Endpoint Manager Intune Filter – Android Enterprise Fully Managed

Filters in Intune or Microsoft Endpoint Manager are a gamechanger for the product and can help us assign profiles, policies and apps with greater accuracy than ever before. There are still improvements that can be made for sure, but it’s definitely the way forward.

If you want the explanation of the logic behind this – read on. If you want to fast forward to the query then just scroll to the end.

If you have not used filters before, I encourage you to go and check them out in your tenant – Tenant admin – Microsoft Endpoint Manager admin center
The Microsoft docs on this can be found here – https://docs.microsoft.com/en-us/mem/intune/fundamentals/filters

I wanted to create a filter for Android Fully Managed devices, but for this one we have to think outside of the box.

For example, to create an Azure AD dynamic device group, the dynamic query is this:

(device.deviceOSType -eq "AndroidEnterprise") -and (device.enrollmentProfileName -eq null)

The logic here is that the device is Android Enterprise, but because Fully Managed just uses an enrolment token and there is only a single enrolment profile, the enrolment profile name is subsequently translated to having no value.

If we try to achieve the same with Filters, the obvious choice is to recreate the same query, but it is not that simple.

We can easily create a filter for Android Enterprise in the wizard, but in the rule builder it will actually take the word null as a string value, i.e. the word “null”.

Shoutout to Katy Nicholson who was with me when we looked at this and quickly spotted the issue – we need to remove the quotes in the rule syntax using the Edit link.

 

Great – but that’s not all, as there are a couple of gotchas. First, if you make any changes to that filter with the rule builder (e.g. change Equals to Contains), you will need to go in and edit the rule syntax again.

Second important gotcha here – if we leave it like this we will just get all Android Enterprise devices that don’t have the name of an enrolment profile, and that also includes Personally Owned Work Profile devices. So you guessed it – we also need to add corporate ownership to the filter. When you edit this, though, remember gotcha 1 above.

Before:

After:

 

So, to finally get to the point of the post – the filter rule syntax you will need to use is this:

(device.enrollmentProfileName -eq null) and (device.deviceOwnership -eq "Corporate")
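
A small checker for the two gotchas above, as an added example that is not part of the original post: it flags a rule in which null is still quoted and a rule that lacks the corporate ownership clause. The function names, finding codes and sample rules are constructed for illustration.

```python
import re

# One comparison inside a rule, e.g.  device.enrollmentProfileName -eq "null"
CLAUSE = re.compile(r'device\.(\w+)\s+-(\w+)\s+("[^"]*"|[^\s()]+)')


def parse_clauses(rule):
    """Return (property, operator, raw_value) tuples; names are lower-cased."""
    # Smart quotes from copy/paste are treated as plain double quotes.
    rule = rule.replace("\u201c", '"').replace("\u201d", '"')
    return [(p.lower(), op.lower(), v) for p, op, v in CLAUSE.findall(rule)]


def lint_fully_managed_rule(rule):
    """Check a filter rule against both gotchas; returns a list of finding codes."""
    findings = []
    clauses = parse_clauses(rule)
    profile = [(op, v.lower()) for p, op, v in clauses
               if p == "enrollmentprofilename"]

    # Gotcha 1: the rule builder wrote null as the string "null".
    if any(v == '"null"' for _, v in profile):
        findings.append("quoted-null")
    elif ("eq", "null") not in profile:
        findings.append("no-null-profile-check")

    # Gotcha 2: without the ownership clause, Personally Owned Work Profile
    # devices match as well.
    corporate = any(p == "deviceownership" and op == "eq"
                    and v.strip('"').lower() == "corporate"
                    for p, op, v in clauses)
    if not corporate:
        findings.append("missing-corporate-ownership")
    return findings


# Constructed sample rules: rule builder output, after the first edit, final rule.
SAMPLES = [
    '(device.enrollmentProfileName -eq "null")',
    '(device.enrollmentProfileName -eq null)',
    '(device.enrollmentProfileName -eq null) and (device.deviceOwnership -eq "Corporate")',
]

if __name__ == "__main__":
    for rule in SAMPLES:
        print(lint_fully_managed_rule(rule) or "ok", "<-", rule)
```

Running it against a rule copied from the Edit link after any rule builder change shows whether the quotes have crept back in.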

Hopefully that helps someone out there as it’s not an immediately obvious thing.

/Peter
