Manage Windows – UEM Authority
https://guides.uemauthority.com
Learn. Test. Deploy
Feed last built Thu, 20 Jan 2022 16:24:11 +0000

Create Device Categories
Published Wed, 19 Jan 2022 15:57:03 +0000
https://guides.uemauthority.com/knowledge-base/create-device-categories/

In this guide, we explore the Intune Device Categories feature.

To make managing devices easier, you can use device categories to automatically add devices to groups based on categories that you define.

This is a two-step process: create the categories, then create the corresponding dynamic Azure AD groups that tie the mechanism together.

Create Device Categories

Sign in to your Endpoint Manager portal by browsing to https://endpoint.microsoft.com

From the home dashboard, navigate to Devices > Device Categories.

Select the ‘Create Device Category’ button.

Set a Name and Description.
**Example**
Name: Marketing
Description: Device category for Marketing devices

Select ‘Next’ and keep the default Scope Tag selected.

Select ‘Next’ and then ‘Create’.

You will see the Marketing device category appear in the list ready for use.

Create an Azure AD Dynamic Group

Sign in to your Azure portal by browsing to https://portal.azure.com

From the home dashboard, select ‘Azure Active Directory’.

From the left side menu, select ‘Groups’.

Select the ‘New Group’ button.

Complete the required information:

**Example**
Group Type: Security
Group Name: Marketing Devices
Group Description: Group for Marketing devices.
Azure AD roles can be assigned to the group: No
Membership Type: Dynamic Device
Owners: No

Select ‘Add Dynamic Query’

Within the query builder, we configure the query values as below:

Property: deviceCategory
Operator: Equals
Value: Marketing (Friendly name given to your device category in Endpoint Manager)

When you click away from the query builder, Azure AD translates your configuration values into rule syntax.

The rule syntax should look identical to this, except that the value between the quotation marks is your own device category name (it must match the category's name exactly):

(device.deviceCategory -eq "Your_Device_Category_Name")

Select the ‘Save’ button to save the dynamic query.

Select the ‘Create’ button to build the Azure AD dynamic group.

Once created, you will see the Marketing Devices dynamic group appear in the list, ready for use.

See in Action

During enrolment through the Company Portal app, the user is asked to select a device category from the list provided.

In this example, the Marketing device category is selected to demonstrate the Azure AD dynamic group at work. Because the category is chosen by the enrolling user (and can be changed later by an administrator in the device's properties), treat it as a labelling aid for targeting rather than a trust boundary: do not rely on it alone to gate access to sensitive resources.

Once enrolment completes, Azure AD re-evaluates the dynamic membership rule against the updated device attributes; any device whose deviceCategory matches the rule is added to the group automatically. Membership processing is asynchronous, so allow some minutes before checking.

We can see our iPhone is now a member of the Marketing Devices group.
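The two-step procedure above (create the category, then the dynamic group) and the membership check in this section, done with the Microsoft Graph PowerShell SDK instead of the portal. This is an added example, not code from the UEM Authority guide; it assumes the Microsoft.Graph module is installed and that your account holds the scopes requested, and the category name, group name and mail nickname are the guide's Marketing example.

```powershell
# Added example (not from the UEM Authority guide): creates the Marketing device
# category and its Azure AD dynamic device group with the Microsoft Graph
# PowerShell SDK, then checks which devices landed in the group and how they
# are owned. Assumed: Microsoft.Graph module installed; scopes below granted.
$scopes = @('DeviceManagementManagedDevices.ReadWrite.All',
            'Group.ReadWrite.All', 'GroupMember.Read.All')
Connect-MgGraph -Scopes $scopes

$categoryName = 'Marketing'   # must match the value in the membership rule exactly

# 1. Create the Intune device category (Devices > Device Categories in the portal).
$category = New-MgDeviceManagementDeviceCategory -DisplayName $categoryName `
    -Description "Device category for $categoryName devices"

# 2. Create the Azure AD dynamic device group. The rule is the same syntax the
#    portal generates from Property=deviceCategory, Operator=Equals, Value=Marketing.
$rule  = "(device.deviceCategory -eq `"$categoryName`")"
$group = New-MgGroup -DisplayName "$categoryName Devices" `
    -Description "Group for $categoryName devices." `
    -MailEnabled:$false -MailNickname "$($categoryName.ToLower())devices" `
    -SecurityEnabled -GroupTypes @('DynamicMembership') `
    -MembershipRule $rule -MembershipRuleProcessingState 'On'
"Created category $($category.Id) and dynamic group $($group.Id) with rule: $rule"

# 3. Verify membership. Dynamic membership is recalculated asynchronously, so a
#    device that has only just enrolled may take some minutes to appear here.
"Current members of $($group.DisplayName):"
Get-MgGroupMember -GroupId $group.Id -All |
    ForEach-Object { "  " + $_.AdditionalProperties['displayName'] }

# 4. The category is picked by the enrolling user in Company Portal, so it is a
#    labelling convenience, not a trust boundary. Compare Intune's view of the
#    same devices and flag any that are personally owned or non-compliant before
#    hanging sensitive app or policy assignments off this group.
"Intune devices in category '$categoryName':"
Get-MgDeviceManagementManagedDevice -All |
    Where-Object { $_.DeviceCategoryDisplayName -eq $categoryName } |
    ForEach-Object {
        $flag = if ($_.ManagedDeviceOwnerType -ne 'company' -or
                    $_.ComplianceState -ne 'compliant') { 'REVIEW' } else { 'ok' }
        "  {0,-7} {1,-25} {2,-10} owner={3,-8} compliance={4}" -f $flag,
            $_.DeviceName, $_.OperatingSystem, $_.ManagedDeviceOwnerType, $_.ComplianceState
    }
```

Step 4 is the check worth keeping after the group is built: a device can be placed in the Marketing group by anyone who enrols and picks that category, so anything assigned to the group should also be gated by compliance policy or Conditional Access rather than by category membership alone.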

Configure Enrolment Restrictions
Published Mon, 17 Jan 2022 16:22:22 +0000
https://guides.uemauthority.com/knowledge-base/configure-enrolment-restrictions/

In this guide, we explore Device Type Restrictions and Device Limit Restrictions. Combined, both settings allow an organisation to define what devices can enrol into management with Intune, including the:

  • Number of devices.
  • Operating systems and versions.

Configure Device Type Restrictions

Note – Enrolment restrictions are not a security control. A compromised or attacker-controlled device can misrepresent its platform, OS version and ownership, so these restrictions are a best-effort barrier for non-malicious users; enforce access to corporate resources with compliance policy and Conditional Access rather than with enrolment restrictions alone.

From the home dashboard, navigate to Devices > Enrol Devices > Enrolment Restrictions

Under Device Type Restrictions, select the Default Policy called All Users.

Select Properties. Under Platform Settings, select Edit.

In this example, the Default Policy will be modified to reflect the below settings:
**Example**
Android Enterprise (Work Profile)

  • Platform: Allow
  • Versions: 10.0 min
  • Personally Owned: Block

Android Device Administrator

  • Platform: Block

iOS/iPadOS

  • Platform: Allow
  • Versions: 13.0 min
  • Personally Owned: Block

macOS

  • Platform: Block

Windows (MDM)

  • Platform: Allow
  • Personally Owned: Block

Select ‘Review + Save’ and then ‘Save’.

Top Tip – A separate personally owned device type policy gives an organisation better control over who and what has access to corporate resources. For example, an organisation may choose to limit personal device or BYOD enrolment to eligible users or personas. Device type restrictions enable this granular gatekeeping.

To create a personally owned/BYOD policy using the example settings below, select the ‘Create Restriction’ button.

Select the ‘Device Type Restriction’ option.

Set a Name and Description:
**Example**
Name: Personally Owned/BYOD Policy
Description: A device type restriction policy that limits enrolment of personally owned and BYOD devices to an eligible group of users.

Select ‘Next’.

Set the policy Platform Settings:
**Example**
Android Enterprise (Work Profile)

  • Platform: Allow
  • Versions: 10.0 min
  • Personally Owned: Allow

Android Device Administrator

  • Platform: Block

iOS/iPadOS

  • Platform: Allow
  • Versions: 13.0 min
  • Personally Owned: Allow

macOS

  • Platform: Block

Windows (MDM)

  • Platform: Allow
  • Personally Owned: Block

Select ‘Next’ to keep the default scope tag, and then ‘Next’ again.

Under Assignments, select ‘Add Groups’.

In this example, the ‘Personal BYOD Devices’ group will be selected.

Select ‘Select’ to add your Azure AD Group.

Select ‘Next’ and then ‘Create’.

You will see the Device Type Restrictions policy appear ready for use.

See in Action

Top Tip – If a user who is not yet a member of the eligible Azure AD group attempts a personally owned/BYOD enrolment on an iOS/iPadOS device, the enrolment profile fails to install: the default (All Users) device type restriction, which blocks personally owned devices, still applies to that user. Check the user's group membership first.

In this example, the Test User 01 Azure AD account is not yet a member of any group.

When this user attempts to enrol an iOS device, installation of the management profile fails.

Observing the Intune enrolment failures report under Devices > Monitor > Enrolment Failures, we can see the reason why enrolment was blocked.

Configure Device Limit Restrictions

Important – Device limit restrictions don’t apply for the following Windows enrollment types:
– Co-managed enrollments
– GPO enrollments
– Azure Active Directory joined enrollments
– Bulk Azure Active Directory joined enrollments
– Autopilot enrollments
– Device Enrollment Manager enrollments

From the home dashboard, navigate to Devices > Enrol Devices > Enrolment Restrictions

Under Device Limit Restrictions, select the Default Policy called All Users.

Select Properties. Under Device Limit, select Edit.

In this example, the Default Policy will be modified to reflect the below settings:
**Example**
Device Limit: change from 10 to 5

Select ‘Review + Save’ and then ‘Save’.
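A read-only audit of what this guide configures, covering both the device type restrictions above and the device limit restriction in this section, using the Microsoft Graph PowerShell SDK. This is an added example, not code from the UEM Authority guide. It assumes the Microsoft.Graph module (the Microsoft.Graph.DeviceManagement.Enrollment cmdlets) is installed, that the account holds the DeviceManagementServiceConfig.Read.All scope, and that the built-in default policies are the ones with no group assignment.

```powershell
# Added example (not from the UEM Authority guide): audits every enrolment
# restriction in the tenant with the Microsoft Graph PowerShell SDK. Device type
# restrictions and the device limit restriction are both
# deviceEnrollmentConfiguration objects; the SDK surfaces their type-specific
# fields in AdditionalProperties. Assumed: Microsoft.Graph module installed, and
# the default policies are the configurations without a group assignment.
Connect-MgGraph -Scopes 'DeviceManagementServiceConfig.Read.All'

# Graph property name -> label shown in the Endpoint Manager portal
$platforms = [ordered]@{
    androidForWorkRestriction = 'Android Enterprise (Work Profile)'
    androidRestriction        = 'Android Device Administrator'
    iosRestriction            = 'iOS/iPadOS'
    macOSRestriction          = 'macOS'
    windowsRestriction        = 'Windows (MDM)'
}

$configs = Get-MgDeviceManagementDeviceEnrollmentConfiguration -All | Sort-Object Priority
foreach ($c in $configs) {
    $type = $c.AdditionalProperties['@odata.type']
    # Azure AD groups the restriction is assigned to (none for the default policy).
    $groups = Get-MgDeviceManagementDeviceEnrollmentConfigurationAssignment `
        -DeviceEnrollmentConfigurationId $c.Id -All |
        ForEach-Object { $_.Target.AdditionalProperties['groupId'] }
    $assigned = if ($groups) { $groups -join ', ' } else { '(not group-assigned: default policy)' }
    "`nPriority {0}: {1}  [{2}]  assigned to: {3}" -f $c.Priority, $c.DisplayName,
        $type.Split('.')[-1], $assigned

    if ($type -eq '#microsoft.graph.deviceEnrollmentPlatformRestrictionsConfiguration') {
        foreach ($key in $platforms.Keys) {
            $r = $c.AdditionalProperties[$key]
            if (-not $r) { continue }
            $platform = if ($r['platformBlocked']) { 'Block' } else { 'Allow' }
            $personal = if ($r['personalDeviceEnrollmentBlocked']) { 'Block' } else { 'Allow' }
            $minOs    = if ($r['osMinimumVersion']) { $r['osMinimumVersion'] } else { '-' }
            $warn = ''
            # Findings the guide's recommended settings are designed to avoid.
            if ($key -eq 'androidRestriction' -and $platform -eq 'Allow') {
                $warn += '  <-- legacy Device Administrator enrolment allowed'
            }
            if ($platform -eq 'Allow' -and $personal -eq 'Allow' -and -not $groups) {
                $warn += '  <-- personal devices admitted by the default policy'
            }
            "  {0,-33} platform={1,-5} personal={2,-5} minOS={3}{4}" -f $platforms[$key],
                $platform, $personal, $minOs, $warn
        }
    }
    elseif ($type -eq '#microsoft.graph.deviceEnrollmentLimitConfiguration') {
        "  device limit per user = {0}" -f $c.AdditionalProperties['limit']
    }
}
```

Run this after editing the default policy and after creating the BYOD policy: the BYOD policy should appear with the eligible group's ID under "assigned to", and the only rows that admit personal devices should belong to that group-assigned policy, never to the default.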

Create a Device Enrolment Manager (DEM) account
Published Mon, 17 Jan 2022 16:09:27 +0000
https://guides.uemauthority.com/knowledge-base/create-a-device-enrolment-manager-dem-account/

In this guide, we explore a feature which allows a single Azure AD account permission to enrol up to 1,000 devices. A DEM account is useful for scenarios where devices are enrolled and prepared before being handed out to their users.

Create a DEM account

Important – Device Enrolment Manager accounts come with their own set of limitations. Refer to the Microsoft documentation for an exhaustive list.

Note – A Device Enrolment Manager account must be assigned an Intune license before the account can be added.

Sign in to your Endpoint Manager portal by browsing to https://endpoint.microsoft.com

From the home dashboard, navigate to Devices > Enrol Devices > Device Enrolment Managers.

Select the ‘Add’ button.

Enter the UPN of the Azure AD account to be added as a Device Enrolment Manager, then select the ‘Add’ button.
**Example**
UPN: iOSEnrol@traininguemauthority.onmicrosoft.com

Intune notifies you that the Device Enrolment Manager was added successfully.

You will see the Device Enrolment Manager account present in the list, ready to enrol devices.

See in Action

To enrol using a DEM account, in this example on an iPhone, we follow the standard manual enrolment process.

Once complete, the Company Portal app confirms the device is enrolled; note, however, that a device enrolled with a DEM account carries limited capabilities.

The Intune (Endpoint Manager) console also confirms the iPhone is enrolled, showing the iOS Enrol DEM account as the Primary User.
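A DEM account is a shared credential that can enrol up to 1,000 devices and becomes their primary user, so it deserves the checks applied to any service account. The following hygiene check is an added example, not code from the UEM Authority guide; it uses the Microsoft Graph PowerShell SDK, assumes the Microsoft.Graph module is installed with the scopes requested, and uses the guide's example UPN, which you must replace with your own.

```powershell
# Added example (not from the UEM Authority guide): hygiene checks for a Device
# Enrolment Manager account with the Microsoft Graph PowerShell SDK.
# Assumed: Microsoft.Graph module installed; the UPN is the guide's example.
$scopes = @('User.Read.All', 'Directory.Read.All',
            'DeviceManagementManagedDevices.Read.All')
Connect-MgGraph -Scopes $scopes

$demUpn = 'iOSEnrol@traininguemauthority.onmicrosoft.com'
$user = Get-MgUser -UserId $demUpn -Property Id, UserPrincipalName, AccountEnabled
"Account enabled: {0}" -f $user.AccountEnabled

# 1. Licence: the account needs an Intune service plan before it can be a DEM.
$intunePlans = Get-MgUserLicenseDetail -UserId $user.Id |
    ForEach-Object { $_.ServicePlans } |
    Where-Object { $_.ServicePlanName -like 'INTUNE*' -and $_.ProvisioningStatus -eq 'Success' }
"Intune service plan provisioned: {0}" -f [bool]$intunePlans

# 2. Roles: a DEM should be a plain user. Any directory role here is a finding,
#    because the account's credentials are shared by whoever stages devices.
$roles = Get-MgUserMemberOf -UserId $user.Id -All |
    Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.directoryRole' } |
    ForEach-Object { $_.AdditionalProperties['displayName'] }
"Directory roles: {0}" -f $(if ($roles) { $roles -join ', ' } else { 'none (expected)' })

# 3. Footprint: devices that carry the DEM account as primary user, against the cap.
$devices = @(Get-MgDeviceManagementManagedDevice -All |
    Where-Object { $_.UserPrincipalName -eq $demUpn })
"Devices enrolled with this DEM: {0} of 1000" -f $devices.Count
$devices | Sort-Object EnrolledDateTime |
    Select-Object DeviceName, OperatingSystem, EnrolledDateTime, ComplianceState |
    Format-Table -AutoSize
```

The device list is the part to revisit periodically: staged devices that were never handed out, or that stopped checking in, still count against the 1,000-device cap and still have the DEM account as their primary user.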
