Manage settings and features on your devices with Microsoft Intune policies

 

Updated: November 23, 2015

Applies To: Microsoft Intune

Microsoft Intune uses policies that help you to configure many security and functional settings for enrolled mobile devices, including:

  • Hardware settings, like allowing use of the device's camera or Bluetooth capability

  • Password settings including password length and quality

  • Allowed and blocked apps, which let you configure apps that are compliant or noncompliant in your organization, and then report on devices that are not compliant (for Windows Phone devices, you can block apps from being installed or used).

  • Kiosk mode settings that allow you to ‘lock down’ certain features of the device like allowing only one app to run, or disabling the power button and volume controls.

Use the information in this topic to help you decide which policy you need to use to manage your devices.

Tip

For more detailed information about how to use policies, see Use policies to manage computers and mobile devices with Microsoft Intune.

Policy name

Use when you want to

Custom Configuration (Android 4 and later, Samsung KNOX Standard 4.0 and later)

  • Deploy OMA-URI settings, such as Wi-Fi settings that can be used to control device features. This is useful when the setting you need is not available in a configuration policy.

For details, see Android custom policy settings in Microsoft Intune.

Email Profile (Samsung KNOX Standard 4.0 and later)

  • Create, deploy and monitor Exchange ActiveSync email settings on managed devices. This lets users access corporate email on their personal devices without any required setup on their part.

For details, see Configure access to corporate email using email profiles with Microsoft Intune.

General Configuration (Android 4 and later, Samsung KNOX Standard 4.0 and later)

  • Configure mobile device security and functional settings.

  • Specify apps that are compliant or noncompliant, and report when they are used.

  • Configure kiosk mode that locks devices to allow only certain features to work, for example, allow the device to run only one app, or disable the volume buttons.

For details, see Android configuration policy settings in Microsoft Intune.

PKCS #12 (.PFX) Certificate Profile (Android 4 and later)

  • Use this profile to create and deploy PFX settings for device certificate requests.

For details, see Enable access to company resources using certificate profiles with Microsoft Intune.

SCEP Certificate Profile (Android 4 and later)

  • Configure a Simple Certificate Enrollment Protocol certificate which can be used with a trusted mobile device certificate to authenticate mobile devices to allow them to access network resources such as those configured by Wi-Fi and VPN profiles.

For details, see Enable access to company resources using certificate profiles with Microsoft Intune.

Trusted Certificate Profile (Android 4 and later)

  • Configure a trusted mobile device certificate which can be used to authenticate mobile devices to allow them to access network resources such as those configured by Wi-Fi and VPN profiles.

For details, see Enable access to company resources using certificate profiles with Microsoft Intune.

VPN Profile (Android 4 and later)

  • Configure and deploy settings that give users secure access to your company network from their mobile device. By deploying these settings, you minimize the end-user effort required to connect to their work.

For details, see Help users connect to their work using VPN profiles with Microsoft Intune.

Wi-Fi Profile (Android 4 and later)

  • Configure and deploy wireless network settings to users in your organization. By deploying these settings, you minimize the end-user effort required to connect to the wireless network.

For details, see Help users connect to company networks using Wi-Fi profiles with Microsoft Intune.

Policy name

Use when you want to

Custom Configuration (iOS 7.1 and later)

  • Deploy configuration profiles to iOS devices that you created using the Apple Configurator tool. This is useful when the setting you need is not available in a configuration policy.

For details, see iOS custom policy settings in Microsoft Intune.

Email Profile (iOS 7.1 and later)

  • Create, deploy and monitor Exchange ActiveSync email settings on managed devices. This lets users access corporate email on their personal devices without any required setup on their part.

For details, see Configure access to corporate email using email profiles with Microsoft Intune.

General Configuration (iOS 7.1 and later)

  • Configure mobile device security and functional settings.

  • Specify apps that are compliant or noncompliant, and report when they are used.

  • Configure kiosk mode that locks devices to allow only certain features to work, for example, allow the device to run only one app, or disable the volume buttons.

For details, see iOS configuration policy settings in Microsoft Intune.

SCEP Certificate Profile (iOS 7.1 and later)

  • Configure a Simple Certificate Enrollment Protocol certificate which can be used with a trusted mobile device certificate to authenticate mobile devices to allow them to access network resources such as those configured by Wi-Fi and VPN profiles.

For details, see Enable access to company resources using certificate profiles with Microsoft Intune.

Trusted Certificate Profile (iOS 7.1 and later)

  • Configure a trusted mobile device certificate which can be used to authenticate mobile devices to allow them to access network resources such as those configured by Wi-Fi and VPN profiles.

For details, see Enable access to company resources using certificate profiles with Microsoft Intune.

VPN Profile (iOS 7.1 and later)

  • Configure and deploy settings that give users secure access to your company network from their mobile device. By deploying these settings, you minimize the end-user effort required to connect to their work.

For details, see Help users connect to their work using VPN profiles with Microsoft Intune.

Wi-Fi Profile (iOS 7.1 and later)

  • Configure and deploy wireless network settings to users in your organization. By deploying these settings, you minimize the end-user effort required to connect to the wireless network.

For details, see Help users connect to company networks using Wi-Fi profiles with Microsoft Intune.

Mobile App Configuration Policy (iOS 7.1 and later)

  • Use mobile app configuration policies to automatically supply settings that might be required when the user runs an iOS app.

For details, see Configure apps with mobile app configuration policies in Microsoft Intune.

Policy name

Use when you want to

Custom Configuration (Mac OS X 10.9 and later)

  • Deploy configuration profiles to Mac computers that you created using the Apple Configurator tool. This is useful when the setting you need is not available in a configuration policy.

For details, see Mac OS X custom policy settings in Microsoft Intune.

General Configuration (Mac OS X 10.9 and later)

  • Configure mobile device security and functional settings.

  • Specify apps that are compliant or noncompliant, and report when they are used.

For details, see Mac OS X configuration policy settings in Microsoft Intune.

SCEP Certificate Profile (Mac OS X 10.9 and later)

  • Configure a Simple Certificate Enrollment Protocol certificate which can be used with a trusted mobile device certificate to authenticate mobile devices to allow them to access network resources such as those configured by Wi-Fi and VPN profiles.

For details, see Enable access to company resources using certificate profiles with Microsoft Intune.

Trusted Certificate Profile (Mac OS X 10.9 and later)

  • Configure a trusted mobile device certificate which can be used to authenticate mobile devices to allow them to access network resources such as those configured by Wi-Fi and VPN profiles.

For details, see Enable access to company resources using certificate profiles with Microsoft Intune.

VPN Profile (Mac OS X 10.9 and later)

  • Configure and deploy settings that give users secure access to your company network from their mobile device. By deploying these settings, you minimize the end-user effort required to connect to their work.

For details, see Help users connect to their work using VPN profiles with Microsoft Intune.

Wi-Fi Profile (Mac OS X 10.9 and later)

  • Configure and deploy wireless network settings to users in your organization. By deploying these settings, you minimize the end-user effort required to connect to the wireless network.

For details, see Help users connect to company networks using Wi-Fi profiles with Microsoft Intune.

Applies to Windows Phone and enrolled Windows devices only.

Policy name

Use when you want to

Custom Configuration (Windows 10 Desktop and Mobile and later)

  • Deploy OMA-URI settings that can be used to control device features. This is useful when the setting you need is not available in a configuration policy.

    For a list of available settings, see Custom URI settings for Windows 10 devices.

For details, see Windows 10 custom policy settings in Microsoft Intune.

Custom Configuration (Windows Phone 8.1 and later)

  • Deploy OMA-URI settings that can be used to control device features. This is useful when the setting you need is not available in a configuration policy.

For details, see Windows Phone custom policy settings in Microsoft Intune.

Email Profile (Windows Phone 8 and later)

Email Profile (Windows 10 Desktop and Mobile and later)

  • Create, deploy and monitor Exchange ActiveSync email settings on managed devices. This lets users access corporate email on their personal devices without any required setup on their part.

For details, see Configure access to corporate email using email profiles with Microsoft Intune.

General Configuration (Windows 10 Desktop and Mobile and later)

  • Configure mobile device security and functional settings for enrolled Windows 10 Desktop and Mobile devices.

For details, see Windows 10 configuration policy settings in Microsoft Intune.

General Configuration (Windows 10 Team and later)

  • Configure device security and functional settings for enrolled Windows 10 Team devices (for example, a Surface Hub device).

For details, see Windows Team configuration policy settings in Microsoft Intune.

General Configuration (Windows 8.1 and later)

  • Configure mobile device security and functional settings for enrolled Windows devices.

For details, see Windows configuration policy settings in Microsoft Intune.

General Configuration (Windows Phone 8.1 and later)

  • Configure mobile device security and functional settings.

  • Specify apps that users can or cannot use, and block noncompliant apps from being installed or used.

For details, see Windows Phone configuration policy settings in Microsoft Intune.

PKCS #12 (.PFX) Certificate Profile (Windows 10 Desktop and Mobile and later)

  • Use this profile to create and deploy PFX settings for device certificate requests.

For details, see Enable access to company resources using certificate profiles with Microsoft Intune.

SCEP Certificate Profile (Windows 8.1 and later)

SCEP Certificate Profile (Windows Phone 8.1 and later)

  • Configure a Simple Certificate Enrollment Protocol certificate which can be used with a trusted mobile device certificate to authenticate mobile devices to allow them to access network resources such as those configured by Wi-Fi and VPN profiles.

For details, see Enable access to company resources using certificate profiles with Microsoft Intune.

Trusted Certificate Profile (Windows 8.1 and later)

Trusted Certificate Profile (Windows Phone 8.1 and later)

  • Configure a trusted mobile device certificate which can be used to authenticate mobile devices to allow them to access network resources such as those configured by Wi-Fi and VPN profiles.

For details, see Enable access to company resources using certificate profiles with Microsoft Intune.

VPN Profile (Windows 10 Desktop and Mobile and later)

VPN Profile (Windows 8.1 and later)

VPN Profile (Windows Phone 8.1 and later)

  • Configure and deploy settings that give users secure access to your company network from their mobile device. By deploying these settings, you minimize the end-user effort required to connect to their work.

For details, see Help users connect to their work using VPN profiles with Microsoft Intune.

Wi-Fi Import

  • Import and deploy Windows Wi-Fi configurations that you have previously exported to a file.

For details, see Help users connect to company networks using Wi-Fi profiles with Microsoft Intune.

Policy name

Use when you want to

Managed Browser Policy (Android 4 and later)

Managed Browser Policy (iOS 7.1 and later)

  • Specify the websites that users can and cannot access when they are using the managed browser app.

For details, see Manage Internet access using managed browser policies with Microsoft Intune.

Mobile Application Management Policy (Android 4 and later)

Mobile Application Management Policy (iOS 7.1 and later)

  • Modify the functionality of apps that you deploy to help bring them into line with your company compliance and security policies. For example, you can restrict cut, copy and paste operations within a restricted app, or configure an app to open all web links inside the managed browser.

For details, see Configure and deploy mobile application management policies in the Microsoft Intune console.

Policy name

Use when you want to

Exchange ActiveSync Policy

  • Configure mobile device security and functional settings for devices that are managed by Exchange ActiveSync.

For details, see Exchange ActiveSync policy settings in Microsoft Intune.

Mobile Device Security Policy

  • Configures settings for mobile devices (all platforms) including:

    • Security

    • Encryption

    • System

    • Email

    • Applications

Important

Microsoft Intune now features separate configuration policies for each device platform, and these policies contain the most up-to-date settings you can use. You can continue to use the mobile device security policy and any existing deployments will still work, but you should plan to migrate to the new configuration policies as soon as possible.

For details, see Mobile device security policy settings in Microsoft Intune.

Policy name

Use when you want to

Exchange Online Policy

Exchange On-premises Policy

  • Manage access to Microsoft Exchange email from devices that are not managed by Intune or not compliant with a compliance policy you created.

For details, see Manage email access with Microsoft Intune.

SharePoint Online Policy

  • Manage access to SharePoint Online from devices that are not managed by Intune or not compliant with a compliance policy you created.

For details, see Manage SharePoint Online access with Microsoft Intune.

Note

You do not deploy conditional access policies to users and devices. Instead, you configure the required policy and it applies to all groups targeted in the policy.

Policy name

Use when you want to

Compliance policies

  • Define the level of compliance for devices and then report about devices that are noncompliant. These policies are used with conditional access to help evaluate devices that should be blocked from services.

For details, see Manage device compliance policies for Microsoft Intune.

Policy name

Use when you want to

Microsoft Intune Agent Settings

Configure the Microsoft Intune client on computers, including settings for:

  • Endpoint Protection

  • Software updates

  • Policy check schedule

This type of policy can be deployed only to groups of devices.

Intune clients download new and updated policy according to the Update and application detection frequency setting, which defaults to 8 hours. However, you can force a refresh of policy on computers at any time.

For details, see Keep Windows PCs up to date with software updates in Microsoft Intune.

Microsoft Intune Center Settings

Configure details that appear in the Microsoft Intune Center on managed computers.

This type of policy can be deployed only to groups of devices.

For details, see Common Windows PC management tasks with the Microsoft Intune computer client.

Windows Firewall Settings

Configures Windows Firewall settings and exceptions for common network communications on computers, including:

  • BranchCache

  • Remote Assistance

  • Media sharing

This type of policy can be deployed only to groups of devices.

For details, see Help secure Windows PCs with Endpoint Protection for Microsoft Intune.

© 2016 Microsoft