Forum Discussion
Separate APP policies
Hi Buddy
Many thanks for your reply although I don't think I really understand what you are saying.
Anyway, I think I have it working with the following filters:
- BYOD APP policy > Assigned to E3 / F3 groups > EXCLUDE (app.deviceManagementType -eq "Android Enterprise")
- Corp Owned / Intune Enrolled COBO APP policy - EXCLUDE (app.deviceManagementType -eq "Unmanaged")
In APP Monitor, I can see:
- BYOD APP policy going to my test BYOD device
- COBO APP policy going to my test COBO device
This is the desired outcome đđ˛
Nice đ
If APP Monitor shows the BYOD policy landing on the BYOD device and the COBO policy landing on the COBO device, then your filter split is doing exactly what you intended.
What I was trying to say (poorly!) is just this:
- APP (MAM) policies are designed mainly for âUnmanagedâ/BYOD-style devices (MAM without full device management).
- For Android Enterprise COBO (Fully Managed/Dedicated/COPE) devices, settings like âblock screenshotsâ are often better enforced via Android Enterprise device restrictions (configuration profiles), because those are device-level controls and are more consistent across apps.
So youâve got two valid options:
- Keep what you have (two APP policies + your filters). If itâs working and youâre happy, thatâs totally fine.
- Simplify long-term: keep one APP policy for BYOD only, and move âCOBO differencesâ (like screenshot behavior) into Android Enterprise device restrictions instead of a second APP policy.
One small tip: if a user has both a BYOD and a COBO device, your approach still works, just make sure the filters stay mutually exclusive so you never end up with both APP policies applying to the same device context.
If you tell me whether your corp devices are Fully Managed (COBO) or COPE, I can point you to the exact restriction setting to use for screenshots so you donât have to maintain two APP policies unless you really want to.