cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Filter apps depending on scope tags

Mattias Löwdell
Copper Contributor

‎Mar 17 2022 09:38 AM - edited ‎Mar 17 2022 09:39 AM

‎Mar 17 2022 09:38 AM - edited ‎Mar 17 2022 09:39 AM

Filter apps depending on scope tags

In our organization we have a lot of admins in Endpoint manager to assign apps to our iPads (one on each school at least). When they assign apps they can see every app. If it's a popular app we usually have 15 different apps with the same name but bought with different vpp-account. To choose the correct app that belongs to the school they have to look att properties on each one.

We have assigned scope tags but it doesn't seem to filter based on that. What else do we need to do so that the admin only see the apps that belongs to them and have the correct scope tag? If this works we also avoid admins assigning wrong app.

This is how it shows:

Skärmklipp.PNG

//Mattias

Labels:
1,679 Views
0 Likes
1 Reply
Reply
1 Reply
Moe_Kinani

‎Mar 21 2022 06:18 PM

‎Mar 21 2022 06:18 PM

Re: Filter apps depending on scope tags

Hi Mattias,

Did you create RBAC Roles? If not, you need to create them - assign Azure AD members - scope the tags for new RBAC groups. There are some settings to remember with tags-


https://docs.microsoft.com/en-us/mem/intune/fundamentals/scope-tags

“When working with scope tags, remember these details:
You can assign scope tags to an Intune object type if the tenant can have multiple versions of that object (such as role assignments or apps). The following Intune objects are exceptions to this rule and don't currently support scope tags:
Corp Device Identifiers
Autopilot Devices
Device compliance locations
Jamf devices
VPP apps and ebooks associated with the VPP token inherit the scope tags assigned to the associated VPP token.
When an admin creates an object in Intune, all scope tags assigned to that admin will be automatically assigned to the new object.
Intune RBAC doesn't apply to Azure Active Directory roles. So, the Intune Service Admins and Global Admins roles have full admin access to Intune no matter what scope tags they have.
If a role assignment has no scope tag, that IT admin can see all objects based on the IT admins permissions. Admins that have no scope tags essentially have all scope tags.
You can only assign a scope tag that you have in your role assignments.
You can only target groups that are listed in the Scope (Groups) of your role assignment.
If you have a scope tag assigned to your role, you can't delete all scope tags on an Intune object. At least one scope tag is required.”
0 Likes
Reply