In November 2021 Microsoft added a feature to control the update priority of Android Managed play store apps on enrolled devices. This is great functionality to see, but if you read on you will see that this starts to create a point in time problem with app assignments.
IMPORTANT NOTE – this ONLY applies to:
Managed Play Store applications
App updates only, not new app installs
Devices managed as Device Owner e.g. Fully Managed, Dedicated
The options at the point of release are quite simple in that we can set the assigment of an app to a particular group to be high priority which equates to the app being updated on the device regardless of the devices data connection, charge state and current usage. The tool tip is shown below and a default priority takes account of these settings before attempting update the app in order to have limited disruption or impact to the device.
For clarification of terms, DO in this tooltip = Device Owner
Some use cases I can immediately think of for this are for devices that may be in some kind of re-provisioning or later stage provisioning state after being sat on a shelf for some time and can be updated fast, or those that could be considered for privileged access or VIP in some way and need to have updates applied sooner than your average device. A device without the latest app updates generally constitutes a greater risk.
What to look out for
This is all good and I’m very happy to see progression like this in Intune. In testing of this new feature however, I came across a scenario which I can foresee others asking questions around and unless Microsoft change some of the behaviour in the product which I don’t expect any time soon, we have to consider it and workaround accordingly.
This observation is when you want to use this in combination with the recent filters functionality as you may want to have different behaviour of update priority based on a filter. Filters are being widely adopted at the time of writing this and in short, you can’t assign an app (or other things for that) to the same group more than once. In turn, you can’t select more than one filter or indeed update priority per group that you are assigning to, it’s a kind of one way or the other scenario.
If I use this new functionality and set a high priority update policy to my assignment which is filtered on VIP devices it looks like this.
Now as you can see I’ve used a wide and dynamic group in the assignment (to capture all fully managed devices), then filtered on VIP devices using the enrolmentProfile name. These will be updated as high priority.
However, what I want to do next is add an assignment to the same wide group but with a different filter so they can also recieve high priorty updates. You will soon see that you can’t.
I have to stress that this experience is nothing to do with the new app update priority updates but by adding additional options into an assigment whilst still having a relatively inflexible assignment model starts to create these scenarios.
In order to work around this you would EITHER
- Need to create another group of exactly the same members for the purposes of assignment to the different filter OR
- Create another filter for this purpose which combines both filters with an OR expression.
The problem I have with these is that case 1 goes against what we’re advised by Microsoft in this article and just creates a lot of admin overhead.
Case 2 creates another filter for a single purpose which is wasteful as so many people don’t realise there is a limit of just 50 filters per tenant.
If I come across a better way after posting this, I’ll be sure to make an edit. Otherwise, enjoy the new update priority feature, it’s great to see such an addition.