How to apply an Intune app protection policy for specific devices

Nick Stewart 0 Reputation points
2024-02-16T11:10:46.3666667+00:00

We have a large number of shared desk phones running Android version 9 (the latest version from the vendor). Any of our users can log in to the shared devices. To complicate matters, we also have a BYO Intune app protection policy applied to all users that prohibits devices from running such a low version of Android. I have been looking at creating a second app protection policy for the desk phones and then excluding them from the main policy. To do this I have created a dynamic AAD group that is auto-populated when these devices register in AAD. However, the documentation for Intune states that app protection policies apply only to user accounts and not to dynamic device groups, so I'm a bit stuck. Other than having a group that we populate manually when a user wants to use a shared desk phone, or not running app protection, does anyone have an automated approach to resolve this issue? Thanks in advance!


3 answers

Sort by: Most helpful
  1. Rahul Jindal [MVP] 10,776 Reputation points MVP
    2024-02-16T15:30:16.5533333+00:00

    Have you considered using Device filters for the assignments instead? You can create a filter for desk phones and exclude it from your APP assignment. Maybe this can help - https://rahuljindalmyit.blogspot.com/2021/06/a-pinch-of-settings-catalog-dash-of.html


  2. Crystal-MSFT 52,216 Reputation points Microsoft Vendor
    2024-02-19T01:47:48.8366667+00:00

    @Nick Stewart, Thanks for posting in Q&A. As you know, an app protection policy can only be assigned to a user group. To prevent the Intune app protection policy that prohibits devices from running a low Android version from applying on these shared devices, you can check whether a filter in Intune can filter these devices. For app protection policies, the filter uses the managed app type.

    https://learn.microsoft.com/en-us/mem/intune/fundamentals/filters#restrictions

    Among the managed app properties, I find one named deviceManagementType with a value "Corporate-owned dedicated devices with Azure AD Shared mode". If these shared devices are enrolled in this way, we can choose this as a filter to prevent your app protection policy from applying to these devices.

    https://learn.microsoft.com/en-us/mem/intune/fundamentals/filters-device-properties#managed-app-properties

    Hope the above information can help.


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
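The approach in the answer above, creating a managed-app assignment filter on the deviceManagementType property and then excluding matching devices from the app protection policy assignment, can be scripted against Microsoft Graph. The block below is an added example, not code from the answer or from Microsoft's documentation. It assumes the Microsoft.Graph PowerShell SDK is installed, that the caller has the DeviceManagementConfiguration.ReadWrite.All permission, and that the beta assignmentFilters endpoint is used. The platform value, the `app.deviceManagementType` rule syntax and the exact value string are assumptions taken from the linked filter documentation and should be checked against it before use; the display name is a constructed sample.

```powershell
# Added example: create a managed-app (APP) assignment filter that matches
# shared desk phones, so it can be used as an "exclude" filter on the
# app protection policy assignment. Assumes Microsoft.Graph PowerShell SDK.
Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All"

# Filter rule: match managed apps reporting the shared-device management type.
# The property name and value string are assumptions taken from the Intune
# "managed app properties" filter documentation; verify them in your tenant.
$rule = '(app.deviceManagementType -eq "Corporate-owned dedicated devices with Azure AD Shared mode")'

$body = @{
    displayName                  = "APP - Shared desk phones (constructed sample name)"
    description                  = "Managed-app filter for Android shared-mode desk phones"
    platform                     = "androidMobileApplicationManagement"  # assumed enum value for APP filters
    rule                         = $rule
    assignmentFilterManagementType = "apps"   # managed-app filter rather than a device filter
}

# Beta endpoint for assignment filters; managed-app filters are not exposed on v1.0.
$filter = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/beta/deviceManagement/assignmentFilters" `
    -Body ($body | ConvertTo-Json -Depth 5) `
    -ContentType "application/json"

Write-Host "Created filter id: $($filter.id)"

# Defender-side check: confirm the filter exists and its rule is what you expect
# before attaching it as an exclude filter to the app protection policy assignment
# in the Intune admin center (Apps > App protection policies > Assignments).
$created = Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/beta/deviceManagement/assignmentFilters/$($filter.id)"
$created | Select-Object id, displayName, platform, rule, assignmentFilterManagementType
```

Once the filter exists, the exclusion itself is configured on the app protection policy's assignment (the "Filter mode: Exclude filtered devices" option), so the restrictive BYO policy stops applying when the Intune-managed app on the desk phone reports the shared-device management type; the separate, more permissive policy described in the question can then target the same user group with the matching "Include" filter.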


  3. Kudi Dzambazi 0 Reputation points
    2025-02-18T22:09:25.2966667+00:00

    Hello, did you find a solution? I'm facing the same problem.

    Would be great to know.
