Intune Assignment Options
Updated: Feb 2
SUMMARY:
Whether deploying an application, configuration profile, script, or policy, you must configure the assignment: who does or does not receive the deployment? Also, what happens if we remove the assignment configuration from a deployment? This article will answer these two questions.
Adding an Assignment
Assignment Scope - who or what?
First, let's look at the different scope options Intune gives us when configuring the who or what that receives the deployment. The following three options are consistent whether you are deploying an application, configuration profile, script, or policy.
Scope | Description |
---|---|
All Devices or All Users | You can assign the deployment to all of the devices in your tenant that match the OS chosen for the deployment. If assigned to all users, the deployment will be assigned to all OS-appropriate devices that the user is the primary owner of (user affinity). |
User/Device Security Group | You can assign to a security group(s). All group members will then receive the app, policy, profile, etc. As mentioned above, if the member is a device, then it will only receive the deployment if it is OS-appropriate; if the member is a user, then the deployment will be installed on all of the OS-appropriate devices that the user is the primary owner of (user affinity). |
All Devices or All Users with an Assignment Filter | You can create assignment filters to narrow the scope of a deployment. First, create a filter, then select the scope of “All Devices” or “All Users” and apply the filter you created. Using a filter allows you to deploy to a very specific subset of devices/users and it allows for the list to be dynamic (changes over time). Click here to learn more about Filters. |
Assignment Modes - include or exclude?
When you choose your assignment scope, you must also decide whether the scope should be included or excluded in the deployment. The default mode is include.
IMPORTANT:
If you use both the Include and Exclude assignment modes with different assignment scopes, ensure that all scopes are the same type. Both groups should contain users or both groups should contain devices; avoid mixing and matching.
NOTE:
For application deployments where a device is in both the included and excluded assignment scopes, the excluded group will only take precedence if the assignment scopes for the include and exclude assignment options are the same type (e.g., user and user groups).
Assignment Types - deploy or remove?
For each type below, you define the application scope and whether to include or exclude the scope for the assignment type. See the table below to learn about the different assignment types:
Type | Description |
---|---|
Required | The assigned scope will receive the deployment if the assignment mode is include, or it will not receive the deployment if the mode is exclude. |
Available for enrolled devices | The deployment will only appear as available to the user and their devices in the Intune Company Portal application. The user has the option whether to install the application or not. There are some caveats for this assignment type; click the link below to learn more: https://learn.microsoft.com/en-us/mem/intune/apps/apps-deploy Note that this assignment type is only available for applications. |
Uninstall | The assigned scope will have the deployment removed if the assignment mode is include. If the mode is exclude, the assigned scope will NOT have the deployment removed. Note that this assignment type is only available for applications. |
See the examples below that show some different assignment configuration combinations:
Example 1
If I want to deploy an application to all devices in my organization, I would choose the following assignment configuration:
Assignment Type: Required
Assignment Mode: Include
Application Scope: all devices or all users

Example 2
If I want to deploy an application to all devices in my organization but want to exclude a specific group of devices, I would choose the following assignment configuration (notice that I have one assignment type but will have two assignment modes and corresponding scopes):
Assignment Type: Required
Assignment Mode A: Include
Application Scope A: all devices or all users
Assignment Mode B: Exclude
Application Scope B: the security group that contains the devices I want to exclude

Deleting an Assignment
The information above pertains to adding assignment scopes, modes, and types for an application, configuration profile, script, or policy deployment. But what happens if I open the same deployment and just delete the assignment configuration? See below:
Please note that I am NOT referring to changing the assignment type to Uninstall; I am referring to deleting the configured assignment scope, type, and modes altogether.
Applications
Removing a group assignment does not remove the related app except on Android Enterprise: dedicated, fully managed, and corporate-owned work profile devices. The installed app will remain on the device. — Microsoft
If you need software to uninstall when a member is removed from a group, use the steps below:
Assign the application to the user/device group.
Add “All users” or “All devices” to the Uninstall section.
Add the user/device group to the exclusion list for the Uninstall section.
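The three steps above, combined with the earlier IMPORTANT note about keeping include and exclude scopes the same type, can be written as the assignment list that Microsoft Graph's mobile app `assign` action accepts. This is an added example, not code from the original article: the group IDs and the `KINDS` lookup are constructed sample data, and `uninstall_on_removal` and `lint` are hypothetical helper names.

```python
import json

# Added example. The @odata.type names are Microsoft Graph types; the group IDs
# and the KINDS lookup (group -> "user" or "device") are constructed sample data.
G = "#microsoft.graph."
ALL_TARGETS = {"device": G + "allDevicesAssignmentTarget",
               "user": G + "allLicensedUsersAssignmentTarget"}  # "All users"
KIND_OF_ALL = {v: k for k, v in ALL_TARGETS.items()}
EXCLUDE = G + "exclusionGroupAssignmentTarget"

def assignment(intent, odata_type, group_id=None):
    """One mobileAppAssignment entry (intent + target)."""
    target = {"@odata.type": odata_type}
    if group_id:
        target["groupId"] = group_id
    return {"@odata.type": G + "mobileAppAssignment", "intent": intent, "target": target}

def uninstall_on_removal(group_id, all_kind):
    """Required for the group; Uninstall for 'All <all_kind>s' except that group."""
    return [assignment("required", G + "groupAssignmentTarget", group_id),
            assignment("uninstall", ALL_TARGETS[all_kind]),
            assignment("uninstall", EXCLUDE, group_id)]

def lint(assignments, group_kinds):
    """Flag intents whose include and exclude scopes mix users and devices."""
    seen = {}
    for a in assignments:
        t = a["target"]
        # Groups missing from group_kinds count as "unknown" and are flagged.
        kind = KIND_OF_ALL.get(t["@odata.type"]) or group_kinds.get(t.get("groupId"), "unknown")
        mode = "exclude" if t["@odata.type"] == EXCLUDE else "include"
        seen.setdefault(a["intent"], {"include": set(), "exclude": set()})[mode].add(kind)
    findings = []
    for intent, m in seen.items():
        kinds = m["include"] | m["exclude"]
        if m["exclude"] and len(kinds) > 1:
            findings.append(f"{intent}: include/exclude mix {sorted(kinds)} scopes")
    return findings

DEVICE_GROUP = "00000000-0000-0000-0000-0000000000d1"  # constructed
USER_GROUP = "00000000-0000-0000-0000-0000000000a1"    # constructed
KINDS = {DEVICE_GROUP: "device", USER_GROUP: "user"}

good = uninstall_on_removal(DEVICE_GROUP, "device")
bad = uninstall_on_removal(USER_GROUP, "device")  # user group vs. All devices

def request_body(assignments):
    """JSON body for POST /deviceAppManagement/mobileApps/{id}/assign."""
    return json.dumps({"mobileAppAssignments": assignments}, indent=2)

if __name__ == "__main__":
    print(lint(good, KINDS), lint(bad, KINDS))
```

Running the lint over exported assignments before a change goes live catches the case where a user group is excluded from an “All devices” uninstall, which the NOTE above says will not reliably take precedence.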
Configuration Profiles & Policies
Removing the group assignment may or may not remove the profile or policy settings from the device. Microsoft recommends creating a new configuration profile or policy, setting it to not configured or the desired new setting, and deploying it to the same assignment scope. See below:
To change a setting to a different value, create a new policy, configure the setting to Not configured, and assign the policy. When the policy applies to the device, users should have control to change the setting to their preferred value. -- Microsoft
Scripts
Remember that platform scripts execute only once on each device unless the initial execution is unsuccessful. If a script fails or errors out, Intune will retry it three more times, once at each subsequent check-in. After three tries, it won't run again.
Removing an assignment scope will only affect the deployment if the script failed the first time it executed and has not yet been retried three times. Other than that, removing the assignment will only prevent new users/devices added to the original assignment scope from getting the script.