Intune: Introducing Filters

Endpoint Manager/Intune Filters is a new feature which is currently (at time of writing) in public preview. This gives you advanced targeting for things like compliance policies, configuration profiles and app assignment by adding filters.

At a basic level, you apply a filter over the top of an included device or user group, with two modes to either include or exclude devices from the assignment. For this kind of thing I currently use dynamic device groups, and set assignments to these groups. Going forward I can change this to using filters, and assigning to larger (perhaps assigned membership) groups. The benefit to doing this is that you no longer have to wait for dynamic group membership to update, which can take a while – especially on larger environments.

Go to Endpoint Manager Admin Centre > Tenant administration > Filters (preview) then click “Try out the filters (preview) feature!”. Turn Filters (preview) On on the next screen that appears, and click Apply.

The Filters screen – you don’t have to access this through Tenant Admin as it’s also available via Devices or Apps.

Creating Filters

Once you’ve turned the feature on, you should be able to click Create to make your first filter. On the first screen you’ll be asked to provide a name, optional description and which platform you are targeting (Windows 10, iOS, Android etc).

In this example I’ve created a filter targeting iOS devices. Use the rule builder to create your rule, or if you already know (or want to type) the syntax you can do so directly. I’m going to create a filter which shows all Corporate owned iPads. This kind of thing is something I normally do with a dynamic device group, so I could just copy the rule syntax from the group’s membership rule.

Creating a filter is a case of using the rule builder which may be familiar if you’ve used dynamic device groups. The filters rule syntax is the same as the group membership rule syntax.

The fields you can choose are listed below – they are all text fields except where noted:

  • deviceName
  • manufacturer
  • model
  • deviceCategory
  • osVersion
  • isRooted (True / False / Unknown)
  • deviceOwnership (Personal / Corporate / Unknown)
  • enrollmentProfileName

When building your filter rules, if you have a device in mind that you want to include you could look at its device details page, where you’ll find the deviceName, manufacturer, model and deviceOwnership data.

Checking the details of a device can help when building a rule – especially if you’re targeting a specific model and are unsure as to how it is worded/formatted.

For each field you can pick from the following operators (except for isRooted and deviceOwnership, where you’re limited to “Equals” and “NotEquals”)

  • Equals
  • NotEquals
  • StartsWith
  • Contains
  • NotContains
  • In
  • NotIn

Build up your rule set by clicking Add Expression after you’ve put each row in, and you should see the rule syntax field populated. Once you’re happy you can click Next.

Once you’ve created the rule, there’s not much you can do with it from the Filters section yet (besides look at it and delete it) – it might be nice in the future if we could preview the results here, but remember this is still in preview and not General Availability yet.

Applying/Using your Filters

These filters can be used when applying policies, profiles and apps – the full list of supported workloads is available on the Microsoft Docs – and are set through the usual Assignments screen. You should notice that a couple of new columns have appeared after the Groups column for Filter and Filter Mode.

Applying a filter to an assignment. In this example, despite All Devices being included in the assignment, the filter will remove everything which is not a corporate iPad.

You can apply a filter to any “Included Groups” assignment – so All Devices, All Users, and groups, and it works in two modes – Include or Exclude. When the filters are evaluated this works pretty much as you’d expect:

  • If the filter mode is Include, and the result is a match, the item is applied
  • If the filter mode is Include, and the result is no match, the item is not applied
  • If the filter mode is Exclude, and the result is a match, the item is not applied
  • If the filter mode is Exclude, and the result is no match, the item is applied

 

Further Reading:

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.