this option to load user/group assignments on the status page.
Once you have entered all the desired information, select Import.
The policy or profile is added to the table.
Assign Policies and Profiles to Customers at the MSP Level
You need to sign in to the Microsoft Endpoint Manager admin center with an MSP-level Azure tenant to create global-level compliance policies, configuration profiles, or security policies. In Nerdio Manager, you can only view them.
Once policies are created at the global level, you can assign them to specific customer accounts.
To assign policies and profiles to customers at the MSP level:
In Nerdio Manager, at the MSP level, navigate to Policy Management.
Select Configuration profiles, Compliance policies, Security baselines, Conditional access, App Management, Update Rings, MAM, Autopilot Profiles, Enrollment Status Pages, or Endpoint Security Policies.
Locate the policy or profile you wish to work with.
Select Assign and then select Add assignments.
Enter the following information:
Select assignments: From the drop-down list, select the account(s) to assign this policy or profile to.
Note:
Select All to assign this policy or profile to all accounts.
If an account is grayed out, Intune may not be enabled for the account. Hover over the account name for more information.
If Intune has been disabled for an account that has a policy or profile assigned to it, you receive this message.
Add: Select this option to add the selected customer account(s) to the existing assignments.
Overwrite: Select this option to replace the existing assignments with the new selection(s).
Once you have selected all the desired accounts, select Confirm.
Note: Nerdio Manager shows the current assignments in the policy/profile list.
Remove Assigned Policies and Profiles from Customers at the MSP Level
After policies and profiles have been assigned to customers, they can be removed from the customers.
To remove assigned policies and profiles from an account at the MSP level:
In Nerdio Manager, at the MSP level, navigate to Policy Management.
Select Configuration profiles, Compliance policies, Security baselines, Conditional access, App Management, Update Rings, MAM, Autopilot Profiles, Enrollment Status Pages, or Endpoint Security Policies.
Locate the policy or profile you wish to work with.
Select Assign.
Locate the account you wish to remove and select Remove.
Directly Assign Policies to Customer Devices, Users, and Group Templates at the MSP Level
After policies have been assigned to customers, they can be directly assigned to all users and/or all devices in that customer. Alternatively, you may directly assign policies to group templates.
Due to Microsoft limitations, the Filters feature only applies to the following policies and profiles. See List of platforms, policies, and app types supported by filters in Microsoft Intune for details.
Security baselines
Configuration profiles
Update Rings
Enrollment Status Pages
Endpoint Security Policies
Due to Microsoft limitations, the Group Templates feature only applies to the following policies and profiles. See the Microsoft Support Matrix for details.
Compliance policies
Security baselines
Configuration profiles
Update Rings
Autopilot Profiles (only All Devices)
Enrollment Status Pages
Endpoint Security Policies
To directly assign policies to all users and/or all devices or group templates in an account at the MSP level:
In Nerdio Manager, at the MSP level, navigate to Policy Management.
Select Compliance policies, Configuration profiles, Security baselines, Update Rings, Autopilot Profiles, Enrollment Status Pages, or Endpoint Security Policies.
Locate the policy you wish to work with.
Select Assign.
In the Direct Assign drop-down list, select All Devices and/or All Users. Alternatively, select a Group Template.
In the Device Filter column:
Toggle Include and Exclude, as desired.
From the drop-down list, select the devices to include or exclude.
Select Apply and close.
Directly Assign Policy Baselines to Customer Devices, Users, or Group Templates at the MSP Level
After policy baselines have been assigned to customers, they can be directly assigned to all users and/or all devices in that customer. Alternatively, you may directly assign policies to group templates.
To directly assign policy baselines to all users and/or all devices or Group Templates in an account at the MSP level:
In Nerdio Manager, at the MSP level, navigate to Policy Management.
Select Policy baselines.
Locate the policy baseline you wish to work with.
Select Edit policies.
Locate the policy you wish to work with.
Select Edit.
In the Direct Assign drop-down list, select All Devices and/or All Users. Alternatively, select a Group Template.
In Device Filter:
Toggle Include and Exclude, as desired.
From the drop-down list, select the devices to include or exclude.
Select Save.
Select Apply and Close.
Synchronize Assigned MSP-level Policies and Profiles with Customers
Nerdio Manager allows you to easily keep MSP-level policies and profiles that have been assigned to customers in sync at the customer account level.
To synchronize assigned MSP-level policies and profiles with a customer account:
In Nerdio Manager, at the MSP level, navigate to Policy Management.
Select Configuration profiles, Compliance policies, Security baselines, Conditional access, App Management, Update Rings, MAM, Autopilot Profiles, Enrollment Status Pages, or Endpoint Security Policies.
Locate the policy or profile you wish to work with.
Select Assign.
Locate the account you wish to work with.
Select one of the following options:
Once: Select this option to perform the sync one time.
Keep in sync: Select this option to always keep the customer's policy or profile in sync with the MSP-level policy or profile.
Select Apply changes to apply the change and perform the sync.
Re-publish Policies and Profiles at the MSP Level
Once policies and profiles are created at the MSP level and assigned to customer accounts, they can be changed at the MSP level and re-published to the assigned customer accounts. This pushes the changes made to the MSP-level policies down to those customer accounts.
Note: This option is only available for policies and profiles that are assigned to customer(s).
To re-publish policies and profiles to customers at the MSP level:
In Nerdio Manager, at the MSP level, navigate to Policy Management.
Select Configuration profiles, Compliance policies, Security baselines, Conditional access, App Management, Update Rings, MAM, Autopilot Profiles, Enrollment Status Pages, or Endpoint Security Policies.
Locate the policy or profile you wish to re-publish.
From the action menu, select Re-publish.
On the confirmation pop-up window, review the information and select Confirm.
Note: If Intune has been disabled for an account that has a policy or profile assigned to it, you receive this message.