Forum Discussion
underQualifried
Jan 21, 2025, Brass Contributor
Dynamic device group from InTune user groups
We've onboarded a number of users into InTune, and we're all new to it. Previously, they were on MaaS360, which had both device groups and user groups, and you could assign to either individually. A ...
Jan 21, 2025
Hi, I don't see the point here; you can also use dynamic user groups, for example:
- all users with title = Manager: (user.jobTitle -eq "Manager")
- all users from France: (user.country -eq "France")
- all users with an enterprise licence: (user.assignedPlans -any (assignedPlan.servicePlanId -eq "43de0ff5-c92c-492b-9116-175376d08c38" -and assignedPlan.capabilityStatus -eq "Enabled"))
(and so many other attributes)
CaedenV
Jan 21, 2025, Copper Contributor
Intune is often very 'device centric' in how things are applied, so that is likely related to the issues they are running into wishing for user assignment to apply more like machine assignments.
When you apply things to a user group, then you have a bit of 'tyranny of the previous user' as many system level settings won't apply until the next login after the setting is applied. Especially in environments where there may be 1 primary user on a device, but others may use or borrow a device on occasion, it can become a real policy troubleshooting mess if things are assigned primarily at the user group level. Best practice is to always assign to the machine group wherever practical, and do your best to keep user assignments to things that only affect the user... But at least with Intune you have much more flexibility to apply system level changes to user accounts where it is needed, so it isn't all bad... just different from AD in subtle ways that people don't realize at first.
That being said... a lot of this (but not all of it) can be avoided with Autopilot and setting up multiple Autopilot policies that dump devices into useful default groups when they are ingested, and assigning the right devices to the right policies for the right initial machine group assignment. Or pre-assigning a user at the Autopilot level so that the initial login applies that user's group assignments on first login (and preventing the wrong user from taking that first login) instead of having to log in once, open Company Portal, force a sync, and reboot to get the 'real first experience' the user is expecting.
- underQualifried, Jan 24, 2025, Brass Contributor
This is exactly it. The tenant wants the configurations to be assigned to the device, not the user.
I had to look up Autopilot; these are iOS devices, and I hadn't encountered it. But it seems to be equivalent to Automated Device Enrollment. I didn't set this up (it was set up, just not by me), but researching has led me to Device Categories as a simple way of associating devices to departments, independent of users. Still wondering, though: if a device doesn't have a user, will a dynamic group picking categories grab that device? It seemed like devices weren't available for grouping without a user.
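Tying the rule syntax from the earlier reply to the device-category question here, the following is an added example (not code from the thread) that creates one dynamic user group and one dynamic device group with Microsoft Graph PowerShell. The group names, the "Finance" device category and the "ADE iPads" enrollment profile name are assumptions; the service plan ID is the one quoted above.

```powershell
# Added example, not code from the thread. Assumptions: the group display names,
# the "Finance" device category and the "ADE iPads" enrollment profile name; the
# service plan ID is the one quoted in the earlier reply. Requires the
# Microsoft.Graph.Groups module and a role allowed to create groups.
Connect-MgGraph -Scopes "Group.ReadWrite.All"

# 1) Dynamic USER group: the licence rule from the reply, written with straight
#    double quotes (the « » quotes in the forum rendering are not valid rule syntax).
$userRule = '(user.assignedPlans -any (assignedPlan.servicePlanId -eq "43de0ff5-c92c-492b-9116-175376d08c38" -and assignedPlan.capabilityStatus -eq "Enabled"))'
$userGroup = New-MgGroup -DisplayName "Dyn - Users with enterprise licence" `
    -MailEnabled:$false -MailNickname "dyn-users-ent-licence" -SecurityEnabled `
    -GroupTypes "DynamicMembership" -MembershipRule $userRule `
    -MembershipRuleProcessingState "On"

# 2) Dynamic DEVICE group keyed on the Intune device category and the Apple
#    Automated Device Enrollment profile name. The rule evaluates attributes of
#    the device object only, so it does not depend on a primary user being set.
$deviceRule = '(device.deviceCategory -eq "Finance") -and (device.enrollmentProfileName -eq "ADE iPads")'
$deviceGroup = New-MgGroup -DisplayName "Dyn - Finance iPads" `
    -MailEnabled:$false -MailNickname "dyn-finance-ipads" -SecurityEnabled `
    -GroupTypes "DynamicMembership" -MembershipRule $deviceRule `
    -MembershipRuleProcessingState "On"

# 3) Check: membership is evaluated asynchronously, so confirm the rule is
#    stored and processing, then list the devices that have landed in the group.
Get-MgGroup -GroupId $deviceGroup.Id -Property "displayName,membershipRule,membershipRuleProcessingState" |
    Select-Object DisplayName, MembershipRule, MembershipRuleProcessingState
Get-MgGroupMember -GroupId $deviceGroup.Id -All |
    ForEach-Object { $_.AdditionalProperties["displayName"] }
```

Intune configuration profiles can then be assigned to the device group, which keeps the assignment on the device rather than on whoever happens to sign in.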