Managed Apps Filters in Intune for MAM
This month, a new type of filter was added to Microsoft Intune. We have had filters in Intune for a while now, used to include or exclude specific devices from assignments. The main advantage of a filter is the speed of evaluation. With a dynamic group, it can take hours for a device to be added to the group. A filter is evaluated instantly. So, using dynamic groups is not recommended where filters are supported.
Let's take an example where dynamic groups fail. You want to exclude Cloud PCs from getting the Wi-Fi settings. With a dynamic group, the Cloud PC is provisioned and initially does not belong to the dynamic group, so the Wi-Fi settings are deployed. After an hour or two, the Cloud PC becomes a member and the Wi-Fi settings no longer apply. No big harm? But let's replace Wi-Fi with a large app deployment like M365 apps.
With filters, the evaluation happens instantly as part of the deployment. The client is evaluated against the filter when the deployment occurs, so no settings or apps are deployed “by accident” to excluded devices. Conclusion: use filters!
Create Managed Apps Filters
When we are using Intune App protection policies or App configuration policies (aka MAM), we have very limited access to the hardware properties of the device. Only a few properties are exchanged, and those are related to the managed app and not the device. This is where the new filter comes in. It filters against properties of the managed app instead of the device. Let's say Outlook mobile gets a new feature that can be configured with an App configuration policy. You want this new feature deployed, but only on the latest version of Outlook. (Just to be sure you don't break the older ones 🙂)
- Open Intune Portal on https://intune.microsoft.com
- Select Tenant Administration
- Select Filters
- Click Create+
- Select Managed Apps to create a new Managed apps filter
- Enter a name and description, and select whether to create the filter for Android or iOS. In my case, Android.
- Create your Managed Apps filter by selecting the Property to evaluate and entering an operator and a value.
As you can see, we can filter on the App Version of the managed app. We also see some device-specific properties, so a few of them are available even in managed apps filters, but not all the properties that we can use in a device filter:
- By using the preview filter, you can verify if your filter is correct and it filters out the correct apps/devices:
But wait a minute, how do we know this is Outlook? As a matter of fact, we don't. This is brand new, but right now it's really hard to differentiate between apps. The only app property that we have available is the app version, not the name. So if we filter on version 4.23 and we have both Outlook and OneDrive at version 4.23, the filter matches them both. Not very user friendly. Hope for a change there!
- Go ahead and create your filter if it filters correctly.
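The same filter can also be created from a script rather than the portal. The sketch below is an added example, not part of the original walkthrough: it assumes the Microsoft Graph beta `assignmentFilters` endpoint, the `-eq` operator, and a hypothetical display name, and reuses version 4.23 from this post.

```powershell
# Added example (not from the original post): create the Android managed apps
# filter through Microsoft Graph instead of the portal.
# Assumptions: Microsoft.Graph.Authentication module is installed; the beta
# endpoint and property values below match the current Graph beta reference.
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All'

$uri = 'https://graph.microsoft.com/beta/deviceManagement/assignmentFilters'

$filter = @{
    # Hypothetical name. Stating "version only" in the name documents that
    # the rule cannot tell Outlook from any other managed app at 4.23.
    displayName                    = 'MAM Android - app version 4.23 (version only)'
    description                    = 'Matches ANY managed app reporting version 4.23'
    platform                       = 'androidMobileApplicationManagement'
    assignmentFilterManagementType = 'apps'
    rule                           = '(app.appVersion -eq "4.23")'
}

# Collect existing filters, following paging links, so a rerun of the
# script does not create a duplicate with the same name.
$existing = @()
$next = $uri
while ($next) {
    $page = Invoke-MgGraphRequest -Method GET -Uri $next
    $existing += $page.value
    $next = $page.'@odata.nextLink'
}

$match = $existing | Where-Object { $_.displayName -eq $filter.displayName }

if ($match) {
    Write-Host "Filter already exists: $($match.id)"
}
else {
    $body = $filter | ConvertTo-Json
    $created = Invoke-MgGraphRequest -Method POST -Uri $uri `
        -Body $body -ContentType 'application/json'
    Write-Host "Created filter $($created.id) with rule $($created.rule)"
}
```

Because the rule matches on version alone, the app itself still has to be scoped in the policy the filter is assigned to.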
Use Managed Apps Filters with MAM
- Open Intune Portal on https://intune.microsoft.com
- Select Apps
- Select App protection policies or App configuration policies
- Click Create Policy or Add (in my case, I create an App configuration policy for Android)
- Select if it will apply on managed apps or managed devices.
- In my case, I created an App configuration policy for Managed apps that applies to Microsoft Outlook for Android
- Set the configuration that you want to deploy on the latest version of Outlook and select Next
- In the assignments, add a group with the members that should get this setting, and then apply the filter we just created.
As you can see, only Managed Apps filters are available here. Device filters cannot be used. You see the opposite when adding a filter to a device configuration: there, only device filters are shown.
- Go on and create your app configuration filter
Now the config will only apply to Outlook on Android (configured in the app configuration policy), and only on version 4.23 (configured in the filter).
Conclusion
I would really like to see Managed App name as a filterable property. Not only because of the risk of filtering out multiple different managed apps with the same version. It will be more user friendly to also see the app name. Let's hope it will be added.