Veri-Tech
Support/Products/Veri-Tune

Veri-Tune

Enterprise

Veri-Tune assesses your Microsoft Intune endpoint management configuration against 375 security controls covering Windows, macOS, iOS, and Android. It provides assignment-aware dual scoring, bulk policy assignment, and automated remediation with scoped JIT write permissions.

375Intune controls
4Platforms
3JIT permissions
EnterpriseMin tier

How Veri-Tune Works

Step-by-step walkthrough from start to finish

1

Run Baseline Assessment

Navigate to the Tune section and click "Run Assessment." Veri-Tune reads your Intune configuration — device compliance policies, configuration profiles, security baselines, and app protection policies — via the Graph API. The assessment evaluates 375 controls across Windows, macOS, iOS, and Android.

2

Review Dual Scores

Veri-Tune provides assignment-aware dual scoring. The "deployed" score only counts controls assigned to device groups (reflecting what's actually protecting devices). The "configured" score counts all policies regardless of assignment. A gap between the two means policies exist but aren't assigned.

3

Assign Policies to Groups

Use bulk policy assignment to select recommended policies and assign them to device groups with one click. Provide a group ID or select from existing groups, choose policies, and assign. JIT write permissions are granted for the assignment and auto-revoked after.

4

Remediate Configuration Gaps

For failing controls, Veri-Tune can create or update Intune policies to meet compliance requirements. Scoped JIT write permissions use only 3 Graph API scopes (vs 14 for M365 remediation). All actions are logged in the remediation audit trail.

5

Track Audit Trail

Every JIT consent grant, policy assignment, and write revocation is logged in the audit trail. View the full history from the Veri-Tune results page, including timestamps, actions taken, and before/after values.

Data Handling

What data is collected, processed, stored, and what is never accessed

Data collected during Intune assessment

  • Intune device compliance policies and their assignments
  • Device configuration profiles (Settings Catalog, templates, custom OMA-URI)
  • Security baselines and their current configuration values
  • App protection policies for iOS, Android, and Windows
  • Enrollment restrictions and Autopilot deployment profiles
  • Device group memberships for assignment-aware scoring

How data is processed

  • Configuration values are evaluated against 375 control definitions in the Veri-Tune registry
  • Assignment-aware scoring calculates both "deployed" (assigned to groups) and "configured" (all policies) scores
  • Cross-source detection aggregates settings from Settings Catalog, Security Baselines, and Compliance Policies
  • Framework mappings are applied (CIS, NIST, SOC 2, ISO 27001, HIPAA, CISA)
  • Remediation actions use the Graph API with scoped JIT write permissions

What is stored after assessment

  • Compliance scores (deployed and configured) in Azure Table Storage
  • Per-control pass/fail results with setting values and expected values
  • Remediation audit trail (JIT grants, assignments, revocations) in Azure Table Storage
  • Generated reports in Azure Blob Storage (encrypted at rest)

Data Veri-Tune never accesses

  • Device hardware details, serial numbers, or IMEI numbers
  • Installed applications or app usage data on managed devices
  • User personal data, email, files, or browsing history
  • BitLocker recovery keys or FileVault keys
  • Device location data or GPS coordinates
  • Managed app content or app configuration data

Permissions

Every Graph API permission used, when it's requested, and why

Permission Model

Veri-Tune uses a scoped JIT permission model with only 3 write permissions (vs 14 for M365 remediation). Read permissions are granted during initial consent. Write permissions are requested via a separate delegated consent flow immediately before remediation or policy assignment and auto-revoked after the operation. A Global Administrator must complete the delegated consent prompt — this is separate from the initial read-only consent.

DeviceManagementConfiguration.Read.All
Read
Always

Read device configuration profiles, security baselines, and settings

DeviceManagementManagedDevices.Read.All
Read
Always

Read managed device inventory and compliance status

DeviceManagementServiceConfig.Read.All
Read
Always

Read Intune service configuration and enrollment settings

DeviceManagementConfiguration.ReadWrite.All
Write
JIT only

Create or update device configuration profiles and security baselines

DeviceManagementManagedDevices.ReadWrite.All
Write
JIT only

Assign policies to device groups

DeviceManagementServiceConfig.ReadWrite.All
Write
JIT only

Update enrollment and service configuration settings

Safety Controls

  • Scoped JIT write permissions — only 3 Graph scopes vs 14 for M365
  • Delegated auth for write operations — a real admin must consent, not just app permissions
  • Auto-revocation of write permissions after every operation
  • JIT status badges show Active/Revoked/Assigned state at all times
  • Full audit trail of every consent grant, assignment, and revocation
  • Assignment-aware scoring prevents false positives from unassigned policies

Capabilities

375 Intune-specific controls across device compliance, configuration, baselines, and app protection
Assignment-aware dual scoring (deployed vs. configured compliance)
Cross-source detection: Settings Catalog, Security Baselines, Compliance Policies
Bulk policy assignment to device groups with one click
Automated remediation with scoped JIT write permissions
Runbook generation for controls requiring manual administrator steps
CIS, NIST, SOC 2, ISO 27001, HIPAA, and CISA framework mapping
Remediation audit trail with timestamps and before/after values
Included with Enterprise and MSP plans

Frequently Asked Questions

What is the difference between "deployed" and "configured" scores?
The "deployed" score only counts controls assigned to device groups — reflecting what's actually protecting your devices. The "configured" score counts all policies regardless of assignment. A large gap means you have security policies that aren't assigned to any devices.
Why does Veri-Tune use delegated auth instead of app-only permissions?
Certain Intune endpoints (like Autopilot and Enrollment Status Page profiles) require delegated authentication — they reject app-only tokens. Veri-Tune stores a delegated token during JIT consent to ensure all write operations succeed. This also provides stronger security assurance since a real administrator must actively consent.
How does bulk policy assignment work?
Select the policies you want to assign, provide a target group ID (or select from existing groups), and click "Assign." Veri-Tune requests scoped JIT write permissions, assigns the selected policies to the group, and auto-revokes write access. The entire operation is logged in the audit trail.
Does Veri-Tune access my users' devices?
No. Veri-Tune reads Intune policy configurations and device group memberships — it never accesses individual device hardware, installed apps, user data, recovery keys, or location information.

All Products · Full Permission Reference · AI Features & Privacy · Control Frameworks

Questions? Submit a ticket · Email support