Saturday, June 26, 2021

Assign apps, policies, and profiles with the new filters in Endpoint Manager

Introduction

In May, Microsoft introduced Filters in Endpoint Manager. Many would go with a device-centric approach instead of a user-centric approach, as one would normally do in Configuration Manager.

So how can filters help us?

Filters let you assign policies and apps to users and then control which device types, OS versions, hardware models and much more they apply to.

Why would I use such an approach? Because it makes it much easier for your organisation to switch hardware, as the policies now follow the user and not the device. There is no need to create tons of dynamic Azure AD groups to target the correct policies, which has proven to be slow in larger environments. There are many other reasons, but I will stop here, as this post is about how to use filters actively in your environment.

At the bottom of this post, I will share the filters that I use. I will add more to this post as I discover more use cases and needs for filter rules.

 

Feedback goes into this link:

https://forms.office.com/r/ibB4tf6CAz

 

Are you afraid to use preview features in a production environment?

Don’t be. Microsoft has you fully supported:

Public preview overview in Microsoft Intune - Azure | Microsoft Docs

 

Requirements

  • Microsoft Endpoint Manager

 

Filters work on the following platforms:

[Screenshot: supported platforms]

To see which policy and app types are supported, go to this link:
Platforms and policy types supported by filters in Microsoft Intune - Azure | Microsoft Docs

 

Enable Filters (Preview)

Sign in to Endpoint Manager with an Intune Administrator account.

Press Tenant administration

Choose Filters (preview)

Click the red text

Turn on the Filters (preview) and press ok.

3 ways to create a filter

Sign in to Endpoint Manager

Tenant administration -> Filters (preview)

Devices -> Filters (preview)

Apps -> Filters (preview)

Let’s create a filter

Sign in to Endpoint Manager

Press create

Give it a filter name

Give it a description

And finally choose the platform for the filter to apply. (It is important to choose the correct platform, because it will only be available to use on the chosen platform when we assign it in a minute.)

For this filter to work, we will specify the osVersion property, the startsWith operator and the value 10.0.18363.

Click Create

Use filter on assignment

Sign in to Endpoint Manager

Choose one of your configuration profiles

Edit

Edit Filter

Choose whether you want to include or exclude the filter applied.

Note: You can only choose 1 filter.

Press select

Press Review + save

Now keep an eye on your devices and see how the filter works

[Screenshot: filter evaluation for the device]

This means the filter matches the device OS level and will therefore apply as it is in “Include” mode.

Filters that I use in my environment

What the device properties are:

Supported filter device properties and operators in Microsoft Intune - Azure | Microsoft Docs

 

Windows 10

| Query | Purpose |
| --- | --- |
| (device.osVersion -startsWith "10.0.17763") | Filter on all your 1809 Windows versions |
| (device.osVersion -startsWith "10.0.18363") | Filter on all your 1909 Windows versions |
| (device.osVersion -startsWith "10.0.19041") | Filter on all your 20H1 Windows versions |
| (device.osVersion -startsWith "10.0.19042") | Filter on all your 20H2 Windows versions |
| (device.osVersion -startsWith "10.0.19043") | Filter on all your 21H1 Windows versions |
| (device.operatingSystemSKU -ne "Holographic") and (device.operatingSystemSKU -eq "Enterprise") | You have HoloLens devices in your environment, users log on to them, and you do not want the assignment to apply to that platform. See all the SKUs in the link above. |
| (device.manufacturer -eq "Lenovo") | You only need to include or exclude device manufacturer Lenovo |
| (device.manufacturer -eq "Microsoft") | You only need to include or exclude device manufacturer Microsoft |
| (device.manufacturer -in ["HP", "Hewlett-Packard"]) | You only need to include or exclude device manufacturer HP |
| (device.manufacturer -eq "Dell") | You only need to include or exclude device manufacturer Dell |
| (device.model -in ["Latitude 5540", "Latitude 5550"]) | Specific models to include or exclude |
| (device.enrollmentProfileName -startsWith "AutoPilot") | If you need policies to apply to devices enrolled with a specific Autopilot profile name |
| (device.model -contains "Cloud PC") | Filter on all Windows 365 devices |


iOS/iPadOS

| Query | Purpose |
| --- | --- |
| (device.deviceOwnership -eq "Personal") | Include or exclude only personal devices |
| (device.deviceOwnership -eq "Corporate") | Include or exclude only corporate devices |
| (device.deviceOwnership -eq "Unknown") | Include or exclude only Unknown devices |
| (device.enrollmentProfileName -eq "iPad shared devices") | If you need policies to apply to devices enrolled with a specific profile name |
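
To preview which devices a rule would hit before you attach it to an assignment, the following added example (not from the original post and not Microsoft's code) models a simplified subset of the rule syntax used in the queries above and applies it in Include or Exclude mode. Assumptions: string comparison is exact, "and" binds tighter than "or", nested parentheses are not handled, and the device inventory is constructed sample data.

```python
import re

# One clause: (device.<property> -<operator> "<value>") or a ["a", "b"] list.
CLAUSE = re.compile(r'\(device\.(\w+)\s+-(\w+)\s+(\[[^\]]*\]|"[^"]*")\)')
OPS = {
    "eq": lambda have, want: have == want,
    "ne": lambda have, want: have != want,
    "startsWith": lambda have, want: have.startswith(want),
    "contains": lambda have, want: want in have,
    "in": lambda have, want: have in want,  # want is a list here
}

def parse_rule(rule):
    """Return (clauses, joiners); raise ValueError on anything unparsed."""
    rule, clauses, joiners, pos = rule.strip(), [], [], 0
    while True:
        m = CLAUSE.match(rule, pos)
        if not m or m.group(2) not in OPS:
            raise ValueError(f"cannot parse rule at offset {pos}: {rule[pos:]!r}")
        prop, op, raw = m.groups()
        values = re.findall(r'"([^"]*)"', raw)
        clauses.append((prop, op, values if raw.startswith("[") else values[0]))
        j = re.match(r"\s+(and|or)\s+", rule[m.end():])
        if not j:
            if rule[m.end():]:
                raise ValueError(f"trailing text: {rule[m.end():]!r}")
            return clauses, joiners
        joiners.append(j.group(1))
        pos = m.end() + j.end()

def matches(rule, device):
    clauses, joiners = parse_rule(rule)
    results = [OPS[op](device.get(prop, ""), want) for prop, op, want in clauses]
    groups, current = [], results[0]  # "and" binds tighter than "or" (assumption)
    for joiner, result in zip(joiners, results[1:]):
        if joiner == "and":
            current = current and result
        else:
            groups.append(current)
            current = result
    return any(groups + [current])

def preview(rule, mode, devices):
    """Names of devices that get the assignment; any mode but "include" excludes."""
    return [d["deviceName"] for d in devices
            if matches(rule, d) == (mode == "include")]

# Constructed sample inventory (device names and build numbers are made up).
DEVICES = [
    {"deviceName": "PC-1909", "osVersion": "10.0.18363.1621",
     "manufacturer": "Lenovo", "operatingSystemSKU": "Enterprise"},
    {"deviceName": "PC-21H1", "osVersion": "10.0.19043.1052",
     "manufacturer": "HP", "operatingSystemSKU": "Enterprise"},
    {"deviceName": "HOLO-1", "osVersion": "10.0.19041.1144",
     "manufacturer": "Microsoft", "operatingSystemSKU": "Holographic"},
]
```

Calling `preview(rule, "exclude", DEVICES)` with the 1909 rule lists every device that is not on build 10.0.18363, which is a quick way to spot devices that would silently fall outside a policy; a misspelled operator such as `-startWith` is rejected with a `ValueError` instead of matching nothing.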

 

I currently do not have any Macs where I need filters, and the same goes for Android devices.

 

If you have conflicting assignments for the same policy, see:

Filter reports and troubleshooting in Microsoft Intune - Azure | Microsoft Docs

 

Summary

I hope this post helped clarify what filters can be used for and how to use a user-centric approach in your organization.

Happy testing!

 

Sources:
Create filters in Microsoft Intune - Azure | Microsoft Docs

Supported filter device properties and operators in Microsoft Intune - Azure | Microsoft Docs

Platforms and policy types supported by filters in Microsoft Intune - Azure | Microsoft Docs

Filter reports and troubleshooting in Microsoft Intune - Azure | Microsoft Docs
