One of the most common requests I get when deploying Intune is to deploy something, for instance a certificate, a VPN profile, a Wi-Fi profile, or a specific app, only to corporate-owned devices and not to personal (BYOD) devices. Dynamic groups in Azure AD can solve this for us; however, when I looked at the documentation on Microsoft Docs it was not correct. So here we go:
To create a Dynamic Azure AD group for corporate-owned devices, here is how we can do it:
- We create a Dynamic Device group.
- We add a simple rule, shown below, that uses the deviceOwnership attribute and includes all devices marked as Corporate. If we want one for personal devices, we create a new group and change the value to Personal instead.
We can also create a Dynamic Group for all corporate-owned iOS devices. Instead of using a simple rule, we create an advanced rule as shown below, which combines the ownership condition with an OS condition.
Then we can deploy the certificate, VPN app, or whatever we want to these groups instead of to all devices.
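If you prefer to script the two groups rather than click through the portal, the following is an added example written for this post with the Microsoft Graph PowerShell SDK; it is not code from the original post or from Microsoft. It assumes you have installed the Microsoft.Graph module, that your account can be granted Group.ReadWrite.All and Device.Read.All, and that your tenant reports iOS devices with a deviceOSType of "iOS" (some tenants report "iPhone" or "iPad" instead, which is why the script lists the values first). The group display names and mail nicknames are made up for the example.

```powershell
# Added example (not from the original post): create the dynamic device groups
# described above with Microsoft Graph PowerShell and check what the rules match.
# Assumed: Microsoft.Graph module installed; Group.ReadWrite.All and Device.Read.All consented.
Connect-MgGraph -Scopes "Group.ReadWrite.All", "Device.Read.All"

# 1) Look at what the tenant actually reports before trusting a rule.
#    In dynamic rules the ownership attribute is device.deviceOwnership (Company / Personal / Unknown)
#    and the OS attribute is device.deviceOSType. On the Graph device object these surface as
#    DeviceOwnership and OperatingSystem (assumed mapping; confirm in your tenant).
Get-MgDevice -All -Property DeviceOwnership, OperatingSystem |
    Group-Object DeviceOwnership, OperatingSystem |
    Select-Object Count, Name |
    Sort-Object Count -Descending

# 2) All corporate-owned devices (the "simple rule" from the post).
#    Swap "Company" for "Personal" to get the BYOD counterpart.
$corp = New-MgGroup -DisplayName "All Corporate Owned Devices" `
    -Description "Dynamic: Intune devices with deviceOwnership = Company" `
    -MailEnabled:$false -MailNickname "corpdevices" -SecurityEnabled:$true `
    -GroupTypes "DynamicMembership" `
    -MembershipRule '(device.deviceOwnership -eq "Company")' `
    -MembershipRuleProcessingState "On"

# 3) Corporate-owned iOS devices (the "advanced rule": two conditions joined with -and).
#    "iOS" is an assumption; use whatever value step 1 showed for your iPhones/iPads.
$corpIos = New-MgGroup -DisplayName "All Corporate Owned iOS Devices" `
    -Description "Dynamic: corporate-owned devices whose OS type is iOS" `
    -MailEnabled:$false -MailNickname "corpiosdevices" -SecurityEnabled:$true `
    -GroupTypes "DynamicMembership" `
    -MembershipRule '(device.deviceOwnership -eq "Company") -and (device.deviceOSType -eq "iOS")' `
    -MembershipRuleProcessingState "On"

# 4) Rule evaluation is asynchronous; wait, then review membership before targeting policy.
Start-Sleep -Seconds 120
foreach ($g in @($corp, $corpIos)) {
    $members = Get-MgGroupMember -GroupId $g.Id -All
    "{0}: {1} members" -f $g.DisplayName, $members.Count
}
```

Two things worth keeping in mind when you use these groups as targets. First, membership lags behind enrollment by a few minutes, so a freshly enrolled corporate device will not receive the certificate or VPN profile instantly; check the group's membership processing status before assuming a deployment failed. Second, deviceOwnership is whatever enrollment (corporate device identifiers, Apple Business Manager, Autopilot) or an admin set it to, so treat it as a targeting attribute rather than proof that the device is trustworthy, and pair anything sensitive with a compliance policy and Conditional Access.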
Dynamic groups are awesome!