As you know, Intune (aka Endpoint Configuration Manager) is a device management solution that lets you apply configuration profiles and policies or deploy applications to devices.
These assignments are made using device groups, usually dynamic ones that target a specific OS, enrollment type or manufacturer.
While these dynamic groups are quite useful, they may be too broad when you want to assign policies to specific devices. For example, if you want to apply a device restriction policy to Windows 10 devices from a specific department but exclude personal devices, this is not possible using these groups alone.
This is where filters come in.
Filters include the following features and benefits:
- Improve flexibility and granularity when assigning Intune policies and apps
- Are used when assigning apps, policies, and profiles. They dynamically target devices based on device properties you enter
- Can include or exclude devices in a specific group based on criteria you enter
- Create a query of device properties based on the device platform, including Android, iOS/iPadOS, macOS, and Windows 10
- Can be used and reused in multiple scenarios in “Include” or “Exclude” mode
This feature applies to:
- Android device administrator
- Android Enterprise
- iOS/iPadOS
- macOS
- Windows 10
Before a policy is applied to a device, filters dynamically evaluate applicability. Here’s an overview:
- You create a reusable filter for any platform based on some device properties. In the example, the filter is for personal devices.
- You assign a policy or app to the group. In the assignment, you add the filter in either include or exclude mode. For example, you “include” personal devices, or you “exclude” personal devices from the policy.
- The filter is evaluated when the device enrolls, checks in with the Intune service, or at any other time a policy evaluates.
- You see the filter results based on the evaluation. For example, the app or policy applies, or it doesn’t apply.
To take advantage of this new capability, log on to your Endpoint Configuration Manager portal (https://endpoint.microsoft.com/) and open the Tenant Administration\Filters blade to turn it on.
NOTE: at the time of writing, deployment of this feature is underway and it may not have been deployed to your tenant yet.
Once the filters feature is enabled, you can create your first filter by naming it and defining the target platform,
and then defining the filter rule settings, similar to the dynamic device group setup (see this documentation for the available properties: https://docs.microsoft.com/en-us/mem/intune/fundamentals/filters-device-properties).
Your filter is then available for use in assignments.
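
The same three steps (name, platform, rule) can also be scripted. The following is an added example, not part of the original post: it assumes the Microsoft Graph PowerShell SDK and the beta `deviceManagement/assignmentFilters` endpoint, and the display name and description are constructed placeholders. The rule matches the "personal devices" filter used in the overview above.

```powershell
# Added example: display name and description are constructed placeholders.
# Assumes the Microsoft.Graph.Authentication module is installed and the
# signed-in account is allowed to manage Intune configuration.
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All'

$uri = 'https://graph.microsoft.com/beta/deviceManagement/assignmentFilters'

# Step 1: name, step 2: platform, step 3: rule (same syntax as the portal rule editor).
$filter = @{
    displayName = 'Windows 10 - Personal devices'
    description = 'Matches personally owned Windows 10 devices'
    platform    = 'windows10AndLater'
    rule        = '(device.deviceOwnership -eq "Personal")'
}

# Avoid duplicates: filters are reusable, so look for an existing one by name first.
# (Only the first page of results is checked here.)
$existing = (Invoke-MgGraphRequest -Method GET -Uri $uri).value |
    Where-Object { $_.displayName -eq $filter.displayName }

if ($existing) {
    Write-Output "Filter already exists: $($existing.id)"
}
else {
    $created = Invoke-MgGraphRequest -Method POST -Uri $uri `
        -Body ($filter | ConvertTo-Json) -ContentType 'application/json'
    Write-Output "Created filter $($created.id) with rule: $($created.rule)"
}
```

Whether the filter includes or excludes the matching devices is not part of the filter itself; you choose that mode each time you attach it to an assignment.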