cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

Dynamic Groups Help

Daniel Hudson
Steel Contributor

‎Feb 12 2018 06:17 AM

‎Feb 12 2018 06:17 AM

Dynamic Groups Help

Hi All

 

We're about to migrate from MobileIron to Intune and I've been building the service ready for our users.

 

In MobileIron, we previously had different policies and configurations for users based upon dynamic groups (labels) that filtered on both user and device attributes e.g. user is in xxx AD group and has an iOS device with DEP enabled.

 

Currently I can't see how this can be achieved in Intune. Would I have to use nested Dynamic groups (if this is supported) to segregate by device attribute, and then from that group by user attribute? Or do I need to rethink about how we're applying configurations and policies?

 

Secondly, we have subsets of users that need slightly different policies (such as VIPs, or users with specialist devices). Are we able to prioritise policies/configurations so that, if 2 are pushed to the same device, one is given priority over the other, or do I need to figure a way to separate them out from the 'main' group? The only way I can think of doing this is, again, create a dynamic group that says "everyone with xxx AD group", and then create a second dynamic group which is "everyone not already in that other dynamic group". Would this be the ideal solution?

 

Any help or insight with this would be hugely appreciated.

 

Thanks

Dan

Labels:
1,645 Views
0 Likes
2 Replies
Reply
2 Replies
best response confirmed by Daniel Hudson (Steel Contributor)
Oliver Kieselbach

‎Feb 15 2018 02:17 PM

‎Feb 15 2018 02:17 PM

Solution

Re: Dynamic Groups Help

Hi Dan,

 

please have a look here: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-groups-dynamic-membership-a...

you will need to come up with a different strategy how to assign configurations. As of now there is no way to build a query like person x not member in group y.

The way Microsoft is thinking about the Intune assignments are user centric. So a VIP group will get different settings and is not member of the broad employee group for example. This leads to separation in the end. Your example of user has iOS and DEP is also not directly addressable. We can't mix user and device attributes. We would assign a policy to a user group and if the user has an Android all iOS device policies would be marked as "not applicable". If the user now enrolls a iOS device the iOS policies would apply. Makes sense?

Certainly not the flexibility you may be familiar with MobileIron, but that's how it is.

 

best,

Oliver

1 Like
Reply
Daniel Hudson

‎Feb 16 2018 01:53 AM

‎Feb 16 2018 01:53 AM

Re: Dynamic Groups Help

Hi Oliver

Thank you for your response. I can see I'm going to need a complete rethink about how we sort our policies and groupings!

D
0 Likes
Reply
1 best response

Accepted Solutions
best response confirmed by Daniel Hudson (Steel Contributor)
Oliver Kieselbach

‎Feb 15 2018 02:17 PM

‎Feb 15 2018 02:17 PM

Solution

Re: Dynamic Groups Help

Hi Dan,

 

please have a look here: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-groups-dynamic-membership-a...

you will need to come up with a different strategy how to assign configurations. As of now there is no way to build a query like person x not member in group y.

The way Microsoft is thinking about the Intune assignments are user centric. So a VIP group will get different settings and is not member of the broad employee group for example. This leads to separation in the end. Your example of user has iOS and DEP is also not directly addressable. We can't mix user and device attributes. We would assign a policy to a user group and if the user has an Android all iOS device policies would be marked as "not applicable". If the user now enrolls a iOS device the iOS policies would apply. Makes sense?

Certainly not the flexibility you may be familiar with MobileIron, but that's how it is.

 

best,

Oliver

View solution in original post

1 Like
Reply