Create and Manage Device Categories in Intune

Photo of author
Jatin Makhija
0

This post is about showing you how to create and manage device categories in Intune. Device categories let you label devices at enrollment or after enrollment so you can target policies, apps, and compliance settings more precisely. Think of categories as simple tags like Sales, Finance, Kiosk, Lab, or VIP.

For example, you can group devices by department, such as Sales, HR, or Lab devices. Users can set a device category through the Company Portal, or admins can configure it in the Intune portal. After that, you can create a dynamic Entra security group that automatically includes devices based on their assigned category. This group can then be used to apply policies and assign apps specific to each department, helping streamline departmental segregation and management.

Requirements

  • Intune administrator role.
  • Access to Company Portal app or website.

Device Category Platform Support

You can set a device category for the following types of devices:

  • Android
  • iOS/iPadOS
  • macOS
  • Windows

Important Points

  • If your tenant has device categories configured, users on targeted devices will be prompted to choose a category when they sign in to the Company Portal. To prevent this, set Let users select device categories in the Company Portal to Block. You can find this setting in the Intune admin center by navigating to: Tenant administration > End user experiences > Customization > Create, then scroll down to locate the Let users select device categories in the Company Portal option.

If you want users to select a device category via Company portal app or website, then keep Let users select device categories in the Company Portal to Allow (default). If users skip and do not select the category, they will be prompted again next time until a category is set.

Let users select device categories in the Company Portal
  • If Multi-Admin Approval is configured in your environment, you may need approval before creating, editing, or deleting device categories.

Plan Device Categories Schema

It’s best to plan your device categories before implementation to ensure consistency and avoid potential issues that may arise if you need to rename them later. Renaming a device category can break the dynamic Entra security group rules associated with it. Although this can be quickly fixed by updating the group’s dynamic membership rule query, proper planning upfront helps save time and effort that would otherwise be needed to readjust device categories later.

  • Decide and list your device categories e.g., Sales, Finance, HR, Field-Kiosk, Lab-Shared, Exec-VIP, Training, Test, Remote-Loaner etc.
  • List the dynamic Entra security groups according to your organization’s group naming convention. These groups will be associated with each device category you create. Below table shows this structure, If you have this documented, then it will be quick to setup device categories in Intune.
Device CategoryAssociated Dynamic Entra Group
SalesDG-Sales-Devices
FinanceDG-Finance-Devices
HRDG-HR-Devices
TrainingDG-Training-Devices
Remote-LoanerDG-Remote-Loan-Devices
Lab-SharedDG-Lab-Shared-Devices
DG=Dynamic Group

Step 1: Create Device Categories

Once you have decided on which device categories to create and their associated dynamic Entra security groups. Setting this up is quick and easy, use below steps to create a device category in Intune.

Create Device Categories in Intune
  • Basics tab: Enter the name of the new device category you want to create and provide a description.
  • Scope tags (optional): A scope tag in Intune is an RBAC label you add to resources (policies, apps, devices) to limit which admins can see and manage them. For more Information, read: How to use Scope tags in Intune.
  • Review + create: Review the summary and click Create.
Enter the name of the new device category

Similarly, create all the required device categories in Intune. The screenshot below shows that the Sales, HR, Lab-Shared, Remote-Loaner, Finance, and Training device categories have been successfully created.

Create device category for each purpose

Step 2: Assign Device Categories

Once you have created the required device categories, assign it to the devices by using below steps:

  • Sign in to the Intune admin center > Go to Devices > click on any device.
  • Go to Properties page and use the Device category drop-down to select the device category you want to assign to this device.
  • Similarly, assign the device category to all your devices.
Assign Device Categories

Step 3: Create Dynamic Device Groups Based on Categories

Now to group the devices and build a group structure based on the device categories, create dynamic entra security groups in Entra ID. Let’s check the steps:

  • Sign in to the Intune admin center > Groups > All groups > click on New Group.
  • Group type: Security
  • Group name: DG-Sales-Devices
  • Membership type: Dynamic Device
  • Click Add dynamic query and add below rule. Replace the category name from Sales to the one you are using.
(device.deviceCategory -eq "Sales")
Create Dynamic Device Groups Based on Categories

Create one dynamic Entra security group for each device category to automatically group devices based on their assigned category. Once all the groups are created, check membership of each group to ensure the correct devices are included in each group. After verification, you can use these groups in Intune to assign policies, applications, and other configurations.

Device Category Maintenance

There is as such no big maintenance required when it comes to device category checks. It’s good to keep the documentation up to date to reflect what’s actually provisioned when you rename or delete a device category or its associated dynamic groups.

View and Export Category Info of All Devices

You can easily view and export the device category information of all devices using Intune admin center. Let’s check the steps:

  • Sign in to the Intune admin center > Go to Devices > All devices.
  • Click on Columns drop-down and select Category to show category information of devices on the portal.
View and Export Category Info of All Devices
  • For simplicity, I’ve unchecked all other columns except Device name and Category. The screenshot below shows the devices in Intune along with their assigned category information.

Assign Scope tags to Device Categories

You can assign a scope tag to a device category during creation. If you want to assign a scope tag after the category has been created, you can do that as well using below steps.

  • Sign in to the Intune admin center > Go to Devices > Device Categories > click on ellipses (…) and select Assign scope tags. If Multi-admin approval is enabled, your change may require approval.
Assign Scope tags to Device Categories

Selecting the Device category via Company Portal

When users will sign in to the Company portal app or website

Conclusion

Device categories are useful for grouping devices by department or by specific use cases, such as training or kiosk. Create dynamic groups to collect devices based on their assigned categories, and use those groups to deploy policies and apps to targeted devices accordingly.

Leave a Comment

Step-by-Step Guides: Setup /Troubleshooting/Configuring Solutions for Intune, Microsoft 365, Windows 365, PowerShell, Windows, Azure, and other Cloud Technologies.

About the author
Contact Us
Privacy Policies
Comment Policies
Cookie Policies

Enter your email address to subscribe to this blog and receive notifications of new posts by email.