Use Microsoft Endpoint Manager filters to target apps and policies to specific devices
Published May 12 2021 09:00 AM
Microsoft

IT administrators can now use filters in Microsoft Endpoint Manager to target apps, policies and other workload types to specific devices. Available in public preview with the May release of Microsoft Intune, the filters feature gives IT admins more flexibility and helps them protect data within applications, simplify app deployments, and speed up software updates.


Microsoft built filters with a consistent and familiar rule authoring experience for admins who use Azure Active Directory dynamic device groups or are discovering the new filters capability in Conditional Access. With filters, administrators can achieve granular targeting of policies and applications to users on specific devices.


For example, this new capability makes it easier for administrators to comply with their organizational policies and compliance requirements by deploying:


  • A Windows 10 device restriction policy to just the corporate devices of users in the Marketing department while excluding personal devices
  • An iOS app to only the iPad devices for users in the Finance group
  • An Android compliance policy for mobile phones to all users in the company, while excluding Android-based meeting room devices that don’t support the settings in that mobile phone policy


Filters work in conjunction with Azure AD group assignments or the “All users” or “All devices” groups to dynamically filter the assignment to only apply to a subset of devices during check-in. Dynamic filtering means that devices can be targeted with the right security policy and applications faster than ever before.


Filters are re-usable objects that can be applied to many workload types across the Endpoint Manager admin center. IT administrators create a filter object using expressions over a set of supported device properties and then apply that filter to an app or policy assignment. When devices check in to receive the policy, the filter evaluation engine determines applicability – either applying or not applying the policy based on the filter result. Results are reported back to the Endpoint Manager admin center so administrators can track policy and app deployment.
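The check-in evaluation described above, together with the three deployment scenarios listed earlier, modelled as an added example (this is not Microsoft's code or the Intune evaluation engine): platform and group membership decide which devices an assignment reaches, and the filter then narrows that set in include or exclude mode. The rule syntax follows Intune's filter rule language; the groups, devices, rules and the "Contoso" meeting-room hardware are constructed for the example.

```python
"""Toy model of how an Intune filter narrows an assignment at device check-in.
Added example, not Microsoft's code. Rule syntax follows Intune's filter rule
language (device.<property> -<operator> "<value>"); all data is constructed."""
import re
# Subset of the filter operators; string comparison is case-insensitive here.
OPERATORS = {
    "-eq": lambda a, b: a.lower() == b.lower(),
    "-startsWith": lambda a, b: a.lower().startswith(b.lower()),
    "-contains": lambda a, b: b.lower() in a.lower(),
}
CLAUSE = re.compile(r'^\(?\s*device\.(\w+)\s+(-\w+)\s+"([^"]*)"\s*\)?$')

def evaluate_rule(rule, device):
    """Evaluate clauses joined by 'and' (this toy does not handle 'or')."""
    for clause in re.split(r"\s+and\s+", rule.strip()):
        prop, op, value = CLAUSE.match(clause).groups()  # raises on bad syntax
        if not OPERATORS[op](str(device.get(prop, "")), value):
            return False
    return True

def applies(assignment, device, groups):
    """Platform and group membership gate the assignment; the filter then keeps
    (include) or drops (exclude) devices but never adds one the group missed."""
    in_group = assignment["group"] in ("All users", "All devices") or \
        device["user"] in groups[assignment["group"]]
    if assignment["platform"] != device["os"] or not in_group:
        return False
    if assignment.get("filter") is None:
        return True
    matched = evaluate_rule(assignment["filter"], device)
    return matched if assignment["mode"] == "include" else not matched

# Constructed tenant data mirroring the three scenarios in the post.
GROUPS = {"Marketing": {"alice"}, "Finance": {"bob"}}
ASSIGNMENTS = {
    "win_restriction": {"platform": "windows", "group": "Marketing", "mode": "include", "filter": '(device.deviceOwnership -eq "Corporate")'},
    "ios_app": {"platform": "ios", "group": "Finance", "mode": "include", "filter": '(device.model -startsWith "iPad")'},
    "android_compliance": {"platform": "android", "group": "All users", "mode": "exclude", "filter": '(device.manufacturer -eq "Contoso") and (device.model -contains "MeetingRoom")'},
}
DEVICES = {
    "alice-corp-pc": {"os": "windows", "user": "alice", "deviceOwnership": "Corporate"},
    "alice-home-pc": {"os": "windows", "user": "alice", "deviceOwnership": "Personal"},
    "bob-ipad": {"os": "ios", "user": "bob", "model": "iPad Pro"},
    "bob-iphone": {"os": "ios", "user": "bob", "model": "iPhone 12"},
    "carol-phone": {"os": "android", "user": "carol", "manufacturer": "Google", "model": "Pixel 5"},
    "room-hub": {"os": "android", "user": "room-svc", "manufacturer": "Contoso", "model": "MeetingRoom Hub"},
}
def targets(name):
    """Sorted names of the devices that receive the assignment at check-in."""
    return sorted(n for n, d in DEVICES.items() if applies(ASSIGNMENTS[name], d, GROUPS))
```

Running `targets()` for each assignment shows the corporate PC, the iPad and the ordinary Android phone receiving their policies while the personal PC, the iPhone and the meeting-room hub are left out.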


Workflow:

[Figure: Microsoft Endpoint Manager filters workflow]

[Figure: Microsoft Endpoint Manager admin center, Create Filter (preview)]

[Figure: Microsoft Endpoint Manager admin center, Android compliance policy]

[Figure: Microsoft Endpoint Manager admin center, Android compliance policy filter evaluation]

Filters are being rolled out with full support across platforms (Windows, Android, iOS and macOS) and an initial set of supported workloads and filter properties. Based on customer feedback, we will expand the capabilities across workloads in the coming months.


We value the input we received from customers in private preview. Here are a few highlights:


"We are starting to use filters a lot more. We are really looking forward to the previews coming up." 


“The Endpoint Manager filters feature has solved the challenges we faced with managing user-targeted settings and apps for users who have access to both a laptop and virtual desktop. For example, we can now apply a filter to prevent a user-assigned VPN profile from being applied when a user signs into their virtual desktop.”


"Since we support a large number of different use cases, it’s always difficult to find a seamless way to target your workloads to ensure everyone in the field gets exactly what they need (configurations, apps, certificates, profiles). This is exactly where the Filters feature plays a key role to accomplish difficult targeting scenarios. Filters helped us achieve complex assignment models, eliminating the need for manual assignment work and helping IT staff save important time to focus on further strategic and technical design key aspects for a truly modern workplace in our organization."


"MEM Filters feature is allowing more granularity for assigning our policies as well as applications. Filters helped us adopt MEM even further in our very mixed environment and allowed us to create a better targeted approach. Filters also addressed a specific use case where we had to exclude virtual devices and critical systems from some of our assignments."


"At Krones we support a large number of different use cases and it has always been difficult to find a way to target the specific workloads. Besides, we have to ensure that all employees get the tools they need for their work, like configurations, apps, certificates or profiles. This is exactly where the Filters feature plays a key role to accomplish difficult targeting scenarios. Filters helped us achieve complex assignment models, eliminating the need for manual assignment work. As a result, our IT staff saved important time and is now able to focus on further strategic and technical design key aspects for a truly modern workplace within our organization." -Roman Kleyn, Head of Workplace Design at Krones AG


As always, we appreciate your feedback. Please feel free to post your comment here or tag me on LinkedIn.


To learn more about AAD, go here: https://aka.ms/RSACIdentity2021


6 Comments
Iron Contributor

Great article, however, what we notice is if we deploy an app to Windows devices via all users or all devices, the app shows up as waiting to install on iPads. We tried to use the filter to exclude iPads but that does seem to help the issue.

Copper Contributor

This is good stuff!  Thank you for sharing. 

Iron Contributor

@Scott Duffey quick question if I may. I am trying to use the filters with 'Wi-Fi import' profiles. In the assignment blade I get the filter option, but the filter picker then does not list any of my filters. Is this a known issue/limitation or am I doing something wrong? Thanks, Jan

Copper Contributor

Do we have the same "Filters" capabilities on Conditional Access Policies? Meaning, we can filter it by Device Ownership?

Here is our "use case" and our current constraint.

- Enforce Outlook as the only app authorized to access Exchange Online (for both corporate and BYOD devices): Require Approved App

- Require a Corporate Device to be compliant (but not BYOD devices as we use MAM WE)

On the Conditional Access Policy for the corporate devices, both conditions must be satisfied.

On the Conditional Access Policy for BYOD devices, only the Required Approved App must be satisfied.


As conditional access policies are applied to a user or user group, a user cannot both have a corporate enrolled device and a BYOD registered device (MAM W/E). As both policies are applied to the same user, the more restrictive conditional access policy (corporate devices) gets applied not only on the corporate device but on the BYOD device that is not enrolled (MAM WE).


One of the filter parameters shown above is "deviceOwnership". Can we use that to prevent the corporate device conditional access policy from applying to the non-corporate devices (BYOD)?

Brass Contributor

Hi @Scott Duffey and @Eugenie Burrage,

Could you please provide an indication when filters will be supported within the Weblink feature? Especially for Weblinks, Filters would be very useful when using a user group assignment. In the case of a user group assignment, end users with an iOS device AND a Windows device will receive user group assigned Weblinks on both devices. In several cases this is not desired and could be fixed by using Filters, but it's not supported on Weblinks yet.


Could you give an indication on Weblink support?

Thank you!

Iron Contributor

Filters are great - we will be looking forward to see these cover the area of Endpoint Security :)


We currently use it for our Compliance Policy for All Standard Users (requires BitLocker, among others), but we want to exclude our Cloud PCs. Working Great :)

Last update: Feb 10 2023 11:42 AM