One of the most common requests I get when deploying Intune is that customers want to deploy, for instance, a certificate, VPN, WiFi profile or a specific app only to corporate-owned devices and not to personal (BYOD) devices. We have dynamic groups in Azure AD that can solve this for us; however, when I looked at the documentation on Microsoft Docs it was not correct. So here we go:
To create a dynamic Azure AD group for corporate-owned devices, here is how we can do it:
- We create a Dynamic Device group
- Add a simple rule (shown below) that uses deviceOwnership and includes all devices marked as Company. If we want one for personal devices, we can create a new group and change the value to Personal instead.
We can also create a dynamic group for all corporate-owned iPhones. We do this by adding a second rule joined with an "and" condition.
Then we can deploy the certificate and VPN app and target only our company-owned devices.
Dynamic groups are awesome!
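The two groups described above, created with the Microsoft Graph PowerShell SDK instead of the portal, as an added example that is not part of the original post. It assumes the Microsoft.Graph.Groups module is installed, the account has Group.ReadWrite.All, and that iOS devices report deviceOSType as "iPhone" (an assumption; the post does not name the property used for the second condition).

```powershell
# Added example (not from the original post): create the two dynamic device groups
# from the post with the Microsoft Graph PowerShell SDK instead of the Azure portal.
# Assumes Install-Module Microsoft.Graph.Groups and an account with Group.ReadWrite.All.
Connect-MgGraph -Scopes "Group.ReadWrite.All"

# Rule 1: all corporate-owned devices. The value is "Company", not "Corporate":
# a rule using "Corporate" fails validation against a real device (see the comments).
$corporateRule = '(device.deviceOwnership -eq "Company")'

# Rule 2: corporate-owned iPhones only. deviceOSType = "iPhone" is an assumption about
# how iOS devices are reported; verify with Get-MgDevice in your tenant first.
$corporateIphoneRule = '(device.deviceOwnership -eq "Company") and (device.deviceOSType -eq "iPhone")'

function New-DynamicDeviceGroup {
    param(
        [Parameter(Mandatory)] [string] $DisplayName,
        [Parameter(Mandatory)] [string] $MembershipRule
    )
    # MailNickname must be unique and must not contain spaces.
    $nickname = ($DisplayName -replace '[^A-Za-z0-9]', '')
    New-MgGroup -DisplayName $DisplayName `
                -MailEnabled:$false `
                -MailNickname $nickname `
                -SecurityEnabled `
                -GroupTypes @("DynamicMembership") `
                -MembershipRule $MembershipRule `
                -MembershipRuleProcessingState "On"
}

$allCorporate    = New-DynamicDeviceGroup -DisplayName "Intune - Corporate Owned Devices" -MembershipRule $corporateRule
$corporateIphone = New-DynamicDeviceGroup -DisplayName "Intune - Corporate Owned iPhones" -MembershipRule $corporateIphoneRule

# Sanity check before assigning a certificate or VPN profile to the group:
# no personal (BYOD) device should be a member. Membership is evaluated
# asynchronously, so give the rule a moment to process before checking.
Start-Sleep -Seconds 60
Get-MgGroupMember -GroupId $allCorporate.Id -All |
    ForEach-Object { Get-MgDevice -DeviceId $_.Id } |
    Where-Object { $_.DeviceOwnership -ne "Company" } |
    ForEach-Object { Write-Warning "Unexpected member: $($_.DisplayName) ($($_.DeviceOwnership))" }
```

The same check is worth repeating after any change to enrollment settings, since a device that enrolls as Personal silently drops out of the group and loses the targeted profiles.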
Did this actually work? I’ve been trying to get this to work for iPhone/iPad and Android and the ownership element doesn’t appear to work. Devices are found if I remove the ownership condition…
Hi,
It was a while since I used it; I will test it out during the week to make sure it still works.
/Jörgen
They may have changed this. It should be deviceCategory Match Corporate.
Hey – I have just noticed when I create this device rule: if I use the “Corporate” device syntax, validation shows this fails. When I check why it fails, it shows that the device I referenced against says (device.deviceOwnership -eq “Company”) and not (device.deviceOwnership -eq “Corporate”).
Should have updated that a long time ago. Thanks for the heads up it is updated now.