Filter apps depending on scope tags

In our organization we have a lot of admins in Endpoint Manager to assign apps to our iPads (at least one at each school). When they assign apps they can see every app. If it's a popular app we usually have 15 different apps with the same name but bought with different VPP accounts. To choose the correct app that belongs to the school they have to look at the properties of each one.

We have assigned scope tags but it doesn't seem to filter based on that. What else do we need to do so that the admins only see the apps that belong to them and have the correct scope tag? If this works we also avoid admins assigning the wrong app.

This is how it shows:

[Screenshot: Skärmklipp.PNG]

//Mattias

1 Reply
Hi Mattias,

Did you create RBAC roles? If not, you need to create them, assign Azure AD members, and scope the tags for the new RBAC groups. There are some settings to remember with tags:

https://docs.microsoft.com/en-us/mem/intune/fundamentals/scope-tags

“When working with scope tags, remember these details:

- You can assign scope tags to an Intune object type if the tenant can have multiple versions of that object (such as role assignments or apps). The following Intune objects are exceptions to this rule and don't currently support scope tags:
  - Corp Device Identifiers
  - Autopilot Devices
  - Device compliance locations
  - Jamf devices
- VPP apps and ebooks associated with the VPP token inherit the scope tags assigned to the associated VPP token.
- When an admin creates an object in Intune, all scope tags assigned to that admin will be automatically assigned to the new object.
- Intune RBAC doesn't apply to Azure Active Directory roles. So, the Intune Service Admins and Global Admins roles have full admin access to Intune no matter what scope tags they have.
- If a role assignment has no scope tag, that IT admin can see all objects based on the IT admin's permissions. Admins that have no scope tags essentially have all scope tags.
- You can only assign a scope tag that you have in your role assignments.
- You can only target groups that are listed in the Scope (Groups) of your role assignment.
- If you have a scope tag assigned to your role, you can't delete all scope tags on an Intune object. At least one scope tag is required.”
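
The rules quoted in the reply above, written out as a small model that shows why a school admin may still see every copy of an app. This is an added example, not part of the original thread and not Intune code: the tokens, apps, admins and tag names are constructed, and it assumes each admin has a single role assignment and sees an object when the object shares at least one scope tag with that assignment.

```python
from dataclasses import dataclass, field

# Azure AD roles that, per the quoted documentation, ignore Intune scope tags.
BYPASS_ROLES = {"Global Admin", "Intune Service Admin"}

@dataclass
class Admin:
    name: str
    scope_tags: set = field(default_factory=set)  # tags on the role assignment
    aad_roles: set = field(default_factory=set)

# Constructed sample data: one VPP token per school, each with its own scope tag.
TOKENS = {"vpp-school-a": {"SchoolA"}, "vpp-school-b": {"SchoolB"}}
APPS = [
    {"id": "keynote-a", "name": "Keynote", "vpp_token": "vpp-school-a"},
    {"id": "keynote-b", "name": "Keynote", "vpp_token": "vpp-school-b"},
    {"id": "portal", "name": "School portal", "tags": {"SchoolA", "SchoolB"}},
]

def effective_tags(app, tokens):
    """VPP apps inherit the tags of their token; other apps carry their own."""
    token = app.get("vpp_token")
    return set(tokens[token]) if token else set(app.get("tags", ()))

def visible_apps(admin, apps, tokens):
    """Return (ids of apps the admin sees, reason for that result)."""
    everything = [a["id"] for a in apps]
    if admin.aad_roles & BYPASS_ROLES:
        return everything, "Azure AD role bypasses Intune RBAC"
    if not admin.scope_tags:
        return everything, "role assignment has no scope tag"
    seen = [a["id"] for a in apps if effective_tags(a, tokens) & admin.scope_tags]
    return seen, "filtered by scope tag"

if __name__ == "__main__":
    for admin in (
        Admin("school-a-admin", {"SchoolA"}),
        Admin("untagged-admin"),
        Admin("tagged-but-global", {"SchoolA"}, {"Global Admin"}),
    ):
        print(admin.name, *visible_apps(admin, APPS, TOKENS))
```

Only the first admin gets a filtered list; the other two see all apps for the two reasons the quoted documentation names.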