SOLVED
Home

Targeting different intune policies to different devices for the same users.

%3CLINGO-SUB%20id%3D%22lingo-sub-341172%22%20slang%3D%22en-US%22%3ETargeting%20different%20intune%20policies%20to%20different%20devices%20for%20the%20same%20users.%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-341172%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20all%2C%3C%2FP%3E%3CP%3EI'm%20looking%20at%20deploying%20Intune%20Standalone%20as%20a%20migration%20from%20SCCM%20Hybrid%20Intune%20and%20I'm%20looking%20to%20improve%20user%20experience%20while%20I%20can.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ETalking%20about%20iOS%20devices%20here%2C%20we%20have%20users%20who%20might%20potentially%20have%20a%20corporate%20iOS%20device%20(which%20hasn't%20been%20set%20up%20through%20DEP)%20that%20has%20been%20configured%20by%20our%20helpdesk%20as%20if%20it%20was%20a%20personal%20device%20and%20handed%20to%20the%20user%2C%20and%20a%20personal%20device%20which%20they've%20self-enrolled.%20We'd%20like%20the%20user%20to%20get%20different%20polices%20depending%20on%20whether%20or%20not%20they're%20using%20a%20personal%20device%20or%20a%20corporate%20device.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAre%20there%20any%20options%20here%3F%20From%20what%20I%20understand%2C%20I%20%3CEM%3Ecan't%3C%2FEM%3E%20target%20a%20user%20group%20for%20the%20corporate%20policy%20and%20then%20set%20an%20exclude%20for%20a%20device%20group%20containing%20their%20BYOD%20device.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIs%20our%20only%20option%20to%20implement%20DEP%20Then%20use%20dynamic%20group%20memberships%3F%20Is%20there%20something%20dumb%20I'm%20missing%3F%20Appreciate%20any%20thoughts.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-341172%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EBYOD%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EIntune%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-341655%22%20slang%3D%22en-US%22%3ERe%3A%20Targeting%20different%20intune%20policies%20to%20different%20devices%20for%20the%20same%20users.%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-341655%22%20slang%3D%22en-US%22%3EThis%20works%20very%20well%20for%20me.%3CBR%20%2F%3EThe%20only%20negative%20aspect%20is%2C%20that%20it%20needs%20some%20time%20before%20the%20dynamic%20group%20is%20updated%2C%20after%20a%20device%20is%20enrolled.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-341644%22%20slang%3D%22en-US%22%3ERe%3A%20Targeting%20different%20intune%20policies%20to%20different%20devices%20for%20the%20same%20users.%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-341644%22%20slang%3D%22en-US%22%3EThank%20you%20for%20your%20response%20Patrick%2C%20I%20was%20looking%20at%20this%20already%20and%20I'm%20delighted%20to%20see%20someone%20using%20it%20and%20confirming%20it%20should%20work.%20I%20think%20the%20longer%20term%20answer%20here%20for%20me%20is%20to%20implement%20DEP%20but%20with%20your%20validation%20that%20it%20works%20I%20think%20Device%20Categories%20feeding%20Dynamic%20Device%20Groups%20is%20a%20good%20solution%20for%20now.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-341599%22%20slang%3D%22en-US%22%3ERe%3A%20Targeting%20different%20intune%20policies%20to%20different%20devices%20for%20the%20same%20users.%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-341599%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20Robert%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Ewouldn't%20it%20be%20a%20possibility%20to%20use%20dynamic%20groups%20yet%3F%3C%2FP%3E%3CP%3EIn%20my%20case%20we%20don%C3%84t%20use%20DEP%20oder%20Android%20Zero%20Touch.%3C%2FP%3E%3CP%3EThe%20users%20can%20enroll%20their%20devices%20by%20their%20own.%20In%20the%20enrollment%20process%20they%20choose%20a%20device%20type%20(BYOD%20or%20COPE%2FCORP).%3C%2FP%3E%3CP%3EI've%20set%20up%20a%20dynamic%20group%20like%20this%3A%26nbsp%3B%3C%2FP%3E%3CP%3Ee.g.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EName%3A%26nbsp%3BIntune_BYOD_Devices_IOS%3C%2FP%3E%3CP%3ERule%3A%26nbsp%3B(device.deviceOSType%20-eq%20%22iPad%22)%20-or%20(device.deviceOSType%20-eq%20%22iPhone%22)%20-and%20(device.deviceCategory%20-eq%20%22BYOD%22)%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Eor%20for%20Android%3A%3C%2FP%3E%3CP%3ERule%3A%26nbsp%3B(device.deviceOSType%20-eq%20%22Android%22)%20-and%20(device.deviceCategory%20-eq%20%22BYOD%22)%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EBe%20carefull%3A%20The%20OS%20Type%20for%20iOS%20Devices%20isn't%20%22iOS%22%20(Strange%2C%20i%20know).%3C%2FP%3E%3CP%3EIt%20is%20%22iPad%22%20and%20%22iPhone%22.%3C%2FP%3E%3CP%3EWith%20the%20device.devicecategory%20you%20can%20distinguish%20BYOD%20and%20CORP%20or%20the%20types%20you%20have.%20(BYOD%20is%20just%20a%20string%20i%20used.%20If%20you%20use%20%22Company%20Device%22%20you%20have%20to%20use%20this%20string%20in%20the%20dynamic%20rule.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-469770%22%20slang%3D%22en-US%22%3ERe%3A%20Targeting%20different%20intune%20policies%20to%20different%20devices%20for%20the%20same%20users.%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-469770%22%20slang%3D%22en-US%22%3E%3CP%3EJust%20a%20short%20response%2C%20because%20of%20a%20new%20Techcommunity%20Account.%20%3A)%3C%2Fimg%3E%20%5BIgnore%20me%5D%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-469778%22%20slang%3D%22en-US%22%3ERe%3A%20Targeting%20different%20intune%20policies%20to%20different%20devices%20for%20the%20same%20users.%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-469778%22%20slang%3D%22en-US%22%3EBecause%20of%20a%20new%20techcommunity%20account%2C%20this%20is%20just%20a%20short%20response%20to%20follow%20up%20the%20thread.%20%3A)%3C%2Fimg%3E%3C%2FLINGO-BODY%3E
Highlighted
Robert Moir
New Contributor

Hi all,

I'm looking at deploying Intune Standalone as a migration from SCCM Hybrid Intune and I'm looking to improve user experience while I can.

 

Talking about iOS devices here, we have users who might potentially have a corporate iOS device (which hasn't been set up through DEP) that has been configured by our helpdesk as if it was a personal device and handed to the user, and a personal device which they've self-enrolled. We'd like the user to get different polices depending on whether or not they're using a personal device or a corporate device.

 

Are there any options here? From what I understand, I can't target a user group for the corporate policy and then set an exclude for a device group containing their BYOD device.

 

Is our only option to implement DEP Then use dynamic group memberships? Is there something dumb I'm missing? Appreciate any thoughts.

5 Replies
Solution

Hi Robert,

 

wouldn't it be a possibility to use dynamic groups yet?

In my case we donÄt use DEP oder Android Zero Touch.

The users can enroll their devices by their own. In the enrollment process they choose a device type (BYOD or COPE/CORP).

I've set up a dynamic group like this: 

e.g.

 

Name: Intune_BYOD_Devices_IOS

Rule: (device.deviceOSType -eq "iPad") -or (device.deviceOSType -eq "iPhone") -and (device.deviceCategory -eq "BYOD")

 

or for Android:

Rule: (device.deviceOSType -eq "Android") -and (device.deviceCategory -eq "BYOD")

 

Be carefull: The OS Type for iOS Devices isn't "iOS" (Strange, i know).

It is "iPad" and "iPhone".

With the device.devicecategory you can distinguish BYOD and CORP or the types you have. (BYOD is just a string i used. If you use "Company Device" you have to use this string in the dynamic rule.

Thank you for your response Patrick, I was looking at this already and I'm delighted to see someone using it and confirming it should work. I think the longer term answer here for me is to implement DEP but with your validation that it works I think Device Categories feeding Dynamic Device Groups is a good solution for now.
This works very well for me.
The only negative aspect is, that it needs some time before the dynamic group is updated, after a device is enrolled.

Just a short response, because of a new Techcommunity Account. :) [Ignore me]

Because of a new techcommunity account, this is just a short response to follow up the thread. :)
Related Conversations
Tabs and Dark Mode
cjc2112 in Discussions on
46 Replies
Extentions Synchronization
Deleted in Discussions on
3 Replies
Stable version of Edge insider browser
HotCakeX in Discussions on
35 Replies
flashing a white screen while open new tab
Deleted in Discussions on
14 Replies
How to Prevent Teams from Auto-Launch
chenrylee in Microsoft Teams on
30 Replies
Security Community Webinars
Valon_Kolica in Security, Privacy & Compliance on
13 Replies