Exclude specific groups of users or devices from an app assignment

This week another post about apps. This week it’s all about the ability to exclude a specific group of users or devices from an app assignment. That ability is not completely new, but it’s new enough to be still a little bit unfamiliar for many. It can be useful for assigning an app to a big group and still being able to exclude a small group. That can be users that should be treated a little different than the standard, like for example a test group, a demo group, or an executive group. In this post I want to have a look at those configuration options. Often I’ll also have a look at the end-user or administrative experience, but in this case there is nothing to show. It’s just an assignment configuration.

Configuration options

When working with apps the administrator has the option to assign the app to a specific group of users or devices. That can even be multiple groups. Now the administrator also has the option to exclude a specific group of users or devices. That exclusion will take precedence over an inclusion. At least for the following same group type configurations:

  • Include user groups and exclude user groups when assigning an app
  • Include device groups and exclude device group when assigning an app

An example of this would be for an administrator to assign an app to the users of the All users group and to exclude the users of the All demo users group. In that example all users except for the users of the demo users group, would get the assignment of the app. Simply because both groups are user groups. That would enable the administrator to treat the demo users differently for demo purposes.

It’s good to keep in mind that Microsoft Intune doesn’t evaluate user-to-device group relationships. When the administrator would assign apps to mixed groups, the results may not be expected. That also means that the exclusions are a service-side evaluation and not a client-side evaluation. On the service the results of the included and excluded groups are “calculated” and the result is used as the target of the assignment.

An example of this would be for an administrator to assign an app to the users of the All users group and to exclude the devices of the All demo devices group. That creates a mixed group app assignment that would result in all users (of the All users group) getting the app assignment. In other words, the exclusion does not apply. That means that it’s not recommended to mixed group app assignments.

Configuration example

Now let’s have a look at a configuration example of assigning a Win32 app in Microsoft Intune. In the following example I’ve added an assignment of the Win32 app to the users of the All users group and I want to add an exclusion for the users of the All demo users group. The following steps show how to add that exclusion by editing an existing assignment.

  1. Open the Microsoft Endpoint Manager admin center portal and navigate to Apps Windows > Windows apps to open the Windows – Windows apps blade
  2. On the Windows – Windows apps blade, select a Win32 app (or create a new one), click Properties and navigate to the Assignment section and click Edit to open the Edit application blade
  3. On the Edit application blade, on the Assignments page, click Add group, select the All demo users group and click Select
  1. By default, the newly added group will be added with the Included MODE. To adjust this, click on Included, of the newly added group entry, switch the Mode to Excluded and click OK
  1. Now the All users group should show as Included and the All demo users group should show as Excluded. Click on Review + save to navigate to the Review + save page
  1. On the Review + save page, verify the new configuration and click Save

Note: The Review + save page will, just like the Assignments section in the Properties of the app, show both groups like both groups are a required assignment.

More information

For more information about excluding specific users or groups from an app assignment, refer to the documentation about Include and exclude app assignments in Microsoft Intune and Intune Standalone – Win32 app management.

8 thoughts on “Exclude specific groups of users or devices from an app assignment”

  1. Hi Peter

    I wonder if after creating an all staff group install you now have to go back and exclude say, support staff.
    If I create required to install:
    all staff included and support staff excluded.
    Then add support staff to uninstall.

    Will intune recalculate who the program should be assigned to or is it a one-off that occurs when we first create the package?

    Thanks
    A

    Reply
    • Hi AAA,
      I’m not completely sure what you mean. When the app was already installed for a user, you would still need to create an uninstall for that user. The include-exclude will not trigger the uninstall of an already installed app.
      Regards, Peter

      Reply
  2. Hi Peter,

    I am trying to figure out if there is a way to exclude a device which is an Apple DEP device not yet enrolled, from a group which targets “All iPhones”. I believe I would have to enrol the device first to let it create a device record in AAD, then add the device to a group to then exclude it.

    The context is as follows, there is an app which is assigned to “All iPhones” but I want to exclude a group of devices from this to test out VPP app deployment method.

    Reply
  3. Hi Peter

    Great explanation about exclude groups.
    there is one critical thing that I’m not sure about:

    In my environment, I have configuration profile for password setting (named “pw for all corp”, for example).
    l also have dynamic group for all our devices (that applying the “pw for all corp” and all other configuration profiles automatically)

    I creating a new password profile(name it pass2 for example)
    applying it only tp specific group(helpDesk)
    In the main password profile(“pw for all corp”) I exclude the HelpDesk group

    Quastion: After saving – does the reassigned process may affect and cause to all other users(included in the role) and trigger a password change?
    or it just change what I set to HD as I set

    Thanks, Leon

    Reply
  4. I realize this is an old article but I had a scenario to run by you:
    There is a device group (say, “App Installs”) that is used for installation of multiple apps in Azure.
    A user of one of these devices does not want one of the apps to be rolled out to him. If I created a new device group called “App Exclusions” and added his machine, would the exclusion take precidence?

    Shorter scenario: A device exists in a group that’s INCLUDED in an app deployment and in a group that’s Excluded. Will the app be pushed in that instance?

    Secondary Scenario: the app is already installed and the user wants it removed. Same grouping/members as above…will he be able to uninstall on his machine w/o it being reinstalled via the Azure push? Thanks!!!

    Reply

Leave a Reply to Rob Cancel reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.