Tech Community Live: Endpoint Manager edition
Jul 21 2022, 08:00 AM - 12:00 PM (PDT)

Serial number for dynamic group membership

%3CLINGO-SUB%20id%3D%22lingo-sub-2692747%22%20slang%3D%22en-US%22%3ESerial%20number%20for%20dynamic%20group%20membership%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2692747%22%20slang%3D%22en-US%22%3E%3CP%3EIs%20it%20possible%20to%20get%20serial%20number%20as%20part%20of%20usable%20attributes%20for%20dynamic%20device%20group%20membership%20rules%3F%26nbsp%3B%20We%20are%20trying%20to%20populate%20a%20test%20group%20for%20Apple%20iOS%2FiPadOS%20DEP%20devices%20prior%20to%20them%20actually%20being%20enrolled%20in%20order%20to%20have%20an%20%22required%22%20app%20installed.%26nbsp%3B%20The%20problem%20there%20is%20no%20other%20%22DeviceID%22%2C%20that%20I%20can%20find%20anyway%2C%20available%20until%20it%20goes%20through%20the%20DEP%20pre-enrollment%20or%20full%20enrollment%20with%20Company%20Portal.%26nbsp%3B%20Our%20use%20case%20is%20that%20we%20want%20the%20Microsoft%20Authenticator%20app%20installed%20on%20our%20iOS%20DEP%20devices%20without%20users%20having%20to%20sign%20in%20to%20the%20Apple%20ID%20and%20prior%20to%20full%20enrollment%20with%20the%20Company%20Portal.%26nbsp%3B%20The%20only%20other%20method%20I%20can%20see%20working%20would%20be%20for%20Microsoft%20to%20do%20the%20same%20they%20can%20do%20with%20the%20Company%20Portal%20app%20and%20have%20Authenticator%20installed%20the%20same%20way.%26nbsp%3B%20Ultimately%2C%20we%20are%20trying%20to%20avoid%20users%20setting%20up%20their%20authenticator%20incorrectly%20(it%20is%20a%20long%20story%20that%20we%20worked%20with%20your%20identity%20support%20on)%20prior%20to%20launching%20Company%20Portal%20to%20complete%20Intune%20enrollment.%26nbsp%3B%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-2692747%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EIntune%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-3030432%22%20slang%3D%22en-US%22%3ERe%3A%20Serial%20number%20for%20dynamic%20group%20membership%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-3030432%22%20slang%3D%22en-US%22%3E%3CP%3EHi%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F278092%22%20target%3D%22_blank%22%3E%40jjrodgers%3C%2FA%3E%26nbsp%3B%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIt%20is%20not%20possible%20to%20use%20serialnumber%20for%20a%20dynamic%20rule%2C%20see%20the%20below%20possible%20properties.%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Mr_Helaas_0-1638610244109.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F331569i87FC459B1D6492A1%2Fimage-size%2Fmedium%3Fv%3Dv2%26amp%3Bpx%3D400%22%20role%3D%22button%22%20title%3D%22Mr_Helaas_0-1638610244109.png%22%20alt%3D%22Mr_Helaas_0-1638610244109.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3EAs%20defined%20in%20the%20Microsoft%20documentation%3A%26nbsp%3B%3CBR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fenterprise-users%2Fgroups-dynamic-membership%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3ERules%20for%20dynamically%20populated%20groups%20membership%20-%20Azure%20AD%20%7C%20Microsoft%20Docs%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EBut%20what%20i%20understand%20from%20your%20question%20is%20that%20you%20want%20to%20install%20the%20Microsoft%20Authenticator%20app%20without%20sign%20into%20the%20company%20portal%2C%20and%20you%20want%20to%20test%20this%20first%20on%20a%20test%20device.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EGood%20news%2C%20It%20is%20possible%2C%20but%20how%3F%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E1.%20Purchase%20the%20authenticator%20app%20via%20Apple%20Business%20Manager%20(device%20license)%2C%20but%20that%20is%20default%26nbsp%3B%26nbsp%3B%3CBR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmem%2Fintune%2Fapps%2Fvpp-apps-ios%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EManage%20Apple%20volume-purchased%20apps%20-%20Microsoft%20Intune%20%7C%20Microsoft%20Docs%3C%2FA%3E%3C%2FP%3E%3CP%3E2.%20Sync%20app%20to%20the%20intune%20portal%3C%2FP%3E%3CP%3E3.%20Create%20a%20new%20DEP%20Profile%20(with%20different%20name%20but%20same%20settings)%20in%20the%20Intune%20portal%20and%20assign%20your%20test%20device%20to%20that%20profile.%26nbsp%3B%3C%2FP%3E%3CP%3E4.%26nbsp%3BCreate%20a%20dynamic%20group%20with%20the%20following%20rule%20syntax%20%3CSPAN%3E(device.enrollmentProfileName%20-eq%20%22New%20DEP%20Profile%22)%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E5.%20Assign%20the%20new%20dynamic%20device%20group%20as%20required%20to%20the%20Microsoft%20Authenticator%20app%3C%2FP%3E%3CP%3E6.%20App%20will%20be%20installed%20on%20a%20device%20without%20login%20to%20the%20company%20portal.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20hope%20this%20helps%20you%20with%20installing%20the%20Authenticator%20app%20without%20logon%20to%20the%20company%20portal.%3C%2FP%3E%3CP%3EIf%20this%20fixed%20your%20problem.%20Please%20let%20me%20know%20and%20mark%20this%20as%20a%20solution.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EKind%20regards%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ERene%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E
New Contributor

Is it possible to get serial number as part of usable attributes for dynamic device group membership rules?  We are trying to populate a test group for Apple iOS/iPadOS DEP devices prior to them actually being enrolled in order to have an "required" app installed.  The problem there is no other "DeviceID", that I can find anyway, available until it goes through the DEP pre-enrollment or full enrollment with Company Portal.  Our use case is that we want the Microsoft Authenticator app installed on our iOS DEP devices without users having to sign in to the Apple ID and prior to full enrollment with the Company Portal.  The only other method I can see working would be for Microsoft to do the same they can do with the Company Portal app and have Authenticator installed the same way.  Ultimately, we are trying to avoid users setting up their authenticator incorrectly (it is a long story that we worked with your identity support on) prior to launching Company Portal to complete Intune enrollment.  

1 Reply

Hi @jjrodgers ,

 

It is not possible to use serialnumber for a dynamic rule, see the below possible properties.

Mr_Helaas_0-1638610244109.png

As defined in the Microsoft documentation: 
Rules for dynamically populated groups membership - Azure AD | Microsoft Docs

 

But what i understand from your question is that you want to install the Microsoft Authenticator app without sign into the company portal, and you want to test this first on a test device. 

 

Good news, It is possible, but how? 

 

1. Purchase the authenticator app via Apple Business Manager (device license), but that is default  
Manage Apple volume-purchased apps - Microsoft Intune | Microsoft Docs

2. Sync app to the intune portal

3. Create a new DEP Profile (with different name but same settings) in the Intune portal and assign your test device to that profile. 

4. Create a dynamic group with the following rule syntax (device.enrollmentProfileName -eq "New DEP Profile")

5. Assign the new dynamic device group as required to the Microsoft Authenticator app

6. App will be installed on a device without login to the company portal. 

 

I hope this helps you with installing the Authenticator app without logon to the company portal.

If this fixed your problem. Please let me know and mark this as a solution.

 

Kind regards,

 

Rene