Assign Intune device category based on users department property

macOS devices enrolled via Apple Business Manager cannot be enrolled in Intune with a group tag, like Windows Autopilot devices can. With a group tag you can create a dynamic device group and then automatically assign a scope tag to the devices in it. So it would be nice to have something similar for macOS devices, so they can also be added to a dynamic device group and get a scope tag assigned automatically. To achieve this I created a PowerShell script that uses the Intune Graph API to automatically assign a (department) device category to the Intune managed macOS devices, based on the department property of the device's primary user. Read on to find out how you can do the same.

Requirements

In order to use this script and change device categories you need an Entra ID account with the correct Intune permissions. You can change the permissions of the default roles or create a custom role by going to:

Tenant administration – Roles

The minimum permission required to add or change a device category is: Managed devices – Update – Yes

And: Organization – Read – Yes

The built-in Help Desk Operator role and the Intune Administrator role have the required permissions, but you can also create a custom role if you want. The script also reads the department attribute of the device's primary user through the Graph users endpoint; any member account can read that attribute of other users by default, so no extra Entra ID role is needed for that part.

Why?

We are starting to manage macOS devices with Intune, but we have different (IT) departments that are responsible for those macOS devices. So it would be nice to put the macOS devices of each (IT) department in their own dynamic device group and automatically assign a scope tag to those devices.

We also wanted to use this dynamic device group to scope the admins of an IT department, so that they can only deploy apps, policies or remote tasks to these macOS devices. You can also use this post and script to do the same for Windows or Linux devices.

In my previous post I showed how you can assign a device category to one device. In this case it has to be automated for more than one device, based on the department property of the user.

Device category

In order to make this work you first need to create the device category you are planning to assign to the macOS devices. In this case I created a device category called IT-Services (the department name).

To create a device category log in to the Intune portal and go to: Devices – Device categories and click on Create device category

Now enter a category name and description. In this example: IT-Services, Device category for department IT-Services.

Click Next.

Add a scope tag if you want, otherwise click Next.

Click Create.

NOTE: If you don't want users to get a pop-up in the Company Portal asking them to select a category, change the default customization policy:

Go to: Tenant administration – Customization – Settings – Edit

Change the device setting "Let users select device categories in the Company Portal" to Block. Otherwise a user can pick another category in the Company Portal, which the script will overwrite again on its next run because it sets the category whenever it differs from the department category.

Dynamic user department group

UPDATE April 2024: I changed the PowerShell script to assign the correct category to the device based on the department attribute of the user. The script no longer needs a separate Entra ID group with the users of the department AND the script now works with parameters. So creating the dynamic user department group is optional.

Once you have created the device category you can create a dynamic user group based on the department property of the users (optional since the April 2024 update).
Earlier versions of the script used this user group to get the UPNs of the users and compare them with the UPN of the primary user assigned to an Intune managed device.

In this example I will create a dynamic user group based on the department: IT-Services

Go to: Groups – All Groups – Select New group

Enter the following:

  • Group type: Security
  • Group name: Enter a name for the group (Example: Employees IT-Services Department)
  • Group description: Enter a matching description (Example: Dynamic user group for IT-Services department employees)
  • Membership type: Dynamic User

At the section: Dynamic user members click on Add dynamic query

Enter the dynamic query by filling in the following:

Property (department), Operator (Equals) and a value (Example: IT-Services) and then click Add expression so it is set in the Rule syntax.

Rule syntax:
(user.department -eq "IT-Services")

You can check if the rule syntax works by validating the rule. Click on Validate Rules (Preview) next to Configure Rules.
Click Add users to select a user that you know is a member of the department. If the rule applies to the user, the validation status will confirm it.

Click on Save and then Create to create the group.

Script

You can download the script I created from my GitHub repo.

# Assign a device category to macOS, Windows or Linux Intune managed devices based on the primary user's department
# author: Remy Kuster
# website: www.iamsysadmin.eu
# Version: 2.0
# Added parameters so the script doesn't have to be changed every time
# Changed the flow of the script to be more efficient: first get the Intune managed devices, then the assigned primary user and the department of that user.

# This script lists the Intune managed devices for the given operating system together with the UPN of the primary user.
# For every device it checks whether the department attribute of the user equals the given department and, if so,
# assigns the (department) device category to the device.
# Usage: Assign-device-category-based-on-users-department.ps1 -NewCategoryName [Value] -OperatingSystem (macOS, Windows or Linux) -Department [Value] (users department)

Param(
    [Parameter(Mandatory)]
    [string]$NewCategoryName,

    [Parameter(Mandatory)]
    [string]$OperatingSystem,

    [Parameter(Mandatory)]
    [string]$Department
)

# -ListAvailable checks the installed modules; without it only modules already loaded in this session are found
# and the module would be reinstalled on every run.
$moduleName = "Microsoft.Graph.Intune"
if (-not (Get-Module -Name $moduleName -ListAvailable)) {
    try {
        Write-Host "Module $moduleName not detected, installing module $moduleName"
        Install-Module $moduleName -Scope CurrentUser -Force -ErrorAction Stop
        Write-Host "Module $moduleName installed"
    }
    catch {
        Write-Error "Failed to install $moduleName. Script will exit!"
        pause
        exit
    }
}
else {
    Write-Host "Module $moduleName detected, no install needed"
}
Import-Module $moduleName

# Authenticate (once). The returned connection object holds the UPN of the signed-in admin, used in the messages below.
try {
    $ConnectMsGraph = Connect-MSGraph -ErrorAction Stop
}
catch {
    Write-Host "An error occurred while connecting to Graph:" -ForegroundColor Red
    Write-Host $_ -ForegroundColor Red
    pause
    exit
}

# Look up the ID of the device category and stop if it does not exist, instead of sending an empty ID to Graph.
$NewCategoryID = (Get-IntuneDeviceCategory | Get-MSGraphAllPages | Where-Object DisplayName -EQ $NewCategoryName).id
if (-not $NewCategoryID) {
    Write-Host "Device category $NewCategoryName not found. Create it first under Devices - Device categories." -ForegroundColor Red
    pause
    exit
}

# Get all Intune managed devices with the given operating system.
# Get-MSGraphAllPages follows the @odata.nextLink, so tenants with more than one page of devices are handled too.
$Devices = Get-IntuneManagedDevice | Get-MSGraphAllPages |
    Where-Object OperatingSystem -EQ $OperatingSystem |
    Select-Object -Property DeviceName, ID, UserPrincipalName, DeviceCategoryDisplayName

function Set-DeviceCategory {
    param(
        [Parameter(Mandatory)]
        [string]$DeviceID,

        [Parameter(Mandatory)]
        [string]$NewCategoryID
    )

    # deviceCategory is a navigation property of the managed device, so it is set with a PUT on its $ref
    $body = @{ "@odata.id" = "https://graph.microsoft.com/beta/deviceManagement/deviceCategories/$NewCategoryID" }
    try {
        Invoke-MSGraphRequest -HttpMethod PUT -Url "deviceManagement/managedDevices/$DeviceID/deviceCategory/`$ref" -Content $body -ErrorAction Stop
        return $true
    }
    catch {
        if ($_.Exception.Message -like "*User is not authorized to perform this operation*") {
            Write-Host "User $($ConnectMsGraph.UPN) is not authorized to perform this operation!" -ForegroundColor Red
            Write-Host "Please check the permissions of the account and try again." -ForegroundColor Red
        }
        else {
            Write-Host "Setting the category failed: $($_.Exception.Message)" -ForegroundColor Red
        }
        return $false
    }
}

# For every Intune managed device: get the department of the primary user and, if it matches, assign the new category.
foreach ($Device in $Devices) {
    $UPN = $Device.UserPrincipalName

    # Devices without a primary user (for example shared devices) have no UPN, skip them
    if ([string]::IsNullOrEmpty($UPN)) {
        Write-Host "Device $($Device.DeviceName) has no primary user, category $NewCategoryName not assigned" -ForegroundColor Red
        continue
    }

    # Get the department attribute of the primary user. The UPN is URL-encoded because guest UPNs contain '#'.
    $User = Invoke-MSGraphRequest -HttpMethod GET -Url "https://graph.microsoft.com/beta/users/$([uri]::EscapeDataString($UPN))?`$select=department"

    # Exact (case-insensitive) comparison; a -match would also accept a partial department name such as "IT"
    if ($User.department -eq $Department) {
        Write-Host "User $UPN is member of department $Department" -ForegroundColor Green

        # Check if the new category isn't already assigned to the device
        if ($Device.DeviceCategoryDisplayName -eq $NewCategoryName) {
            Write-Host "Category $NewCategoryName is already assigned to device: $($Device.DeviceName)" -ForegroundColor Red
            continue
        }

        Write-Host "Category $NewCategoryName is NOT assigned to device: $($Device.DeviceName)" -ForegroundColor Yellow
        Write-Host "Adding category $NewCategoryName to device: $($Device.DeviceName)" -ForegroundColor Yellow

        if (-not (Set-DeviceCategory -DeviceID $Device.ID -NewCategoryID $NewCategoryID)) {
            continue
        }

        # Check if the assignment of the new category is completed. Poll a limited number of times
        # instead of forever, so a failed change does not hang the script.
        $Attempts = 0
        do {
            Write-Host "Please wait!" -ForegroundColor Yellow
            Start-Sleep -Seconds 10
            $DeviceCategoryCurrent = (Get-IntuneManagedDevice -managedDeviceId $Device.ID).DeviceCategoryDisplayName
            $Attempts++
        } until ($DeviceCategoryCurrent -eq $NewCategoryName -or $Attempts -ge 6)

        if ($DeviceCategoryCurrent -eq $NewCategoryName) {
            Write-Host "Category of $($Device.DeviceName) is changed to $NewCategoryName" -ForegroundColor Green
        }
        else {
            Write-Host "Category of $($Device.DeviceName) was not changed after 60 seconds, check the device in the Intune portal" -ForegroundColor Red
        }
    }
    else {
        Write-Host "User $UPN is NOT member of department $Department so category: $NewCategoryName not assigned to device: $($Device.DeviceName)" -ForegroundColor Red
    }
}


Run the script by entering the parameters:

-NewCategoryName [the category name you want to assign to the devices]

-OperatingSystem [macOS, Windows or Linux]

-Department [the department attribute of the users you want to check on]

In my case I wanted to add the category IT-Services to the devices with the operating system macOS, based on the department IT-Services of the users.

.\Assign-device-category-based-on-users-department.ps1 -NewCategoryName IT-Services -OperatingSystem macOS -Department IT-Services


Enter your Entra ID admin account when prompted and complete MFA if required.

The script reports every Intune managed macOS device whose primary user has the department attribute IT-Services and adds the new category to that device.

If the device category is already set, the script will not change it again.

In the Intune portal you can verify that the device category has been changed.
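The script above uses the Microsoft.Graph.Intune module (the older Intune PowerShell SDK), which signs in through the Microsoft Intune PowerShell enterprise app and hides paging and scopes from you. As an added example, and not code from the original post or its GitHub repo, here is the same logic written against the current Microsoft.Graph PowerShell SDK. It requests only the two delegated scopes the job needs, follows @odata.nextLink so tenants with more than one page of devices are handled, keeps the decision whether to touch a device in a function without Graph calls so it can be reviewed on its own, and supports -WhatIf so you can see what would change before anything is written. It assumes the Microsoft.Graph.Authentication module is installed, that the account holds an Intune role with Managed devices: Update, and the same three parameters as the original script; the function names Get-GraphCollection and Get-CategoryAction are my own.

```powershell
#Requires -Modules Microsoft.Graph.Authentication
# Added example: assign a device category with the Microsoft.Graph SDK (not the original script).
# Assumptions: Microsoft.Graph.Authentication is installed, the signed-in account has an Intune role
# with "Managed devices: Update", parameters are the same as the original script.
[CmdletBinding(SupportsShouldProcess)]
param(
    [Parameter(Mandatory)] [string]$NewCategoryName,
    [Parameter(Mandatory)] [string]$OperatingSystem,   # e.g. macOS, Windows, Linux
    [Parameter(Mandatory)] [string]$Department
)

$Beta = "https://graph.microsoft.com/beta"

# Follow @odata.nextLink so every page of a collection is returned, not only the first one.
function Get-GraphCollection {
    param([Parameter(Mandatory)][string]$Uri)
    do {
        $page = Invoke-MgGraphRequest -Method GET -Uri $Uri -OutputType PSObject
        $page.value
        $Uri = $page.'@odata.nextLink'
    } while ($Uri)
}

# Pure decision, free of Graph calls, so the rule can be read (and tested) without a tenant.
# Returns 'skip-no-user', 'skip-other-department', 'skip-already-set' or 'assign'.
function Get-CategoryAction {
    param($Device, [string]$UserDepartment, [string]$Department, [string]$NewCategoryName)
    if ([string]::IsNullOrEmpty($Device.userPrincipalName)) { return 'skip-no-user' }      # shared device, no primary user
    if ($UserDepartment -ne $Department) { return 'skip-other-department' }                  # exact match, not -match
    if ($Device.deviceCategoryDisplayName -eq $NewCategoryName) { return 'skip-already-set' }
    return 'assign'
}

# Least-privilege delegated scopes: read/update managed devices and read the department attribute of users.
# Intune RBAC (the role with Managed devices: Update) still applies on top of these scopes.
Connect-MgGraph -Scopes "DeviceManagementManagedDevices.ReadWrite.All", "User.Read.All" -NoWelcome

$category = Get-GraphCollection "$Beta/deviceManagement/deviceCategories" |
    Where-Object displayName -eq $NewCategoryName | Select-Object -First 1
if (-not $category) { throw "Device category '$NewCategoryName' does not exist, create it first" }

# Server-side filter on the operating system and only the properties the decision needs.
$devices = Get-GraphCollection ("$Beta/deviceManagement/managedDevices?`$filter=operatingSystem eq '$OperatingSystem'" +
    "&`$select=id,deviceName,userPrincipalName,deviceCategoryDisplayName")

foreach ($device in $devices) {
    $userDepartment = $null
    if ($device.userPrincipalName) {
        $upn = [uri]::EscapeDataString($device.userPrincipalName)   # guest UPNs contain '#'
        $userDepartment = (Invoke-MgGraphRequest -Method GET -Uri "$Beta/users/${upn}?`$select=department" -OutputType PSObject).department
    }

    $action = Get-CategoryAction $device $userDepartment $Department $NewCategoryName
    if ($action -ne 'assign') {
        Write-Host "$($device.deviceName): $action"
        continue
    }

    # With -WhatIf this prints the change instead of applying it.
    if ($PSCmdlet.ShouldProcess($device.deviceName, "Set device category to $NewCategoryName")) {
        $body = @{ "@odata.id" = "$Beta/deviceManagement/deviceCategories/$($category.id)" } | ConvertTo-Json
        Invoke-MgGraphRequest -Method PUT -Uri "$Beta/deviceManagement/managedDevices/$($device.id)/deviceCategory/`$ref" `
            -Body $body -ContentType "application/json"
        Write-Host "$($device.deviceName): category set to $NewCategoryName"
    }
}
```

Run it first as `.\Set-DeviceCategoryByDepartment.ps1 -NewCategoryName IT-Services -OperatingSystem macOS -Department IT-Services -WhatIf` (any file name works, this one is just an example) to get a list of the devices that would be changed; without -WhatIf the PUT is sent for each of them. Because the decision is made in Get-CategoryAction on the device object and the department string, you can feed it constructed objects in a test to check the four outcomes before pointing the script at a tenant.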

Dynamic device category group

Now that you have assigned the device category to the macOS devices used by the employees of the department, you can create a dynamic device group based on the device category and the operating system macOS.

To create the dynamic device group go to: Groups – New group

Enter the following:

  • Group type: Security
  • Group name: Enter a name for the group (Example: macOS devices department IT-Services)
  • Group description: Enter a matching description (Example: Dynamic query for macOS devices with device category IT-services)
  • Membership type: Dynamic Device

At the section: Dynamic device members click on Add dynamic query

Enter the dynamic query:

Property (deviceCategory), Operator (Equals) and a value (Example: IT-Services)

AND

Property (deviceOSType), Operator (Equals) and a value (MacMDM)

Rule syntax:
(device.deviceCategory -eq "IT-Services") and (device.deviceOSType -eq "MacMDM")

Click on Save and then Create to create the group.
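The two dynamic groups in this post (the optional user group on the department attribute and the device group on device category and OS type above) can also be created through Microsoft Graph. The following is an added example, not code from the original post: it builds the two membership rules as strings (with straight quotes, which the rule editor and Graph require) and creates a dynamic security group with rule processing switched on. It assumes the Microsoft.Graph.Authentication module, an account allowed to create groups (delegated scope Group.ReadWrite.All) and the Entra ID P1 licence that dynamic groups need; the group names, the category IT-Services and the MacMDM OS type are the ones used in the post, and the mailNickname is derived from the display name here.

```powershell
#Requires -Modules Microsoft.Graph.Authentication
# Added example (not from the original post): create the dynamic groups of this post via Graph.
# Assumes Group.ReadWrite.All and an Entra ID P1 licence; names and values as used in the post.

# Membership rule for the device group. The OS type MacMDM is the value the post uses for macOS devices.
function New-DeviceCategoryRule {
    param(
        [Parameter(Mandatory)][string]$DeviceCategory,
        [string]$DeviceOSType = "MacMDM"
    )
    # Straight double quotes: typographic quotes are a syntax error in a membership rule
    return "(device.deviceCategory -eq `"$DeviceCategory`") and (device.deviceOSType -eq `"$DeviceOSType`")"
}

# Membership rule for the (optional) dynamic user group on the department attribute.
function New-UserDepartmentRule {
    param([Parameter(Mandatory)][string]$Department)
    return "(user.department -eq `"$Department`")"
}

# Creates a dynamic security group and turns membership rule processing on.
function New-DynamicSecurityGroup {
    param(
        [Parameter(Mandatory)][string]$DisplayName,
        [Parameter(Mandatory)][string]$Description,
        [Parameter(Mandatory)][string]$MembershipRule
    )
    $body = @{
        displayName                   = $DisplayName
        description                   = $Description
        mailEnabled                   = $false
        mailNickname                  = ($DisplayName -replace '[^A-Za-z0-9]', '')   # must be unique and alphanumeric
        securityEnabled               = $true
        groupTypes                    = @("DynamicMembership")
        membershipRule                = $MembershipRule
        membershipRuleProcessingState = "On"
    } | ConvertTo-Json
    Invoke-MgGraphRequest -Method POST -Uri "https://graph.microsoft.com/v1.0/groups" `
        -Body $body -ContentType "application/json" -OutputType PSObject
}

Connect-MgGraph -Scopes "Group.ReadWrite.All" -NoWelcome

# Device group from this section
$deviceRule = New-DeviceCategoryRule -DeviceCategory "IT-Services"
$deviceGroup = New-DynamicSecurityGroup -DisplayName "macOS devices department IT-Services" `
    -Description "Dynamic query for macOS devices with device category IT-Services" -MembershipRule $deviceRule
Write-Host "Created $($deviceGroup.displayName) ($($deviceGroup.id)) with rule: $deviceRule"

# Optional user group from the section 'Dynamic user department group'
$userRule = New-UserDepartmentRule -Department "IT-Services"
$userGroup = New-DynamicSecurityGroup -DisplayName "Employees IT-Services Department" `
    -Description "Dynamic user group for IT-Services department employees" -MembershipRule $userRule
Write-Host "Created $($userGroup.displayName) ($($userGroup.id)) with rule: $userRule"
```

Membership of a dynamic group is evaluated by Entra ID after the group is created, so the device group stays empty until the devices carry the category and the rule has been processed; the group's Membership processing status in the portal shows when that has happened.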

Auto assign device scope tag

Now that you have created the dynamic device group you can use it to automatically assign a scope tag to the devices in the group. This is optional, but if you want to hide these devices from certain admins in the Intune portal you can use scope tags.

More information about scope tags:

Use role-based access control (RBAC) and scope tags for distributed IT – Microsoft Intune | Microsoft Learn

To create a scope tag go to: Tenant Administration – Roles – Scope tags – Create

Enter the following:

  • Name: Enter a name for the Scope tag (Example: IT-Services)
  • Description: Enter a description for the Scope tag (Example: Scope tag for IT-Services)

Click Next.

Assign the dynamic device group so the devices in it get the scope tag. Click Add groups and select the group (Example: macOS devices department IT-Services).

Click Next and Create.

Don't forget to also add the scope tag to the role assignment of the Intune admins (Scope (Tags)) if those admins should only see objects with this scope tag.

https://learn.microsoft.com/en-us/mem/intune/fundamentals/scope-tags#to-assign-a-scope-tag-to-a-role

Assign the dynamic device group to an Intune admin role

You can also use this dynamic device group as the scope group of an admin role assignment, so those admins can only deploy apps, policies or remote tasks to these (macOS) devices.

https://learn.microsoft.com/en-us/mem/intune/fundamentals/scope-tags#to-assign-a-scope-tag-to-a-role

Go to: Tenant administration – Roles – All roles and select an already created and assigned Intune role. In this example I use the role: IT-Services helpdesk

Go to: Assignments and click on the assignment name.

Go to: Scope (Groups) – Edit.

Remove the already included groups and only include the dynamic device group you created. In this example: macOS devices department IT-Services.

Click Review and Save and then Save.

Conclusion

Although macOS devices don't get a group tag when enrolled in Intune, you can still automatically add them to a dynamic device group based on a device category and the OS attribute.

With the script in this post you can automatically assign a device (department) category to macOS (Windows or Linux) devices based on the department attribute of the device's primary user. The script does this by getting the Intune managed devices, the UPN of the primary user assigned to each device, and the department of that user.

If the department matches, the device category is assigned to the device, and once the device category is set the device is added to the dynamic device group.

With this dynamic device group you can do more nice things:

Automatically assign a scope tag to the devices in the group, or scope an Intune admin role to the group so those admins can only deploy apps, policies or remote tasks to the devices in it.

Hope you like my post. In my next post I will show how you can run this script without entering user credentials. So stay tuned!
