Configuring device settings
Microsoft Intune lets us configure device properties and settings using configuration profiles (Configuration profiles). Microsoft also uses the term device profiles in some places, and elsewhere talks about creating a Policy. We create profiles for the various platforms and assign them to selected users or devices.
Generally (for Windows, macOS, and iOS/iPadOS), we choose from two profile types:
- Templates - a template groups the settings for a certain feature (such as Device restrictions, Domain join, Email, VPN); Intune ships a large number of templates
- Settings catalog - the catalog lists every setting we can configure; for Windows there are thousands of items, including ones not found in any template; for macOS it replaces the Preference file template
Microsoft's documentation lists two more ways of creating device configurations for Windows:
- Administrative templates - available both under Templates in configuration profiles and in the settings catalog; lets us use a selected set of Group Policy administrative template (ADMX) settings, and we can import additional ADMX templates
- Security Baselines - pre-configured security settings from Microsoft's security teams; we can deploy a prepared Baseline as-is or create a customized profile from it, and the configuration lives under Endpoint security
The last possible option for configuring devices is to run a script on the device.
- PowerShell Script on Windows
- Shell Script on macOS
Windows Configuration Service Provider (CSP)
A Configuration Service Provider (CSP) is an interface for reading, setting, modifying, and deleting configuration settings on a Windows device. Behind the CSP, each setting maps to registry keys or files. Settings are addressed by OMA-URI paths and delivered over the Open Mobile Alliance (OMA) Device Management (DM) protocol using SyncML; the same CSPs are also driven by OMA Client Provisioning (WAP), for example from provisioning packages.
Apple Configuration Profiles
Apple also uses the term configuration profiles for its way of setting up large numbers of devices. Configuration profiles can be deployed to macOS devices in several ways: through an MDM server such as Intune, with Apple Configurator (which we can also use to create profiles), or with Profile Manager, a component of the macOS Server app. Profiles are stored in files with the extension .mobileconfig or .xml.
A configuration profile is stored in property list (plist) format, which is XML-based. The top-level dictionary holds keys that describe the profile and its deployment (a PayloadType of Configuration, PayloadIdentifier, PayloadUUID, PayloadDisplayName, PayloadScope, and so on). The actual configuration values sit in one or more payload dictionaries inside the PayloadContent array.
Each configurable area has its own payload (Intro to MDM payloads). Every payload has a name and an identifier (PayloadType); for example, DirectoryService has the type com.apple.DirectoryService.managed. Lists and descriptions are available from Apple, for example MDM payload list for Mac computers, Review MDM payloads for Apple devices, or Profile-Specific Payload Keys.
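The structure just described can be inspected without Apple tooling. The following is an added example of my own (it is not from the original article, Apple, or Microsoft) that reads a .mobileconfig with PowerShell's XML parser, walks the plist dictionary, and lists the top-level keys together with the PayloadType of every payload in PayloadContent. The embedded profile is a constructed minimal sample; its identifiers and UUIDs are placeholders.

```powershell
# Added example: parse a .mobileconfig (plist XML) and summarise its payloads.
# Runs on Windows PowerShell and pwsh; needs no Apple tools.

function ConvertFrom-PlistNode {
    param([Parameter(Mandatory)][System.Xml.XmlNode]$Node)
    switch ($Node.LocalName) {
        'dict' {
            $h = [ordered]@{}
            $children = @($Node.ChildNodes | Where-Object NodeType -eq 'Element')
            # A plist dict is a flat sequence: <key>name</key> followed by its value node.
            for ($i = 0; $i + 1 -lt $children.Count; $i += 2) {
                $h[$children[$i].InnerText] = ConvertFrom-PlistNode $children[$i + 1]
            }
            return $h
        }
        'array' {
            $items = @($Node.ChildNodes | Where-Object NodeType -eq 'Element' |
                       ForEach-Object { ConvertFrom-PlistNode $_ })
            return ,$items          # unary comma keeps a 1-element array an array
        }
        'string'  { return $Node.InnerText }
        'integer' { return [int64]$Node.InnerText }
        'true'    { return $true }
        'false'   { return $false }
        default   { return $Node.InnerText }   # real, date, data: kept as text here
    }
}

function Get-MobileConfigSummary {
    param([Parameter(Mandatory)][string]$PlistXml)
    # Drop the DOCTYPE so the parser never tries to resolve Apple's external DTD.
    $doc = [xml]($PlistXml -replace '<!DOCTYPE[^>]*>', '')
    $top = ConvertFrom-PlistNode $doc.plist.dict
    [pscustomobject]@{
        TopLevelType = $top.PayloadType          # "Configuration" for a profile
        Identifier   = $top.PayloadIdentifier
        DisplayName  = $top.PayloadDisplayName
        Scope        = $top.PayloadScope         # System or User
        Payloads     = @($top.PayloadContent | ForEach-Object {
                           "$($_.PayloadType) ($($_.PayloadIdentifier))" })
    }
}

# Constructed sample profile (placeholders, not a real deployment).
$sampleProfile = @'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadIdentifier</key><string>com.example.profile.lab</string>
  <key>PayloadUUID</key><string>11111111-2222-3333-4444-555555555555</string>
  <key>PayloadDisplayName</key><string>Example - Directory and Restrictions</string>
  <key>PayloadScope</key><string>System</string>
  <key>PayloadRemovalDisallowed</key><true/>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.DirectoryService.managed</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>PayloadIdentifier</key><string>com.example.profile.lab.directory</string>
      <key>PayloadUUID</key><string>aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee</string>
      <key>HostName</key><string>ad.example.com</string>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.applicationaccess</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>PayloadIdentifier</key><string>com.example.profile.lab.restrictions</string>
      <key>PayloadUUID</key><string>bbbbbbbb-cccc-dddd-eeee-ffffffffffff</string>
      <key>allowCloudDocumentSync</key><false/>
    </dict>
  </array>
</dict>
</plist>
'@

Get-MobileConfigSummary -PlistXml $sampleProfile | Format-List
# Real file: Get-MobileConfigSummary -PlistXml (Get-Content .\profile.mobileconfig -Raw)
```

Removing the DOCTYPE before parsing is deliberate: profiles from unknown sources are untrusted XML, and a parser that honours external DTDs would otherwise fetch from apple.com (or anywhere the file points).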
Policy refresh
Devices enrolled in Intune check in for policy changes at an interval that depends on the platform and on how recently the device was enrolled: right after enrollment a device checks in every 3 minutes for 15 minutes, then every 15 minutes for 2 hours, and after that roughly every 8 hours. A newly prepared configuration is therefore not applied immediately.
We can trigger an immediate sync manually: on the device in the Company Portal app under Devices - Check Status (or Settings - Sync); on Windows also under Settings - Accounts - Access work or school - Info - Sync; or from the Microsoft Endpoint Manager admin center under Devices by opening the device and clicking Sync.
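The same sync can be requested from a script, which is handy when a change has to land on a handful of devices right now. The block below is an added example (not from the original article) built on the Microsoft.Graph PowerShell SDK: one function finds a managed device by name and calls the syncDevice action; the other, run locally on a Windows client, lists the scheduled tasks through which the MDM client performs its periodic check-ins, with their last and next run times. The device name is an assumption.

```powershell
# Added example: force an Intune sync via Graph, and inspect check-in tasks locally.
# Assumes the Microsoft.Graph PowerShell SDK is installed.

function Invoke-IntuneDeviceSync {
    param([Parameter(Mandatory)][string]$DeviceName)

    # syncDevice is a privileged action; the Read scope alone is not enough.
    $scopes = @('DeviceManagementManagedDevices.PrivilegedOperations.All',
                'DeviceManagementManagedDevices.Read.All')
    Connect-MgGraph -Scopes $scopes | Out-Null

    $encoded = [uri]::EscapeDataString("deviceName eq '$DeviceName'")
    $uri = "https://graph.microsoft.com/v1.0/deviceManagement/managedDevices?`$filter=$encoded"
    $devices = (Invoke-MgGraphRequest -Method GET -Uri $uri).value
    if (-not $devices) { throw "No managed device named '$DeviceName'" }

    foreach ($d in $devices) {
        # A name can match more than one record (stale enrollments); sync each.
        Invoke-MgGraphRequest -Method POST `
            -Uri "https://graph.microsoft.com/v1.0/deviceManagement/managedDevices/$($d.id)/syncDevice"
        [pscustomobject]@{
            DeviceName    = $d.deviceName
            Id            = $d.id
            LastSyncUtc   = $d.lastSyncDateTime        # value before this request
            SyncRequested = (Get-Date).ToUniversalTime()
        }
    }
}

function Get-MdmCheckInTasks {
    # Run on the Windows device itself (elevated). The enrollment client registers
    # its check-in schedules under this task path, one folder per enrollment.
    Get-ScheduledTask -TaskPath '\Microsoft\Windows\EnterpriseMgmt\*' |
        Get-ScheduledTaskInfo |
        Select-Object TaskName, LastRunTime, LastTaskResult, NextRunTime
}

# Invoke-IntuneDeviceSync -DeviceName 'WIN-LAB-01'   # assumed device name
# Get-MdmCheckInTasks
```

If LastSyncUtc does not move within a few minutes of the request, the device is off or the MDM client is not reaching the service; the local task list shows whether check-ins are even being attempted and with what result code.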
Creating a configuration profile
We can manage profiles and create new ones using
- Microsoft Endpoint Manager admin center - Devices - Configuration profiles
Note: We can limit ourselves to a specific platform (by selecting it under By platform) or work with all of them.

When creating a new profile (Create profile), we first choose the platform. Then, for most platforms, we select the Profile type (Templates or Settings catalog). For Android, we instead select the group of settings we want to configure. If we chose the Templates profile type, we then pick a specific template.

Basics
In the first step of the profile creation wizard, we set the profile name and an optional description. The name should be descriptive enough for us to navigate through hundreds of profiles. We can include the platform in the name (even though we usually see it in the profile list), what the profile configures, and possibly also who it is assigned to (like All Win devices).
Configuration settings
The next main step is Configuration settings, where we set the actual configuration items. The following steps vary depending on the profile type and platform.

Assignments
We always set the Assignments, i.e., the deployment of the configuration profile to a group of users or devices. It is always worth considering carefully whether a user group or a device group is the better fit: a device-group assignment applies regardless of who signs in, while a user-group assignment follows the user to any enrolled device. Under Included groups we can additionally apply a filter, which narrows the assignment to (or excludes) devices matching a rule.
We can use the pre-prepared groups All users and All devices. The group of all devices includes all devices registered in Intune. The group of all users contains users who have an Intune license assigned.
We can also set excluded groups (Excluded groups). There are a number of conditions for how to combine included and excluded groups.
Note: When the assignment is removed, the behavior may vary. The settings may remain applied or revert to the default state.

Scope Tags and Applicability Rules
We can also assign Scope Tags to the profile. Scope tags do not affect which devices receive the profile; they are an RBAC mechanism that determines which administrators (those whose role assignment carries the same tag) can see and manage it. Targeting is decided solely by the Assignments.
For Windows, we can use Applicability Rules (to filter the profile application to certain Windows editions or versions).

Settings catalog
We can create a configuration profile from the settings catalog for Windows, macOS, and iOS/iPadOS. The catalog offers all the settings we can configure in one place. Additional settings are continuously added. We can create a profile that contains a variety of different settings. It's a similar approach to creating a Group Policy Object (GPO).
Differences by platform
For Windows 10/11 there are thousands of settings, generated directly from the Windows Configuration Service Providers (CSP). Administrative Templates are available here as well and add further settings. As Windows publishes new CSP settings, they are added to the catalog soon afterwards.
For macOS and iOS/iPadOS, the device settings are generated directly from Apple Profile-Specific Payload Keys.
Apple Declarative Device Management (DDM) is integrated into the settings catalog. If we configure iOS/iPadOS 15+ devices enrolled with User Enrollment, DDM is used; in all other cases the standard Apple MDM protocol is used.
Configuration settings
We add settings to the profile in the Configuration settings step. We can select a category and add individual items or all of them, or search by the setting name, or use a filter. A brief description of a setting is shown when hovering over the info icon (the i in a circle).

Some settings have (User) or (Device) in the name. This means that the given policy will only apply to the user scope (HKEY_CURRENT_USER) or the device scope (HKEY_LOCAL_MACHINE). The profile can be assigned to both a group of users and devices.
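The (User)/(Device) distinction is also visible in the setting definition IDs that a settings catalog profile stores: they begin with user_vendor_msft_... or device_vendor_msft_.... The following added example (my own, not from the original article) reads a profile's settings through Microsoft Graph and reports the scope of each one. Settings catalog profiles are exposed as configurationPolicies on the beta endpoint, so the shape of the response is as documented for beta at the time of writing; the profile name is an assumption.

```powershell
# Added example: report user- vs device-scoped settings in a settings catalog profile.
# Assumes the Microsoft.Graph PowerShell SDK; uses the beta configurationPolicies API.

function Get-SettingsCatalogScopes {
    param([Parameter(Mandatory)][string]$ProfileName)
    Connect-MgGraph -Scopes 'DeviceManagementConfiguration.Read.All' | Out-Null
    $base = 'https://graph.microsoft.com/beta/deviceManagement/configurationPolicies'

    # Page through the list and match the profile by name on the client side.
    $uri = $base
    $policy = $null
    while ($uri -and -not $policy) {
        $page   = Invoke-MgGraphRequest -Method GET -Uri $uri
        $policy = $page.value | Where-Object { $_.name -eq $ProfileName } | Select-Object -First 1
        $uri    = $page.'@odata.nextLink'
    }
    if (-not $policy) { throw "Settings catalog profile '$ProfileName' not found" }

    $settings = (Invoke-MgGraphRequest -Method GET -Uri "$base/$($policy.id)/settings").value
    foreach ($s in $settings) {
        $defId = $s.settingInstance.settingDefinitionId
        [pscustomobject]@{
            Profile             = $policy.name
            SettingDefinitionId = $defId
            # device_* settings land in HKLM, user_* settings in HKCU of the targeted user
            Scope = if ($defId -like 'user_*')        { 'User (HKCU)' }
                    elseif ($defId -like 'device_*')  { 'Device (HKLM)' }
                    else                              { 'Other' }
        }
    }
}

# Get-SettingsCatalogScopes -ProfileName 'Win - Edge settings' | Format-Table -AutoSize
```

A profile that mixes both scopes and is assigned only to a device group is worth a second look: the device-scoped settings will always apply, while the user-scoped ones depend on which user the MDM enrollment is associated with.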
Templates
Templates contain logical groups of settings. If we want to use these groupings of settings when configuring (creating a profile), we use a specific template.
When creating a profile, we choose a specific template, and in the Configuration settings step we get a fixed set of items to configure. We cannot remove them or add others. A brief description of an item is shown when hovering over the info icon (the i in a circle).
Some templates are special, and we'll briefly mention them below.
Template - Administrative templates
One of the Windows templates is Administrative templates, which contains many sets of settings for areas such as Office, Edge, Chrome, Windows Components, Network, etc. The Windows settings are delivered through the Policy CSP.
These are similar settings to those found in Group Policy. The settings are based on ADMX, which are integrated into the system or are part of the standard ADMX files (like Office). We can also import additional third-party ADMX templates.
Note: Administrative templates can be configured under Templates, but also under Settings Catalog. The catalog has more administrative templates available.
There is also the Group Policy analytics tool, which analyzes our on-premises GPOs and can create the corresponding Intune configuration automatically. We first export the GPO from the Group Policy Management console (Back Up writes a gpreport.xml into the backup folder; Save Report in XML format works too). We import gpreport.xml into Intune and the analysis runs, showing which settings are supported in MDM and which are obsolete or unavailable. For every setting found in a supported CSP, its name and the CSP mapping (OMA-URI path) are displayed.
Template - Custom
The Custom template lets us push settings that have no dedicated Intune UI. It is configured differently for each platform.
For Windows and Android, we enter values by their Open Mobile Alliance Uniform Resource Identifier (OMA-URI). Example: ./Device/Vendor/MSFT/Policy/Config/RemoteDesktopServices/AllowUsersToConnectRemotely. The data type we choose must match what the CSP expects; ADMX-backed Policy CSP settings such as this one take a string value of <enabled/> or <disabled/> rather than an integer.
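The same Custom profile can be created and assigned through Microsoft Graph, and its effect checked on a client. The block below is an added example of mine (not from the original article, and not Microsoft's sample code) using the Microsoft.Graph PowerShell SDK: it creates a windows10CustomConfiguration carrying the OMA-URI above, assigns it to a device group, and then, on the device, reads both the value the MDM client recorded for the CSP and the Group Policy registry value the ADMX-backed policy ultimately writes. The display name and the group id are assumptions; the value is the string <enabled/> because the policy is ADMX-backed.

```powershell
# Added example: Custom OMA-URI profile via Graph, plus a client-side check.
# Assumes the Microsoft.Graph PowerShell SDK; group id and names are placeholders.

function New-IntuneCustomOmaUriProfile {
    param(
        [Parameter(Mandatory)][string]$DisplayName,
        [Parameter(Mandatory)][string]$OmaUri,
        [Parameter(Mandatory)][string]$Value,
        [Parameter(Mandatory)][string]$AssignToGroupId
    )
    Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All' | Out-Null
    $base = 'https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations'

    $body = @{
        '@odata.type' = '#microsoft.graph.windows10CustomConfiguration'
        displayName   = $DisplayName
        description   = 'Custom OMA-URI profile created by script'
        omaSettings   = @(
            @{
                '@odata.type' = '#microsoft.graph.omaSettingString'   # ADMX-backed => string
                displayName   = ($OmaUri -split '/')[-1]
                omaUri        = $OmaUri
                value         = $Value
            }
        )
    }
    $created = Invoke-MgGraphRequest -Method POST -Uri $base `
        -Body ($body | ConvertTo-Json -Depth 5) -ContentType 'application/json'

    # Included group; use #microsoft.graph.exclusionGroupAssignmentTarget for Excluded groups.
    $assign = @{
        assignments = @(
            @{ target = @{ '@odata.type' = '#microsoft.graph.groupAssignmentTarget'
                           groupId       = $AssignToGroupId } }
        )
    }
    Invoke-MgGraphRequest -Method POST -Uri "$base/$($created.id)/assign" `
        -Body ($assign | ConvertTo-Json -Depth 5) -ContentType 'application/json' | Out-Null
    return $created.id
}

function Test-PolicyCspValue {
    # Run on the target device after it has synced. The MDM client records each
    # Policy CSP value it applied under PolicyManager\current; an ADMX-backed
    # policy additionally writes the classic Group Policy registry value.
    param([string]$Area = 'RemoteDesktopServices',
          [string]$Policy = 'AllowUsersToConnectRemotely')
    $csp = Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\$Area" `
                            -Name $Policy -ErrorAction SilentlyContinue
    $gpo = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' `
                            -Name fDenyTSConnections -ErrorAction SilentlyContinue
    [pscustomobject]@{
        CspValue           = $csp.$Policy               # "<enabled/>" once applied
        fDenyTSConnections = $gpo.fDenyTSConnections    # 0 = RDP allowed
    }
}

# New-IntuneCustomOmaUriProfile -DisplayName 'Win - Allow RDP' `
#     -OmaUri './Device/Vendor/MSFT/Policy/Config/RemoteDesktopServices/AllowUsersToConnectRemotely' `
#     -Value '<enabled/>' -AssignToGroupId '00000000-0000-0000-0000-000000000000'
# Test-PolicyCspValue
```

A wrong data type (an integer 1 here instead of the string) is reported by the portal as an error on the device, with the value absent from PolicyManager\current, so Test-PolicyCspValue returning nulls after a successful sync is the first thing to check.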
For Apple devices (macOS and iOS/iPadOS), we import a configuration profile file created with Apple Configurator or Apple Profile Manager, with the extension .mobileconfig or .xml.
Template - Preference file
For macOS, we can use a Preference file in the standard property list (.plist) format. It defines preferences for macOS applications and the system, and lets us set items that are not available in Intune.
Property list files contain configuration information for applications. Each application has its own Bundle ID, used as the preference domain name, such as com.Microsoft.Edge. We can use Xcode to edit the file.
In the configuration, we enter the Preference domain name and import the Property list file with the extension .plist or .xml.
Scripts
Intune can be used to upload a PowerShell Script on Windows or a Shell Script on macOS, and then run it on the device. We can use scripts for various purposes, for configuring devices and installing applications. This expands the capabilities of device management (MDM).
We manage the scripts under (or for a specific platform selected in By platform)
- Microsoft Endpoint Manager admin center - Devices - Scripts
PowerShell Script
Windows 10/11 has a built-in MDM client. To run scripts, we additionally need the Intune Management Extension (IME), which supplements the built-in MDM features. Provided the prerequisites are met, IME is installed automatically on the device when a PowerShell script or a Win32 app is assigned to a user or device.
PowerShell scripts can run even without a signed-in user. A script must finish within 30 minutes. The IME agent checks with Intune for new or changed scripts after every reboot and about once an hour. Once a script has run, it does not run again until the script or its policy is changed.
When adding a script (Add), we enter a descriptive name and an optional description. In the Script settings step, we upload the PowerShell script, which must be less than 200 kB. And we set three options:
- Run this script using the logged on credentials - whether the script runs under the user or the system
- Enforce script signature check - whether the script must be signed by a trusted publisher
- Run script in 64-bit PowerShell host - whether the script runs in the 32-bit PowerShell host (the default) or the 64-bit one; scripts that rely on 64-bit modules or the 64-bit registry view need Yes
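The three options above shape how a script should be written. The following is an added example of a script body that could be uploaded in the Script settings step; it is my own illustration, not Microsoft's sample, and the registry key, value name and log file name are assumptions. It relaunches itself in the 64-bit host if it was started in the 32-bit one, logs next to the IME logs, changes the system only when needed, verifies the result, and exits with a code the agent can report as success or failure.

```powershell
# Added example: an Intune PowerShell script that is idempotent, logged, and
# reports success/failure via its exit code. Key, value and log name are assumed.

# If "Run script in 64-bit PowerShell host" was left at No, IME starts the 32-bit
# host; relaunch through SysNative so 64-bit registry views and modules are used.
if (-not [Environment]::Is64BitProcess -and [Environment]::Is64BitOperatingSystem) {
    $ps64 = Join-Path $env:WINDIR 'SysNative\WindowsPowerShell\v1.0\powershell.exe'
    & $ps64 -NoProfile -ExecutionPolicy Bypass -File $PSCommandPath
    exit $LASTEXITCODE
}

$KeyPath  = 'HKLM:\SOFTWARE\Contoso\Intune'          # assumed key
$Name     = 'ScreenLockBaselineApplied'              # assumed value name
$Expected = 1
$LogFile  = Join-Path $env:ProgramData 'Microsoft\IntuneManagementExtension\Logs\Set-ContosoBaseline.log'
$ExitCode = 0

Start-Transcript -Path $LogFile -Append | Out-Null
try {
    # With "Run this script using the logged on credentials" = No the script runs
    # as SYSTEM, so HKCU here would be SYSTEM's hive, not the signed-in user's.
    Write-Output "Running as $([Security.Principal.WindowsIdentity]::GetCurrent().Name)"

    $current = (Get-ItemProperty -Path $KeyPath -Name $Name -ErrorAction SilentlyContinue).$Name
    if ($current -eq $Expected) {
        Write-Output "Already configured ($Name = $current); nothing to do."
    }
    else {
        if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
        New-ItemProperty -Path $KeyPath -Name $Name -Value $Expected -PropertyType DWord -Force | Out-Null

        # Read back; a non-zero exit code makes IME mark the script as failed.
        $after = (Get-ItemProperty -Path $KeyPath -Name $Name).$Name
        if ($after -ne $Expected) { throw "Verification failed: $Name is '$after'" }
        Write-Output "Set $KeyPath\$Name = $Expected"
    }
}
catch {
    Write-Output "ERROR: $($_.Exception.Message)"
    $ExitCode = 1
}
finally {
    Stop-Transcript | Out-Null
}
exit $ExitCode
```

Because a script does not run again until it or its policy changes, the read-before-write check matters less for Intune's scheduling than for safe re-runs during testing; the verification and exit code are what make the portal's per-device status trustworthy.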

In the Assignments step, we assign the script to a group of users or devices. If we want to target Workplace Joined devices (Azure AD Registered), we can only use a device group (users are ignored).
The Intune management extension agent writes its logs to C:\ProgramData\Microsoft\IntuneManagementExtension\Logs (IntuneManagementExtension.log for the agent and policy processing, AgentExecutor.log for script execution). They are in CMTrace format, so CMTrace.exe from the Configuration Manager tools displays them properly.
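When CMTrace is not at hand, the format is simple enough to parse directly. The block below is an added example (not from the original article) that turns CMTrace-style records into objects and filters for warnings, errors and script-related entries. The log lines embedded in it are constructed for the example, not copied from a real device, though they follow the record layout IME uses.

```powershell
# Added example: parse CMTrace-format log records (IntuneManagementExtension.log).
# Sample records below are constructed; the regex follows the CMTrace record layout.

function ConvertFrom-CMTraceLog {
    param([Parameter(Mandatory)][string]$Content)
    # One record: <![LOG[message]LOG]!><time="HH:mm:ss.fff+bias" date="MM-dd-yyyy"
    #             component="..." context="..." type="1|2|3" thread="n" file="...">
    $pattern = '<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]+)" date="(?<date>[^"]+)" ' +
               'component="(?<comp>[^"]*)" context="[^"]*" type="(?<type>\d)" thread="(?<thread>\d+)" file="[^"]*">'
    $levels = @{ '1' = 'Info'; '2' = 'Warning'; '3' = 'Error' }

    # Singleline: messages may span lines, so .*? must be allowed to cross newlines.
    foreach ($m in [regex]::Matches($Content, $pattern, 'Singleline')) {
        $timeNoBias = $m.Groups['time'].Value -replace '[+-]\d+$', ''   # strip UTC bias
        [pscustomobject]@{
            Time      = [datetime]::ParseExact("$($m.Groups['date'].Value) $timeNoBias",
                                               'MM-dd-yyyy HH:mm:ss.fff', $null)
            Level     = $levels[$m.Groups['type'].Value]
            Component = $m.Groups['comp'].Value
            Thread    = [int]$m.Groups['thread'].Value
            Message   = $m.Groups['msg'].Value.Trim()
        }
    }
}

# Constructed sample (not real device output).
$sampleLog = @'
<![LOG[[PowerShell] Processing policy with id = 3f6e2b10-aaaa-bbbb-cccc-123456789abc for user 00000000-0000-0000-0000-000000000000]LOG]!><time="08:15:02.117+000" date="03-14-2023" component="IntuneManagementExtension" context="" type="1" thread="12" file="">
<![LOG[[PowerShell] Script exited with code 1]LOG]!><time="08:15:09.441+000" date="03-14-2023" component="IntuneManagementExtension" context="" type="2" thread="12" file="">
<![LOG[Failed to download script content, HttpStatus = 403]LOG]!><time="08:16:30.002+000" date="03-14-2023" component="IntuneManagementExtension" context="" type="3" thread="7" file="">
'@

$entries = ConvertFrom-CMTraceLog -Content $sampleLog
$entries | Where-Object Level -ne 'Info' | Format-Table Time, Level, Thread, Message -AutoSize

# On a device, point the parser at the real file:
# $raw = Get-Content "$env:ProgramData\Microsoft\IntuneManagementExtension\Logs\IntuneManagementExtension.log" -Raw
# ConvertFrom-CMTraceLog -Content $raw | Where-Object Message -like '*[PowerShell]*'
```

Grouping by Thread is the quickest way to follow a single script from policy download to exit code, since the agent processes each policy on its own thread.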
Shell Script
To use scripts on macOS devices, we need to have the Microsoft Intune management agent installed. It is also required, for example, for installing DMG applications. The agent is installed automatically on the device if at least one script is assigned. More information at Microsoft Intune management agent for macOS.
Scripts must begin with a shebang (#!) pointing to a valid interpreter, such as #!/bin/sh or #!/usr/bin/env zsh. Scripts run on the device in parallel as separate processes.
Adding a script (Add) is almost the same as for a PowerShell script. Only in the Script settings step do we have different options. When we upload a Shell script, which must be less than 200 kB, its content is displayed in a read-only editor. We set the options:
- Run script as signed-in user - whether the script runs with the user's credentials or as the root user
- Hide script notifications on devices - by default the user sees the notification IT is configuring your computer
- Script frequency - how often the script is run, the default is only once
- Max number of times to retry if script fails - how many times the script should be run if it returns an error (non-zero exit code)

Security Baselines
Security Baselines contain pre-configured security settings from Microsoft security teams. Intune allows you to easily deploy Windows Security Baselines. We can also modify the prepared Baseline and deploy only the settings and values we require. We can use it for Windows 10/11.
When creating a Security Baseline Profile, we create a template that consists of multiple Configuration Profiles. The configuration is similar to when creating a configuration profile of the Template type.
- Microsoft Endpoint Manager admin center - Endpoint security - Security baselines
We select the baseline we want to use and click Create profile. We go through the wizard. The main thing is to review the prepared settings in the Configuration settings step and possibly change the default baseline configuration.
