
Use policies to manage computers and mobile devices with Microsoft Intune

Updated: November 21, 2014

Applies To: Microsoft Intune

Microsoft Intune Policies are groups of settings that control features on computers and mobile devices like software updates, Endpoint Protection, Windows Firewall settings, and the end-user experience in the Microsoft Intune Center. You create policies using templates that contain recommended or customized settings, and then deploy them to device or user groups.

In the Policy workspace, a status summary and alerts identify issues that require your attention. Additionally, a status summary appears on the System Overview page.

When a setting is configured in two policies that are both deployed to the same device, the policy settings applied are determined as follows:

  • If a device is a member of two groups, each with different policies applied, the policy associated with the deepest group in the group tree structure is applied. You can view the device group tree structure in the Groups workspace.

  • If both policies are deployed to the same group, or if both groups are at the same depth in the group tree structure, the setting from the policy with the most recent Last Modified Time wins.
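The precedence rule above, modelled as an added example (not Microsoft's code and not an Intune API). The group names, policy names, setting keys and dates are constructed, and the device's group set is assumed to list every group it belongs to.

```python
from datetime import datetime

# Constructed group tree (child -> parent; None marks the root).
GROUP_PARENT = {
    "All Computers": None,
    "Finance": "All Computers",
    "Finance Laptops": "Finance",
    "Kiosks": "All Computers",
}

# Constructed policies: name -> (Last Modified Time, settings, target groups).
POLICIES = {
    "Firewall-Baseline": (datetime(2014, 10, 1),
                          {"firewall": "on", "remote_assistance": "allow"},
                          ["All Computers"]),
    "Firewall-Finance": (datetime(2014, 9, 15),
                         {"remote_assistance": "block"}, ["Finance Laptops"]),
    "Firewall-Kiosk-A": (datetime(2014, 11, 1),
                         {"remote_assistance": "block"}, ["Kiosks"]),
    "Firewall-Kiosk-B": (datetime(2014, 11, 20),
                         {"remote_assistance": "allow"}, ["Kiosks"]),
}


def depth(group):
    """Number of ancestors between a group and the root of the tree."""
    levels = 0
    while GROUP_PARENT[group] is not None:
        group = GROUP_PARENT[group]
        levels += 1
    return levels


def effective_settings(device_groups):
    """Return {setting: (value, winning policy)} for one device."""
    winners = {}
    for name, (modified, settings, targets) in POLICIES.items():
        # Deepest group through which this policy reaches the device.
        depths = [depth(g) for g in targets if g in device_groups]
        if not depths:
            continue  # policy is not deployed to any of the device's groups
        rank = (max(depths), modified)  # depth first, then Last Modified Time
        for key, value in settings.items():
            # An exact tie on both keeps the first policy seen; the page
            # does not say how such a tie is broken.
            if key not in winners or rank > winners[key][0]:
                winners[key] = (rank, value, name)
    return {key: (value, name) for key, (_, value, name) in winners.items()}
```

For a device in Finance Laptops, the older policy on the deeper group overrides the newer baseline, which is the case to check when a tightened baseline does not appear to take effect.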

The following policies are available to manage computers and mobile devices. You can create multiple policies that you deploy to different groups of managed devices.

 

Policy template When to use it

Android Configuration Policy

Lets you specify apps that users can or cannot use on Android devices and report when noncompliant apps are installed or used. Additionally, it configures kiosk mode, where you can lock devices to allow only certain features to work; for example, allow the device to run only one app, or disable the volume buttons.

For more information, see Manage devices using configuration policies with Microsoft Intune.

Email Profile for Samsung KNOX Standard (4.0 and later)

Email profiles help you create, deploy, and monitor Exchange ActiveSync email settings on managed devices. This lets users access corporate email on their personal devices without any required setup on their part.

For more information, see Enable access to corporate email using email profiles with Microsoft Intune.

SCEP Certificate Profile (Android 4 and later)

Lets you configure a Simple Certificate Enrollment Protocol (SCEP) certificate, which can be used with a trusted mobile device certificate to authenticate mobile devices so that they can access network resources such as those configured by Wi-Fi and VPN profiles.

For more information, see Enable access to company resources using certificate profiles and multifactor authentication with Microsoft Intune.

Trusted Certificate Profile (Android 4 and later)

Lets you configure a trusted mobile device certificate, which can be used to authenticate mobile devices so that they can access network resources such as those configured by Wi-Fi and VPN profiles.

For more information, see Enable access to company resources using certificate profiles and multifactor authentication with Microsoft Intune.

VPN Profile (Android 4 and later)

Use VPN profiles to configure and deploy settings that give users secure access to your company network from their mobile device. By deploying these settings, you minimize the end-user effort required to connect to their work.

For more information, see Help users connect to their work using VPN profiles with Microsoft Intune.

Wi-Fi Profile (Android 4 and later)

Use Wi-Fi profiles to configure and deploy wireless network settings to users in your organization. By deploying these settings, you minimize the end-user effort required to connect to the wireless network.

For more information, see Help users connect to company networks using Wi-Fi profiles with Microsoft Intune.

 

Policy template When to use it

Email Profile (iOS 5 and later)

Email profiles help you create, deploy, and monitor Exchange ActiveSync email settings on managed devices. This lets users access corporate email on their personal devices without any required setup on their part.

For more information, see Enable access to corporate email using email profiles with Microsoft Intune.

iOS Configuration Policy

Lets you specify apps that users can or cannot use on iOS devices and report when noncompliant apps are installed or used. Additionally, it configures kiosk mode, where you can lock devices to allow only certain features to work; for example, allow the device to run only one app, or disable the volume buttons.

For more information, see Manage devices using configuration policies with Microsoft Intune.

SCEP Certificate Profile (iOS 6 and later)

Lets you configure a Simple Certificate Enrollment Protocol (SCEP) certificate, which can be used with a trusted mobile device certificate to authenticate mobile devices so that they can access network resources such as those configured by Wi-Fi and VPN profiles.

For more information, see Enable access to company resources using certificate profiles and multifactor authentication with Microsoft Intune.

Trusted Certificate Profile (iOS 5 and later)

Lets you configure a trusted mobile device certificate, which can be used to authenticate mobile devices so that they can access network resources such as those configured by Wi-Fi and VPN profiles.

For more information, see Enable access to company resources using certificate profiles and multifactor authentication with Microsoft Intune.

VPN Profile (iOS 6 and later)

Use VPN profiles to configure and deploy settings that give users secure access to your company network from their mobile device. By deploying these settings, you minimize the end-user effort required to connect to their work.

For more information, see Help users connect to their work using VPN profiles with Microsoft Intune.

Wi-Fi Profile (iOS 5 and later)

Use Wi-Fi profiles to configure and deploy wireless network settings to users in your organization. By deploying these settings, you minimize the end-user effort required to connect to the wireless network.

For more information, see Help users connect to company networks using Wi-Fi profiles with Microsoft Intune.

 

Policy template When to use it

Email Profile (Windows Phone 8 and later)

Email profiles help you create, deploy, and monitor Exchange ActiveSync email settings on managed devices. This lets users access corporate email on their personal devices without any required setup on their part.

For more information, see Enable access to corporate email using email profiles with Microsoft Intune.

SCEP Certificate Profile (Windows 8.1 and later) (for enrolled devices only)

Lets you configure a Simple Certificate Enrollment Protocol (SCEP) certificate, which can be used with a trusted mobile device certificate to authenticate mobile devices so that they can access network resources such as those configured by Wi-Fi and VPN profiles.

For more information, see Enable access to company resources using certificate profiles and multifactor authentication with Microsoft Intune.

SCEP Certificate Profile (Windows Phone 8.1 and later)

Lets you configure a Simple Certificate Enrollment Protocol (SCEP) certificate, which can be used with a trusted mobile device certificate to authenticate mobile devices so that they can access network resources such as those configured by Wi-Fi and VPN profiles.

For more information, see Enable access to company resources using certificate profiles and multifactor authentication with Microsoft Intune.

Trusted Certificate Profile (Windows 8.1 and later) (for enrolled devices only)

Lets you configure a trusted mobile device certificate, which can be used to authenticate mobile devices so that they can access network resources such as those configured by Wi-Fi and VPN profiles.

For more information, see Enable access to company resources using certificate profiles and multifactor authentication with Microsoft Intune.

Trusted Certificate Profile (Windows Phone 8.1 and later)

Lets you configure a trusted mobile device certificate, which can be used to authenticate mobile devices so that they can access network resources such as those configured by Wi-Fi and VPN profiles.

For more information, see Enable access to company resources using certificate profiles and multifactor authentication with Microsoft Intune.

VPN Profile (Windows 8.1 and later) (for enrolled devices only)

Use VPN profiles to configure and deploy settings that give users secure access to your company network from their mobile device. By deploying these settings, you minimize the end-user effort required to connect to their work.

For more information, see Help users connect to their work using VPN profiles with Microsoft Intune.

VPN Profile (Windows Phone 8.1 and later)

Use VPN profiles to configure and deploy settings that give users secure access to your company network from their mobile device. By deploying these settings, you minimize the end-user effort required to connect to their work.

For more information, see Help users connect to their work using VPN profiles with Microsoft Intune.

Windows Phone Configuration Policy (Windows Phone 8.1 and later)

Lets you specify apps that users can or cannot use and block noncompliant apps from being installed or used.

For more information, see Manage devices using configuration policies with Microsoft Intune.

 

Policy template When to use it

Microsoft Intune Agent Settings

Configures the Microsoft Intune client on computers, including settings for:

  • Endpoint Protection

  • Software updates

  • Policy check schedule

This type of policy can be deployed only to groups of devices.

Microsoft Intune clients download new and updated policy according to the Update and application detection frequency setting, which defaults to 8 hours. However, you can force a refresh of policy on computers at any time.

For more information about the Microsoft Intune Agent settings you can configure on computers, see Keep your computers up to date with software updates in Microsoft Intune.

Microsoft Intune Center Settings

Configures details that appear in the Microsoft Intune Center on managed computers (available as a custom policy only).

This type of policy can be deployed only to groups of devices.

For more information about the Microsoft Intune Center settings you can configure, see Manage computers with Microsoft Intune.

Windows Firewall Settings

Configures Windows Firewall settings and exceptions for common network communications on computers, including:

  • BranchCache

  • Remote Assistance

  • Media sharing

This type of policy can be deployed only to groups of devices.

For more information about the Windows Firewall settings you can configure for computers, see Help secure your computers with Endpoint Protection and Windows Firewall policy for Microsoft Intune.

 

Policy template When to use it

Mobile Device Security Policy

Configures settings for mobile devices including:

  • Security

  • Encryption

  • System

  • Email

  • Applications

This type of policy can be deployed only to groups of users.

For more information about the settings you can configure for mobile devices, see Configure security policy for mobile devices in Microsoft Intune.

 

Policy template When to use it

Exchange On-premises Policy

These policies can be used to block access to Microsoft Exchange from devices that are not managed by Intune. You can set various exceptions for device platforms, models, and so on. For more information about conditional access policies, see Control access to on-premises Microsoft Exchange with conditional access in Microsoft Intune.

  1. In the Microsoft Intune administration console, click Policy > Overview > Add Policy.

  2. In the Create a New Policy dialog box, select a template on which to base the new policy, and then do one of the following:

    • Create and Deploy a Policy with the Recommended Settings, then click Create Policy.

    • Create and Deploy a Custom Policy, then click Create Policy. Configure a name and an optional description for the policy, configure the required policy settings, and then click Save Policy.

      In the confirmation dialog box, click Yes to deploy the policy now, or click No to create the policy without deploying it.

  3. In the Manage Deployment dialog box:

    • To deploy the policy - Select one or more groups to which you want to deploy the policy, click Add > OK.

    • To close the dialog box without deploying it - Click Cancel.

You can view the new policy by browsing the sections for each policy type in the Policy workspace.

When you create a policy that uses the recommended settings, the name of the new policy is a combination of the template name, date, and time. When you edit the policy, the name updates with the time and date of the edit.

  1. In the Microsoft Intune administration console, click Policy, browse to, and select the policy you want to manage.

  2. Select one of the actions in the following table:

     

    Action More information

    Edit

    Opens the properties for the selected policy to allow you to make changes.

    Delete

    Deletes the selected policy.

    When you delete a policy, it is removed from all groups to which it was deployed. Settings that the policy configured are then reset as follows:

    Manage Deployment

    In the Manage Deployment dialog box, select the group you want to deploy the policy to and click Add.

  1. In the Microsoft Intune administration console, click Groups, and then select a device group.

  2. Select the devices on which you want to refresh the policies, and then click Remote Tasks > Refresh Policies.

  3. Click Remote Tasks in the bottom-right corner of the Microsoft Intune administration console window to check the task status.

 
© 2014 Microsoft