This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
Note
Access to this page requires authorization. You can trysigning in orchanging directories.
Access to this page requires authorization. You can trychanging directories.
Assignment filters in Intune let you refine app and policy targeting based on device and app properties. This reference article describes the properties, operators, and rule syntax you can use when creating filters for managed devices and managed apps.
When you create an app, compliance policy, or configuration profile, you assign that app or policy to groups (users or devices). Assignment filters allow you to narrow the scope of your assignments based on specific criteria.
You can use assignment filters onmanaged devices (devices enrolled in Intune) andmanaged apps (apps managed by Intune). When creating a filter, you specify properties like device manufacturer, OS version, or enrollment profile, and use operators to build rule expressions, likestartsWith andcontains.
This article provides a complete reference for managed device properties, managed app properties, and supported operators you can use in your assignment filters, and includes practical examples.
Important
Android device administrator (DA) management is deprecated and no longer available for devices with access to Google Mobile Services (GMS). If you currently use DA management, we recommend switching to another Android management option. Support and help documentation remain available for some Android 15 and earlier devices without GMS. For more information, seeEnding support for Android device administrator on GMS devices.
You can use assignment filters onmanaged devices (devices enrolled in Intune) andmanaged apps (apps managed by Intune). This section lists the available properties.
You can use the following device properties in your managed device filter rules:
cpuArchitecture (CPU Architecture): Create a filter rule based on the Intune device CPU architecture property.
For Windows, your options are (with-eq,-ne,-in,-notIn operators):
For macOS, your options are (with-eq,-ne,-in,-notIn operators):
Examples:
(device.cpuArchitecture -eq "arm64")(device.cpuArchitecture -in ["x64", "arm64"])(device.cpuArchitecture -eq "unknown")This property applies to:
Note
Currently, enrollment scenarios don't support thecpuArchitecture property. Support will be added in a future update (no ETA).
deviceCategory (Device Category): Create a filter rule based on the Intune device category property. Enter the full string value (using-eq,-ne,-in,-notIn operators), or partial value (using-startswith,-contains,-notcontains operators).
Examples:
(device.deviceCategory -eq "Engineering devices")(device.deviceCategory -contains "Engineering")(device.model -startsWith "E")This property applies to:
deviceManagementType (Device Management Type): Create a filter rule based on the Intune device management type. Select from the following values using the -eq and -ne operators:
| Value | Supported platforms |
|---|---|
Corporate-owned dedicated devices with Entra ID Shared mode | Android |
Corporate-owned dedicated devices without Entra ID Shared mode | Android |
Corporate-owned with work profile | Android |
Corporate-owned fully managed | Android |
Personally-owned work profile | Android |
AOSP user-associated devices | Android |
AOSP userless devices | Android |
Example:
(app.deviceManagementType -eq "Corporate-owned dedicated devices without Entra ID Shared mode")This property applies:
deviceName (Device Name): Create a filter rule based on the Intune device name property. Enter a string value for the device's full name (using-eq,-ne,-in,-notIn operators), or partial value (using-startswith,-contains,-notcontains operators).
Examples:
(device.deviceName -eq "Scott's Device")(device.deviceName -in ["Scott's device", "Sara's device"])(device.deviceName -startsWith "S")This property applies to:
deviceOwnership (Ownership): Create a filter rule based on the device's ownership property in Intune. SelectPersonal,Corporate, or unknown values using the-eq and-ne operators.
Example:
(device.deviceOwnership -eq "Personal")This property applies to:
deviceTrustType (Microsoft Entra join type): Create a filter rule based on the device's Microsoft Entra join type. Choose between Azure AD joined, Azure AD registered, Hybrid Azure AD joined, or Unknown values (with-eq,-ne,-in,-notIn operators).
Examples:
(device.deviceTrustType -eq "Azure AD joined")(device.deviceTrustType -ne "Azure AD registered")(device.deviceTrustType -in ["Hybrid Azure AD joined","Azure AD joined"])This property applies to:
Note
ThedeviceTrustType property exists in Microsoft Entra ID and Intune. The values in this Intune assignment filters article apply to Intune. They don't apply to Microsoft Entra ID.
enrollmentProfileName (Enrollment profile name): Create a filter rule based on the enrollment profile name. This property is applied to a device when the device enrolls. It's a string value created by you, and matches the Windows Autopilot, Apple Automated Device Enrollment (ADE), or Google enrollment profile applied to the device. To see your enrollment profile names, sign in to theIntune admin center, and go toDevices >Enroll devices.
Enter the full string value (using-eq,-ne,-in,-notIn operators), or partial value (using-startswith,-contains,-notcontains operators).
Examples:
(device.enrollmentProfileName -eq "DEP iPhones")(device.enrollmentProfileName -startsWith "Autopilot Profile")(device.enrollmentProfileName -ne $null)This property applies to:
IsRooted (Rooted or jailbroken): Create a filter rule based on the device's rooted (Android) or jailbroken (iOS/iPadOS) device property. SelectTrue,False, or unknown values using the-eq and-ne operators.
Example:
(device.isRooted -eq "True")This property applies to:
manufacturer (Manufacturer): Create a filter rule based on the Intune device manufacturer property. Enter the full string value (using-eq,-ne,-in,-notIn operators), or partial value (using-startswith,-contains,-notcontains operators).
Examples:
(device.manufacturer -eq "Microsoft")(device.manufacturer -startsWith "Micro")This property applies to:
model (Model): Create a filter rule based on the Intune device model property. Enter the full string value (using-eq,-ne,-in,-notIn operators), or partial value (using-startswith,-contains,-notcontains operators).
For iOS/iPadOS and macOS devices, use the model, not the product name. Only the model is recognized for Apple devices. For example, for iPhone 8 devices, enter the model asiPhone 8.
Examples:
(device.model -eq "Surface Book 3")(device.model -in ["Surface Book 3", "Surface Book 2"])(device.model -startsWith "Surface Book")(device.model -startsWith "MacBookPro")(device.model -startsWith "iPhone 8")Note
Older iPad Pro models use the double prime symbol (") instead of inch. If you use full string value operators, this symbol can cause assignment filters to not evaluate correctly. For these models, use partial value operators to ensure that assignment filters evaluate the model as intended. For example, foriPad Pro (12.9")(2nd generation) model devices, you can use(device.model -contains "iPad Pro 12.9") and(device.model -contains "(2nd generation)").
This property applies to:
operatingSystemVersion (Operating System Version): Create a filter rule based on the Intune device operating system (OS) version. Enter a version value (using-eq,-ne,-gt,-ge,-lt,-le operators).
Examples:
(device.operatingSystemVersion -eq 14.2.1)(device.operatingSystemVersion -gt 10.0.22000.1000)(device.operatingSystemVersion -le 10.0.22631.3235)For a list of supported operators, go toSupported operators for operatingSystemVersion (in this article).
This property applies to:
Note
TheoperatingSystemVersion property is in public preview. For more information on what that means, go toPublic preview in Microsoft Intune.
osVersion (OS Version): Create a filter rule based on the Intune device operating system (OS) version. Enter the full string value (using-eq,-ne,-in,-notIn operators), or partial value (using-startswith,-contains,-notcontains operators).
Tip
TheosVersion property is being deprecated. Instead, use theoperatingSystemVersion property. WhenoperatingSystemVersion is generally available (GA), theosVersion property will retire, and you won't be able to create new assignment filters using this property. Existing assignment filters that useosVersion continue to work.
Examples:
(device.osVersion -eq "14.2.1")(device.osVersion -in ["10.15.3 (19D2064)","10.14.2 (18C54)"])(device.osVersion -startsWith "10.0.18362")This property applies to:
Note
For Apple devices, theOSversion property doesn't include Apple's Security Patch Version (SPV) information. The SPV is the letter after the version number, like14.1.2a. When creating assignment filters for Apple devices, don't include the SPV in theOSversion rule syntax.
operatingSystemSKU (Operating System SKU): Create a filter rule based on the device's Windows client OS SKU. Enter the full string value (using-eq,-ne,-in,-notIn operators), or partial value (using-startswith,-contains,-notcontains operators).
Examples:
(device.operatingSystemSKU -eq "Enterprise")(device.operatingSystemSKU -in ["Enterprise", "EnterpriseS", "EnterpriseN", "EnterpriseEval"])(device.operatingSystemSKU -startsWith "Enterprise")You can use the following supported values for theOperating System SKU property. TheIntune admin center doesn't show the SKU names. So, be sure to use the supported values in the following table:
| Supported value | OS SKU definition |
|---|---|
| BusinessN | Windows 10/11 Professional N (49) |
| CloudEdition | CloudEdition (Windows 11 SE (203)) |
| CloudEditionN | CloudEditionN (Windows 11 SE N (202)) |
| Core | Windows 10/11 Home (10/111) |
| CoreCountrySpecific | Windows 10/11 Home China (99) |
| CoreN | Windows 10/11 Home N (98) |
| CoreSingleLanguage | Windows 10/11 Home single language (100) |
| Education | Windows 10/11 Education (121) |
| EducationN | Windows 10/11 Education (122) |
| Enterprise | Windows 10/11 Enterprise (4) |
| EnterpriseEval | Windows 10/11 Enterprise Evaluation (72) |
| EnterpriseG | Windows 10/11 Enterprise G (171) |
| EnterpriseGN | Windows 10/11 Enterprise G N (172) |
| EnterpriseN | Windows 10/11 Enterprise N (27) |
| EnterpriseNEval | Windows 10/11 Enterprise N Evaluation (84) |
| EnterpriseS | Windows 10 Enterprise LTSC (125) |
| EnterpriseSEval | Windows 10 Enterprise LTSC Evaluation (129) |
| EnterpriseSN | Windows 10 Enterprise LTSC N (126) |
| Holographic | Windows 10 Holographic (136) |
| IoTUAP | Windows 10 IoT Core (123) |
| IoTUAPCommercial | Windows 10 IoT Core Commercial (131) |
| IoTEnterprise | Windows 10/11 IoT Enterprise (188) |
| PPIPro | Windows 10 TeamOS (119) |
| Professional | Windows 10/11 Professional (48) |
| ProfessionalEducation | Windows 10/11 Professional Education (164) |
| ProfessionalEducationN | Windows 10/11 Professional Education N (165) |
| ProfessionalWorkstation | Windows 10/11 Professional for workstation (161) |
| ProfessionalN | Windows 10/11 Professional for workstation N (162) |
| ProfessionalSingleLanguage | Windows 10/11 Professional Single Language (138) |
| ServerRdsh | Windows 10/11 Enterprise multi-session (175) |
This property applies to:
Note
Get-WmiObject -Class Win32_OperatingSystem |select operatingsystemSKU command on a Windows device to return the SKU number.When you create a filter, you can manually create simple or complex rules in the rule syntax editor. You can also use common operators, such asor,contains, and more. The format is similar to Microsoft Entra dynamic groups:([entity].[property name] [operation] [value]).
The properties, operations, and values are case insensitive.
Parentheses and nested parentheses are supported.
You can useNull or$Null as a value with the-Equals and-NotEquals operators.
Some advanced syntax options, such as nested parentheses, are only available in the rule syntax editor. If you use advanced expressions in the rule syntax editor, then the rule builder is disabled.
For more information on the rule syntax editor and the rule builder, go toUse filters when assigning your apps, policies, and profiles
You can use the following operators in the rule syntax editor:
Or: Use for all value types, especially when grouping simple rules.
-or |or(device.manufacturer -eq "Samsung") or (device.model -contains "Galaxy Note")And: Use for all value types, especially when grouping simple rules.
-and |and(device.manufacturer -eq "Samsung") and (device.model -contains "Galaxy Note")Equals: Use for all value types, including simple rules, strings, arrays, and more.
-eq |eq(device.manufacturer -eq "Samsung") and (device.model -eq "Galaxy Note")NotEquals: Use for all value types, including simple rules, strings, arrays, and more.
-ne |ne(device.manufacturer -ne "Samsung") or (device.model -ne "Galaxy Note")StartsWith: Use for string value types.
-startsWith |startsWith(device.manufacturer -startsWith "Sams")In: Use for array value types, such as["1", "2"].
-in |in(device.manufacturer -in ["Samsung","Lenovo","Microsoft"])NotIn: Use for array value types, such as["1", "2"].
-notIn |notIn(device.manufacturer -notIn ["Samsung","Lenovo","Microsoft"])Contains: Use for string value types.
-contains |contains(device.manufacturer -contains "Samsung")NotContains: Use for string value types.
-notContains |notContains(device.manufacturer -notContains "Samsung")When you use theoperatingSystemVersion (Operating System Version) property, you can use the following operators in the rule syntax editor:
Equals: Use for all value types, including simple rules, strings, arrays, and more.
-eq |eq(device.operatingSystemVersion -eq "10.0.22000.1000")NotEquals: Use for all value types, including simple rules, strings, arrays, and more.
-ne |ne(device.operatingSystemVersion -ne "10.0.22000.1000")GreaterThan: Use for version value types.
-gt |gt(device.operatingSystemVersion -gt 10.0.22000.1000)LessThan: Use for version value types.
-lt |lt(device.operatingSystemVersion -lt 10.0.22000.1000)GreaterThanOrEquals: Use for version value types.
-ge |ge(device.operatingSystemVersion -ge 10.0.22000.1000)LessThanOrEquals: Use for version value types.
-le |le(device.operatingSystemVersion -le 10.0.22000.1000)Was this page helpful?
Need help with this topic?
Want to try using Ask Learn to clarify or guide you through this topic?
Was this page helpful?
Want to try using Ask Learn to clarify or guide you through this topic?