List of platforms, policies, and app types supported by filters in Microsoft Intune
When you create an app, compliance policy, device configuration profile, or app configuration policy, you assign the policy to groups (users or devices). When you assign the policy, you can also use filters. For example, you can assign policies to Windows client devices running a specific OS version.
You can use filters on managed devices (devices enrolled in Intune) and managed apps (apps managed by Intune).
Filters support some of the different workloads available in Microsoft Intune. This article lists the app types, compliance policies, device configuration profiles, and app configuration policies that support filters. It also lists the workloads that aren't supported.
This article assumes you're familiar with filters. If not, learn more at Use filters when assigning your apps, policies, and profiles.
Before you begin
- ✅: Supports filters.
- ❌: Doesn't support filters.
- N/A: Doesn't apply to the platform.
Supported app types for managed devices
You can use filters for some common app policies on the following platforms. For a list of what's not supported on managed devices, go to not supported (in this article).
Android Enterprise
| App type | Supported |
|---|---|
| Store app | N/A |
| Microsoft 365 apps | N/A |
| Microsoft Edge version 77 and newer | N/A |
| Microsoft Defender for Endpoint | N/A |
| Web link | N/A |
| Line-of-business apps | N/A |
| Android Enterprise system app | ✅ |
| Managed Google Play store app | ✅ |
| Managed Google Play web link | ✅ |
| Managed Android line-of-business app | ✅ |
Note
Filters aren't supported on Android Enterprise personally-owned devices with work profile (BYOD) when used in "Available" app assignments. If users are targeted with an "Available" app intent, then the app continues to show as available to install from the Google managed play store. Any include or exclude filtering is ignored.
Android device administrator
| App type | Supported |
|---|---|
| Store app | ✅ |
| Microsoft 365 apps | N/A |
| Microsoft Edge version 77 and newer | N/A |
| Microsoft Defender for Endpoint | N/A |
| Web link | ❌ |
| Line-of-business apps | ✅ |
Important
Microsoft Intune is ending support for Android device administrator management on devices with access to Google Mobile Services (GMS) on December 31, 2024. After that date, device enrollment, technical support, bug fixes, and security fixes will be unavailable. If you currently use device administrator management, we recommend switching to another Android management option in Intune before support ends. For more information, see Ending support for Android device administrator on GMS devices.
iOS/iPadOS
| App type | Supported |
|---|---|
| Store app | ✅ |
| Microsoft 365 apps | N/A |
| Microsoft Edge version 77 and newer | N/A |
| Microsoft Defender for Endpoint | N/A |
| Web link | ❌ |
| iOS/iPadOS web clip | ✅ |
| Line-of-business apps | ✅ |
| iOS/iPadOS volume purchase program (VPP) app | ✅ |
macOS
| App type | Supported |
|---|---|
| Store app | N/A |
| Microsoft 365 apps | ✅ |
| Microsoft Edge version 77 and newer | ✅ |
| Microsoft Defender for Endpoint | ✅ |
| Web link | ❌ |
| Line-of-business apps | ✅ |
Windows 10/11
| App type | Supported |
|---|---|
| Store app | ✅ |
| Microsoft 365 apps | ✅ |
| Microsoft Edge version 77 and newer | ✅ |
| Microsoft Defender for Endpoint | N/A |
| Web link | ❌ |
| Windows web link | ✅ |
| Line-of-business apps | ✅ |
| Windows app (Win32) | ✅ |
| Microsoft Store for Business | ✅ |
App configuration policies
For managed apps, you can use filters for app configuration policies on the following platforms:
- Android
- iOS/iPadOS
- Windows
For managed devices, you can use filters for app configuration policies on the following platforms:
- Android Enterprise
- iOS/iPadOS
App protection policies
For managed apps, you can use filters for app protection policies on the following platforms:
- Android
- iOS/iPadOS
- Windows
For managed devices, filters aren't supported for app protection policies. For other features not supported on managed devices, go to not supported (in this article).
Compliance policies
For managed apps, filters aren't supported for compliance policies.
For managed devices, you can use filters for all compliance policies on the following platforms:
- Android device administrator
- Android Enterprise
- Android (AOSP)
- iOS/iPadOS
- macOS
- Windows 10 and later
Device configuration profiles and Endpoint security
For managed apps, filters aren't supported for device configuration profiles and endpoint security policies.
On managed devices, you can use filters for some common device configuration policies on the platforms listed in the following tables. For a list of what's not supported, go to not supported (in this article).
Note
Some profile types are only available for specific platforms. For example, the Device features profile type includes settings that are only available for iOS/iPadOS and macOS devices.
For a list of all device configuration profiles, and the platforms they apply to, go to Apply features and settings on your devices.
Android device administrator
| Profile type | Supported |
|---|---|
| Device configuration profile | |
| Custom | ✅ |
| Derived credential | N/A |
| Device restrictions | ✅ |
| Device restrictions (Windows 10 Team) | N/A |
| Device features | N/A |
| N/A | |
| Email (Samsung KNOX only) | ✅ |
| Endpoint Protection | N/A |
| Enrollment device platform restrictions | ❌ |
| MX profile (Zebra only) | ✅ |
| PKCS certificate | ✅ |
| PKCS imported certificate | ✅ |
| SCEP certificate | ✅ |
| Settings catalog | N/A |
| Trusted certificate | ✅ |
| VPN | ✅ |
| Wi-Fi | ✅ |
| Endpoint Security profile | |
| Account protection | N/A |
| Antivirus | N/A |
| Attack surface reduction | N/A |
| Disk encryption | N/A |
| Endpoint detection and response | N/A |
| Firewall | N/A |
| Security baselines | N/A |
Android Enterprise
| Profile type | Supported |
|---|---|
| Device configuration profile | |
| Custom | ✅ |
| Derived credential | ✅ |
| Device restrictions | ✅ |
| Device Restrictions (Windows 10 Team) | N/A |
| Device Features | N/A |
| ✅ | |
| Endpoint Protection | N/A |
| Enrollment device platform restrictions | ❌ |
| OEMConfig | ✅ |
| PKCS certificate | ✅ |
| PKCS imported certificate | ✅ |
| SCEP certificate | ✅ |
| Settings catalog | N/A |
| Trusted certificate | ✅ |
| VPN | ✅ |
| Wi-Fi | ✅ |
| Endpoint Security profile | |
| Account protection | N/A |
| Antivirus | N/A |
| Attack surface reduction | N/A |
| Disk encryption | N/A |
| Endpoint detection and response | N/A |
| Firewall | N/A |
| Security baselines | N/A |
Android (AOSP)
| Profile type | Supported |
|---|---|
| Device configuration profile | |
| Device restrictions | ✅ |
| PKCS certificate | ✅ |
| SCEP certificate | ✅ |
| Trusted certificate | ✅ |
iOS/iPadOS
| Profile type | Supported |
|---|---|
| Device configuration profile | |
| Custom | ✅ |
| Derived credential | ✅ |
| Device restrictions | ✅ |
| Device Restrictions (Windows 10 Team) | N/A |
| Device Features | ✅ |
| ✅ | |
| Endpoint Protection | N/A |
| Enrollment device platform restrictions | ✅ |
| PKCS certificate | ✅ |
| PKCS imported certificate | ✅ |
| SCEP certificate | ✅ |
| Settings catalog | N/A |
| Trusted certificate | ✅ |
| VPN | ✅ |
| Wi-Fi | ✅ |
| Endpoint Security profile | |
| Account protection | N/A |
| Antivirus | N/A |
| Attack surface reduction | N/A |
| Disk encryption | N/A |
| Endpoint detection and response | N/A |
| Firewall | N/A |
| Security baselines | N/A |
macOS
| Profile type | Supported |
|---|---|
| Device configuration profile | |
| Custom | ✅ |
| Derived credential | N/A |
| Device restrictions | ✅ |
| Device restrictions (Windows 10 Team) | N/A |
| Device features | ✅ |
| N/A | |
| Endpoint Protection | ✅ |
| Enrollment device platform restrictions | ✅ |
| Extensions | ✅ |
| PKCS certificate | ✅ |
| PKCS imported certificate | ✅ |
| Preference file | ✅ |
| SCEP certificate | ✅ |
| Settings catalog | ✅ |
| Trusted certificate | ✅ |
| VPN | ✅ |
| Wi-Fi | ✅ |
| Wired network | ✅ |
| Endpoint Security profile | |
| Account protection | N/A |
| Antivirus | ❌ |
| Attack surface reduction | N/A |
| Disk encryption | ❌ |
| Endpoint detection and response | N/A |
| Firewall | ❌ |
| Security baselines | N/A |
Windows 10/11
| Profile type | Supported |
|---|---|
| Update rings for Windows 10/11 | ✅ |
| Device configuration profile | |
| Administrative Templates | ✅ |
| Custom | ✅ |
| Derived credential | N/A |
| Delivery optimization | ✅ |
| Device restrictions | ✅ |
| Device Restrictions (Windows 10 Team) | ✅ |
| Device Features | N/A |
| Device Firmware Configuration Interface (DFCI) on Windows 11 and Windows 10 RS5 (1809)+ on supported UEFI | ✅ |
| Domain Join | ✅ |
| Edition upgrade and S mode switch | ✅ |
| ✅ | |
| Endpoint analytics Remediations scripts | ✅ |
| Endpoint Protection | ✅ |
| Enrollment device platform restrictions | ✅ Support for a subset of filter properties including device osVersion, operatingSystemSKU, and enrollmentProfileName |
| Kiosk | ✅ |
| Network boundary | ✅ |
| PKCS certificate | ✅ |
| PKCS imported certificate | ✅ |
| SCEP certificate | ✅ |
| Secure assessment (Education) | ✅ |
| Settings catalog | ✅ |
| Shared multi-user device | ✅ |
| Trusted certificate | ✅ |
| VPN | ✅ |
| Wi-Fi | ✅ |
| Wired network | ❌ |
| Windows health monitoring | ✅ |
| Endpoint Security profile | |
| Account protection | ✅ Account protection, Local user group membership, and Local admin password solution (Windows LAPS) |
| Antivirus | ✅ |
| Attack surface reduction | ✅ Excludes Web protection (Microsoft Edge Legacy), Application control, and App and browser isolation |
| Disk encryption | ✅ |
| Endpoint detection and response | ✅ |
| Endpoint Privilege Management (EPM) | ✅ |
| Firewall | ✅ |
| Microsoft Defender for Endpoint (Windows 10/11 Desktop) | ✅ |
| Security baselines | ❌ |
Not supported on managed devices
The following features on managed devices don't support using filters:
Custom compliance policies for Windows 10/11 (preview)
App protection policies for Android and iOS/iPadOS
You can use filters on app protection policies for managed apps. For more information on managed apps, go to Use filters when assigning your apps, policies, and profiles in Intune.
End user experiences customization policies
iOS/iPadOS app provisioning profiles
Partner device management
Policies for Office apps
Policy sets
PowerShell scripts for Windows
S mode supplemental policies for Windows 10
Shell scripts for macOS
Terms and conditions
Update policies for iOS/iPadOS
Feature updates for Windows
Enrollment notifications
Linux platform workloads
Devices that are targeted with Endpoint Security configuration using Microsoft Defender for Endpoint integration, such as servers. These devices aren't enrolled in Intune.