Device based vs User based MDM policies in ConfigMgr 2012 R2

With ConfigMgr and Intune you have long been able to manage devices like Android, iOS and Windows with mail profiles, security settings, Wi-Fi profiles and VPN profiles. Deployment of those profiles has undergone a fundamental change with the release of ConfigMgr R2 CU3. To understand those changes you first need to understand how policies were deployed in the past.

Back in the old days “prior to R2 CU3”

On the ConfigMgr side, even if you deployed a policy to a user collection, it was always delivered as a device policy. In the background no policy was generated for the users in the collection. Instead ConfigMgr calculated all devices owned by each of those users and generated a device policy for those devices. What did that mean when enrolling a device?

  1. The device is enrolled into Intune.
  2. We are now waiting until the next time ConfigMgr ‘pulls’ data from Intune, which is every 5 minutes.
  3. When ConfigMgr pulls the new data the device is registered with ConfigMgr.
  4. Like any other device, ConfigMgr will go through a collection evaluation that adds the device to the correct collections.
  5. Once the device is registered a policy will now be generated, since it’s marked as owned by the user in the collection.
  6. We are now waiting until the next time ConfigMgr ‘syncs’ data with Intune (every 5 minutes).
  7. With the policy in Intune, the next time the device syncs with Intune it will receive the policy and do things like request a SCEP cert from the NDES server, etc.

Applying policies post R2 CU3

With the latest updates, as mentioned, things have changed for the better and applying policies now happens much faster. So what has happened? The translation of user-based policies into device-based policies is gone. This means that a user policy is now deployed to the user object and not to the user's primary devices. The benefit of this change is that when a new device is enrolled into Intune, the user policy has already been synced to Intune, which speeds up the entire policy process. When enrolling a new device today:

  1. The device is enrolled into Intune.
  2. Policy is found for the user in Intune, and is immediately delivered to the device.
  3. The device will begin requesting a SCEP cert from the NDES server immediately. This means that the device will get the SCEP certificate, Wi-Fi profile, security settings and VPN profiles long before it’s registered in ConfigMgr.

A few things to notice

Any policy created BEFORE upgrading ConfigMgr to CU3 will continue to be device-based and not user-based. For that reason you have to delete the old deployments completely (I also delete the profiles) and re-deploy them to user collections. For old device collection deployments I recommend converting them to user collection deployments.
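To find the deployments that note applies to, here is an added PowerShell example (not from the original post) that lists, from the ConfigMgr console cmdlets, every deployment that either was created before the CU3 upgrade or still targets a device collection, with the reason it should be re-deployed. The site code, site server name and upgrade date are constructed values you have to replace, and the optional `-like 'MDM*'` filter on `SoftwareName` is a hypothetical naming convention for the profile deployments.

```powershell
# Added example, not part of the original post. Inventories deployments that
# should be deleted and re-deployed to user collections after the R2 CU3 upgrade.
# Assumptions (constructed values): site code PS1, site server cm01.contoso.local,
# upgrade date 2014-11-01, and the ConfigMgr console is installed on this machine.
$SiteCode    = 'PS1'
$SiteServer  = 'cm01.contoso.local'
$UpgradeDate = Get-Date '2014-11-01'

# Load the cmdlets from the console install path and connect to the site drive
Import-Module (Join-Path (Split-Path $env:SMS_ADMIN_UI_PATH -Parent) 'ConfigurationManager.psd1')
if (-not (Get-PSDrive -Name $SiteCode -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name $SiteCode -PSProvider CMSite -Root $SiteServer | Out-Null
}
Set-Location "$($SiteCode):"

# Lookup of device collection IDs: anything deployed to one of these is device-based
$deviceCollections = @{}
Get-CMDeviceCollection | ForEach-Object { $deviceCollections[$_.CollectionID] = $_.Name }

# Flag each deployment with the reason(s) it still needs attention
$report = Get-CMDeployment |
    Where-Object { $_.SoftwareName -like 'MDM*' } |   # hypothetical profile naming convention; remove to see everything
    ForEach-Object {
        $reasons = @()
        if ([datetime]$_.CreationTime -lt $UpgradeDate) {
            $reasons += 'created before CU3 upgrade: still device-based, delete and re-deploy to a user collection'
        }
        if ($deviceCollections.ContainsKey($_.CollectionID)) {
            $reasons += 'targets a device collection: convert to a user collection deployment'
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                SoftwareName   = $_.SoftwareName
                CollectionName = $_.CollectionName
                CollectionID   = $_.CollectionID
                Created        = $_.CreationTime
                Reason         = ($reasons -join '; ')
            }
        }
    } | Sort-Object SoftwareName

$report | Format-Table -AutoSize

# Keep a copy so you can tick deployments off as they are converted
$report | Export-Csv -Path "$env:TEMP\device-based-mdm-deployments.csv" -NoTypeInformation
```

Run it from a console-equipped admin workstation; the CSV gives you a checklist of what to delete and re-deploy, and a deployment that shows up with an empty list after re-running is one that has been converted.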


Also make sure you deploy this

Comments:

  1. Philipp says:

    Hi Kent,
    you got any suggestions when User Policies are not arriving on the Device? When deploying them to the device it works but users just get the SCEP Policies and nothing else.
    best regards
