How to exclude all company devices from an Intune Application Protection Policy (APP)

Woody Chiu at RASI 221 Reputation points
2025-03-12T15:05:58.52+00:00

Our company environment is in a hybrid setup. We have an on-prem Entra Connect server synchronizing our on-prem AD with Entra ID in the cloud. We also use Intune to manage our devices including Windows, iOS, and Android.

The new project I am working on is setting up the BYOD environment securely in Intune, so that users can use their personal devices with their corporate credentials to access company data securely.

There are two main things to set up. They are a Conditional Access Policy (CAP) and several Application Protection Policies (APP). Different APPs target different types of OS devices like Android, iOS, and Windows.

I need the CAP to block corporate data access attempts if the device is not assigned any APP.

I do not need the APP to be applied to any current company devices, including AD joined, Azure AD joined, and hybrid Azure AD joined devices.

Here is the difficult part that I need help with. It's the expression to be applied as an exclude filter to exclude all company devices, no matter what type, from needing an APP to access corporate data. This is because all these setups are meant to apply to any unknown or personally owned user devices trying to access corporate data. Company devices are already being managed by AD, Entra, or Intune.

However, I found the terms or words used in Intune for all these devices confusing. That makes it very hard for me to come up with the expression to be used in the exclude filter. For example, (device.deviceOwnership -eq "Company") is not all financially company-owned devices but all Intune-enrolled devices. (device.deviceOwnership -eq "Personal") is not meant for all users' personally owned devices, but all Entra-registered devices, etc.

Would you be able to help compose the expression to precisely identify all company devices so that I can exclude them from needing an Application Protection Policy (APP) for attempting to access the corporate data, mostly in our Microsoft 365 environment, like Outlook, Teams, Word, Excel, etc.?


1 answer

  1. Xenia-MSFT 5,015 Reputation points Microsoft External Staff
    2025-03-13T01:58:25.7366667+00:00

    @Anonymous Thanks for posting in our Q&A.

    If you use the BYOD enrollment method to enroll devices, ownership will show personal. If you use another enrollment method (for example, GPO enrollment or Autopilot enrollment) to enroll devices, ownership will show corporate. We can check the ownership value in the device properties.

    So, (device.deviceOwnership -eq "Company") means filter the devices whose ownership shows corporate.

    (device.deviceOwnership -eq "Personal") means filter the devices whose ownership shows personal. We always call them the personal devices that are enrolled in Intune.

    To clarify this issue, how do you define company devices? Devices that are enrolled in Intune, no matter whether their ownership shows corporate or personal? Or only those whose ownership shows corporate can be called company devices?

    If there is any update, feel free to let us know.


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

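As an added example (not code from this thread, from Microsoft, or from either participant), the following shows one way to express the exclusion the question asks about: a Conditional Access policy that requires an app protection policy for Microsoft 365 apps, with a filter for devices that excludes Entra joined and hybrid joined device objects. It uses the Microsoft Graph PowerShell SDK; the policy name, the group object id placeholder and the choice to start in report-only mode are assumptions.

```powershell
# Added example, not from the thread. Assumes the Microsoft.Graph PowerShell SDK
# is installed and the account has Conditional Access admin rights.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Filter-for-devices rule. device.trustType values in Entra ID:
#   "AzureAD"   = Entra joined
#   "ServerAD"  = hybrid Entra joined (on-prem AD joined and synced)
#   "Workplace" = Entra registered (typical BYOD state)
# Caveat: a device joined only to on-prem AD that was never synced has no Entra
# device object, so no device filter can match it; it is evaluated as an
# unregistered device, exactly like an unknown personal device.
$companyDeviceRule = '(device.trustType -eq "AzureAD") -or (device.trustType -eq "ServerAD")'

$policy = @{
    displayName = "BYOD - require app protection policy (EXAMPLE)"
    # Start in report-only mode and review sign-in logs before enforcing.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        # Placeholder: object id of the group of users allowed to use BYOD.
        users          = @{ includeGroups = @("<byod-users-group-object-id>") }
        # "Office365" is the built-in Office 365 application group.
        applications   = @{ includeApplications = @("Office365") }
        platforms      = @{ includePlatforms = @("iOS", "android", "windows") }
        clientAppTypes = @("mobileAppsAndDesktopClients")
        devices        = @{
            deviceFilter = @{
                mode = "exclude"      # devices matching the rule are NOT subject to the grant
                rule = $companyDeviceRule
            }
        }
    }
    grantControls = @{
        operator        = "OR"
        # "compliantApplication" is the "Require app protection policy" control.
        builtInControls = @("compliantApplication")
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

Because the filter works on device object attributes, the trustType test distinguishes joined devices from registered ones independently of deviceOwnership, whose Company/Personal value reflects the Intune enrollment method as the answer above describes.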
