Intune: Introducing Filters
Endpoint Manager/Intune Filters is a new feature which gives you advanced targeting for things like compliance policies, configuration profiles and app assignment by adding filters.
At a basic level, you apply a filter over the top of an included device or user group, with two modes to either include or exclude devices from the assignment. For this kind of thing I currently use dynamic device groups, and set assignments to these groups. Going forward I can change this to using filters, and assigning to larger (perhaps assigned membership) groups. The benefit to doing this is that you no longer have to wait for dynamic group membership to update, which can take a while - especially on larger environments.
Go to Endpoint Manager Admin Centre > Tenant administration > Filters and to click Create to make your first filter. On the first screen you'll be asked to provide a name, optional description and which platform you are targeting (Windows 10, iOS, Android etc).
In this example I've created a filter targeting iOS devices. Use the rule builder to create your rule, or if you already know (or want to type) the syntax you can do so directly. I'm going to create a filter which shows all Corporate owned iPads. This kind of thing is something I normally do with a dynamic device group, so I could just copy the rule syntax from the group's membership rule.
The fields you can choose are listed below - they are all text fields except where noted:
- isRooted (True / False / Unknown)
- deviceOwnership (Personal / Corporate / Unknown)
When building your filter rules, if you have a device in mind that you want to include you could look at its device details page, where you'll find the deviceName, manufacturer, model and deviceOwnership data.
For each field you can pick from the following operators (except for isRooted and deviceOwnership, where you're limited to "Equals" and "NotEquals")
Build up your rule set by clicking Add Expression after you've put each row in, and you should see the rule syntax field populated. Once you're happy you can click Next.
New functionality is always being rolled out to filters so keep an eye out for additional fields you can use, and new places you can use them across Intune.
These filters can be used when applying policies, profiles and apps - the full list of supported workloads is available on the Microsoft Docs - and are set through the usual Assignments screen. You should notice that a couple of new columns have appeared after the Groups column for Filter and Filter Mode.
You can apply a filter to any "Included Groups" assignment - so All Devices, All Users, and groups, and it works in two modes - Include or Exclude. When the filters are evaluated this works pretty much as you'd expect:
- If the filter mode is Include, and the result is a match, the item is applied
- If the filter mode is Include, and the result is no match, the item is not applied
- If the filter mode is Exclude, and the result is a match, the item is not applied
- If the filter mode is Exclude, and the result is no match, the item is applied