Rubix


Personal Devices and the Intune Management Extension Part 2: Another PSA

Here’s a quick (but important) follow up on the first post. After some additional testing on our end, Steve Weiner and I were able to come up with a solution to assign applications to user-based groups, while excluding corporate (autopilot) devices at the same time.

All Windows 10 devices have a basic registry path that acts as a placeholder for Autopilot settings. When devices are deployed through Autopilot, there are some additional registry settings that are populated with tenant-specific information. Here is one of the unique values that populates with Autopilot enrollment:

Path: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Provisioning\Diagnostics\AutoPilot

Value: CloudAssignedMdmId

The data for that particular value is the Azure tenant ID, but we don’t even need the data. For any .intunewin packages that are assigned to user groups, we can add an additional requirement rule so the app installs only if that registry value exists. See below:
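Intune's built-in registry requirement rule covers the "value exists" check directly, but a custom requirement script is useful when you want to test the same logic on a device first, or to extend it later. The following is an added example, not code from the original post: a PowerShell requirement script that emits `AutopilotEnrolled` when the `CloudAssignedMdmId` value is present under the AutoPilot key named above and `Personal` otherwise. The output strings and the function name are my own choices; configure the rule to compare the script's string output against `AutopilotEnrolled`.

```powershell
# Added example (not from the original post): custom requirement script for an
# Intune Win32 app. Intune runs the script on the device, requires exit code 0,
# and compares standard output with the value configured in the rule
# (suggested rule: output type String, operator Equals, value "AutopilotEnrolled").

$autopilotKey   = 'HKLM:\SOFTWARE\Microsoft\Provisioning\Diagnostics\AutoPilot'
$autopilotValue = 'CloudAssignedMdmId'

function Test-AutopilotRegistryMarker {
    param(
        [string]$Path = $autopilotKey,
        [string]$Name = $autopilotValue
    )
    # The AutoPilot key is present on every Windows 10 device as a placeholder;
    # only Autopilot enrollment populates CloudAssignedMdmId. Test the value,
    # not the key, so a personal (BYO) device does not pass the check.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    return ($null -ne $item)
}

if (Test-AutopilotRegistryMarker) {
    Write-Output 'AutopilotEnrolled'
} else {
    Write-Output 'Personal'
}
exit 0
```

Run it locally on one Autopilot device and one BYO device before wiring it into the app; the expected outputs are `AutopilotEnrolled` and `Personal` respectively. Keep the rule configured to run the script as a 64-bit process: a 32-bit process reading `HKLM\SOFTWARE` is redirected to `WOW6432Node`, where the Provisioning key is not present, and the check would report every device as personal.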

One more gotcha…

After we made these changes, we performed a test BYO enrollment for the specific tenant. Things were looking good: we saw the Intune Management Extension push down, but none of the unwanted applications appeared to install. We even saw Intune reporting the application status as “Not applicable” for the required install. Perfect.

Then all of a sudden, Google Chrome installed. The surprise here was that Google Chrome was only assigned to an Autopilot dynamic device group, yet here it was on a personally enrolled device.

After some digging in Endpoint Manager and some logs, we noticed that the GUID for Chrome was listed as a “ChildId” in the Intune Management Extension log:

What this tells us is that Google Chrome was configured as a dependency of the original application, and the console had that dependency set to install automatically. (For those who aren’t aware, the app GUID appears in your browser’s URL bar when looking at a specific application: https://endpoint.microsoft.com/#blade/Microsoft_Intune_Apps/SettingsMenu/0/appId/11010011-abcd-efgh-1011-abcdefghijkl.) In this screenshot, we are looking at the primary application to view the Chrome dependency:

…so what does this mean? Intune will process and execute any required dependencies before it actually calculates the requirements for the primary application… yikes. 

But hey – there’s a solution. Add the same registry requirement to the Chrome application so that it can’t install on any personal devices. I suppose you could also set the automatic install switch on the dependency to No, but I like the registry check better. And that’s it.
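To confirm on a test device which dependency apps the extension actually processed, it helps to pull the “ChildId” entries out of the Intune Management Extension log rather than scroll through it. The block below is an added example and not part of the original post. It assumes the default log location `C:\ProgramData\Microsoft\IntuneManagementExtension\Logs\IntuneManagementExtension.log`; the sample log lines and the GUIDs in them are constructed for illustration, and because the exact wording around “ChildId” in the real log may differ, the match relies only on the `ChildId` token followed by a GUID.

```powershell
# Added example (not from the original post): list dependency ("ChildId")
# entries from an Intune Management Extension log so you can see which
# dependency apps were processed, and on which device they should not have been.

$defaultImeLog = 'C:\ProgramData\Microsoft\IntuneManagementExtension\Logs\IntuneManagementExtension.log'

function Get-ImeDependencyChildIds {
    param(
        [Parameter(Mandatory)]
        [string[]]$Lines
    )
    $guidPattern = '[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}'
    # Match the ChildId token, any separator characters, then a GUID.
    $pattern = "ChildId\W*($guidPattern)"
    foreach ($line in $Lines) {
        if ($line -match $pattern) {
            [pscustomobject]@{
                ChildId = $Matches[1].ToLowerInvariant()
                Line    = $line.Trim()
            }
        }
    }
}

# Constructed sample lines (not real log output); the GUIDs are placeholders.
$sampleLines = @(
    '<![LOG[[Win32App] Evaluating requirement rules for app 11111111-1111-1111-1111-111111111111]LOG]!>',
    '<![LOG[[Win32App] Processing dependency ChildId: 22222222-2222-2222-2222-222222222222 with AutoInstall=True]LOG]!>',
    '<![LOG[[Win32App] Download started for app 22222222-2222-2222-2222-222222222222]LOG]!>',
    '<![LOG[[Win32App] Processing dependency ChildId: 22222222-2222-2222-2222-222222222222 with AutoInstall=True]LOG]!>'
)

# Prefer the real log when it is present; fall back to the constructed sample.
$lines = if (Test-Path -Path $defaultImeLog) {
    Get-Content -Path $defaultImeLog
} else {
    $sampleLines
}

# One row per distinct dependency GUID, with how often it appeared.
Get-ImeDependencyChildIds -Lines $lines |
    Group-Object -Property ChildId |
    Select-Object @{ Name = 'ChildId'; Expression = { $_.Name } },
                  @{ Name = 'Hits';    Expression = { $_.Count } } |
    Sort-Object -Property Hits -Descending |
    Format-Table -AutoSize
```

Run it on the BYO test device after a sync; any GUID it reports is a dependency that was evaluated, and each of those apps is a candidate for the same registry requirement rule, since the dependency is processed before the parent app's own requirements are checked.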

Anyway, hopefully that closes the gap on managing personal devices.