10-16-2020 11:23 AM
We are migrating from one MDM, which was device based, to Endpoint/Intune. Everything seems to be going okay for all users who have an Azure AD account, but we have many users who are not in AD. Is there a way to manage the devices AND push apps out to the iPhones / iPads by Serial number ONLY? So the user never actually needs to sign in?
Also, in our previous MDM, we pushed apps using tags and were able to differentiate between iPhones (only got two required apps) and iPads (two required and eight default apps) to automatically push when the device enrolled. Everything I'm seeing just says iOS/iPad and we'd like different things to happen for iPhones than for iPads.
Thank you, in advance.
10-17-2020 02:59 PM
10-19-2020 06:49 AM
Thank you, @robunger, for the reply. We are using ABM + ADE + device assigned VPP (well, we are using VPP...and I choose 'license type = device' when I add groups to them in Intune). Setting up AD groups specifically for iPad and iPhone was a thought I had, as well, but wasn't sure if that was the only way to go.
I've tried to set up 'dynamic' security groups for the purpose of pushing apps to devices for users who are unable to use the portal due to not having an AD account, but wasn't able to get it going. I am unable to figure out how to put devices into the group.
To use dynamic groups you need Azure AD P1 (or a qualifying license such as M365 Business Premium, M365 E3 or EMS E3 - best to check https://github.com/AaronDinnage/Licensing as this will give you a great idea of where licenses sit).
MS documentation on rules for devices is here: https://docs.microsoft.com/en-us/azure/active-directory/enterprise-users/groups-dynamic-membership#r...
This is what my dynamic device group (Azure AD, Groups, New Group) looks like:
and the query would be:
iPhones would simply be (device.deviceOSType -eq "iPhone")
Hope this helps?
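As an added example (not from this thread or any poster), the two per-device-type dynamic groups described above can be created with Microsoft Graph PowerShell instead of the portal; it assumes the Microsoft.Graph module is installed, the signed-in account holds Group.ReadWrite.All, and the tenant has the Azure AD P1 (or equivalent) licensing that dynamic membership needs. The group names are made up; the "iPad" rule value is the documented counterpart of the "iPhone" rule shown in the reply.

```powershell
# Added example: one dynamic device group per Apple device type, so required/default
# apps can be assigned per group without any user having to sign in on the device.
# Assumes Microsoft.Graph module + Group.ReadWrite.All; names below are hypothetical.
Connect-MgGraph -Scopes "Group.ReadWrite.All"

# Membership rules keyed on the device object's OS type. "iPhone" is the value quoted
# in the thread; "iPad" is the documented value reported for iPads.
$rules = @{
    "MDM-Devices-iPhone" = '(device.deviceOSType -eq "iPhone")'
    "MDM-Devices-iPad"   = '(device.deviceOSType -eq "iPad")'
}

foreach ($name in $rules.Keys) {
    # Make re-runs idempotent: skip names that already exist rather than duplicating them
    $existing = Get-MgGroup -Filter "displayName eq '$name'"
    if ($existing) { Write-Host "Group '$name' already exists, skipping"; continue }

    New-MgGroup -DisplayName $name `
        -Description "Dynamic device group, rule: $($rules[$name])" `
        -MailEnabled:$false `
        -MailNickname ($name -replace '[^A-Za-z0-9]', '') `
        -SecurityEnabled:$true `
        -GroupTypes @("DynamicMembership") `
        -MembershipRule $rules[$name] `
        -MembershipRuleProcessingState "On" | Out-Null
    Write-Host "Created dynamic device group '$name'"
}

# Azure AD evaluates the rule asynchronously; once device objects have synced from
# Intune, confirm the rule is still processing and see how many devices landed in each.
foreach ($name in $rules.Keys) {
    $g = Get-MgGroup -Filter "displayName eq '$name'" -Property Id,DisplayName,MembershipRuleProcessingState
    $count = (Get-MgGroupMember -GroupId $g.Id -All).Count
    Write-Host "$($g.DisplayName): processing=$($g.MembershipRuleProcessingState) members=$count"
}
```

Assign the iPhone-only apps to the first group and the full iPad set to the second with device VPP licensing, which is what lets apps reach enrolled devices whose users have no Azure AD account.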