Tech Community Live: Endpoint Manager edition
Jul 21 2022, 08:00 AM - 12:00 PM (PDT)

Users with Multiple Devices - Groups Best Practice

Regular Contributor

Hi All


Say a user has multiple devices like so:


Windows 10 laptop

iOS Personal phone

iOS DEP / Corp phone

Android Enterprise Work Profile

Android Enterprise COFM



Is it best to create ONE group for policies, apps etc or create a group per OS?


Info appreciated

5 Replies
This is really dependent on the settings you specify per device.

Do you push different settings to personal/coorporate devices?
best response confirmed by Stuart King (Regular Contributor)

Hi @Stuart King , 


I had the same scenario for one of our customers, in that case, what I would suggest,


Just create a Dynamic Groups.



Windows 10 laptop 

  • (device.deviceOSVersion -startsWith "10.0") and (device.deviceOwnership -eq "Company")
  • (device.deviceOSVersion -startsWith "10.0") and (device.deviceOwnership -eq "Personal")

iOS Personal phone

  • (device.deviceOwnership-eq "Personal") 

iOS DEP / Corp phone 

  • (device.enrollmentProfileName -eq "DEP iPhones") 

Android Enterprise Work Profile 

  • (device.deviceOSType -contains "AndroidEnterprise")
  • (device.deviceOSType -eq "AndroidForWork")


  • (device.deviceModel -eq "iPad Air")


And then simply create your Intune Management Profiles and Categories based on those created groups. 


And don't forget to benefit of using device categories.  




@Mahmoud A. Atallah 


Hi Buddy


Thanks very much for the device queries per OS, very useful.


Can you please recheck the queries on:


AE Corp Owned Fully Managed

iOS Personal



@Stuart King 


As the best approach is to create device categories,  by using the deviceCategory attribute. For example: device.deviceCategory -eq “Personal Device“.

When users of iOS and Android devices enroll their device, they must choose a category from the list of categories you configured. After they choose a category and finish enrollment, their device is added to the Intune device group, or the Active Directory security group that corresponds with the category they chose.

@Mahmoud A. Atallah 


Many thanks for your very informative reply.


Device Categories, I find, can be prone to error from end users, ie selecting the wrong category.


Do you have a reference that this is the best practice here?


User Groups vs Device Groups: