Microsoft Intune · Device & Endpoint Management

Policy and Profile Manager

Manages compliance policy, configuration profiles, Apple enrollment, corporate device identifiers, and security baselines.

Scope: Device configuration and enrollment management

Permissions

  • Device configurations - Full CRUD + Assign + View reports
  • Device compliance policies - Full CRUD + Assign + View reports
  • Corporate device identifiers - Full CRUD
  • Enrollment programs - Full management (profiles, tokens, devices)
  • Managed apps - Full CRUD + Assign
  • Policy Sets - Full CRUD + Assign
  • Quiet Time policies - Full CRUD + Assign + View reports
  • Filters - Full CRUD
  • Android Enterprise - Read, Update app sync, enrollment profiles, onboarding

Common use cases

  • Creating and deploying configuration profiles
  • Managing device compliance policies
  • Setting up Apple DEP/ABM enrollment
  • Managing corporate device identifiers (IMEI, serial numbers)

Best practices

  • Use for dedicated configuration management staff
  • Combine with Application Manager for full deployment capability
  • Test policies in pilot groups before broad deployment
  • Document policy purposes and ownership

Security considerations

  • Can modify compliance policies affecting device access
  • Can manage enrollment programs and tokens
  • Changes to configurations can affect all enrolled devices

Common questions

When should I assign the Policy and Profile Manager role?

Assign Policy and Profile Manager when you need to: Creating and deploying configuration profiles; Managing device compliance policies; Setting up Apple DEP/ABM enrollment; and Managing corporate device identifiers (IMEI, serial numbers). It is part of Microsoft Intune and should be granted as a least-privilege alternative to broader roles like Global Administrator.

What can someone with the Policy and Profile Manager role do?

The Policy and Profile Manager role grants permissions including: Device configurations - Full CRUD + Assign + View reports; Device compliance policies - Full CRUD + Assign + View reports; Corporate device identifiers - Full CRUD; Enrollment programs - Full management (profiles, tokens, devices); Managed apps - Full CRUD + Assign; and Policy Sets - Full CRUD + Assign. See the Permissions section above for the full list.

What are the security risks of the Policy and Profile Manager role?

Key considerations when assigning Policy and Profile Manager: Can modify compliance policies affecting device access; Can manage enrollment programs and tokens; and Changes to configurations can affect all enrolled devices. Review the Security considerations section before assignment, and pair with Privileged Identity Management (PIM) for just-in-time access where possible.

Official Microsoft Learn documentation →

Open the interactive RBACMap →