Compliance, Configuration Profiles, and App Deployment
Summary
This note explains the difference between compliance, configuration profiles, and app deployment in Intune-style endpoint management. The goal is to make device support work easier by separating three things that often get mixed together.
Why this matters
- many endpoint issues are described vaguely as “Intune is not working”
- support gets clearer when you know whether the issue is device health, device settings, or application delivery
- these layers are related, but they do not mean the same thing
Environment / Scope
| Item | Value |
|---|---|
| Topic | Intune device-management layers |
| Best use for this note | separating the main types of endpoint management outcome |
| Main focus | compliance, config, apps, support interpretation |
| Safe to practise? | yes |
Core comparison
| Layer | What it means | Typical example |
|---|---|---|
| Compliance | whether the device meets required conditions | device must have encryption or healthy security state |
| Configuration profile | settings pushed to shape device behaviour | Wi-Fi, security baseline, restrictions, system settings |
| App deployment | delivery of managed software to the device | Company Portal app, browser, endpoint tool, line-of-business app |
Mental model
Think about the device like this:
device enrolled
-> config shapes behaviour
-> apps provide tools and access
-> compliance decides whether the device is acceptable for policy or access decisionsThis means a device can:
- receive a profile but still be non-compliant
- be compliant but still miss an app
- have an app installed but still be blocked by compliance policy
Everyday examples
| Situation | Likely layer to check first |
|---|---|
| device cannot reach expected Wi-Fi or setting state | configuration profile |
| user says required app is missing | app deployment |
| conditional access blocks the device | compliance |
| device appears enrolled but still behaves incorrectly | config, app, and compliance may need separating |
Common misunderstandings
| Misunderstanding | Better explanation |
|---|---|
| ”Compliance is just another policy” | it is about whether the device meets required conditions |
| ”Configuration profiles and apps are the same delivery path” | one changes settings, the other delivers software |
| ”If the device is compliant, everything should work” | app and setting delivery can still fail separately |
| ”One Intune issue means one root cause” | endpoint support often needs these layers split first |
Practical check sequence
When a managed device issue appears, ask:
- is the device enrolled and visible?
- is the issue about settings, apps, or access state?
- is the device compliant?
- are the expected profiles assigned?
- is the required app assigned and reporting correctly?
Key takeaways
- compliance, configuration, and app deployment are different layers
- support is easier when the device problem is described in the right layer first
- separating these layers reduces portal confusion and weak troubleshooting