Robert Moir
Copper Contributor
Feb 15, 2019

Targeting different Intune policies to different devices for the same users.

Hi all,

I'm looking at deploying Intune Standalone as a migration from SCCM Hybrid Intune and I'm looking to improve user experience while I can.

Talking about iOS devices here, we have users who might potentially have a corporate iOS device (which hasn't been set up through DEP) that has been configured by our helpdesk as if it was a personal device and handed to the user, and a personal device which they've self-enrolled. We'd like the user to get different policies depending on whether or not they're using a personal device or a corporate device.

Are there any options here? From what I understand, I can't target a user group for the corporate policy and then set an exclude for a device group containing their BYOD device.

Is our only option to implement DEP then use dynamic group memberships? Is there something dumb I'm missing? Appreciate any thoughts.

  • Hi Robert,

    Wouldn't it be a possibility to use dynamic groups yet?

    In my case we don't use DEP or Android Zero Touch.

    The users can enroll their devices on their own. In the enrollment process they choose a device type (BYOD or COPE/CORP).

    I've set up a dynamic group like this:

    e.g.

    Name: Intune_BYOD_Devices_IOS

    Rule: ((device.deviceOSType -eq "iPad") -or (device.deviceOSType -eq "iPhone")) -and (device.deviceCategory -eq "BYOD")

    or for Android:

    Rule: (device.deviceOSType -eq "Android") -and (device.deviceCategory -eq "BYOD")

    Be careful: the OS type for iOS devices isn't "iOS" (strange, I know).

    It is "iPad" and "iPhone".

    With device.deviceCategory you can distinguish BYOD and CORP or the types you have. (BYOD is just a string I used. If you use "Company Device" you have to use this string in the dynamic rule.)

    • Robert Moir
      Copper Contributor
      Thank you for your response Patrick, I was looking at this already and I'm delighted to see someone using it and confirming it should work. I think the longer term answer here for me is to implement DEP but with your validation that it works I think Device Categories feeding Dynamic Device Groups is a good solution for now.
      • Deleted
        This works very well for me.
        The only negative aspect is that it needs some time before the dynamic group is updated after a device is enrolled.
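
Added example, not part of any post in this thread: a minimal Python evaluator for the -eq / -and / -or subset of the dynamic membership rule syntax used above, run over a constructed device inventory to check which devices a rule selects before policies are assigned to the group. It assumes the documented precedence in which -and binds tighter than -or, and case-insensitive string comparison; DEVICES, the "CORP" category string and all function names are hypothetical.

```python
import re

# Constructed inventory. "BYOD" is the category string from the thread; "CORP" is assumed.
DEVICES = {
    "corp-ipad":    {"deviceOSType": "iPad",    "deviceCategory": "CORP"},
    "byod-ipad":    {"deviceOSType": "iPad",    "deviceCategory": "BYOD"},
    "corp-iphone":  {"deviceOSType": "iPhone",  "deviceCategory": "CORP"},
    "byod-iphone":  {"deviceOSType": "iPhone",  "deviceCategory": "BYOD"},
    "byod-android": {"deviceOSType": "Android", "deviceCategory": "BYOD"},
}
TOKEN = r'\s*(\(|\)|-and|-or|-eq|device\.\w+|"[^"]*")'

def tokenize(rule):
    if not re.fullmatch(f"(?:{TOKEN})*\\s*", rule, re.I):
        raise ValueError("unsupported rule syntax")
    return re.findall(TOKEN, rule, re.I)

def compile_rule(rule):
    t = tokenize(rule) + [None]                      # None marks end of input
    def atom(i):                                     # "( expr )" or one -eq comparison
        if t[i] == "(":
            node, i = or_expr(i + 1)
            if t[i] != ")":
                raise ValueError("missing ')'")
            return node, i + 1
        if not re.fullmatch(r'device\.\w+ -eq "[^"]*"', " ".join(map(str, t[i:i + 3])), re.I):
            raise ValueError('expected device.<property> -eq "value"')
        key, want = t[i][7:], t[i + 2][1:-1].lower()
        return (lambda d: d.get(key, "").lower() == want), i + 3
    def chain(sub, op, combine):                     # left-associative binary level
        def level(i):
            left, i = sub(i)
            while t[i] is not None and t[i].lower() == op:
                right, i = sub(i + 1)
                left = combine(left, right)
            return left, i
        return level
    and_expr = chain(atom, "-and", lambda a, b: lambda d: a(d) and b(d))    # binds tighter
    or_expr = chain(and_expr, "-or", lambda a, b: lambda d: a(d) or b(d))   # binds looser
    node, i = or_expr(0)
    if t[i] is not None:
        raise ValueError("unexpected token after rule")
    return node

def members(rule):
    match = compile_rule(rule)
    return [name for name, dev in DEVICES.items() if match(dev)]

FLAT = '(device.deviceOSType -eq "iPad") -or (device.deviceOSType -eq "iPhone") -and (device.deviceCategory -eq "BYOD")'
GROUPED = '((device.deviceOSType -eq "iPad") -or (device.deviceOSType -eq "iPhone")) -and (device.deviceCategory -eq "BYOD")'
```

With this inventory, members(FLAT) also selects corp-ipad because the ungrouped -or is evaluated last, while members(GROUPED) returns only the two BYOD iOS devices.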
