Requirement rules in Microsoft Intune offer a powerful way to manage application deployments. By ensuring that applications are installed only on devices that meet specific criteria, organizations can enhance security, improve user experience, and streamline IT processes.
Limitations of Intune's GUI Requirement Rules
Intune provides requirement rules through its GUI, but these options are somewhat limited to operating system and hardware checks. If you come from a SCCM/ConfigMgr background, you may be familiar with "global conditions," which allow you to reuse conditions across multiple applications. Unfortunately, Intune does not currently support this feature.
Custom Scripts for Flexibility
One of the unique aspects of Intune is the ability to create custom scripts for requirement rules specific to individual applications. These scripts determine whether a device satisfies the necessary conditions before allowing the application installation. If a device meets the defined criteria, the application is installed; otherwise, the installation is skipped.
It's important to note that if you create multiple requirement rules through either script or the UI, they operate on an AND basis. If you need an OR operation, you must create a custom script to achieve that.
Real-World Example: Hybrid Azure AD Joined Devices
While working with a customer, we had a requirement to allow application installations on hybrid joined devices while excluding Azure AD joined devices. To fulfill this need, we can create a custom script to identify whether a device is hybrid joined.
To determine the device state, we utilized the dsregcmd command. Here are some key parameters to check:
- AzureADJoined
- DomainJoined
When both parameters return "YES," the device is classified as "Microsoft Entra hybrid joined."
Here's a sample output of the dsregcmd /status command for reference:
And the output of the PowerShell script will look like this:
Implementing the Script in Intune Requirement Rules
To use the script in Intune requirement rules, follow these steps:
- Edit Your Win32 Application: Navigate to the application you want to modify and go to the "Requirement Rules" section.
- Add a Script: Click on "Add" and choose "Script."
- Upload the Script: Download the script from the GitHub repository, then upload or select it in Intune.
- Configure the Rule: Set the "Select output data type" to "String," the operator to "Equals," and the value to "Yes."
- Review and Save: After configuring the settings, click on "Review" and then "Save."
Now, Intune will validate whether the device state is hybrid joined before allowing the application installation. If the device is not hybrid joined, the application installation will be skipped, and the status will be updated accordingly.
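As an added illustration (not the script from the GitHub repository referenced above), the following PowerShell requirement script shows one way to implement the check described in this post: it runs dsregcmd /status, parses the AzureADJoined and DomainJoined values, and writes "Yes" only when both are YES, so it matches the String / Equals / "Yes" rule configured above. It assumes the default Intune requirement-script options (system context, 64-bit) and that dsregcmd.exe is present under System32.

```powershell
# Added example: Intune Win32 app requirement script for "hybrid joined" devices.
# Rule settings assumed: output data type "String", operator "Equals", value "Yes".
# Only the final "Yes"/"No" may reach stdout; any extra output breaks the string match.

function Get-DsregState {
    param([string[]]$StatusLines)
    # dsregcmd /status prints lines such as "   AzureAdJoined : YES" and "   DomainJoined : YES".
    # PowerShell -match and hashtable keys are case-insensitive, so "AzureAdJoined" and
    # "AzureADJoined" (as written in the post) are treated the same.
    $state = @{ AzureADJoined = $null; DomainJoined = $null }
    foreach ($line in $StatusLines) {
        if ($line -match '^\s*(AzureAdJoined|DomainJoined)\s*:\s*(YES|NO)\s*$') {
            $state[$Matches[1]] = $Matches[2].ToUpperInvariant()
        }
    }
    return $state
}

function Test-HybridJoined {
    param([string[]]$StatusLines)
    $state = Get-DsregState -StatusLines $StatusLines
    # Hybrid joined = AzureADJoined YES AND DomainJoined YES.
    # (YES/NO = Entra joined only; NO/YES = on-premises domain joined only; both NO = workgroup.)
    return ($state.AzureADJoined -eq 'YES' -and $state.DomainJoined -eq 'YES')
}

# Call dsregcmd by full path so a modified PATH cannot substitute another binary.
$dsregcmd = Join-Path $env:SystemRoot 'System32\dsregcmd.exe'
if (-not (Test-Path $dsregcmd)) {
    # Fail closed: an unknown state is treated as "not hybrid joined".
    Write-Output 'No'
    exit 0
}

$statusOutput = & $dsregcmd /status 2>&1 | ForEach-Object { [string]$_ }

if (Test-HybridJoined -StatusLines $statusOutput) {
    Write-Output 'Yes'
} else {
    Write-Output 'No'
}
exit 0
```

Because the device must evaluate the rule before installation, a device whose dsregcmd output cannot be parsed is deliberately reported as "No" rather than allowed through.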