Daniel Gerrity | Program Manager, Intune
updated 5/26/2017 – changed the query rule picture to show you don’t need quotes anymore on the query criteria.
For the last few months, we have been migrating group management out of Intune and into Azure Active Directory. This change will bring us some exciting new features, but it also means we have to make some changes to existing features that use Intune groups, like the Corporate Device Enrollment profile. In this post, I’ll share more detail on what’s changing and then what you’ll want to check on post-migration to ensure you understand how automatic grouping will work going forward.
Automatic Grouping Before You Get Migrated
Let’s say you have a bunch of iOS devices purchased by your organization, and you want to pre-enroll them using the Apple Device Enrollment Program or the Apple Configurator tool. During enrollment, you want all of these iOS devices to be configured the same way. In the Intune classic console, you can create a Corporate Device Enrollment profile under Policy->Corporate Device Enrollment:
If you want all of these devices to belong to the same Intune group, you can set that under the Corporate Device Enrollment Profile, using the setting “Assign devices to the following group”:
This optional setting made it easy for you to get all those devices into the correct Intune device group automatically. As new devices enroll, you can deploy policy, apps, and terms and conditions consistently.
Automatic Grouping After You Get Migrated
After we have moved your Intune groups to Azure AD, you won’t have the option to “Assign devices to the following group” because that would be looking for an Intune group.
We’ll make sure any existing Corporate Device Enrollment profiles still give you the same result, but you’ll configure new profiles a bit differently, so they work with Azure AD groups.
Working with New Profiles and Groups
If you want a new Corporate Device Enrollment profile, go ahead and create it either in the Intune classic portal, or in the Intune on Azure portal; in either case, you won’t designate the group in the profile anymore.
If you want corporate iOS devices to end up in a new group, you’ll need to create it in Azure AD. You can go to http://portal.azure.com, click Microsoft Intune, and then click Groups.
(Even though the breadcrumbs at the top say Microsoft Intune, if you look under Users and Groups, it tells you that you are really in Azure Active Directory.)
Create a new Azure AD group with the Membership type = Dynamic Device.
Then add a simple query rule that matches devices on their enrollmentProfileName, using the name of your enrollment profile as the value.
This group will now automatically collect all devices as they enroll, just as before.
Managing Existing Profiles and Groups
If you already had Corporate Device Enrollment profiles, they will still work. The migration process will automatically create dynamic versions of existing groups so you don’t need to do any of the steps above for existing profiles. Actually, the migration process creates two groups, one to account for any existing devices and one to handle any newly enrolled devices.
Migration creates a dynamic AAD device group for each profile. The name of the group is based on the Corporate Device Enrollment profile’s name, for example, “EnrollmentProfile: Kiosk Devices”, and the membership criterion makes enrollmentProfileName equal to the existing enrollment profile name. Any new devices that enroll using this profile are automatically added to this dynamic group.
The dynamic group won’t capture any devices that have already enrolled, so the migration process also creates a static or “assigned” membership AAD group with the same name as your old Intune device group, for example, “CP Kiosk”. The static group contains all the devices in your Intune group at the time of migration. The static group also contains the dynamic group as a nested group. In this example, the dynamic group EnrollmentProfile: Kiosk Devices would be a member of the assigned group CP Kiosk.
During the migration process, any policies, terms and conditions, or apps you had targeted at your Intune enrollment group are re-targeted to the static group. This means all existing group members get the policy (because they are in the static, parent group) and all newly enrolled devices get the policy (because they are in the dynamic, child group).
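To make the query rule step and the nested-group targeting above concrete, here is an added Python sketch (not Microsoft’s code and not any Intune or Azure AD API) that models a dynamic device group with an enrollmentProfileName rule nested inside an assigned group, the way migration creates them, and reports which devices a policy target would miss. The device records and the rule grammar (only the single-attribute `-eq` form, with optional quotes) are constructed assumptions for this example.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed sample inventory (hypothetical ids, not from the post). "d3" enrolled
# before migration and carries no enrollmentProfileName, so no rule can match it.
DEVICES = [
    {"id": "d1", "enrollmentProfileName": "Kiosk Devices"},
    {"id": "d2", "enrollmentProfileName": "Kiosk Devices"},
    {"id": "d3", "enrollmentProfileName": None},
    {"id": "d4", "enrollmentProfileName": "Lobby iPads"},
]
# Only the single-attribute "-eq" rule form is modelled; quotes are optional.
RULE_RE = re.compile(r'^\(device\.(\w+) -eq "?([^")]*)"?\)$')

def rule_matches(rule: str, device: Dict) -> bool:
    """Evaluate a dynamic-membership rule against one device record."""
    m = RULE_RE.match(rule.strip())
    if not m:
        raise ValueError(f"unsupported rule: {rule}")
    attr, value = m.groups()
    return device.get(attr) == value

@dataclass
class Group:
    name: str
    rule: Optional[str] = None                        # set for dynamic groups
    members: Set[str] = field(default_factory=set)    # assigned device ids
    nested: List["Group"] = field(default_factory=list)

def effective_members(group: Group, devices: List[Dict]) -> Set[str]:
    """Device ids reached by targeting this group, following nested groups."""
    ids = set(group.members)
    if group.rule:
        ids |= {d["id"] for d in devices if rule_matches(group.rule, d)}
    for child in group.nested:
        ids |= effective_members(child, devices)
    return ids

def build_migrated_groups(profile: str, old_group: str, existing: Set[str]):
    """Reproduce the two groups migration creates for one enrollment profile."""
    dynamic = Group(f"EnrollmentProfile: {profile}",
                    rule=f'(device.enrollmentProfileName -eq "{profile}")')
    static = Group(old_group, members=set(existing), nested=[dynamic])
    return static, dynamic

def unreached(target: Group, devices: List[Dict], expected: Set[str]) -> List[str]:
    """Expected device ids that a policy targeted at `target` would not reach."""
    return sorted(expected - effective_members(target, devices))
```

Targeting the dynamic child group alone leaves the pre-migration device unreached, which is why migration re-targets policy at the static parent group.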
We hope this post was helpful in describing the changes you will see in your device enrollment profiles after your account is migrated to the new Intune on Azure experience.