Intune device categories

Tom Meeus 141 Reputation points
2022-06-30T10:24:15.147+00:00

Hello,

Currently I'm figuring out a low-maintenance way of orchestrating Intune-enrolled devices (Win10/11, Android, iOS (iPhone, iPad)).

The goal is to have limited to no IT admin interaction. To get this done, I'm using the "device categories" in Intune.
I've created categories based on department, and after the user installs "Intune Company Portal" he logs on with his email address and password.
The wizard asks him to select his department and finishes.

These "device categories" are linked to dynamic membership M365 groups; apps for, e.g., Finance are deployed to that group.
Since the "Device category" was selected, the device was automatically added to the group that has that dynamic membership query.
This way I can assign whatever I want (conditional access, PIM, JIT, etc.) to a group that is automatically populated by selecting the device category.

Now the question:
The complete idea is based on device and not user; baseline apps and other settings will be applied for whole departments.
But an application that only 2 of the 5 users in the Finance team need to have installed can't be deployed this way.
Is there a better way that you know/use to fix the issue in the line above?

Kind regards,

Yoni


Accepted answer
  1. Lu Dai-MSFT 28,371 Reputation points
    2022-07-06T02:00:45.84+00:00

    @Tom Meeus Thanks for your update.

    Currently, I haven't heard that the "Device Category" feature will be removed in the future.

    I have done a lot of research again, and I have another idea. It is not needed to create a new device group. Intune has a "filters" feature. We can create a filter that filters out the 2 target users' devices. Please refer to the following article:
    https://learn.microsoft.com/en-us/mem/intune/fundamentals/filters

    Then we can add the Finance team device group in the include app assignment and apply the target filter. This app will only install on the 2 target users' devices.

    Hope it will help.

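The filtered assignment described in the accepted answer, scripted against Microsoft Graph as an added example (not code from the thread or from the linked article). The group and app IDs are placeholders, the filter name and device names are constructed, and matching the two users' devices by device name is an assumption, since the answer does not say which device property to filter on.

```powershell
# Added example: values marked "placeholder" or "constructed" are not from the thread.
# Requires the Microsoft.Graph.Authentication module.
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All',
                        'DeviceManagementApps.ReadWrite.All'

$financeGroupId = '<finance-device-group-object-id>'   # placeholder
$appId          = '<intune-mobile-app-id>'             # placeholder

# 1. Create the filter. Filter rules evaluate device properties, so the two
#    users' devices are matched here by (constructed) device names.
$filterBody = @{
    displayName = 'Finance - extra app devices'        # hypothetical name
    description = 'Devices of the two Finance users who need the extra app'
    platform    = 'windows10AndLater'
    rule        = '(device.deviceName -in ["FIN-LT-001", "FIN-LT-002"])'
}
$filter = Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/beta/deviceManagement/assignmentFilters' `
    -Body ($filterBody | ConvertTo-Json) -ContentType 'application/json'

# 2. Assign the app to the whole Finance device group, narrowed by the filter
#    in include mode. The assign action sets the app's assignment list, so add
#    any existing assignments that should be kept to this array.
$assignBody = @{
    mobileAppAssignments = @(
        @{
            '@odata.type' = '#microsoft.graph.mobileAppAssignment'
            intent        = 'required'
            target        = @{
                '@odata.type' = '#microsoft.graph.groupAssignmentTarget'
                groupId       = $financeGroupId
                deviceAndAppManagementAssignmentFilterId   = $filter.id
                deviceAndAppManagementAssignmentFilterType = 'include'
            }
        }
    )
}
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/beta/deviceAppManagement/mobileApps/$appId/assign" `
    -Body ($assignBody | ConvertTo-Json -Depth 5) -ContentType 'application/json'
```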

2 additional answers

  1. Lu Dai-MSFT 28,371 Reputation points
    2022-07-01T01:31:37.773+00:00

    @Tom Meeus Thanks for posting in our Q&A. From your description, did you mean that you don't want to deploy this app to users and just want to deploy to the two users' devices? If there is any misunderstanding, feel free to let us know.

    It is suggested to try to use exclude app assignment. We can create a new device group for the devices that do not need to install this app. Then add the Finance team device group in the include app assignment and add the new device group in the exclude app assignment.
    https://learn.microsoft.com/en-us/mem/intune/apps/apps-inc-exl-assignments

    Hope it will give you some ideas.




  2. Tom Meeus 141 Reputation points
    2022-07-05T10:02:32.593+00:00

    Hi LuDai,

    Yes, all settings and apps will be deployed to the devices instead of users. I know that MS sees the "identity" aka "user account" as their base. This is why I'm asking here.

    For the app exclusion group, this creates another level that needs to be managed. The idea is to create a baseline for every department, and access to the apps is based on user permissions.
    Regardless of whether the user has access or not, the app is deployed to the device. This way a baseline is created and it comes down to user permissions to the app.

    I've been demo'ing this idea to a number of customers to simplify their admin work when deploying a device, and the reply that comes back most is "Then we just give them no access to the application but leave the app installed in case they need to login to replace someone that is sick/left/... ."

    So is Microsoft foreseeing to remove the "Device Category" feature in future releases, seeing that in this system it is the backbone of it all?

    Thanks for your reply,

    Kind regards,

    Tom
