Intune policy: MSP level general management

This topic discusses general Intune policy management at the MSP level.

In order to configure policies and profiles on devices, you need to assign policies and profiles to security groups and then manage Intune devices through security groups. You can view global policies and profiles at the MSP level and publish them down to accounts. In addition, Nerdio Manager allows partners to manage policies and profiles at the customer account level.

Import policies and profiles at the MSP level

In addition to the built-in policies and profiles, Nerdio Manager allows you to import policies and profiles that are in the MSP's tenant. This provides the ability to create custom policies with advanced configurations. Once policies are imported at the global level, you can assign them to specific customer accounts.

To import policies and profiles at the MSP level:

  1. In Nerdio Manager, at the MSP level, expand Policy Management.

  2. Select one of the following policy types to work with:

    • Configuration profiles

    • Compliance policies

    • Security baselines

    • Conditional access

    • Update Rings

    • MAM Policies

    • Autopilot Profiles

    • Enrollment Status Pages

    • Defender O365 Policies

    • CIS Policy baselines

    • Endpoint Security Policies.

  3. Select Import.

  4. Enter the following information:

    • From the drop-down list, select whether to view policies or profiles from the MSP tenant or a customer account tenant.

      • Optionally, you can search for a policy by entering the policy name, along with a date range.

    • All policy types: From the drop-down list, select the type of policy to import.

      • Optionally, select Show Already Imported to show those policies that have previously been imported.

    • Available Policy: From the list of policies displayed, select the desired policies or profiles, and then select Select.

    • Overwrite if already exists: Select this option to re-import a policy or profile that already exists in Nerdio Manager.

      Note: When this option is selected, all the existing assignments stay the same.

    • Selected policies: The policies you have selected are displayed in this box. If required, you can remove them by selecting the X next to the policy.

    • Tags: From the drop-down list, select optional tags for the policy or profile. These tags are used for searching and organization.

    • Change Log: Type the change log information.

      Note: Some policy and profile types may not have all of the following options.

    • Include Entra built-in roles while publishing: Select this option to include Entra built-in roles while publishing.

    • Include enable policy state while publishing: Select this option to include the enable policy state while publishing.

    • Manage locations as variables: Select this option to manage the locations as variables.

    • Allow overwriting existing policies: Select this option to allow overwriting existing policies.

    • Evaluate user/group assignments: Select this option to load user/group assignments on the status page.

  5. Once you have entered all the desired information, select Import.

The policy or profile is added to the table.

Assign policies and profiles to customers at the MSP level

To create global-level compliance policies, configuration profiles, or security policies, sign in to the Microsoft Endpoint Manager admin center with an MSP-level Azure tenant. In Nerdio Manager, you can only view them.

Once policies are created at the global level, you can assign them to specific customer accounts.

Notes:

  • For Conditional Access policies, tenant-specific objects such as locations, applications, and authentication context are detected and replaced with customer-specific values when publishing.

  • MAM policies based on tenant-specific application IDs are supported.

To assign policies and profiles to customers at the MSP level:

  1. In Nerdio Manager, at the MSP level, navigate to Policy Management.

  2. Select one of the following policy types to work with:

    • Configuration profiles

    • Compliance policies

    • Security baselines

    • Conditional access

    • App Management

    • Update Rings

    • MAM Policies

    • Autopilot Profiles

    • Enrollment Status Pages

    • Defender O365 Policies

    • CIS Policy baselines

    • Endpoint Security Policies.

  3. Locate the policy or profile you wish to work with.

  4. Select Assign, and then select Add assignments.

  5. Enter the following information:

    • Select assignments: From the drop-down list, select the account(s) to assign this policy or profile to.

      Note:

      • Select All to assign this policy or profile to all accounts.

      • If an account is grayed out, Intune may not be enabled for the account. Hover over the account name for more information.

      • If Intune has been disabled for an account that has a policy or profile assigned to it, you receive this message.

    • Add: Select this option to add the selected customer account(s) to the existing assignments.

    • Overwrite: Select this option to replace the existing assignments with the new selection(s).

  6. Once you have selected all the desired account(s), select Confirm.

  7. On the Assignments page, enter the following information:

    • Sync Type: Select the sync type.

      Note: By default the sync type is set to Manual. When applying the assignment, the policy is published from the global level to the assigned customer accounts. If the assignment is set to Automatic, the policy is regularly republished to all assigned customer accounts. Any changes to the source policy on the global level are applied to assigned customer accounts. If the policy is assigned to All customers, any newly added customer accounts also get the policy published automatically.

    • Version: From the drop-down list, select the version.

  8. For Conditional Access policies only, from the drop-down list, select the desired State.

  9. Once you have entered all the desired information, select Apply and close.

    The accounts are assigned to the policy.

Remove assigned policies and profiles from customers at the MSP level

After policies and profiles have been assigned to customers, they can be removed from the customers.

To remove assigned policies and profiles from an account at the MSP level:

  1. In Nerdio Manager, at the MSP level, navigate to Policy Management.

  2. Select one of the following policy types to work with:

    • Compliance policies

    • Configuration profiles

    • Security baselines

    • Conditional access

    • App Management

    • Update Rings

    • MAM Policies

    • Autopilot Profiles

    • Enrollment Status Pages

    • Defender O365 Policies

    • CIS Policy baselines

    • Endpoint Security Policies.

  3. Locate the policy or profile you wish to work with.

  4. Select Assign.

  5. Locate the account you wish to remove and select Remove.

Directly assign policies to customer devices, users, and group templates at the MSP level

After policies have been assigned to customers, they can be directly assigned to all users and/or all devices in that customer. Alternatively, you may directly assign policies to group templates.

Due to Microsoft limitations:

  • The Filters feature applies only to the following policies and profiles. See List of platforms, policies, and app types supported by filters in Microsoft Intune for details.

    • Security baselines

    • Configuration profiles

    • Update rings

    • Enrollment Status pages

    • Endpoint security policies

    • Conditional Access policies

    • Defender for Office365 policies

      Note: Direct assign for Defender for O365 policies accepts only group templates based on M365 groups. Regular security groups do not work.

  • The Group Templates feature applies only to the following policies and profiles. See the Microsoft Support Matrix for details.

    • Compliance policies

    • Security baselines

    • Configuration profiles

    • Update rings (Expedite, Windows driver update, Windows feature update, Windows quality update, and Windows updates rings policies including Hotpatches).

    • Autopilot Profiles (only All Devices)

    • Enrollment Status pages

    • Endpoint security policies

To directly assign policies to users, devices, or group templates in an account at the MSP level:

  1. In Nerdio Manager, at the MSP level, navigate to Policy Management.

  2. Select Compliance policies, Configuration profiles, Security baselines, Update Rings, Autopilot Profiles, Enrollment Status Pages, or Endpoint Security Policies.

  3. Locate the policy you wish to work with.

  4. Select Assign.

  5. Select Add assignments.

  6. Enter the following information:

    • Select assignments: From the drop-down list, select the account(s) to assign this policy or profile to.

    • Add: Select this option to add the selected customer account(s) to the existing assignments.

    • Overwrite: Select this option to replace the existing assignments with the new selection(s).

  7. Once you have selected all the desired account(s), select Confirm.

  8. Select the pencil icon to configure the direct assignments.

  9. In the Configure Direct Assignment dialog box, configure the following information:

    • Included Groups: Select the Add All Users, Add All Devices, or Add Group button, and then configure each one as follows:

      • Add All Users: From the drop-down list, select the filter required, and then select the toggle to Exclude or Include.

      • Add All Devices: From the drop-down list, select the filter required, and then select the toggle to Exclude or Include.

      • Add Group: From the drop-down lists, select the group template, and the filter required, and then select the toggle to Exclude or Include.

        Note: You can select Add All Users and Add All Devices together. To remove a group, select Remove.

    • Excluded Groups: Configure the excluded groups as follows:

      • Select the Add Group button to select groups to be excluded.

      • From the drop-down list, select the group template.

  10. Select OK.

  11. Select Apply and close.

Directly assign policy baselines to customer devices, users, or group templates at the MSP level

After policy baselines have been assigned to customers, they can be directly assigned to all users and/or all devices in that customer. Alternatively, you may directly assign policies to group templates.

To directly assign policy baselines to all users and/or all devices or Group Templates in an account at the MSP level:

  1. In Nerdio Manager, at the MSP level, navigate to Policy Management.

  2. Select Policy baselines.

  3. Locate the policy baseline you wish to work with.

  4. Select Edit policies.

  5. Locate the policy you wish to work with.

  6. Select Edit.

  7. Enter the following information:

    • Sync mode: Select the sync mode.

    • Version: From the drop-down list, select the version.

    • In the Configure Direct Assignment dialog box, configure the following information:

      • Included Groups: Select the Add All Users or Add Group button, and then configure each one as follows:

        • Add All Users: From the drop-down list, select the filter required, and then select the toggle to Exclude or Include.

        • Add Group: From the drop-down lists, select the group template, and the filter required, and then select the toggle to Exclude or Include.

      • Excluded Groups: Configure the excluded groups as follows:

        • Select the Add Group button to select groups to be excluded.

        • From the drop-down list, select the group template.

      • State: From the drop-down list, select how to publish this policy.

      • Evaluate user/group assignment: Select this option to load assignments on the status page.

  8. Select Save.

  9. Select Apply and Close.

Republish policies and profiles at the MSP level

Once policies and profiles are created at the MSP level and assigned to customer accounts, you can change them at the MSP level and republish to the assigned customer accounts. This enables you to publish changes from the policies at the MSP level to customer accounts.

Note: This option is available only for policies and profiles that are assigned to customer(s).

To republish policies and profiles to customers at the MSP level:

  1. In Nerdio Manager, at the MSP level, navigate to Policy Management.

  2. Select one of the following policy types to work with:

    • Configuration profiles

    • Compliance policies

    • Security baselines

    • Conditional access

    • App Management

    • Update Rings

    • MAM Policies

    • Autopilot Profiles

    • Enrollment Status Pages

    • Defender O365 Policies

    • CIS Policy baselines

    • Endpoint Security Policies.

  3. Locate the policy or profile you wish to re-publish.

  4. From the action menu, select Re-publish.

  5. In the confirmation dialog box, review the information and select Confirm.

    Note: If Intune has been disabled for an account that has a policy or profile assigned to it, you receive this message.

Publish edited and updated policies and profiles at the MSP level

When making policy changes, Nerdio Manager allows you to select whether or not to republish manual assignments, or to immediately publish automatic assignments.

To publish updated policies and profiles:

  1. In Nerdio Manager, at the MSP level, navigate to Policy Management.

  2. Select the policy you want to work with, and make the required edits and updates.

  3. Depending on the assignment types included in the policy, select Re-publish for manual sync type assignments or Publish now for automatic sync type assignments.

  4. Select Confirm.

The selected policies are now published.

Export a list of policies as a CSV file at the MSP level

Nerdio Manager allows you to export a list of policies as a CSV file.

To export a list of policies as a CSV file:

  1. At the MSP level, navigate to Policy Management.

  2. Select one of the following policy types to work with:

    • Configuration profiles

    • Compliance policies

    • Security baselines

    • Conditional access

    • App Management

    • Update Rings

    • MAM Policies

    • Autopilot Profiles

    • Enrollment Status Pages

    • Defender O365 Policies

    • CIS Policy baselines

    • Endpoint Security Policies.

  3. Select the download icon to download the selected policy as a CSV file.

  4. The file is downloaded to the downloads folder in your browser.
