Skip to content
Posted by Thijs Lecomte7 Comments on Android Enterprise Dynamic Groups for Intune Azure AD

Android Enterprise Dynamic Groups for Intune

Microsoft Endpoint Manager (Intune) currently supports fours different Android Enterprise enrollment methods:

  • Work Profile
  • Dedicated Device
  • Fully Managed
  • Fully Managed Devices with Work Profile (Corporate Owned – Personally Enabled (COPE))

Each method has it’s own purpose. Work Profile is mostly used for employees who want access to company resources using their own personal device. A dedicated device is used in a production environment where user affinity isn’t required. Fully Managed devices are used when user affinity is required (when a single user uses a specific device).

COPE is essentially a Fully Managed enrollment but with a Work Profile. This means an organization can fully manage the device, while respecting the privacy for the user in the work profile.

Source: MEM Twitter

Some organizations are using all three enrollment methods and have users that might use every one of those devices. Assigning configuration policies and applications on a user basis isn’t possible in this scenario. That’s why you need to create dynamic device groups for each scenario.

Work Profile

To be able to group Work Profile devices, use the following dynamic device query:

(device.deviceOSType -eq "AndroidForWork") and (device.managementType -eq "MDM")

Dedicated device

To enroll dedicated devices, you need to create a new enrollment profile. Each enrollment profile has a unique name and that name can be used to configure a dynamic group. If you would create an enrollment profile called ‘Warehouse_Devices’, the query you need to use is:

(device.enrollmentProfileName -match "Warehouse_Devices")

Keep in mind that dedicated devices do not have a user affiliated with them. So you cannot target policies to a user group for this device type.

Because you can create a device group per enrollment profile, you can be really granular with your configurations.

Fully Managed device

Fully Managed devices don’t have an enrollment profile affiliated with them, so there is only one way to create a group.

(device.deviceOSType -eq "AndroidEnterprise") -and (device.enrollmentProfileName -eq null)

Fully Managed Devices with Work Profile

Fully Managed Devices with Work Profile supports enrollment profiles, just as Dedicated Devices. So you can also create dynamic groups based on the different enrollment profiles.

Categories

Azure AD, Intune

Tags

, , , , , , , , , ,

Thijs Lecomte View All

7 thoughts on “Android Enterprise Dynamic Groups for Intune Leave a comment

  1. Pingback: Choosing the right Android enrollment method – 365 by Thijs

  2. Using dynamic group membership for a fully managed device, is there a way to control what apps are deployed to the device during enrolment, rather than after the phone has landed on the home screen and waiting for the play store to kick in?
    Authenticator and Intune apps are pushed early in the process. I’d love to add a couple more.

    Like

    Reply

  3. Is there a way to create dynamic groups for android devices based on network information? For example, can we have android devices submit their IP address, and create dynamic groups based on that information. I’m looking for a way to designate an office location for android devices.

    Like

    Reply

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s

%d bloggers like this: