After a user enrolls a device with Setup Assistant with modern authentication, the home screen appears and they can freely use the device while apps and policies are delivered. By default, newly enrolled devices automatically check in with Intune every 15 minutes for 1 hour, and then around every 8 hours, so some policies and apps might not apply/install until the next check-in. To ensure that policies and apps are delivered to a device upon initial post-enrollment check-in, use filters to narrow the assignment scope of a policy.
Depending on the number of apps and policies you deploy to your user groups, not all of them might apply to devices immediately after enrollment. However, filters will significantly speed up the delivery to devices once enrollment is complete, and prior to user authentication in the Company Portal app.
Apply a filter to an ADE enrollment profile
For automated device enrollment scenarios where the authentication method is Setup Assistant with modern authentication, you can create a filter rule based on the enrollment profile name (enrollmentProfileName). You can filter on other properties, such as DeviceName, to include/exclude user groups or devices with device configuration policies, endpoint security policies, and applications, to achieve the same outcome. For information on supported workloads, see List of platforms, policies, and app types supported by filters in Microsoft Endpoint Manager.
Important: Don’t change the name of the enrollment profiles you are using with filters, otherwise the targeting will not apply.
Create and configure an enrollment profile for iOS/iPadOS or macOS automated device enrollment with user affinity, and with Setup Assistant with modern authentication as the authentication method. Then, sync your managed devices and assign the enrollment profile as you normally would for ADE. In this example, we’ll use the profile name “SA with modern auth”.
Enrollment and management settings for iOS/iPadOS devices.
Create a filter for iOS/iPadOS or macOS devices with the property enrollmentProfileName that equals the name of the ADE enrollment profile you configured with Setup Assistant with modern authentication. See the Intune documentation for detailed information on filter properties.
Example of Filter property and value settings.
As you create policies and app assignments, you can apply the filter to user groups, and include or exclude devices based on the enrollment profile name.
For this example, the filter targets the user group “Contoso Pilot Group” and the mode is set to “Include” only the devices that have an enrollmentProfileName of “SA with modern auth”.
Example policy setting of applying a user group with a filter applied.
Once the device completes Setup Assistant and enrollment, the home page appears and the user will see targeted apps installing, including the Company Portal app on iOS/iPadOS.
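Because targeting silently stops applying when an enrollment profile is renamed, it is worth checking periodically that every filter rule still names a profile that exists. The following is an added example, not part of the original post or Microsoft's tooling: it scans filter rules for enrollmentProfileName clauses and reports names with no matching profile. The sample records are constructed, their field names (displayName, platform, rule) are assumed to match your export, only the -eq, -ne, -in and -notIn operators are handled, and names are compared exactly.

```python
import re

# Constructed sample data: ADE enrollment profiles and assignment filters.
ENROLLMENT_PROFILES = [
    {"displayName": "SA with modern auth"},
    {"displayName": "Kiosk iPads"},
]
FILTERS = [
    {"displayName": "ADE - SA modern auth", "platform": "iOS",
     "rule": '(device.enrollmentProfileName -eq "SA with modern auth")'},
    {"displayName": "ADE - pilot", "platform": "iOS",
     "rule": '(device.enrollmentProfileName -eq "SA modern auth pilot")'},
    {"displayName": "Corp-named Macs", "platform": "macOS",
     "rule": '(device.deviceName -startsWith "CORP-")'},
    {"displayName": "ADE - either profile", "platform": "iOS",
     "rule": '(device.enrollmentProfileName -in ["SA with modern auth", "Old kiosk"])'},
]

# One enrollmentProfileName clause: a single quoted value or a bracketed list.
CLAUSE = re.compile(
    r'device\.enrollmentProfileName\s+-(?:eq|ne|in|notIn)\s+(\[[^\]]*\]|"[^"]*")',
    re.IGNORECASE,
)
QUOTED = re.compile(r'"([^"]*)"')


def referenced_profile_names(rule):
    """Return every enrollment profile name a filter rule refers to."""
    names = []
    for clause in CLAUSE.finditer(rule):
        names.extend(QUOTED.findall(clause.group(1)))
    return names


def stale_filters(filters, profiles):
    """Map filter name -> referenced profile names that no longer exist."""
    known = {p["displayName"] for p in profiles}
    findings = {}
    for f in filters:
        missing = [n for n in referenced_profile_names(f["rule"]) if n not in known]
        if missing:
            findings[f["displayName"]] = missing
    return findings


if __name__ == "__main__":
    for name, missing in stale_filters(FILTERS, ENROLLMENT_PROFILES).items():
        print(f"Filter '{name}' references unknown profile(s): {', '.join(missing)}")
```

A filter listed here will match no newly enrolled device for the missing name, so policies and apps assigned in Include mode with that filter will not be delivered at the first check-in.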
If you have questions or comments for the Intune team, reply to this post or reach out to @IntuneSuppTeam on Twitter.