Policy Studio: Audit and manage Intune policies
The procedures in this article cover the complete process of managing Intune policies in Nerdio Manager's Policy Studio. They cover the use of the two main views - Settings Explorer and Policy Results - and guide you through editing the building blocks of your policies, assigning them to target devices, and identifying and editing conflicts.
Prerequisites
Nerdio Manager subscription
The tasks in this procedure apply to the following Nerdio Manager subscription level(s):
| AVD Core | |
| AVD Premium | |
| Windows 365 | |
| Unified Endpoint Management |
System/environment requirements
You must have an active Intune subscription in your tenant.
Role-based access control (RBAC) and permissions
Nerdio Manager roles
Managing Intune policies in Policy Studio requires the Admin Nerdio Manager role.
Nerdio Manager access levels
Following the Principle of Least Privilege (PoLP), you can define one or more Nerdio Manager custom role(s) to view and manage Intune policies in Policy Studio. Custom roles require permissions in the Endpoint Management > Intune module, as follows:
- To view policy details in Policy Studio, the Read Devices permission is required.
- To edit policy details in Policy Studio, the Manage Devices permission is required.
Note: As support for different policy types is expanded in subsequent releases, additional permissions, including Read/Manage Policies and Read/Manage Applications and App Policies, will eventually be required.
Graph API permissions
The Nerdio Manager application requires either the DeviceManagementConfiguration.Read.All permission (to display Intune policies in read-only mode) or the DeviceManagementConfiguration.ReadWrite.All permission (to edit policies). These permissions can be assigned in either User or Application mode.
Preparatory steps
To grant Nerdio Manager the necessary permissions to manage Intune policies in Policy Studio, configure the Intune integration to allow read or read/write access to Intune-managed devices. Once you've done this, Policy Studio is automatically enabled and ready for use.
Use Settings Explorer view to edit Intune policies
The Settings Explorer view allows you to view and edit the Intune policies in your tenant, grouped either by policy or by setting.
To locate and edit a policy's settings:
- In Nerdio Manager, navigate to Endpoints > Policy Studio.
  Policy Studio opens in the Settings Explorer tab, in Policy View mode.
- Ensure that Configuration Profiles is selected in the Policy kind filter.
  Note: During Policy Studio's initial Public Preview phase, the feature supports Configuration Profiles only. Support for other policy types will be added in subsequent releases.
- Select the desired policy from the list. (Optionally, you can use the search bar to search for a specific policy by name and filter the list accordingly.)
  The right-hand panel populates with a list of collapsible setting categories for the selected policy.
- Select the expand button next to a setting category heading to reveal its detailed configuration options.
- Select the edit button to open the policy editor.
  The entire policy opens in Builder View, zoomed in to the setting you selected on the main page.
- Use the toggles and dropdowns to modify the values for settings included in the policy.
- If desired, use the checkboxes preceding a setting to remove it from the policy entirely. This option is useful if, for example, another policy managing this setting will also be assigned to the target device group(s), and you want to prevent conflict or duplication.
- Optionally, switch the view dropdown from Builder to Advanced to view and modify the raw JSON for the policy.
- When you've made all your changes, select Review.
  The wizard advances to the Finish step, displaying a summary of all policy settings and a warning that changes will affect all assigned users and devices.
- Select the Yes, I'm sure checkbox to acknowledge the policy changes.
- Select Confirm to save your changes, exit the policy editor and return to the main view.
  Note: If you have Policy approval workflows enabled, your changes will now be submitted to an administrator for review. Otherwise, your changes will be pushed to the target device(s).
Alternatively, select Close at any point in the dialog to exit the policy editor without saving changes.
To locate a setting and edit one or more associated policies:
- In Nerdio Manager, navigate to Endpoints > Policy Studio.
  Policy Studio opens in the Settings Explorer tab, in Policy View mode.
- Switch the view dropdown from Policy View to Settings View.
- Ensure that Configuration Profiles is selected in the Policy kind filter.
  Note: During Policy Studio's initial Public Preview phase, the feature supports Configuration Profiles only. Support for other policy types will be added in subsequent releases.
- Expand a setting category in the list, and select the desired setting. (Optionally, you can use the search bar to search for a specific setting by name and filter the list accordingly.)
  The right-hand panel populates with a list of policies in your tenant that contain the setting you've chosen.
- Select the expand button next to a policy heading to reveal its detailed configuration options.
- Select the edit button to open the policy editor.
  The entire policy opens in Builder View, zoomed in to the setting you selected on the main page.
- Use the toggles and dropdowns to modify the values for settings included in the policy.
- If desired, use the checkboxes preceding a setting to remove it from the policy entirely. This option is useful if, for example, another policy managing this setting will also be assigned to the target device group(s), and you want to prevent conflict or duplication.
- Optionally, switch the view dropdown from Builder to Advanced to view and modify the raw JSON for the policy.
- When you've made all your changes, select Review.
  The wizard advances to the Finish step, displaying a summary of all policy settings and a warning that changes will affect all assigned users and devices.
- Select the Yes, I'm sure checkbox to acknowledge the policy changes.
- Select Confirm to save your changes, exit the policy editor and return to the main view.
  Note: If you have Policy approval workflows enabled, your changes will now be submitted to an administrator for review. Otherwise, your changes will be pushed to the target device(s).
Alternatively, select Close at any point in the dialog to exit the policy editor without saving changes.
- Use either of the above methods to select and open a policy for editing.
- Select the Assignments tab in the policy editor.
  The editor displays Included groups and Excluded groups fields.
- Start typing in the Included groups field to find and select device groups to assign the policy to. Alternatively, check the All Users or All Devices boxes to assign the policy universally.
- Optionally, start typing in the Excluded groups field to find and select device groups to exclude from policy assignment.
- Optionally, if Automatic policy backups are enabled for your tenant, use the Fill Assignment from Backup or Revert to Original Assignment buttons to restore an earlier assignment configuration.
- Select Review.
- Select the Yes, I'm sure checkbox to acknowledge the assignment configuration.
- Select Confirm to save your changes, exit the policy editor and return to the main view.
  Note: If you have Policy approval workflows enabled, your changes will now be submitted to an administrator for review. Otherwise, your changes will be pushed to the target device(s).
Alternatively, select Close at any point in the dialog to exit the policy editor without saving changes.
Use the Policy Results view to discover and modify the results of policies applied to target device(s)
The Policy Results view allows you to view how a selected policy or setting applies to a target device or device group, enabling quick and easy resolution and identification of conflicts.
To view the effects of applied policies on a target:
- In Nerdio Manager, navigate to Endpoints > Policy Studio.
  Policy Studio opens in the Settings Explorer tab.
- Select the Policy Results tab.
  The Policy Results page loads in Policy View mode.
- Use the processing type dropdown to select whether you want to view the impact of assigned policies on a device group or an individual device:
  - To view the policy results for a target device group, select Device Group Processing.
  - To view the policy results for an individual target device, select Device Processing.
- Select the desired device or device group from the dropdown to filter the policy results. A list of all policies applied to the target device(s) loads.
- Select the desired policy row in the results list to expand it and view the settings it applies.
  The row expands to display individual settings and their resolved values, including any conflict or error status.
- Select the edit button next to any setting to open the policy editor with a focus on that setting.
  The entire policy opens in Builder View, zoomed in to the setting you selected on the main page.
- Use the toggles and dropdowns to modify the values for settings included in the policy.
- If desired, use the checkboxes preceding a setting to remove it from the policy entirely. This option is especially useful if the setting conflicts with one applied by another policy to the same target, and you want to allow the other policy to manage the setting.
- Optionally, switch the view dropdown from Builder to Advanced to view and modify the raw JSON for the policy.
- When you've made all your changes, select Review.
  The wizard advances to the Finish step, displaying a summary of all policy settings and a warning that changes will affect all assigned users and devices.
- Select the Yes, I'm sure checkbox to acknowledge the policy changes.
- Select Confirm to save your changes, exit the policy editor and return to the main view.
  Note: If you have Policy approval workflows enabled, your changes will now be submitted to an administrator for review. Otherwise, your changes will be pushed to the target device(s).
Alternatively, select Close at any point in the dialog to exit the policy editor without saving changes.
To view a full list of settings applied to a target and resolve conflicts:
- In Nerdio Manager, navigate to Endpoints > Policy Studio.
  Policy Studio opens in the Settings Explorer tab.
- Select the Policy Results tab.
  The Policy Results page loads in Policy View mode.
- Switch the view dropdown from Policy View to Settings View.
- Use the processing type dropdown to select whether you want to view the impact of assigned policies on a device group or an individual device:
  - To view the policy results for a target device group, select Device Group Processing.
  - To view the policy results for an individual target device, select Device Processing.
- Select a device or device group from the dropdown.
  A list of individual settings is displayed. If multiple policies are attempting to apply the setting to the target device(s), a warning message (for example, 2 policies) will appear in the row, indicating that a conflict requires resolution.
- Select the edit button next to any listed setting to open the applicable policy in the policy editor, with a focus on that setting.
  The entire policy opens in Builder View, zoomed in to the setting you selected on the main page.
- Use the toggles and dropdowns to modify the values for settings included in the policy.
- If desired, use the checkboxes preceding a setting to remove it from the policy entirely. This option is especially useful if the setting conflicts with one applied by another policy to the same target, and you want to allow the other policy to manage the setting.
- Optionally, switch the view dropdown from Builder to Advanced to view and modify the raw JSON for the policy.
- When you've made all your changes, select Review.
  The wizard advances to the Finish step, displaying a summary of all policy settings and a warning that changes will affect all assigned users and devices.
- Select the Yes, I'm sure checkbox to acknowledge the policy changes.
- Select Confirm to save your changes, exit the policy editor and return to the main view.
  Note: If you have Policy approval workflows enabled, your changes will now be submitted to an administrator for review. Otherwise, your changes will be pushed to the target device(s).
Alternatively, select Close at any point in the dialog to exit the policy editor without saving changes.
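A check in the spirit of the Settings View conflict warning can also be run offline against exported policy data, for instance when reviewing a proposed change before selecting Confirm. The following is an added example, not Nerdio Manager code: the policy structure, group names and setting keys are constructed and simplified (not the Intune or Graph schema), and it assumes device groups only.

```python
from collections import defaultdict

# Constructed sample data: a simplified stand-in for exported policies.
POLICIES = [
    {"name": "Baseline-Workstations", "include": ["All Devices"], "exclude": ["Kiosks"],
     "settings": {"Defender/RealTimeMonitoring": "enabled",
                  "BitLocker/RequireEncryption": "true"}},
    {"name": "Kiosk-Lockdown", "include": ["Kiosks"], "exclude": [],
     "settings": {"Defender/RealTimeMonitoring": "enabled", "Browser/KioskMode": "true"}},
    {"name": "Dev-Exceptions", "include": ["Developers"], "exclude": [],
     "settings": {"Defender/RealTimeMonitoring": "disabled"}},
    {"name": "Encryption-Laptops", "include": ["Laptops"], "exclude": [],
     "settings": {"BitLocker/RequireEncryption": "true"}},
]


def applies(policy, device_groups):
    """True if an included group matches the device and no excluded group does."""
    member_of = set(device_groups)
    if member_of & set(policy["exclude"]):
        return False  # in this model an exclusion always wins over an inclusion
    return bool((member_of | {"All Devices"}) & set(policy["include"]))


def setting_view(policies, device_groups):
    """Map each setting to the (policy name, value) pairs that reach the device."""
    view = defaultdict(list)
    for policy in policies:
        if applies(policy, device_groups):
            for key, value in policy["settings"].items():
                view[key].append((policy["name"], value))
    return dict(view)


def find_overlaps(policies, device_groups):
    """Settings configured by more than one applicable policy.

    'conflict' is True when those policies disagree on the value.
    """
    overlaps = {}
    for key, sources in setting_view(policies, device_groups).items():
        if len(sources) > 1:
            overlaps[key] = {"policies": sorted(name for name, _ in sources),
                             "conflict": len({value for _, value in sources}) > 1}
    return overlaps


if __name__ == "__main__":
    for groups in (["Developers"], ["Kiosks"], ["Laptops"]):
        print(groups, find_overlaps(POLICIES, groups))
```

In the sample data, a device in Developers receives two competing values for the real-time monitoring setting, while a device in Laptops receives the same encryption value from two policies, which is duplication rather than disagreement.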