One of the things that we have to do as administrators is forget the past. It’s necessary because our options for applying different types of policies have vastly expanded. Instead of simply computer or user group policies, we have now have policies and profiles of both device and user types and we can assign the user policies to devices and device policies to users. Sound confusing and it is. The choice is now yours to make but how to you make that decision?
How to decide whether to apply settings to a user or to a device
It’s been difficult to find official guidance on this. I honestly don’t think that Microsoft has an opinion. It’s more of a rule of thumb and a personal preference. What we really need to do is to simplify our options.
First, pay no attention to the name of a policy being labelled as device or user. Since we can assign them to either regardless of what they claim to be, this isn’t the important part. In fact, it can be misleading.
Apply policies, profiles and configurations to devices when…
the setting should be set on that device whether anyone is logged into it or not.
This will be used mainly for policies that apply before anyone logs onto the device. Like an update. Or Autopilot configuration.
For most environments, you will apply policies to devices very sparingly or not at all.
Apply policies, profiles and configurations to users when…
it should be applied to any device that the user logs onto. And also when you want to policy to apply every time that device is used.
When in doubt apply to a group of users
For example, when creating a compliance policy that verifies whether a device meets your minimum criteria for being a device on your network, one might think that this should be applied to the device. But, no. Compliance policies should be applied to users. Here’s why…
We want to know if a user logs into a non-compliant device and then be able to block their ability to access protected corporate data. A user policy will do that for us. A device policy would get applied once to the device and we’d never hear from it again. We want constant checking for compliance, therefore this is a user policy.
Learn to ignore this error
When you apply certain policies to users, you will find that it is unable to apply that policy to the system account user. This will cause a red flag in your policy application. It’s very annoying but it is safe to ignore. The system user account is a highly secure account and even EndPoint Manager has limited ability to configure it. I wish that Microsoft wouldn’t show us those errors but they do. Ignore them.
If you like this content please join our Endpoint Manager, Lighthouse & Defender group. https://www.facebook.com/groups/endpointmanager
All we do is support IT professionals. Help for IT Pros, Super Secret News, Security community, MSP Legislation community, Peer groups, Kits, papers, MSP training and more. https://www.thirdtier.net
One thought on “EndPoint Mgt Concepts: Apply to the user or to the device?”
User groups vs. device groups
Many users ask when to use user groups and when to use device groups. The answer depends on your goal. Here’s some guidance to get you started.
If you want to apply settings on a device, regardless of who’s signed in, then assign your profiles to a devices group. Settings applied to device groups always go with the device, not the user.
Device groups are useful for managing devices that don’t have a dedicated user. For example, you have devices that print tickets, scan inventory, are shared by shift workers, are assigned to a specific warehouse, and so on. Put these devices in a devices group, and assign your profiles to this devices group.
You create a Device Firmware Configuration Interface (DFCI) Intune profile that updates settings in the BIOS. For example, you configure this profile to disable the device camera, or lock down the boot options to prevent users from booting up another OS. This profile is a good scenario to assign to a devices group.
On some specific Windows devices, you always want to control some Microsoft Edge settings, regardless of who’s using the device. For example, you want to block all downloads, limit all cookies to the current browsing session, and delete the browsing history. For this scenario, put these specific Windows devices in a devices group. Then, create an Administrative Template in Intune, add these device settings, and then assign this profile to the devices group.
To summarize, use device groups when you don’t care who’s signed in on the device, or if anyone signs in. You want your settings to always be on the device.
Profile settings applied to user groups always go with the user, and go with the user when signed in to their many devices. It’s normal for users to have many devices, such as a Surface Pro for work, and a personal iOS/iPadOS device. And, it’s normal for a person to access email and other organization resources from these devices.
If a user has multiple devices on the same platform, then you can use filters on the group assignment. For example, a user has a personal iOS/iPadOS device, and an organization-owned iOS/iPadOS. When you assign a policy for that user, you can users filters to target only the organization-owned device.
Follow this general rule: If a feature belongs to a user, such as email or user certificates, then assign to user groups.
You want to put a Help Desk icon for all users on all their devices. In this scenario, put these users in a users group, and assign your Help Desk icon profile to this users group.
A user receives a new organization-owned device. The user signs in to the device with their domain account. The device is automatically registered in Azure AD, and automatically managed by Intune. This profile is a good scenario to assign to a users group.
Whenever a user signs in to a device, you want to control features in apps, such as OneDrive or Office. In this scenario, assign your OneDrive or Office profile settings to a users group.
For example, you want to block untrusted ActiveX controls in your Office apps. You can create an Administrative Template in Intune, configure this setting, and then assign this profile to a users group.
To summarize, use user groups when you want your settings and rules to always go with the user, whatever device they use.