Office 365 - Intune/AAD - Dynamic Device Groups

Recently working for a client on an Intune deployment, I had to create a number of dynamic device Azure AD groups to be used for assigned configuration/compliance policies etc.

Background - There was two Device Categories configured, Personal Device & Corporate Device.

#Corporate iOS
(device.deviceOSType -eq "iPhone") -and (device.deviceCategory -contains "Co") -or (device.deviceOSType -eq "iPad") -and (device.deviceCategory -contains "Co")

#Personal iOS
(device.deviceOSType -eq "iPhone") -and (device.deviceCategory -contains "Per") -or (device.deviceOSType -eq "iPad") -and (device.deviceCategory -contains "Per")

#Corporate Android
(device.deviceOSType -eq "Android") -and (device.deviceCategory -contains "Co")

#Personal Android
(device.deviceOSType -eq "Android") -and (device.deviceCategory -contains "Per")

#Corporate Windows 10
(device.deviceOSType -contains "Windows") -and (device.deviceOSVersion -eq "Windows 10") -and (device.deviceOwnership -eq "Company") -or (device.deviceOSType -contains "Windows") -and (device.deviceOSVersion -eq "Windows 10") -and (device.deviceCategory -startsWith "Corporate")

#Personal Windows 10
(device.deviceOSType -contains "Windows") -and (device.deviceOSVersion -eq "Windows 10") -and (device.deviceOwnership -eq "Personal") -or (device.deviceOSType -contains "Windows") -and (device.deviceOSVersion -eq "Windows 10") -and (device.deviceCategory -startsWith "Personal")

#Corporate Windows 8.1 Phone Devices
(device.deviceOSType -contains "WindowsPhone") -and (device.deviceOwnership -eq "Company") -or (device.deviceOSType -contains "WindowsPhone") -and (device.deviceCategory -startsWith "Corporate")

#Personal Windows 8.1 Phone Devices
(device.deviceOSType -contains "WindowsPhone") -and (device.deviceOwnership -eq "Personal") -or (device.deviceOSType -contains "WindowsPhone") -and (device.deviceCategory -startsWith "Personal")

I have used the device.deviceOwnership -eq "Company" and the device.deviceCategory -startsWith "Corporate" mainly because the default ownership when enrolling a device into Intune is set to Personal. I found that  configuration policies were not being applied if we solely used device.deviceOwnership as this required an administrator to manually have to assign the ownership within Intune/Azure AD (which they should as part of the corporate enrolment process), but this configuration would catch any that have been missed and where the user has set the device category to Corporate. 


Post a Comment