StuartK73
Iron Contributor
Dec 21, 2025

Separate APP policies

Hi All

I hope you are well and have a Merry Christmas and a Happy New Year.

Anyway, trying to get my head around APP policies for both BYOD and Corp (COBO) Android devices.

I'd like nothing more than a single APP policy for Android but there are certain settings such as block screenshots that I would like to include in the BYOD APP policy but not include in the Corp (COBO) APP policy.

So, my thinking is:

  • BYOD APP policy > Assigned to E3 / F3 groups > Filter on EXCLUDE corp devices
  • Corp Owned / Intune Enrolled COBO APP policy - Filter on EXCLUDE personal devices

Could someone advise on the best way to achieve this? What's the best Device / App filter syntax to use?

Info appreciated

3 Replies

  • Hi Stuart,

    If you exclude the filter it will exclude from the complete policy. Since you are planning for the screen capture feature, create a duplicate policy and exclude the corporate device and add in the new policy. And you create a filter: device ownership = corporate.

    • StuartK73
      Iron Contributor

      Hi Buddy

      Many thanks for your reply although I don't think I really understand what you are saying.

      Anyway, I think I have it working with the following filters:

      • BYOD APP policy > Assigned to E3 / F3 groups > EXCLUDE (app.deviceManagementType -eq "Android Enterprise")
      • Corp Owned / Intune Enrolled COBO APP policy - EXCLUDE (app.deviceManagementType -eq "Unmanaged")

      In APP Monitor, I can see:

      • BYOD APP policy going to my test BYOD device 
      • COBO APP policy going to my test COBO device

      This is the desired outcome 😎🌲

      • Simone_Termine
        Brass Contributor

        You’re on the right track, and your targeting approach (same user groups + split via filters) is exactly how most people keep APP manageable without multiplying groups.

        If APP Monitor shows the BYOD policy landing on the BYOD test device and the COBO policy on the COBO test device, then your filter split is working as intended.

        One small tip: keep an eye on users who have both a BYOD and a COBO device. Using the same user groups is fine, but make sure the filters remain mutually exclusive so you don’t accidentally apply both policies to the same sign-in context. 😊
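
Added example, not part of the thread and not written by any of the posters: a small offline check of the mutual-exclusivity point raised in the last reply, modelling only single `-eq` / `-ne` rules on `app.deviceManagementType` in include or exclude mode. The third management type and the `COMPLEMENTARY` filter pair are assumptions constructed for illustration; the `AS_POSTED` rules are the two quoted in the thread.

```python
import re

# Only "Unmanaged" and "Android Enterprise" appear in the thread. The third
# value is an assumption, added to show a type that neither posted rule names.
MANAGEMENT_TYPES = ["Unmanaged", "Android Enterprise", "Android device administrator"]

RULE = re.compile(r'^\(?\s*app\.deviceManagementType\s+-(eq|ne)\s+"([^"]+)"\s*\)?$')

def rule_matches(rule, mgmt_type):
    """Evaluate one -eq / -ne rule against a single management type."""
    m = RULE.match(rule.strip())
    if not m:
        raise ValueError(f"unsupported rule: {rule!r}")
    op, value = m.groups()
    return (mgmt_type == value) if op == "eq" else (mgmt_type != value)

def policy_applies(mode, rule, mgmt_type):
    """Include mode applies on a match; exclude mode applies on a non-match."""
    matched = rule_matches(rule, mgmt_type)
    return matched if mode == "include" else not matched

def coverage(policies, types=MANAGEMENT_TYPES):
    """Map each management type to the policy names that would apply to it."""
    return {t: [name for name, (mode, rule) in policies.items()
                if policy_applies(mode, rule, t)] for t in types}

def overlaps(policies, types=MANAGEMENT_TYPES):
    """Management types that would receive more than one policy."""
    return sorted(t for t, names in coverage(policies, types).items() if len(names) > 1)

# The two filters as posted in the thread, both in exclude mode.
AS_POSTED = {
    "BYOD": ("exclude", '(app.deviceManagementType -eq "Android Enterprise")'),
    "COBO": ("exclude", '(app.deviceManagementType -eq "Unmanaged")'),
}
# Constructed alternative (assumption): one rule, used once in include mode
# and once in exclude mode, so the two policies are complements by design.
COMPLEMENTARY = {
    "BYOD": ("include", '(app.deviceManagementType -eq "Unmanaged")'),
    "COBO": ("exclude", '(app.deviceManagementType -eq "Unmanaged")'),
}

if __name__ == "__main__":
    for label, pols in (("as posted", AS_POSTED), ("complementary", COMPLEMENTARY)):
        print(label, coverage(pols), "overlap:", overlaps(pols))
```

For the two device types tested in the thread, the posted filters split cleanly; the overlap only appears for a management type that neither rule names.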
