Dec 04 2018 02:46 AM
Until now it's felt like scoping policy/software deployments to 'Users' as opposed to 'Devices' has been preferable. It has the benefit of ensuring that any new device used by a user will instantly receive the relevant policy and software, maintaining the granularity and helping to ensure that the correct scope of users receive specific policy and software deployments.
However, if an organisation has the presence of shared devices (i.e. loan laptops), I'm wondering if scoping policy to 'Users' is the right fit, given the presence of such shared devices.
From reading the Microsoft documentation it would seem that you cannot target a User group (i.e. 'All Users') and then exclude a device group (i.e. 'Shared Devices'). I can't help but think that such an exclusion would make it a lot simpler to target policy at users for 'Generic' devices whilst being able to have a different set of policy for shared devices.
Would appreciate the thoughts of the community on this. How would you target your policies in this scenario?
Dec 04 2018 03:38 AM
My answer is based on Intune - MDM. In the case of shared devices (more like Kiosk devices) these are targeted via specific Dynamic AAD groups or profiles. These are 'userless' devices and do not have any association with a user account. They will never receive the traditional policies that are targeted towards 'All users'.
Dec 04 2018 04:14 AM
Thank you for the quick response, it's much appreciated! :)
I've found that even when there is no user/device affinity (for example, a device that is enrolled with a Device Enrollment Manager account or with Self-Deploying Autopilot), when a user logs into that device, policy and software that has been targeted to the specific user gets deployed to the shared device. Is this behaviour different to what you've seen? Thanks again! :)
Dec 04 2018 04:21 AM
I have not specifically used DEM/self-deploying Autopilot for various reasons (limitations of DEM) so cannot confirm. However, from your description I can expect policies to flow down in that scenario. Is there a way to create another Dynamic group, perhaps for DEM/Self-Deploying Autopilot devices, that can be excluded while targeting all users in other policies?
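The dynamic device group suggested in the reply above, as an added example that is not part of the thread: it uses the AzureADPreview module's New-AzureADMSGroup to build a group from the Autopilot enrollment profile name, which is the attribute Azure AD populates for devices enrolled through a Windows Autopilot profile. The profile name and group names are placeholders for your tenant; DEM-enrolled devices carry no Autopilot profile name, so they would need a different rule or a static group.

```powershell
# Added example (not from the thread): create a dynamic Azure AD device group
# that collects devices enrolled through a given Autopilot deployment profile,
# so the group can be excluded from, or targeted by, device-scoped policy.
# Requires the AzureADPreview module and an administrative session.
Connect-AzureAD

# ASSUMPTION: 'Shared-SelfDeploying' is a placeholder for the real Autopilot
# deployment profile name in your tenant.
$profileName = 'Shared-SelfDeploying'
$rule = "(device.enrollmentProfileName -eq ""$profileName"")"

$group = New-AzureADMSGroup -DisplayName 'Shared Devices (Autopilot self-deploying)' `
    -Description 'Dynamic group of userless shared devices' `
    -MailEnabled $false -MailNickname 'shareddevices' -SecurityEnabled $true `
    -GroupTypes 'DynamicMembership' `
    -MembershipRule $rule `
    -MembershipRuleProcessingState 'On'

# Confirm the stored rule; membership is evaluated asynchronously by Azure AD,
# so the device list fills in after processing has run.
Get-AzureADMSGroup -Id $group.Id |
    Select-Object DisplayName, MembershipRule, MembershipRuleProcessingState
```

Once populated, the group can be assigned its own (shared-device) configuration profiles, but, as the thread notes, it cannot be used as an exclusion on a user-targeted assignment.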
Dec 04 2018 04:26 AM - edited Dec 04 2018 04:27 AM
It doesn't appear to be possible to combine user targeting with device exclusions and vice versa. The only solution that I can envisage right now is to create groups of devices based on users as per https://blogs.technet.microsoft.com/smeems/2018/05/11/user-based-device-groups/.
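One way to maintain the user-based device groups mentioned above, as an added example that is neither the thread's nor the linked blog's code: a script using the AzureAD module that keeps a static device group in sync with the registered devices of a user group's members, while skipping any device that sits in a 'Shared Devices' group so loan laptops never inherit the user population's assignments. All three group names are placeholders for your tenant.

```powershell
# Added example (not from the thread): derive a device group from a user group
# so device-scoped assignments can follow a user population, with shared
# devices explicitly left out. Uses the AzureAD module; run as an admin.
Connect-AzureAD

$userGroupName   = 'Finance Users'             # ASSUMPTION: source user group
$deviceGroupName = 'Finance Users - Devices'   # ASSUMPTION: derived device group
$sharedGroupName = 'Shared Devices'            # ASSUMPTION: loan/kiosk devices

function Get-GroupByName([string]$name) {
    $g = Get-AzureADGroup -Filter "DisplayName eq '$name'"
    if (-not $g) { throw "Group '$name' not found." }
    return $g
}
$userGroup   = Get-GroupByName $userGroupName
$deviceGroup = Get-GroupByName $deviceGroupName
$sharedGroup = Get-GroupByName $sharedGroupName

# Devices that must never be added, whoever is registered to them.
$shared = @{}
Get-AzureADGroupMember -ObjectId $sharedGroup.ObjectId -All $true |
    ForEach-Object { $shared[$_.ObjectId] = $true }

# Registered devices of every user in the source group, minus shared devices.
$wanted = @{}
Get-AzureADGroupMember -ObjectId $userGroup.ObjectId -All $true |
    Where-Object { $_.ObjectType -eq 'User' } |
    ForEach-Object {
        Get-AzureADUserRegisteredDevice -ObjectId $_.ObjectId -All $true |
            Where-Object { -not $shared.ContainsKey($_.ObjectId) } |
            ForEach-Object { $wanted[$_.ObjectId] = $_.DisplayName }
    }

# Current membership of the derived device group.
$current = @{}
Get-AzureADGroupMember -ObjectId $deviceGroup.ObjectId -All $true |
    Where-Object { $_.ObjectType -eq 'Device' } |
    ForEach-Object { $current[$_.ObjectId] = $_.DisplayName }

# Add devices owned by group members that are not yet in the device group.
foreach ($id in $wanted.Keys) {
    if (-not $current.ContainsKey($id)) {
        Add-AzureADGroupMember -ObjectId $deviceGroup.ObjectId -RefObjectId $id
        Write-Host "Added   $($wanted[$id])"
    }
}

# Remove devices whose users have left the group (or that became shared), so
# stale devices do not keep receiving the group's assignments.
foreach ($id in $current.Keys) {
    if (-not $wanted.ContainsKey($id)) {
        Remove-AzureADGroupMember -ObjectId $deviceGroup.ObjectId -MemberId $id
        Write-Host "Removed $($current[$id])"
    }
}
```

Run it on a schedule; the derived group only reflects devices registered at the last run, which is the trade-off against native user targeting that the first post in the thread describes.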
Dec 10 2018 02:05 AM (marked as Solution)
Dec 11 2018 04:05 AM
Thank you so much for taking the time to provide such an insightful response. It really is appreciated and reading your confirmation of behaviour as well as the reasoning for this has been invaluable!
Will certainly bear your words and thoughts on the behaviours in mind! :)
Thanks again! :)