



While the Hybrid Azure AD Join over VPN process probably gets people more excited, another change went live in Intune at the same time: The ability to target enrollment status page (ESP) profiles to groups of devices.

Prior to this change, you could target groups containing users, and you could use the default ESP profile to target “All users and devices” as a fallback, but there was no way to target device groups. That was rather awkward with self-deploying mode and the white glove technician process, which don’t have a user, so for those scenarios you had no choice but to use the default ESP profile. There was also an “interesting” scenario where the blocking app list would not work during device ESP with a non-default (user-targeted) ESP profile, so ESP would end up tracking all apps.

If you target device groups instead of user groups, all of these issues go away (although you still do need to be careful with Hybrid Azure AD Join due to the shift from the Azure AD device object to the Hybrid Azure AD device object, as I discuss here and here). You can use a device-targeted ESP profile with self-deploying mode, white glove, and any other scenario, and you can use it in co-management scenarios where you want to turn off ESP for co-managed devices (once you build a group containing those devices).

Since this is just a “behind-the-scenes” behavioral change in the targeting mechanism for ESP profiles, you’ll notice no changes in the Intune portal, just a change in the result.
