Filters in Microsoft Endpoint Manager

Filters is a new feature that has been recently added to Microsoft Endpoint Manager. They can be used when assigning an application or policy and for an administrator gives you greater control of which devices will be targeted.

After adding a group assignment to your app or policy, the filter can be added on top to include or exclude devices based on the properties and values you have specified.

Filters in Intune look and feel a lot like Azure Active Directory Dynamic Groups and the rule builder uses similar properties, operators, and rule syntax.

Using a filter can give you many more options when deploying an app or policy and makes sure that each kind of device you have enrolled will get the correct configurations applied. For example, filters could be used alongside a Dynamic Group to target a specific policy to one departments corporate-owned device:

  1. Create an Azure AD Dynamic User group to query against the department field.
  2. In Endpoint Manager, create a filter for devices where ownership equals ‘Corporate’.
  3. Assign your policy to the Dynamic User group and apply the filter.

Supported Operating Systems and workloads

Filters can be used to query device properties on the following operating systems:

  • Windows 10 and later
  • macOS
  • iOS/iPadOS
  • Android Enterprise
  • Android Device Administrator

Besides a few exceptions for each OS, most application and policy types support the use of filters. View the full list of supported workloads here:

Supported device properties

Here are the device properties that currently can be selected when creating a filter:

  • Device name
  • Manufacturer
  • Model
  • Device category
  • OS version
  • Device ownership
  • Operating system SKU (Windows 10 and later)
  • Enrollment profile name (Windows 10 and later, macOS, iOS/iPadOS, and Android Enterprise)
  • Rooted or jailbroken (iOS/iPadOS, Android Enterprise, and Android device administrator)

Enable the preview feature

While filters are still in public preview, you will need to enable the feature in your tenant before it can be used:

  1. From the Microsoft Endpoint Manager portal, select Tenant Administration > Filters (Preview) > Try out filters (preview) feature.
  2. Move the slider to On and click Apply.

Create and apply a filter

Before a filter can be used in an assignment, it must first be created and each filter that you create can be re-used on multiple application and policy assignments:

  1. Navigate to Devices > Filters > Create.
  2. Enter a display name for the filter and optionally add a description.
  3. Under Platform, select the Operating System this filter will apply to.
  1. Using the dropdown boxes, select the Property you would like to evaluate devices based on. Select your Operator, and enter a Value.
  2. Optionally select Add expression to query multiple properties in a single filter.
  1. Click Next, then Create.

Now that your filter has been created, it can be used when assigning an application or policy:

  1. When on the Assignments page of an app or policy, add the user or device Group you would like to apply your filter to.
    Filters cannot be used on a group that is being excluded from an app or policy assignment
  2. For an application click None under the filter mode or filter heading. For a policy, select Edit filter.
  1. Select whether the filter will be used to include or exclude devices that match your filter from the assignment.
  1. From the list, select the filter you would like to apply to the group, and click Select.
    Only one filter can be selected per group. To filter on multiple properties, you will need to add multiple expressions to a single filter.
  1. You will now see the filter name and mode listed next to the group assignment.

Monitor and troubleshoot an assignment

After a filter is applied to an assignment, there are a couple of places you can view the status of the assignment:

  1. Under the Device status tab on your application or policy. If the device does not meet the filter you have applied, the Deployment Status will show as Not applicable. If the device did meet the filter and it’s been applied on the device, the Deployment Status will be Succeeded.
  1. For more detailed information about whether a device meets the filter criteria can be viewed from a devices details page, under the Filter evaluation tab. This will list apps or policies that have been assigned to the device or user and have a filter applied.

Click the Filter evaluated button to view details of whether or not the device matched the filter, details of your filter, and then the actual properties of the device.

About the author