Forum Discussion

Daniel Hudson
Steel Contributor
Feb 12, 2018

Dynamic Groups Help

Hi All


We're about to migrate from MobileIron to Intune and I've been building the service ready for our users.


In MobileIron, we previously had different policies and configurations for users based upon dynamic groups (labels) that filtered on both user and device attributes e.g. user is in xxx AD group and has an iOS device with DEP enabled.


Currently I can't see how this can be achieved in Intune. Would I have to use nested dynamic groups (if this is supported) to segregate by device attribute, and then from that group by user attribute? Or do I need to rethink how we're applying configurations and policies?


Secondly, we have subsets of users that need slightly different policies (such as VIPs, or users with specialist devices). Are we able to prioritise policies/configurations so that, if two are pushed to the same device, one is given priority over the other, or do I need to figure out a way to separate them out from the 'main' group? The only way I can think of doing this is, again, to create a dynamic group that says "everyone in xxx AD group", and then create a second dynamic group which is "everyone not already in that other dynamic group". Would this be the ideal solution?


Any help or insight with this would be hugely appreciated.


Thanks

Dan

  • Hi Dan,

    Please have a look here: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-groups-dynamic-membership-azure-portal

    You will need to come up with a different strategy for how to assign configurations. As of now there is no way to build a query like "person x is not a member of group y".

    The way Microsoft is thinking about Intune assignments is user-centric. So a VIP group will get different settings and is not a member of the broad employee group, for example. This leads to separation in the end. Your example of "user has iOS and DEP" is also not directly addressable. We can't mix user and device attributes. We would assign a policy to a user group, and if the user has an Android, all iOS device policies would be marked as "not applicable". If the user now enrolls an iOS device, the iOS policies would apply. Makes sense?

    Certainly not the flexibility you may be familiar with from MobileIron, but that's how it is.

    Best,

    Oliver
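The separation Oliver describes, as an added PowerShell example that is not from this thread or from Oliver: two user-based groups (VIP and everyone else) and one device-based group for DEP-enrolled iOS devices, each with its own rule because a dynamic membership rule cannot combine user.* and device.* properties. It assumes the AzureAD PowerShell module's New-AzureADMSGroup cmdlet, that VIP AD group membership is surfaced as extensionAttribute1 = "VIP" through Azure AD Connect, and a DEP enrollment profile named "Corporate iOS DEP"; the group names are made up.

```powershell
# Added example, not code from the forum thread. Assumes the AzureAD module.
Connect-AzureAD

# 1. User-based group: VIP users get their own (stricter) Intune assignments.
#    Assumption: the on-prem VIP AD group is synced into extensionAttribute1.
$vipRule = '(user.extensionAttribute1 -eq "VIP")'
$vip = New-AzureADMSGroup -DisplayName "MDM-Users-VIP" `
    -MailEnabled $false -SecurityEnabled $true -MailNickname "mdmusersvip" `
    -GroupTypes "DynamicMembership" -MembershipRule $vipRule `
    -MembershipRuleProcessingState "On"

# 2. User-based group: everyone else. There is no "not a member of group X"
#    operator in the rule language, so the exclusion is expressed on the same
#    attribute the VIP rule uses, which keeps the two groups disjoint.
$stdRule = '(user.accountEnabled -eq true) and (user.extensionAttribute1 -ne "VIP")'
$std = New-AzureADMSGroup -DisplayName "MDM-Users-Standard" `
    -MailEnabled $false -SecurityEnabled $true -MailNickname "mdmusersstd" `
    -GroupTypes "DynamicMembership" -MembershipRule $stdRule `
    -MembershipRuleProcessingState "On"

# 3. Device-based group: iPhones/iPads enrolled through Apple DEP. This rule
#    only references device.* properties; it cannot also test user.* ones.
#    Assumption: the DEP profile is named "Corporate iOS DEP".
$depRule = '((device.deviceOSType -eq "iPhone") or (device.deviceOSType -eq "iPad")) and (device.enrollmentProfileName -eq "Corporate iOS DEP")'
$dep = New-AzureADMSGroup -DisplayName "MDM-Devices-iOS-DEP" `
    -MailEnabled $false -SecurityEnabled $true -MailNickname "mdmdevicesiosdep" `
    -GroupTypes "DynamicMembership" -MembershipRule $depRule `
    -MembershipRuleProcessingState "On"

# Review the rules before any Intune profile or compliance policy is assigned
# to these groups; membership is evaluated by the service, not at creation.
$vip, $std, $dep | Select-Object DisplayName, MembershipRule, MembershipRuleProcessingState
```

Policies that are user-specific are then assigned to the two user groups, and iOS-only configuration to the device group; a policy assigned to a user group is simply reported as "not applicable" on that user's devices of other platforms, as Oliver notes.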


    • Daniel Hudson
      Steel Contributor
      Hi Oliver,

      Thank you for your response. I can see I'm going to need a complete rethink about how we sort our policies and groupings!

      D
