Thank you, @r0bu, for the reply. We are using ABM + ADE + device assigned VPP (well, we are using VPP...and I choose 'license type = device' when I add groups to them in Intune). Setting up AD groups specifically for iPad and iPhone was a thought I had, as well, but wasn't sure if that was the only way to go.

I've tried to set up 'dynamic' security groups for the purpose of pushing apps to devices for users who are unable to use the portal due to not having an AD account, but wasn't able to get it going. I am unable to figure out how to put devices into the group.

Hi @Hollis255 

To use dynamic groups you need Azure AD P1 (or a qualifying license such as M365 Business Premium, M365 E3 or EMS E3 - best to check https://github.com/AaronDinnage/Licensing as this will give you a great idea of where licenses sit).

MS documentation on rules for devices is here: https://docs.microsoft.com/en-us/azure/active-directory/enterprise-users/groups-dynamic-membership#r...

This is what my dynamic device group (Azure AD, Groups, New Group) looks like;

and the query would be;

iPhones would simply be (device.deviceOSType -eq "iPhone")

Hope this helps?

@r0bu  - thank you SO much, It totally helps. Sorry for my delayed response, I've been busy getting everything set up in there. Dynamic groups seems to have done the trick for most of my needs, but now I just need to figure out the best way to handle users without an AD account. I was running Company Portal in ASAM and, of course, this isn't going to work unless the user is in AD. I created a DEM user account, group and profile to get around that for now, but that isn't ideal. We were really hoping to be able to track the devices by user logged in, but if they can't log in, we really don't have a good and simple way to see who has what. (I know, logging in isn't 100% accurate, either, since someone could log in, then pass the device to someone else and we'd never know).

I also ran into several issues with Company Portal (gets stuck in CP even after user has logged in and been working. If they open CP for any reason, the app just stays open and can't close it or go to home screen until hard reset. Also, if the device is not connected via cellular or wifi, the CP opens up to the sign on screen and you can't close it or even log in (because no connection to verify creds) and the device is basically bricked until reset unless you get to a wifi that is already set up to 'autoconnect'.

Those issues have made it so I no longer have it running in ASAM, but it is a required app on all devices. Now I need to find a way to lock the device until the user signs into CP. Again, the device can be anywhere and used by anyone (inside or outside the company) without our knowledge because the enrollment would not be complete until CP was logged into.

The journey continues.

Thanks, again!

~ Hollis255