Eduards-6654 asked Crystal-MSFT commented

Corporate-owned dedicated devices scope tag enrollment

Hello

I configured RBAC in Intune.

We have been managing kiosk devices and work-profile devices.

KIOSK administrators have the scope tag "kiosk device", and they can only operate on kiosk devices and can't see work-profile devices.

Problem.

When I enroll a new kiosk device, it is automatically assigned the default scope tag, not the "kiosk device" tag. In the Corporate-owned dedicated devices properties, under scope tags, I selected only "kiosk device".

So I enroll a kiosk device and it has the default scope tag, and the kiosk administrator doesn't see the device until I go to the Intune portal (as Intune administrator) and manually add the "kiosk device" tag to the device.

Could I automate this process?

mem-intune-general mem-intune-enrollment

Crystal-MSFT answered

@Eduards-6654, Thanks for posting in our Q&A. From your description, I know we want to assign "kiosk device" tag to the Android devices which are enrolled with "Corporate-owned dedicated devices profile" after enrollment. If there's any misunderstanding, feel free to let us know.

I notice we assigned the "Corporate-owned dedicated devices profile" with this tag. Based on my understanding, this is only for the profile. Not for the devices enrolled with this profile. To assign the tag to all the devices enrolled with this profile, we can follow the steps as below which I tested in my lab:
1. Create a Dynamic group that includes all the devices that are enrolled with the "Corporate-owned dedicated devices profile". For example, in my lab, the profile is "test_Corp" and I set the Dynamic membership rule as "(device.enrollmentProfileName -eq "test_Corp")"
https://docs.microsoft.com/en-us/mem/intune/enrollment/android-kiosk-enroll#create-a-device-group
2. Assign the above device group with the scope tag "kiosk device".
3. Then try to do the enrollment. After it is enrolled, we can see the tag has been assigned to this device.

Hope it can help.



Eduards-6654 answered Crystal-MSFT commented

Hello, thank you for your answers.

But at this moment I already have a device group which is called "KIOSK device", and all configuration profiles and applications are deployed to this group.

I don't want to create a new group and then move all existing devices to that group, since it could ruin all the configuration.

Is there a possibility to add the existing group? But the problem is that it's not a dynamic group.

I can change the existing group to "Dynamic device".

Will it not ruin all the configuration?




@Eduards-6654, Yes, we can add the existing group to the assignment of the scope tag. When the device is added into this existing group, try to sync policy, wait some time, and you will see the tag changed to the one you assigned.


Hello, @Crystal-MSFT .

For example, I have 100+ devices in my group. If I change its type from Assigned to "Dynamic device" and add a condition which will join devices to this group by Android enrollment profile, will the existing 100+ devices which were added manually remain? They will not disappear?


@Eduards-6654, For your question, I would like to say that the manually added existing devices will be removed from the group, and then the membership rule is processed to add new members. This will cause some time loss. Please be aware of this. We can see more information in the following article:
https://docs.microsoft.com/en-us/azure/active-directory/enterprise-users/groups-change-type#:~:text=Select%20Groups.,on%20your%20desired%20membership%20type.

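A pre-check for the group-type change discussed in the last comments, as an added example that is not part of the original thread: it evaluates a single-clause device membership rule against an inventory of the current group members and lists the devices the rule would not re-add, which would then fall out of the group that carries the "kiosk device" scope tag. The sample devices, the helper names, and the evaluation choices (case-insensitive comparison, an unset property never matches) are assumptions of this sketch.

```python
import re

# Subset of the dynamic membership rule syntax: one clause of the form
# (device.<property> -<operator> "<value>"). Multi-clause rules are out of scope.
RULE_RE = re.compile(r'^\(?\s*device\.(\w+)\s+-(\w+)\s+"([^"]*)"\s*\)?$')

OPERATORS = {
    "eq": lambda actual, wanted: actual == wanted,
    "ne": lambda actual, wanted: actual != wanted,
    "startswith": lambda actual, wanted: actual.startswith(wanted),
    "contains": lambda actual, wanted: wanted in actual,
}


def parse_rule(rule):
    """Return (property, operator, value) for a single-clause device rule."""
    match = RULE_RE.match(rule.strip())
    if not match:
        raise ValueError(f"unsupported rule: {rule!r}")
    prop, op, value = match.groups()
    if op.lower() not in OPERATORS:
        raise ValueError(f"unsupported operator: -{op}")
    return prop, op.lower(), value


def matches(device, rule):
    """Evaluate the rule against one device record (a dict)."""
    prop, op, wanted = parse_rule(rule)
    actual = device.get(prop)
    if actual is None:  # property not set: treated here as never matching
        return False
    # Comparison is done case-insensitively (assumption of this sketch).
    return OPERATORS[op](str(actual).lower(), wanted.lower())


def members_lost_on_conversion(current_members, rule):
    """Names of current members the rule would not re-add after conversion."""
    return sorted(d["displayName"] for d in current_members if not matches(d, rule))


# Constructed sample inventory of the existing assigned group.
CURRENT_MEMBERS = [
    {"displayName": "KIOSK-001", "enrollmentProfileName": "test_Corp"},
    {"displayName": "KIOSK-002", "enrollmentProfileName": "Test_corp"},
    {"displayName": "KIOSK-003", "enrollmentProfileName": "old_profile"},
    {"displayName": "KIOSK-004", "enrollmentProfileName": None},
]
RULE = '(device.enrollmentProfileName -eq "test_Corp")'
```

Calling `members_lost_on_conversion(CURRENT_MEMBERS, RULE)` on an export of the real group before changing its type shows which devices need a different rule or a separate assigned group to stay visible to the kiosk administrators.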