Microsoft Intune · Device & Endpoint Management

Policy and Profile Manager

Manages compliance policy, configuration profiles, Apple enrollment, corporate device identifiers, and security baselines.

Scope: Device configuration and enrollment management

Permissions

Device configurations - Full CRUD + Assign + View reports
Device compliance policies - Full CRUD + Assign + View reports
Corporate device identifiers - Full CRUD
Enrollment programs - Full management (profiles, tokens, devices)
Managed apps - Full CRUD + Assign
Policy Sets - Full CRUD + Assign
Quiet Time policies - Full CRUD + Assign + View reports
Filters - Full CRUD
Android Enterprise - Read, Update app sync, enrollment profiles, onboarding

Common use cases

Creating and deploying configuration profiles
Managing device compliance policies
Setting up Apple DEP/ABM enrollment
Managing corporate device identifiers (IMEI, serial numbers)

Best practices

Use for dedicated configuration management staff
Combine with Application Manager for full deployment capability
Test policies in pilot groups before broad deployment
Document policy purposes and ownership

Security considerations

Can modify compliance policies affecting device access
Can manage enrollment programs and tokens
Changes to configurations can affect all enrolled devices

Official Microsoft Learn documentation →

Open the interactive RBACMap →