App and device properties, operators, and rule editing when creating filters in Microsoft Intune
When you create an app, compliance policy, or configuration profile, you assign that app or policy to groups (users or devices). When you assign the app or policy, you can also use assignment filters.
You can use filters on managed devices (devices enrolled in Intune) and managed apps (apps managed by Intune).
When you create a filter, you enter the app or device properties to use in your filter. For example:
- In your managed device filter, enter the device manufacturer so the policy only applies to Microsoft devices.
- In your managed app filter, enter the OS version so the policy only applies to devices with that specific OS version.
Advanced rule editing is also available. You can use common operators, such as and
, contains
, and startsWith
to create expressions. These expressions are saved and used in your filter.
This article describes the different managed device properties, managed app properties, and operators you can use in your filters, and gives examples.
Important
Microsoft Intune is ending support for Android device administrator management on devices with access to Google Mobile Services (GMS) on December 31, 2024. After that date, device enrollment, technical support, bug fixes, and security fixes will be unavailable. If you currently use device administrator management, we recommend switching to another Android management option in Intune before support ends. For more information, see Ending support for Android device administrator on GMS devices.
Managed device properties
You can use the following device properties in your managed device filter rules:
cpuArchitecture
(CPU Architecture): Create a filter rule based on the Intune device CPU architecture property.For Windows, your options are (with
-eq
,-ne
,-in
,-notIn
operators):- amd64
- x86
- arm64
- unknown
For macOS, your options are (with
-eq
,-ne
,-in
,-notIn
operators):- x64
- arm64
- unknown
Examples:
(device.cpuArchitecture -eq "arm64")
(device.cpuArchitecture -in ["x64", "arm64"])
(device.cpuArchitecture -eq "unknown")
This property applies to:
- macOS
- Windows 11
- Windows 10
Note
Currently, enrollment scenarios don't support the
cpuArchitecture
property. Support will be added in a future update (no ETA).deviceCategory
(Device Category): Create a filter rule based on the Intune device category property. Enter the full string value (using-eq
,-ne
,-in
,-notIn
operators), or partial value (using-startswith
,-contains
,-notcontains
operators).Examples:
(device.deviceCategory -eq "Engineering devices")
(device.deviceCategory -contains "Engineering")
(device.model -startsWith "E")
This property applies to:
- Android device administrator
- Android Enterprise
- Android (AOSP)
- iOS/iPadOS
- macOS
- Windows 11
- Windows 10
deviceName
(Device Name): Create a filter rule based on the Intune device name property. Enter a string value for the device's full name (using-eq
,-ne
,-in
,-notIn
operators), or partial value (using-startswith
,-contains
,-notcontains
operators).Examples:
(device.deviceName -eq "Scott's Device")
(device.deviceName -in ["Scott's device", "Sara's device"])
(device.deviceName -startsWith "S")
This property applies to:
- Android device administrator
- Android Enterprise
- Android (AOSP)
- iOS/iPadOS
- macOS
- Windows 11
- Windows 10
deviceOwnership
(Ownership): Create a filter rule based on the device's ownership property in Intune. SelectPersonal
,Corporate
, or unknown values using the-eq
and-ne
operators.Example:
(device.deviceOwnership -eq "Personal")
This property applies to:
- Android device administrator
- Android Enterprise
- Android (AOSP)
- iOS/iPadOS
- macOS
- Windows 11
- Windows 10
deviceTrustType
(Microsoft Entra join type): Create a filter rule based on the device's Microsoft Entra join type. Choose between Azure AD joined, Azure AD registered, Hybrid Azure AD joined, or Unknown values (with-eq
,-ne
,-in
,-notIn
operators).Examples:
(device.deviceTrustType -eq "Azure AD joined")
(device.deviceTrustType -ne "Azure AD registered")
(device.deviceTrustType -in ["Hybrid Azure AD joined","Azure AD joined"])
This property applies to:
- Windows 11
- Windows 10
Note
The
deviceTrustType
property exists in Microsoft Entra ID and Intune. The values in this Intune filters article apply to Intune. They don't apply to Microsoft Entra ID.enrollmentProfileName
(Enrollment profile name): Create a filter rule based on the enrollment profile name. This property is applied to a device when the device enrolls. It's a string value created by you, and matches the Windows Autopilot, Apple Automated Device Enrollment (ADE), or Google enrollment profile applied to the device. To see your enrollment profile names, sign in to the Intune admin center, and go to Devices > Enroll devices.Enter the full string value (using
-eq
,-ne
,-in
,-notIn
operators), or partial value (using-startswith
,-contains
,-notcontains
operators).Examples:
(device.enrollmentProfileName -eq "DEP iPhones")
(device.enrollmentProfileName -startsWith "Autopilot Profile")
(device.enrollmentProfileName -ne $null)
This property applies to:
- Android Enterprise
- Android (AOSP)
- iOS/iPadOS
- Windows 11
- Windows 10
IsRooted
(Rooted or jailbroken): Create a filter rule based on the device's rooted (Android) or jailbroken (iOS/iPadOS) device property. SelectTrue
,False
, or unknown values using the-eq
and-ne
operators.Example:
(device.isRooted -eq "True")
This property applies to:
- Android device administrator
- Android Enterprise (Work profile only)
- Android (AOSP)
- iOS/iPadOS
manufacturer
(Manufacturer): Create a filter rule based on the Intune device manufacturer property. Enter the full string value (using-eq
,-ne
,-in
,-notIn
operators), or partial value (using-startswith
,-contains
,-notcontains
operators).Examples:
(device.manufacturer -eq "Microsoft")
(device.manufacturer -startsWith "Micro")
This property applies to:
- Android device administrator
- Android Enterprise
- Android (AOSP)
- iOS/iPadOS
- macOS
- Windows 11
- Windows 10
model
(Model): Create a filter rule based on the Intune device model property. Enter the full string value (using-eq
,-ne
,-in
,-notIn
operators), or partial value (using-startswith
,-contains
,-notcontains
operators).For iOS/iPadOS and macOS devices, use the model, not the product name. Only the model is recognized for Apple devices. For example, for iPhone 8 devices, enter the model as
iPhone 8
.Examples:
(device.model -eq "Surface Book 3")
(device.model -in ["Surface Book 3", "Surface Book 2"])
(device.model -startsWith "Surface Book")
(device.model -startsWith "MacBookPro")
(device.model -startsWith "iPhone 8")
This property applies to:
- Android device administrator
- Android Enterprise
- Android (AOSP)
- iOS/iPadOS
- macOS
- Windows 11
- Windows 10
operatingSystemVersion
(Operating System Version): Create a filter rule based on the Intune device operating system (OS) version. Enter a version value (using-eq
,-ne
,-gt
,-ge
,-lt
,-le
operators).Examples:
(device.operatingSystemVersion -eq 14.2.1)
(device.operatingSystemVersion -gt 10.0.22000.1000)
(device.operatingSystemVersion -le 10.0.22631.3235)
For a list of supported operators, go to operatingSystemVersion supported operators (in this article).
This property applies to:
- Android device administrator
- Android Enterprise
- Android (AOSP)
- iOS/iPadOS
- macOS
- Windows 11
- Windows 10
Note
The
operatingSystemVersion
property is in public preview. For more information on what that means, go to Public preview in Microsoft Intune.osVersion
(OS Version): Create a filter rule based on the Intune device operating system (OS) version. Enter the full string value (using-eq
,-ne
,-in
,-notIn
operators), or partial value (using-startswith
,-contains
,-notcontains
operators).Tip
The
osVersion
property is being deprecated. Instead, use theoperatingSystemVersion
property. WhenoperatingSystemVersion
is generally available (GA), theosVersion
property will retire, and you won't be able to create new filters using this property. Existing filters that useosVersion
continue to work.Examples:
(device.osVersion -eq "14.2.1")
(device.osVersion -in ["10.15.3 (19D2064)","10.14.2 (18C54)"])
(device.osVersion -startsWith "10.0.18362")
This property applies to:
- Android device administrator
- Android Enterprise
- Android (AOSP)
- iOS/iPadOS
- macOS
- Windows 11
- Windows 10
Note
For Apple devices, the
OSversion
property doesn't include Apple's Security Patch Version (SPV) information. The SPV is the letter after the version number, like14.1.2a
. When creating filters for Apple devices, don't include the SPV in theOSversion
rule syntax.operatingSystemSKU
(Operating System SKU): Create a filter rule based on the device's Windows client OS SKU. Enter the full string value (using-eq
,-ne
,-in
,-notIn
operators), or partial value (using-startswith
,-contains
,-notcontains
operators).Examples:
(device.operatingSystemSKU -eq "Enterprise")
(device.operatingSystemSKU -in ["Enterprise", "EnterpriseS", "EnterpriseN", "EnterpriseEval"])
(device.operatingSystemSKU -startsWith "Enterprise")
You can use the following supported values for the Operating System SKU property. The Intune admin center doesn't show the SKU names. So, be sure to use the supported values in the following table:
Supported value OS SKU definition BusinessN Windows 10/11 Professional N (49) CloudEdition CloudEdition (Windows 11 SE (203) CloudEditionN CloudEditionN (Windows 11 SE N (202) Core Windows 10/11 Home (10/111) CoreCountrySpecific Windows 10/11 Home China (99) CoreN Windows 10/11 Home N (98) CoreSingleLanguage Windows 10/11 Home single language (100) Education Windows 10/11 Education (121) EducationN Windows 10/11 Education (122) Enterprise Windows 10/11 Enterprise (4) EnterpriseEval Windows 10/11 Enterprise Evaluation (72) EnterpriseG Windows 10/11 Enterprise G (171) EnterpriseGN Windows 10/11 Enterprise G N (172) EnterpriseN Windows 10/11 Enterprise N (27) EnterpriseNEval Windows 10/11 Enterprise N Evaluation (84) EnterpriseS Windows 10 Enterprise LTSC (125) EnterpriseSEval Windows 10 Enterprise LTSC Evaluation (129) EnterpriseSN Windows 10 Enterprise LTSC N (126) Holographic Windows 10 Holographic (136) IoTUAP Windows 10 IoT Core (123) IoTUAPCommercial Windows 10 IoT Core Commercial (131) IoTEnterprise Windows 10/11 IoT Enterprise (188) PPIPro Windows 10 TeamOS (119) Professional Windows 10/11 Professional (48) ProfessionalEducation Windows 10/11 Professional Education (164) ProfessionalEducationN Windows 10/11 Professional Education N (165) ProfessionalWorkstation Windows 10/11 Professional for workstation (161) ProfessionalN Windows 10/11 Professional for workstation N (162) ProfessionalSingleLanguage Windows 10/11 Professional Single Language (138) ServerRdsh Windows 10/11 Enterprise multi-session (175) This property applies to:
- Windows 11
- Windows 10
Tip
In Windows PowerShell, use the Get-WmiObject -Class Win32_OperatingSystem |select operatingsystemSKU
command on a Windows device to return the SKU number.
Managed app properties
You can use the following app properties in your managed app filter rules:
appVersion
(App Version): Create a filter rule based on the client reported application version. Enter the full string value (using-eq
,-ne
,-in
,-notIn
operators), or partial value (using-startswith
,-contains
,-notcontains
operators).Examples:
(app.appVersion -eq "14.2.1")
(app.appVersion -in ["10.15.3","10.14.2"])
(app.appVersion -startsWith "10.0")
This property applies to:
- Android
- iOS/iPadOS
- Windows
deviceManagementType
(Device Management Type): Create a filter rule based on the Intune device management type. Select from the following values using the-eq
and-ne
operators:Value Supported platforms Unmanaged
Android
iOS/iPadOSManaged
iOS/iPadOS Android device administrator
Android Android Enterprise
Android AOSP userless devices
Android AOSP user-associated devices
Android Corporate-owned dedicated devices with Azure AD Shared mode
Android Example:
(app.deviceManagementType -eq "Unmanaged")
This property applies:
- Android
- iOS/iPadOS
deviceManufacturer
(Manufacturer): Create a filter rule based on the client reported device manufacturer. Enter the full string value (using-eq
,-ne
,-in
,-notIn
operators), or partial value (using-startswith
,-contains
,-notcontains
operators).Examples:
(app.deviceManufacturer -eq "Microsoft")
(app.deviceManufacturer -startsWith "Micro")
This property applies:
- Android
- iOS/iPadOS
- Windows
deviceModel
(Model): Create a filter rule based on the client reported device model. Enter the full string value (using-eq
,-ne
,-in
,-notIn
operators), or partial value (using-startswith
,-contains
,-notcontains
operators).Examples:
(app.deviceModel -eq "Surface Duo")
(app.deviceModel -in ["Surface Duo", "Surface Duo 2"])
(app.deviceModel -startsWith "Surface Duo")
(app.deviceModel -startsWith "RealityDevice")
This property applies to:
- Android
- iOS/iPadOS/visionOS
- Windows
Note
The
app.deviceModel -startsWith "RealityDevice"
property is in preview and is only supported on the Microsoft Teams app. If your app protection policy is targeted to the iOS/iPadOS platform, it will also apply to visionOS. However, when targeting specific conditional launch settings to visionOS, such as "Min/Max OS version" or "Min app version", you can use the app propertyapp.deviceModel -startsWith "RealityDevice"
in your managed app filter rules.operatingSystemVersion
(Operating System Version): Create a filter rule based on the Intune device operating system (OS) version. Enter a version value (using-eq
,-ne
,-gt
,-ge
,-lt
,-le
operators).Examples:
(app.operatingSystemVersion -eq 14.2.1)
(app.operatingSystemVersion -gt 10.0.22000.1000)
(app.operatingSystemVersion -le 10.0.22631.3235)
For a list of supported operators, go to operatingSystemVersion supported operators (in this article).
This property applies to:
- Android
- iOS/iPadOS
- Windows
Note
The
operatingSystemVersion
property is in public preview. For more information on what that means, go to Public preview in Microsoft Intune.osVersion
(OS Version): Create a filter rule based on the client reported operating system (OS) version. Enter the full string value (using-eq
,-ne
,-in
,-notIn
operators), or partial value (using-startswith
,-contains
,-notcontains
operators).Tip
The
osVersion
property is being deprecated. Instead, use theoperatingSystemVersion
property. WhenoperatingSystemVersion
is generally available (GA), theosVersion
property will retire, and you won't be able to create new filters using this property. Existing filters that useosVersion
continue to work.Examples:
(app.osVersion -eq "14.2.1")
(app.osVersion -in ["10.15.3","10.14.2"])
(app.osVersion -startsWith "10.0")
This property applies to:
- Android
- iOS/iPadOS
- Windows
Advanced rule editing
When you create a filter, you can manually create simple or complex rules in the rule syntax editor. You can also use common operators, such as or
, contains
, and more. The format is similar to Microsoft Entra dynamic groups: ([entity].[property name] [operation] [value])
.
What you need to know
The properties, operations, and values are case insensitive.
Parentheses and nested parentheses are supported.
You can use
Null
or$Null
as a value with the-Equals
and-NotEquals
operators.Some advanced syntax options, such as nested parentheses, are only available in the rule syntax editor. If you use advanced expressions in the rule syntax editor, then the rule builder is disabled.
For more information on the rule syntax editor and the rule builder, go to Use filters when assigning your apps, policies, and profiles
Supported operators
You can use the following operators in the rule syntax editor:
Or: Use for all value types, especially when grouping simple rules.
- Allowed values:
-or
|or
- Example:
(device.manufacturer -eq "Samsung") or (device.model -contains "Galaxy Note")
- Allowed values:
And: Use for all value types, especially when grouping simple rules.
- Allowed values:
-and
|and
- Example:
(device.manufacturer -eq "Samsung") and (device.model -contains "Galaxy Note")
- Allowed values:
Equals: Use for all value types, including simple rules, strings, arrays, and more.
- Allowed values:
-eq
|eq
- Example:
(device.manufacturer -eq "Samsung") and (device.model -eq "Galaxy Note")
- Allowed values:
NotEquals: Use for all value types, including simple rules, strings, arrays, and more.
- Allowed values:
-ne
|ne
- Example:
(device.manufacturer -ne "Samsung") or (device.model -ne "Galaxy Note")
- Allowed values:
StartsWith: Use for string value types.
- Allowed values:
-startsWith
|startsWith
- Example:
(device.manufacturer -startsWith "Sams")
- Allowed values:
In: Use for array value types, such as
["1", "2"]
.- Allowed values:
-in
|in
- Example:
(device.manufacturer -in ["Samsung","Lenovo","Microsoft"])
- Allowed values:
NotIn: Use for array value types, such as
["1", "2"]
.- Allowed values:
-notIn
|notIn
- Example:
(device.manufacturer -notIn ["Samsung","Lenovo","Microsoft"])
- Allowed values:
Contains: Use for string value types.
- Allowed values:
-contains
|contains
- Example:
(device.manufacturer -contains "Samsung")
- Allowed values:
NotContains: Use for string value types.
- Allowed values:
-notContains
|notContains
- Example:
(device.manufacturer -notContains "Samsung")
- Allowed values:
operatingSystemVersion supported operators
When you use the operatingSystemVersion (Operating System Version)
property, you can use the following operators in the rule syntax editor:
Equals: Use for all value types, including simple rules, strings, arrays, and more.
- Allowed values:
-eq
|eq
- Example:
(device.operatingSystemVersion -eq "10.0.22000.1000")
- Allowed values:
NotEquals: Use for all value types, including simple rules, strings, arrays, and more.
- Allowed values:
-ne
|ne
- Example:
(device.operatingSystemVersion -ne "10.0.22000.1000")
- Allowed values:
GreaterThan: Use for version value types.
- Allowed values:
-gt
|gt
- Example:
(device.operatingSystemVersion -gt 10.0.22000.1000)
- Allowed values:
LessThan: Use for version value types.
- Allowed values:
-lt
|lt
- Example:
(device.operatingSystemVersion -lt 10.0.22000.1000)
- Allowed values:
GreaterThanOrEquals: Use for version value types.
- Allowed values:
-ge
|ge
- Example:
(device.operatingSystemVersion -ge 10.0.22000.1000)
- Allowed values:
LessThanOrEquals: Use for version value types.
- Allowed values:
-le
|le
- Example:
(device.operatingSystemVersion -le 10.0.22000.1000)
- Allowed values: