One of the most common requests I get when deploying Intune is to deploy, for instance, a certificate, a VPN or Wi-Fi profile or a specific app only to corporate-owned devices and not to personal (BYOD) devices. We have dynamic groups in Azure AD that can solve this for us; however, when I looked at the documentation on Microsoft Docs it was not correct. So here we go:
To create a dynamic Azure AD group for corporate-owned devices, here is how we can do it:
- We create a dynamic device group.
- We add a simple rule on the deviceOwnership property that includes all devices marked as Company. If we want one for personal devices we create a second group and change the value to Personal instead.
We can also create a dynamic group for all corporate-owned iPhones. We do this by adding a second condition on the device OS type and joining the two conditions with an and operator.
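The same three groups (Company, Personal and Company iPhones) created from PowerShell instead of the portal, as an added example that is my own script and not part of the original post. It uses the Microsoft Graph PowerShell SDK and then reads back the rule processing state and member count as a check. The group names, the mail nicknames derived from them and the Group.ReadWrite.All scope are my assumptions.

```powershell
# Added example (not from the original post): creates the dynamic device groups
# described above with the Microsoft Graph PowerShell SDK and checks the result.
# Requires: Install-Module Microsoft.Graph.Groups
# Assumption: the Group.ReadWrite.All scope is enough to create groups and list members.

Connect-MgGraph -Scopes "Group.ReadWrite.All"

# Membership rules. Each condition is parenthesised so the "and" is unambiguous.
# Group names are my own choices.
$rules = [ordered]@{
    "Intune-Devices-Corporate"        = '(device.deviceOwnership -eq "Company")'
    "Intune-Devices-Personal"         = '(device.deviceOwnership -eq "Personal")'
    "Intune-Devices-Corporate-iPhone" = '(device.deviceOwnership -eq "Company") and (device.deviceOSType -eq "iPhone")'
}

foreach ($name in $rules.Keys) {
    # Idempotent: do not create a duplicate if the group is already there.
    $existing = Get-MgGroup -Filter "displayName eq '$name'"
    if ($existing) {
        Write-Host "Group '$name' already exists, skipping."
        continue
    }

    New-MgGroup -DisplayName $name `
        -MailNickname ($name -replace '[^A-Za-z0-9]', '') `
        -MailEnabled:$false `
        -SecurityEnabled:$true `
        -GroupTypes @("DynamicMembership") `
        -MembershipRule $rules[$name] `
        -MembershipRuleProcessingState "On" | Out-Null

    Write-Host "Created dynamic device group '$name' with rule: $($rules[$name])"
}

# Check: dynamic membership is evaluated asynchronously. The processing state should
# read "On"; the member count stays 0 until Azure AD has processed the rule, so re-run
# this part after a few minutes before targeting policies at the groups.
foreach ($name in $rules.Keys) {
    $g = Get-MgGroup -Filter "displayName eq '$name'" `
        -Property "id,displayName,membershipRule,membershipRuleProcessingState"
    $members = Get-MgGroupMember -GroupId $g.Id -All
    "{0}: state={1}, members={2}" -f $g.DisplayName, $g.MembershipRuleProcessingState, $members.Count
}
```

One caveat worth checking in your own tenant: the Personal group is not the complement of the Company group. A device whose deviceOwnership value is empty matches neither rule, so compare the sum of both member counts against your total device count to find devices that fall outside both groups.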
Then we can deploy the certificate or VPN profile and target only our company-owned devices.
Dynamic groups are awesome!