Forum Discussion

StuartK73's avatar
StuartK73
Iron Contributor
Dec 20, 2025

Separate APP policies

Hi All   I hope you are well and have a Merry Christmas and a Happy New Year.   Anyway, trying to get my head around APP policies for both BYOD and Corp (COBO) Android devices.   I'd like nothi...
Intune
Mobile Application Management (MAM)
Shubham_Kumar_Singh's avatar
Shubham_Kumar_Singh
Copper Contributor
Dec 20, 2025

Hi Stuart,

if you exclude the filter it will exclude from the complete policy. Since you are planning for screen capture feature, create a duplicate policy and exclude the corporate device and add in the new policy. And you create filter device ownership = corporate. 

StuartK73's avatar
StuartK73
Iron Contributor
Dec 22, 2025

Hi Buddy

Many thanks for your reply although I don't think I really understand what you are saying.

Anyway, I think I have it working with the following filters:

 

  • BYOD APP policy > Assigned to E3 / F3 groups > EXCLUDE (app.deviceManagementType -eq "Android Enterprise")
  • Corp Owned / Intune Enrolled COBO APP policy - EXCLUDE (app.deviceManagementType -eq "Unmanaged")

 

In APP Monitor, I can see:

  • BYOD APP policy going to my test BYOD device 
  • COBO APP policy going to my test COBO device

 

This is the desired outcome 😎🌲

  • Simone_Termine's avatar
    Simone_Termine
    Brass Contributor
    Dec 29, 2025

    Nice 😎
    If APP Monitor shows the BYOD policy landing on the BYOD device and the COBO policy landing on the COBO device, then your filter split is doing exactly what you intended.

    What I was trying to say (poorly!) is just this:

    • APP (MAM) policies are designed mainly for “Unmanaged”/BYOD-style devices (MAM without full device management).
    • For Android Enterprise COBO (Fully Managed/Dedicated/COPE) devices, settings like “block screenshots” are often better enforced via Android Enterprise device restrictions (configuration profiles), because those are device-level controls and are more consistent across apps.

    So you’ve got two valid options:

    1. Keep what you have (two APP policies + your filters). If it’s working and you’re happy, that’s totally fine.
    2. Simplify long-term: keep one APP policy for BYOD only, and move “COBO differences” (like screenshot behavior) into Android Enterprise device restrictions instead of a second APP policy.

    One small tip: if a user has both a BYOD and a COBO device, your approach still works, just make sure the filters stay mutually exclusive so you never end up with both APP policies applying to the same device context.

    If you tell me whether your corp devices are Fully Managed (COBO) or COPE, I can point you to the exact restriction setting to use for screenshots so you don’t have to maintain two APP policies unless you really want to.

  • Simone_Termine's avatar
    Simone_Termine
    Brass Contributor
    Dec 22, 2025

    You’re on the right track, and your targeting approach (same user groups + split via filters) is exactly how most people keep APP manageable without multiplying groups.

    If APP Monitor shows the BYOD policy landing on the BYOD test device and the COBO policy on the COBO test device, then your filter split is working as intended.

    One small tip: keep an eye on users who have both a BYOD and a COBO device. Using the same user groups is fine, but make sure the filters remain mutually exclusive so you don’t accidentally apply both policies to the same sign-in context. 😊

Resources