Microsoft Intune Device Configuration Profiles core feature is Bitlocker management to the average Joe utilizing the service but that Bitlocker just touches the surface of all its capabilities.  It allows organizations to maintain granular control over device settings and to push those desktop settings from a cloud-managed, Mobile Device Management service or service called Intune.  This is completely different than “Compliance policy” where it simply to checks to see if the users are within compliance.  Configuration profiles flexes its muscles and does the heavy lifting.  Let’s take a look at “Configuration Profile” in the “Devices” portal below but first let’s remind ourselves of what Policy item does what.  Not familiar with the Intune Admin Center?  Check out our Intune Guide.

• Devices
  • Policy
    • Compliance Policies
      • Rules that devices must be meet to access company data. Compliance settings are mostly used in combination with conditional access to check a device for certain settings and then set a compliant flag or not. It can also be used just for reporting if certain settings are set like BitLocker. It’s a simple check off and remember if several compliance policies have the same setting, they are evaluated and the most restrictive value counts. Pin 4 and Pin 6 in two compliance policies, then pin length 6 is enforced.  Configuration policies (two bullet points down) instead are the way to configure and not to check.
        • Example of how create a create a device profile.
      • Conditional Access
        • Conditional Access policies ensure your devices are compliant before accessing your cloud services. There is a checkbox to grant access only for compliant devices. This way you can create a Conditional Access policy to protect your services and allow access only to devices marked as compliant.
      • Configuration Profile
        • This is not a simple check off. Configuration Profile will enforce the setting or policy.  Rules that has to change about itself. AKA enrollment profile
          • Bitlocker Encryption
          • Meet certain passwords (change every 3 months)
          • Endpoint Protection Policy
        • Note: We highlighted some good settings to enforce down the page.
      • PowerShell Scripts
        • • These are customizations for deploying software, etc

 

 

 

 

 

 

In the configuration profiles, we get a list of all the profiles

 

 

 

 

 

Now, let’s create a policy.  We need two pieces of information to set up the configuration policy.  We need to enter a name for our configuration and we need to select a platform. Just like the compliance policies, the platform we select will determine the configuration settings we can apply.

 

 

 

 

 

 

 

 

In this case, we selected iOS/iPadOS.  With a platform selected we can select a profile type

 

 

 

 

 

 

As you can see below, there are a lot of profile types that can be configured. Setting theses up will push the configured settings to the device. Covering all of those is beyond todays conversation but we will take a quick look at the device restrictions. This policy allows us to setup the main settings of the device

 

 

 

 

 

 

 

As you can see below, there are a lot of settings you can configure for the device. Each of these tabs has a lot more options of settings that can be configured for the device. Going through all of them is beyond this discussion.  Let’s at least take a look at the general settings to show how granular the device can be configured.

 

 

 

 

 

 

 

 

 

 

From the general tab, we can see all the settings that can be configured.  Some good ones to keep in mind are highlighted here.

Device Name Modification

The device name setting is a great way to prevent users from changing the device name. This helps if you have any tracking or naming for device inventory.

Notification Settings Modification

Notifications is a great way to prevent notifications from appearing on the device. This is a great setting to remember for devices owned by the company but maybe public facing.

Activation Lock

Activation lock is a great preventive setting. By selecting this a lost or stolen device cannot be reactivated

Block App Removal

Block apps is a great way to prevent users from deleting the apps you added to the device

 

 

 

 

 

 

Microsoft Intune Device Configuration Profiles core feature is Bitlocker Summary

We highlighted some good settings to enforce in the Device Configuration Profile settings including Bitlocker.  Play around with this and let us know what are some your most useful settings to enforce.