Forum Discussion
Separate APP policies
Hi All
I hope you are well and have a Merry Christmas and a Happy New Year.
Anyway, trying to get my head around APP policies for both BYOD and Corp (COBO) Android devices.
I'd like nothing more than a single APP policy for Android, but there are certain settings, such as block screenshots, that I would like to include in the BYOD APP policy but not include in the Corp (COBO) APP policy.
So, my thinking is:
- BYOD APP policy > Assigned to E3 / F3 groups > Filter on EXCLUDE corp devices
- Corp Owned / Intune Enrolled COBO APP policy - Filter on EXCLUDE personal devices
Could someone advise on the best way to achieve this? What's the best Device / App filter syntax to use?
Info appreciated
4 Replies
- Shubham_Kumar_Singh (Copper Contributor)
Hi Stuart,
If you exclude the filter it will exclude from the complete policy. Since you are planning for the screen capture feature, create a duplicate policy and exclude the corporate device and add in the new policy. And you create filter device ownership = corporate.
- StuartK73 (Iron Contributor)
Hi Buddy
Many thanks for your reply, although I don't think I really understand what you are saying.
Anyway, I think I have it working with the following filters:
- BYOD APP policy > Assigned to E3 / F3 groups > EXCLUDE (app.deviceManagementType -eq "Android Enterprise")
- Corp Owned / Intune Enrolled COBO APP policy - EXCLUDE (app.deviceManagementType -eq "Unmanaged")
In APP Monitor, I can see:
- BYOD APP policy going to my test BYOD device
- COBO APP policy going to my test COBO device
This is the desired outcome 😎🌲
- Simone_Termine (Brass Contributor)
Nice 😎
If APP Monitor shows the BYOD policy landing on the BYOD device and the COBO policy landing on the COBO device, then your filter split is doing exactly what you intended.
What I was trying to say (poorly!) is just this:
- APP (MAM) policies are designed mainly for “Unmanaged”/BYOD-style devices (MAM without full device management).
- For Android Enterprise COBO (Fully Managed/Dedicated/COPE) devices, settings like “block screenshots” are often better enforced via Android Enterprise device restrictions (configuration profiles), because those are device-level controls and are more consistent across apps.
So you’ve got two valid options:
- Keep what you have (two APP policies + your filters). If it’s working and you’re happy, that’s totally fine.
- Simplify long-term: keep one APP policy for BYOD only, and move “COBO differences” (like screenshot behavior) into Android Enterprise device restrictions instead of a second APP policy.
One small tip: if a user has both a BYOD and a COBO device, your approach still works, just make sure the filters stay mutually exclusive so you never end up with both APP policies applying to the same device context.
If you tell me whether your corp devices are Fully Managed (COBO) or COPE, I can point you to the exact restriction setting to use for screenshots so you don’t have to maintain two APP policies unless you really want to.
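
A quick way to check the "mutually exclusive" tip above, as an added example that is not part of the thread and not Intune tooling: a small Python model of include/exclude filter semantics, run over the two rules StuartK73 posted. It handles only the `app.deviceManagementType -eq/-ne` rule shape; the include-mode variant and the third management type are constructed for illustration.

```python
import re

# Matches the rule shape used in the thread; -ne is accepted as well.
RULE = re.compile(r'^\(\s*app\.deviceManagementType\s+-(eq|ne)\s+"([^"]+)"\s*\)$')

def rule_matches(rule, mgmt_type):
    """Evaluate one deviceManagementType rule against an app's management type."""
    m = RULE.match(rule.strip())
    if m is None:
        raise ValueError(f"unsupported rule: {rule!r}")
    op, value = m.groups()
    return (mgmt_type == value) if op == "eq" else (mgmt_type != value)

def policy_applies(mode, rule, mgmt_type):
    """Include mode targets matching apps; exclude mode targets everything else."""
    if mode not in ("include", "exclude"):
        raise ValueError(f"unknown filter mode: {mode!r}")
    matched = rule_matches(rule, mgmt_type)
    return matched if mode == "include" else not matched

def coverage(policies, mgmt_types):
    """Map each management type to the names of the policies that would reach it."""
    return {t: [name for name, (mode, rule) in policies.items()
                if policy_applies(mode, rule, t)]
            for t in mgmt_types}

def not_exactly_one(policies, mgmt_types):
    """Management types that get zero policies (gap) or several (overlap)."""
    return {t: names for t, names in coverage(policies, mgmt_types).items()
            if len(names) != 1}

# Filters as posted in the thread (both in exclude mode).
THREAD_POLICIES = {
    "BYOD APP": ("exclude", '(app.deviceManagementType -eq "Android Enterprise")'),
    "COBO APP": ("exclude", '(app.deviceManagementType -eq "Unmanaged")'),
}
# Hypothetical include-mode variant, for comparison only.
INCLUDE_POLICIES = {
    "BYOD APP": ("include", '(app.deviceManagementType -eq "Unmanaged")'),
    "COBO APP": ("include", '(app.deviceManagementType -eq "Android Enterprise")'),
}
# The first two values come from the thread; the third is a constructed
# placeholder standing for any other management type present in the tenant.
MGMT_TYPES = ["Unmanaged", "Android Enterprise", "OTHER-TYPE-PLACEHOLDER"]

if __name__ == "__main__":
    for label, pols in (("thread", THREAD_POLICIES), ("include", INCLUDE_POLICIES)):
        print(label, coverage(pols, MGMT_TYPES), not_exactly_one(pols, MGMT_TYPES))
```

For the two management types named in the thread, the posted filters give exactly one policy each; any value outside those two would receive both policies under the exclude pair and neither under the include pair.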