Microsoft Intune · Device & Endpoint Management
Policy and Profile Manager
Manages compliance policy, configuration profiles, Apple enrollment, corporate device identifiers, and security baselines.
Scope: Device configuration and enrollment management
Permissions
- Device configurations - Full CRUD + Assign + View reports
- Device compliance policies - Full CRUD + Assign + View reports
- Corporate device identifiers - Full CRUD
- Enrollment programs - Full management (profiles, tokens, devices)
- Managed apps - Full CRUD + Assign
- Policy Sets - Full CRUD + Assign
- Quiet Time policies - Full CRUD + Assign + View reports
- Filters - Full CRUD
- Android Enterprise - Read, Update app sync, enrollment profiles, onboarding
Common use cases
- Creating and deploying configuration profiles
- Managing device compliance policies
- Setting up Apple DEP/ABM enrollment
- Managing corporate device identifiers (IMEI, serial numbers)
Best practices
- Use for dedicated configuration management staff
- Combine with Application Manager for full deployment capability
- Test policies in pilot groups before broad deployment
- Document policy purposes and ownership
Security considerations
- Can modify compliance policies affecting device access
- Can manage enrollment programs and tokens
- Changes to configurations can affect all enrolled devices
Common questions
When should I assign the Policy and Profile Manager role?
Assign Policy and Profile Manager when you need to: Creating and deploying configuration profiles; Managing device compliance policies; Setting up Apple DEP/ABM enrollment; and Managing corporate device identifiers (IMEI, serial numbers). It is part of Microsoft Intune and should be granted as a least-privilege alternative to broader roles like Global Administrator.
What can someone with the Policy and Profile Manager role do?
The Policy and Profile Manager role grants permissions including: Device configurations - Full CRUD + Assign + View reports; Device compliance policies - Full CRUD + Assign + View reports; Corporate device identifiers - Full CRUD; Enrollment programs - Full management (profiles, tokens, devices); Managed apps - Full CRUD + Assign; and Policy Sets - Full CRUD + Assign. See the Permissions section above for the full list.
What are the security risks of the Policy and Profile Manager role?
Key considerations when assigning Policy and Profile Manager: Can modify compliance policies affecting device access; Can manage enrollment programs and tokens; and Changes to configurations can affect all enrolled devices. Review the Security considerations section before assignment, and pair with Privileged Identity Management (PIM) for just-in-time access where possible.