SOLVED

Users with Multiple Devices - Groups Best Practice


Hi All

Say a user has multiple devices like so:

  • Windows 10 laptop
  • iOS Personal phone
  • iOS DEP / Corp phone
  • Android Enterprise Work Profile
  • Android Enterprise COFM
  • MacOS

Is it best to create ONE group for policies, apps etc or create a group per OS?

Info appreciated

5 Replies
This is really dependent on the settings you specify per device.

Do you push different settings to personal/corporate devices?
best response confirmed by Stuart King (Iron Contributor)
Solution

Hi @Stuart King,

I had the same scenario for one of our customers. In that case, what I would suggest:

Just create Dynamic Groups.

Example:

Windows 10 laptop

  • (device.deviceOSVersion -startsWith "10.0") and (device.deviceOwnership -eq "Company")
  • (device.deviceOSVersion -startsWith "10.0") and (device.deviceOwnership -eq "Personal")

iOS Personal phone

  • (device.deviceOwnership -eq "Personal")

iOS DEP / Corp phone

  • (device.enrollmentProfileName -eq "DEP iPhones")

Android Enterprise Work Profile

  • (device.deviceOSType -contains "AndroidEnterprise")
  • (device.deviceOSType -eq "AndroidForWork")

MacOS

  • (device.deviceModel -eq "iPad Air")

And then simply create your Intune Management Profiles and Categories based on those created groups.

And don't forget to benefit from using device categories.
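
The follow-up in this thread asks for some of these queries to be rechecked; one way to do that before assigning profiles is to evaluate each rule against a device inventory and list the devices that land in no group or in several. This is an added example, not part of the original posts and not Microsoft's rule engine: a simplified evaluator that supports only -eq, -startsWith, -contains and "and", assumes case-insensitive matching, and runs on a constructed inventory whose device names, versions and models are made up.

```python
import re

# Rules from the answer above, keyed by the answer's headings.
RULES = {
    "Windows 10 (Company)": '(device.deviceOSVersion -startsWith "10.0") and (device.deviceOwnership -eq "Company")',
    "Windows 10 (Personal)": '(device.deviceOSVersion -startsWith "10.0") and (device.deviceOwnership -eq "Personal")',
    "iOS Personal": '(device.deviceOwnership -eq "Personal")',
    "iOS DEP / Corp": '(device.enrollmentProfileName -eq "DEP iPhones")',
    "Android Enterprise": '(device.deviceOSType -contains "AndroidEnterprise")',
    "Android Work Profile": '(device.deviceOSType -eq "AndroidForWork")',
    "MacOS": '(device.deviceModel -eq "iPad Air")',
}

# Constructed inventory (not real devices).
FIELDS = ("name", "deviceOSType", "deviceOSVersion", "deviceOwnership", "enrollmentProfileName", "deviceModel")
DEVICES = [dict(zip(FIELDS, row)) for row in [
    ("LT-CORP", "Windows", "10.0.19045.3803", "Company", "", "Latitude 7420"),
    ("LT-BYOD", "Windows", "10.0.19045.3803", "Personal", "", "Surface Laptop"),
    ("IPH-BYOD", "iPhone", "17.2", "Personal", "", "iPhone 13"),
    ("IPH-DEP", "iPhone", "17.2", "Company", "DEP iPhones", "iPhone 13"),
    ("AND-WP", "AndroidForWork", "13.0", "Personal", "", "Pixel 7"),
    ("AND-COFM", "AndroidEnterprise", "10.0", "Company", "", "Galaxy A51"),
    ("MAC-CORP", "MacMDM", "14.2", "Company", "", "MacBook Pro"),
]]

CLAUSE = re.compile(r'\(\s*device\.(\w+)\s+-(eq|startsWith|contains)\s+"([^"]*)"\s*\)', re.I)
OPS = {"eq": lambda a, b: a == b, "startswith": str.startswith, "contains": lambda a, b: b in a}

def matches(rule, device):
    """True when every 'and'-joined clause of the rule holds for the device."""
    clauses = CLAUSE.findall(rule)
    leftover = re.sub(r"\band\b", "", CLAUSE.sub("", rule), flags=re.I).strip()
    if not clauses or leftover:  # refuse syntax outside the supported subset
        raise ValueError(f"unsupported rule: {rule!r}")
    # Assumption: string comparison is case-insensitive.
    return all(OPS[op.lower()](str(device.get(prop, "")).lower(), val.lower())
               for prop, op, val in clauses)

def membership(rules, devices):
    """Map each device name to the sorted groups whose rule it satisfies."""
    return {d["name"]: sorted(g for g, r in rules.items() if matches(r, d)) for d in devices}

def review(rules, devices):
    """Devices that land in no group or in more than one: the cases to recheck."""
    return {n: g for n, g in membership(rules, devices).items() if len(g) != 1}

if __name__ == "__main__":
    for name, groups in review(RULES, DEVICES).items():
        print(f"{name}: {groups or 'no group'}")
```

A rule that tests only ownership, version or model selects every device with that value regardless of platform, so adding a deviceOSType clause to each rule is what keeps the groups disjoint.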

 

 

 

@MahmoudAtallah

Hi Buddy

Thanks very much for the device queries per OS, very useful.

Can you please recheck the queries on:

  • AE Corp Owned Fully Managed
  • iOS Personal

Stuart

@Stuart King

The best approach is to create device categories by using the deviceCategory attribute. For example: device.deviceCategory -eq "Personal Device".

When users of iOS and Android devices enroll their device, they must choose a category from the list of categories you configured. After they choose a category and finish enrollment, their device is added to the Intune device group, or the Active Directory security group that corresponds with the category they chose.

@MahmoudAtallah

Many thanks for your very informative reply.

Device Categories, I find, can be prone to error from end users, i.e. selecting the wrong category.

Do you have a reference that this is the best practice here?

User Groups vs Device Groups:

https://docs.microsoft.com/en-us/intune/configuration/device-profile-assign#user-groups-vs-device-gr...

Regards
