Intune and device filters
Intune Filters is an innovative feature that allow you to do advanced targeting options for tasks such as compliance policies, configuration profiles, and app assignments, all through the use of filters. It has been around for a while but lets se how I use it.
At its core, Intune Filters enable you to layer a filter on top of a designated device or user group, offering two distinct modes: inclusion or exclusion of devices from the assignment. I’ve been using dynamic device groups for similar purposes and configuring assignments based on these groups. This can be quite complex in large envuironmetns with different needs.
As an example, I want a configuration to hit all users but not if the logon to a Citrix VDI
However, moving forward, I can streamline this process by leveraging filters and applying them to larger, potentially pre-defined, group memberships. The primary advantage of this transition is the elimination of the waiting period for dynamic group membership updates, which can be time-consuming, especially in larger environments.
Filters are available for:
- Devices enrolled in Intune, which are managed devices.
- Apps that are managed by Intune, which are managed apps.
Creating Filters
To set up filters in Intune follow these steps:
- Go to “Device” -> “Filters”
- Click on the “Create” and the “Managed Devices” to begin.
- On the initial screen, provide a name for your filter, an optional description, and specify the platform you intend to target (e.g., Windows 10, iOS, Android, etc.).
Building a filter entails using the rule builder, which will likely feel familiar if you’ve worked with dynamic device groups. Notably, the filter’s rule syntax aligns with that of the group membership rule. The available fields are as follows, all of which are text fields unless otherwise indicated:
- deviceName
- manufacturer
- model
- deviceCategory
- osVersion
- isRooted (True / False / Unknown)
- deviceOwnership (Personal / Corporate / Unknown)
- enrollmentProfileName
- deviceTrustType
- operatingSystemSKU
More info on the properties can be found here.
When constructing your filter rules, you can reference the device details page for a specific device you wish to include. This page provides essential information such as deviceName, manufacturer, model, and deviceOwnership.
Checking a device’s details can be particularly useful when formulating rules, especially when targeting a specific model and uncertain about its wording or format.
For each field, you can choose from a range of operators (except for isRooted and deviceOwnership, which offer “Equals” and “NotEquals” exclusively):
- Equals
- NotEquals
- StartsWith
- Contains
- NotContains
- In
- NotIn
As you build your rule set, click “Add Expression” after each row, and the rule syntax field will populate accordingly. Once you are satisfied with your rule, proceed to the next step.
Intune continually introduces new features to filters, so keep an eye out for additional fields and opportunities to utilize them across the Intune platform.
Applying/Using Your Filters These filters can be employed when applying policies, profiles, and apps. They are integrated into the Assignments screen, and you will notice the addition of two new columns following the Groups column: Filter and Filter Mode.
You can apply a filter to any “Included Groups” assignment, including options like All Devices, All Users, and specific groups. Filters operate in two modes: Include or Exclude. During evaluation, filters behave as follows:
- If the filter mode is Include and there is a match, the item is applied.
- If the filter mode is Include and there is no match, the item is not applied.
- If the filter mode is Exclude and there is a match, the item is not applied.
- If the filter mode is Exclude and there is no match, the item is applied.
Below is an example how a filter can be created to target Windows 365 PCs:
This is an example how I us it in the assignment of a configuration policy: