Use filters (preview) when assigning your apps, policies, and profiles in Microsoft Endpoint Manager

When you create a policy, you can use filters to assign a policy based on rules you create. A filter allows you to narrow the assignment scope of a policy. For example, use filters to target devices with a specific OS version or a specific manufacturer, target only personal devices or only organization-owned devices, and more.

For example, you can use filters in the following scenarios:

  • Deploy a Windows 10 device restriction policy to only the corporate devices in the Marketing department, while excluding personal devices.
  • Deploy an iOS/iPadOS app to only the iPad devices in the Finance users group.
  • Deploy an Android mobile phone compliance policy to all users in the company, and exclude Android meeting room devices that don't support the mobile phone compliance policy settings.

Filters include the following features and benefits:

  • Improve flexibility and granularity when assigning Intune policies and apps.
  • Are used when assigning apps, policies, and profiles. They dynamically target devices based on device properties you enter.
  • Can include or exclude devices in a specific group based on criteria you enter.
  • Create a query of device properties based on the device platform, including Android, iOS/iPadOS, macOS, and Windows 10.
  • Can be used and reused in multiple scenarios in “Include” or “Exclude” mode.

This feature applies to:

  • Android device administrator
  • Android Enterprise
  • iOS/iPadOS
  • macOS
  • Windows 10 and newer

This article describes the filter architecture, and shows you how to create, update, and delete a filter.

How filters work

Before a policy is applied to a device, filters dynamically evaluate applicability. Here's an overview:

  1. You create a reusable filter for any platform based on some device properties. In the example, the filter is for personal devices.

  2. You assign a policy or app to the group. In the assignment, you add the filter in either include or exclude mode. For example, you "include" personal devices, or you "exclude" personal devices from the policy.

  3. The filter is evaluated when the device enrolls, checks in with the Intune service, or at any other time a policy evaluates.

  4. You see the filter results based on the evaluation. For example, the app or policy applies, or it doesn't apply.

Prerequisites

Enable filters, and add a filter

Enable filters public preview

To use filters, you must enable them in your organization's tenant.

  1. Sign in to the Endpoint Manager admin center.

  2. Select Tenant administration > Filters (preview) > Try out the filters (preview) feature.

  3. Set Filters (preview) to On:

Tip

  • Public preview features for Microsoft Endpoint Manager are fully supported by Microsoft. For more information, see Public preview in Microsoft Intune.
  • To enable or disable filters for your tenant, your account must have the Intune Service Administrator (also known as Intune Administrator) permission.
  • You can disable the Filters (preview) feature by setting it back to Off. To turn off this feature, you must remove any filter assignments, and then delete all the filters you created.
  • Microsoft wants your feedback about this feature. To provide feedback, go to Tell us what you think about the Filters (preview) feature.

Create a filter

  1. Sign in to the Endpoint Manager admin center.

  2. Select Tenant administration > Filters (preview) > Create.

    You can also create filters in Devices > Filters (preview), or Apps > Filters (preview).

  3. In Basics, enter the following properties:

    • Filter name: Enter a descriptive name for the filter. Name your filters so you can easily identify them later. For example, a good filter name is Windows OS version filter.
    • Description: Enter a description for the filter. This setting is optional, but recommended.
    • Platform: Select your platform. Your options:
      • Android device administrator
      • Android Enterprise
      • iOS/iPadOS
      • macOS
      • Windows 10
  4. Select Next.

  5. In Rules, there are two ways to create a rule: Use the rule builder, or use the rule syntax.

    Rule builder:

    • And/Or: After you add an expression, you can extend it using the And or Or options.

    • Property: Select a property for your rule, such as device or operating system SKU.

    • Operator: Select the operator from the list, such as equals or contains.

    • Value: Enter the value in your expression. For example, enter 10.0.18362 for the OS version, or Microsoft for the manufacturer.

    • Add expression: After you add the property, operator, and value, select Add expression:

      The expression you created is automatically added to the rule syntax editor.

    Rule syntax:

    You can also manually enter your rule expression, and write your own rules in the rule syntax editor. In Rule syntax, select Edit:

    The expression builder opens. Manually enter expressions, such as (device.osVersion -eq "10.0.18362") and (device.manufacturer -eq "Microsoft"):

    For more information on writing your own expressions, see Device properties, operators, and rule editing when creating filters.

    Select OK to save your expression.

    Tip

    • When you create a rule, it's validated for the correct syntax, and any errors are shown.
    • If you enter syntax that's not supported by the basic rule builder, then the rule builder is disabled. For example, using nested parentheses disables the basic rule builder.
  6. Select Next.

  7. In Scope tags (optional), assign a tag to filter the profile to specific IT groups, such as US-NC IT Team or JohnGlenn_ITDepartment. For more information about scope tags, see Use RBAC and scope tags for distributed IT.

    Select Next.

  8. In Review + create, review your settings. When you select Create, your changes are saved. The filter is created, and ready to be used. The filter is also shown in the filters list.

Use a filter

After the filter is created, it's ready to use when assigning your apps or policies.

  1. Sign in to the Endpoint Manager admin center.

  2. Go to your apps, compliance policies, or configuration profiles. For a list of what's supported, see Supported workloads when creating filters. Select an existing policy, or create a new policy.

    For example, select Devices > Compliance policies, and select an existing policy. Select Properties > Assignments > Edit:

  3. Assign your policy to a users group or a devices group.

  4. Select Edit filter. Your options:

    • Do not apply a filter: All targeted users or devices receive the app or policy without filtering.

    • Include filtered devices in assignment: Devices that match the filter conditions receive the app or policy. Devices that don't match the filter conditions don't receive the app or policy.

      A list of filters that match the policy platform is shown.

    • Exclude filtered devices in assignment: Devices that match the filter conditions don't receive the app or policy. Devices that don't match the filter conditions receive the app or policy.

      A list of filters that match the policy platform is shown.

  5. Select your filter > Select.

    For example, select Include filtered devices in assignment, and select the filter:

  6. To save your changes, select Review + save > Save.

When the device checks in with the Intune service, the properties defined in the filter are evaluated, and determine if the app or policy should be applied.
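To preview which devices in an assigned group an include or exclude filter will reach before you save the assignment, the following added sketch models this page's rule syntax and filter modes locally. It is not Microsoft's code or the Intune service's evaluator; the device inventory, the function names, the case-insensitive comparison, and the and-before-or precedence are assumptions of the example.

```python
import re

# Subset of the page's rule syntax: ( ), and/or, device.<property>, "value", -eq, -contains.
TOKEN = re.compile(r'\s*(\(|\)|and\b|or\b|device\.\w+|-eq\b|-contains\b|"[^"]*")', re.I)
OPS = {"-eq": lambda a, w: a == w, "-contains": lambda a, w: w in a}
# Constructed sample inventory for one assigned group (not real devices).
DEVICES = [dict(deviceName="MKT-LT-01", osVersion="10.0.18362", manufacturer="Microsoft"),
           dict(deviceName="MKT-LT-02", osVersion="10.0.19042", manufacturer="Microsoft"),
           dict(deviceName="FIN-LT-07", osVersion="10.0.18362", manufacturer="Contoso")]

def tokenize(rule):
    if TOKEN.sub("", rule).strip():
        raise ValueError(f"unsupported syntax in rule: {rule!r}")
    return TOKEN.findall(rule)

def matches(rule, device):
    """True if the device (dict of property -> string) satisfies the rule."""
    toks = tokenize(rule)
    def peek():
        return toks[0].lower() if toks else None
    def take():
        return toks.pop(0) if toks else ""
    def term():
        if peek() == "(":
            take(); v = expr()
            if take() != ")":
                raise ValueError("missing ')'")
            return v
        prop, op, val = take(), take().lower(), take()
        if not (prop.lower().startswith("device.") and op in OPS and val[:1] == '"'):
            raise ValueError('expected: device.<property> <operator> "value"')
        # Sketch assumption: values are strings, compared case-insensitively.
        return OPS[op](str(device.get(prop[7:], "")).lower(), val[1:-1].lower())
    def chain(word, sub):  # left-associative run of sub() results joined by word
        v = sub()
        while peek() == word:
            take(); r = sub(); v = (v and r) if word == "and" else (v or r)
        return v
    def expr():  # sketch assumption: 'and' binds tighter than 'or'
        return chain("or", lambda: chain("and", term))
    result = expr()
    if toks:
        raise ValueError("unexpected text after the expression")
    return result

def assigned(devices, rule, mode):
    """Device names that receive the policy; mode is 'none', 'include' or 'exclude'."""
    return [d["deviceName"] for d in devices
            if mode == "none" or matches(rule, d) == (mode == "include")]
```

Running `assigned` with the same rule in both modes shows that include and exclude partition the group, which makes an accidentally inverted mode easy to spot.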

Change an existing filter

After a filter is created, it can be changed or updated.

  1. Sign in to the Endpoint Manager admin center.

  2. Select Tenant administration > Filters (preview). A list of all the filters is shown.

    You can also update filters in Devices > Filters (preview), or Apps > Filters (preview).

  3. Select the filter you want to change. Select Rules > Edit, and make your changes:

  4. To save your changes, select Review + save > Save.

Delete a filter

  1. Sign in to the Endpoint Manager admin center.

  2. Select Tenant administration > Filters (preview). A list of all the filters is shown.

    You can also delete filters in Devices > Filters (preview), or Apps > Filters (preview).

  3. Next to the filter, select the ellipsis (...), and select Delete:

To delete a filter, you must remove the filter from any policy assignments. Otherwise, when trying to delete the filter, you'll get the following error:

Unable to delete assignment filter – An assignment filter is associated with existing assignments. Delete all the assignments for the filter and try again.
