Confusion Regarding Filter Precedence

Copper Contributor
App Deployment/Packaging
 

Here's the scenario I'm facing (VPP app):

Group A (Required Assignment):

  • Users: Identical to Group B.

  • Filter: Include only corporate iPhones.

  • Purpose: Auto-install the app on corporate-owned iPhones.

Group B (Available Assignment):

  • Users: Identical to Group A.

  • Filter: None.

  • Purpose: Make the app available to all devices (corporate and BYOD) in the Company Portal.

Issue:

  • BYOD devices are receiving the required install despite the filter.

  • Filter message: "The app was offered during the last check-in. We couldn't evaluate the device for matching filters because a conflicting assignment didn't require filters."

    • Filter: (device.model -contains "iPhone") and (device.deviceOwnership -eq "Corporate")

    • Evaluation result: Not evaluated due to a conflicting assignment without filters.

Business Request:

  • The app should be available to the same list of users.

  • It should be required (auto-installed) only on corporate devices.

  • Overlapping groups are used to simplify automation and avoid complicating the process for the Service Desk, which would need to check if devices are BYOD or corporate-owned.

I've been looking at:

Filter reports and troubleshooting in Microsoft Intune | Microsoft Learn

Filter reports and troubleshooting in Microsoft Intune | Microsoft Learn

Assign apps to groups in Microsoft Intune | Microsoft Learn

And am admittedly a little smooth-brained. Can anyone explain what's happening here and how to resolve? Is the "no filter" available group taking precedence over the "include" filter and somehow pushing to all devices?

How can I rectify this? Can I just add a dynamic group to exclude all BYOD devices in the required assignment and leave the rest the same or use an exclude filter for BYOD device in the required assignment? Any help is appreciated.

2 Replies
I'm running into the exact same issue. I have some applications that I want available to anyone to install, but I also have devices that are used for specific projects where the expected behavior is that these apps are automatically installed (required). I have a filter in place on the required assignment but the apps are also installing onto the users' BYOD device, not jus the project device. I feel like this kind of defeats the purpose of the filter.
I just found this MS Learn article that covers this.
https://learn.microsoft.com/en-us/mem/intune/fundamentals/filters-reports-troubleshoot#managed-devic...
"Overlapping can cause conflicts and Intune helps avoid conflicts.

Intune prevents you from creating multiple assignments to the same Microsoft Entra group. It's not recommended to assign apps or policies to the same target user or device with more than one intent. For example, when you deploy an app, you can't select a group for an Available assignment, and then the same group for a Required assignment.

An overlap can occur when a user or device is in multiple targeted groups. Conflicting assignments aren't recommended. For more information, go to conflicts between app intents."