This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
I cannot seem to wrap my head around the device type filtering for App protection policies.
The goal is to create two App protection policies - one for Intune enrolled devices and one for personal devices that are not enrolled.
I created two Managed app filters for iOS devices:
iOS - Managed Device Apps
(app.deviceManagementType -eq "Managed") and (app.deviceModel -contains "iPhone") or (app.deviceModel -contains "iPad")
iOS - Unmanaged Device Apps
(app.deviceManagementType -eq "Unmanaged") and (app.deviceModel -contains "iPhone") or (app.deviceModel -contains "iPad")
I created an App configuration policy for iOS Managed apps for iOS devices to enable the IntuneMAMUPN {{UserPrincipalName}} in the General configuration settings.
I created two iOS app protection policies:
IOS Managed Devices policy
iOS Unmanaged Devices policy
I used the filters above, but I don't think the filters do much. In the App monitoring - nothing ever shows Managed.
Maybe I am just completing confusing how this works.
Should the app protection policies apply to just unmanaged devices? DO I use app configuration policies for each MS app individually selecting Managed devices. I feel like I am close to understanding, but 100% there. When I do the validate for the filters, my iPhone that is enrolled, does not show up. My unmanaged iPad does for both filters.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(233.6, 30%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECM%3C/text%3E%3C/svg%3E)
@Matt Dillon, Thanks for posting in Q&A. For your scenario, we have created two app protection policies and each needs to add related filter as below to apply to different device type.
IOS Managed Devices policy Filter: iOS - Managed Device Apps
iOS Unmanaged Devices policy Filter: iOS - Unmanaged Device Apps
For the filters you create, I think it has some issue. We can create "Managed apps", choose Platform as iOS/iPadOS, then only set (app.deviceManagementType -eq "Managed") and (app.deviceManagementType -eq "Unmanaged") in the rules.
Meanwhile, based as I know, an app protection policy is required with IntuneMAMUPN for managed devices. This applies for any setting that requires enrolled devices as well. Therefore, we need to create an app configuration policy for Managed devices and assign to the same user group as the app protection policy.
https://learn.microsoft.com/en-us/mem/intune/apps/app-protection-policy-settings-ios
Hope the above information can help.
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Here is the filter I created for Unmanaged Device apps. I guess my question and confusion comes from the results of this filter. I have both my iPad and iPhone show up for each.
@Matt Dillon, Thanks for your reply. Based on my understanding, the filter will filter the device which is iPad or unmanaged iPhone. So I think it is not correct. I think you need to remove the devicemodel rule and only keep devicemanagementtype.
Yeah I came to the same conclusion. I found a bit more on the learn.microsoft.com sites.
Example: deviceManagementType (Device Management Type): On Intune enrolled devices, create a filter rule based on the Intune device management type. Devices must be Intune enrolled to use this app property. Select from the following values using the -eq and -ne operators:
so if I start from the beginning and am tasked with creating app protection policies for managed devices and unmanaged devices, I am still at a loss at how to filter these out. I am going to delete all the policies I have and create them one at a time to see if I cannot figure out the best way to achieve proper filtering of app protection policies. From what i am gathering - the app protection policies will only apply to the unmanaged devices at this time. App configuration policies are needed for the managed devices. I get app protection policies to apply to my enrolled device, but not really sure how. My unmanaged devices are definetely getting the policies. If I can figure out everything else I will be happy.
Here is what I am not fully understanding:
I have the following iOS apps deployed as Required:
They are all installed on my iPhone and if they were already installed - get taken over.
I have App configurations policies (with nothing more than the Configuration keys for IntuneMAMUPN and IntuneMAMOID set to {{UserPrincipalName}} and {{userid}}) for the required apps listed above.
When I create the Managed app filter using the following syntax (app.deviceManagementType -eq "Managed"), I get the following results:
If I was understanding this correctly, I would expect to see not only Outlook, Word, and OneDrive, but Power BI and Teams as well. Like if I saw those in the results, I would have better grasp on this.
The unmanaged apps filter shows even crazier results.
I would think that the managed app filter would result with all apps that have an app configuration policy assigned individually and the unmanaged filter would be the rest of the microsoft apps.
At the end of the day, I just want to be able to have a longer PIN when using apps on devices that are not managed. What I get now is no PIN on my managed apps and the longer pin on everything other app.
@Matt Dillon, Thanks for the reply. From your description, it seems the Preview devices not showing Teams and Power BI. To check on the issue, I suggest go to one affected device side to login the two apps with work account and check diagnostic logs on the affected device to see if the policy is applied to the two apps:
For the PIN set, could you let us know how did we configure in app protection policy? Please get screen shots of the configuration. Also collect the about:intune help log on one affected device to check what PIN setting we get on the managed app?
@Matt Dillon, Hope things are going well. If there's any finding, feel free to let us know.
I finally figured these out. Here is a summary:
- use filter deviceManagementType = Android Enterprise
- use filter deviceManagementType = Unmanaged
- use filter deviceManagementType = Managed
- use filter deviceManagementType = Unmanaged
The managed device filters should only result with Required Apps pushed out to Enrolled devices, and the unmanaged apps will be everything else. So if you have an enrolled device and you require Word, Word will be a managed app. If on the same device , you install Excel, it will be considered an unmanaged app.
For iOS Managed devices only, create separate App Config policies for each app. i.e. - if you are requiring Word, Outlook, Teams, and One Drive, then make an app confi polciy for each app. https://learn.microsoft.com/en-us/mem/intune/apps/data-transfer-between-apps-manage-ios#configure-user-upn-setting-for-microsoft-intune-or-third-party-emm
For each ap config, simply add IntuneMAMUPN, String, {{UserPrincipalName}} and IntuneMAMOID, String, and {{userid}} in the configuration. Assign to All users.
if you are testing this out and have access to an Android and iOS device, try the Android first as it will be easier to understand. iOS seems to hold on to old settings longer. I found that they eventually work, but its better to wipe all msft apps off your iOS device first, reboot, and then install Word only. Authenticator should be forced to install. Once you validate the unmanaged device app policies, sign in to Company Portal to enroll in Intune. Uninstall Word and let it reinstall from Company Portal and you will have a better time.
Hope this helps.
@Matt Dillon, Thanks for the update. I am glad that we figure out the issue. Congratulations! And thanks for your sharing the detailed information. I appreciate it. It can help others who have the same issue.
Again thanks for your time and have a nice day!