Forum Discussion

Copper Contributor

Jun 25, 2024

Unsanctioned to all, exclude to some

Dear reader, I have configured the asset rules en device tagging. I need to deploy certain apps as unsanctioned to all W11 devices and exclude the same apps to certain devices who have a dev...

MatejKlemencic

Brass Contributor

Jun 25, 2024

Hi AWulle,

I faced the same issue. Unfortunately, the only way to exclude certain devices is by using a Device Group, and the challenge here is that a single device can only belong to one Device Group at a time (either the WIN11 Device Group or the Exclude Group in your case). What other policies are currently applied to your WIN11 Device Group? Could you apply those same policies to the Exclusion Group as well? That's what we did when we had a similar exclusion scenario.

ArtSofM365

Copper Contributor

Sep 03, 2024

That is indeed very unnatural and convoluted.
The single device group membership is also strange concept unique to MCAS compared to other M365 products.
Moreover you do not easily see what exceptions a SaaS app has applied.
Then there is that include/exclude concept, tags, etc.
Some alignment with other M365 products - Intune, AAD … would be welcome.