SOLVED

Targeting different Intune policies to different devices for the same users.


Hi all,

I'm looking at deploying Intune Standalone as a migration from SCCM Hybrid Intune and I'm looking to improve user experience while I can.

 

Talking about iOS devices here, we have users who might potentially have a corporate iOS device (which hasn't been set up through DEP) that has been configured by our helpdesk as if it was a personal device and handed to the user, and a personal device which they've self-enrolled. We'd like the user to get different policies depending on whether or not they're using a personal device or a corporate device.

 

Are there any options here? From what I understand, I can't target a user group for the corporate policy and then set an exclude for a device group containing their BYOD device.

 

Is our only option to implement DEP, then use dynamic group memberships? Is there something dumb I'm missing? Appreciate any thoughts.

5 Replies
best response confirmed by Robert Moir (Copper Contributor)
Solution

Hi Robert,

 

Wouldn't it be a possibility to use dynamic groups already?

In my case we don't use DEP or Android Zero Touch.

The users can enroll their devices on their own. In the enrollment process they choose a device type (BYOD or COPE/CORP).

I've set up a dynamic group like this: 

e.g.

 

Name: Intune_BYOD_Devices_IOS

Rule: ((device.deviceOSType -eq "iPad") -or (device.deviceOSType -eq "iPhone")) -and (device.deviceCategory -eq "BYOD")

 

or for Android:

Rule: (device.deviceOSType -eq "Android") -and (device.deviceCategory -eq "BYOD")

 

Be careful: The OS type for iOS devices isn't "iOS" (strange, I know).

It is "iPad" and "iPhone".

With device.deviceCategory you can distinguish BYOD and CORP or the types you have. (BYOD is just a string I used. If you use "Company Device", you have to use this string in the dynamic rule.)
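Dynamic membership rules evaluate -and before -or, so whether the two OS-type checks are grouped changes which devices an iOS BYOD rule selects. The following is an added example, not part of the original post: a simplified Python model of that rule subset (the evaluator, device names and sample data are constructed for illustration) comparing an ungrouped and a grouped rule.

```python
import re

# Simplified model of the rule subset used in the thread:
# (device.prop -eq "value"), -and, -or and grouping parentheses.
# -and is evaluated before -or, as in dynamic membership rules.
TOKEN = r'\(|\)|-and|-or|-eq|device\.\w+|"[^"]*"'

def matches(rule, device):
    toks = re.findall(TOKEN, rule)

    def binary(op, operand):
        # Evaluate both sides before combining so every token is consumed.
        val = operand()
        while toks and toks[0] == op:
            toks.pop(0)
            rhs = operand()
            val = (val and rhs) if op == "-and" else (val or rhs)
        return val

    def term():
        tok = toks.pop(0)
        if tok == "(":
            val = binary("-or", lambda: binary("-and", term))
            toks.pop(0)  # closing ")"
            return val
        toks.pop(0)  # "-eq"
        return device.get(tok.split(".", 1)[1]) == toks.pop(0).strip('"')

    return binary("-or", lambda: binary("-and", term))

# Constructed sample devices, not taken from a real tenant.
DEVICES = {
    "corp-ipad": {"deviceOSType": "iPad", "deviceCategory": "CORP"},
    "byod-ipad": {"deviceOSType": "iPad", "deviceCategory": "BYOD"},
    "corp-iphone": {"deviceOSType": "iPhone", "deviceCategory": "CORP"},
    "byod-iphone": {"deviceOSType": "iPhone", "deviceCategory": "BYOD"},
    "byod-android": {"deviceOSType": "Android", "deviceCategory": "BYOD"},
}

def members(rule):
    return sorted(name for name, dev in DEVICES.items() if matches(rule, dev))

UNGROUPED = '(device.deviceOSType -eq "iPad") -or (device.deviceOSType -eq "iPhone") -and (device.deviceCategory -eq "BYOD")'
GROUPED = '((device.deviceOSType -eq "iPad") -or (device.deviceOSType -eq "iPhone")) -and (device.deviceCategory -eq "BYOD")'

if __name__ == "__main__":
    print("ungrouped:", members(UNGROUPED))
    print("grouped:  ", members(GROUPED))
```

With the ungrouped rule the corporate iPad lands in the BYOD group and would receive BYOD policy; the extra parentheses around the two OS checks keep it out.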

Thank you for your response Patrick, I was looking at this already and I'm delighted to see someone using it and confirming it should work. I think the longer term answer here for me is to implement DEP but with your validation that it works I think Device Categories feeding Dynamic Device Groups is a good solution for now.
This works very well for me.
The only negative aspect is that it needs some time before the dynamic group is updated after a device is enrolled.

Just a short response, because of a new Techcommunity Account. :) [Ignore me]

Because of a new techcommunity account, this is just a short response to follow up the thread. :)