This is a short blog post to raise awareness of token types. Token types are basically just variables that can be used within the property list of an app configuration policy in Microsoft Intune hybrid and Microsoft Intune standalone. This blog post provides a quick overview of the available token types with example values.
Overview
The following table contains the currently available token types for Microsoft Intune hybrid and Microsoft Intune standalone. Before going through this table, it’s good to know that the {{ and }} characters are used by token types only and should not be used for other purposes.
| Token type | Example value |
| --- | --- |
| {{userprincipalname}} | pvanderwoude@petervanderwoude.nl |
| {{mail}} | pvanderwoude@petervanderwoude.nl |
| {{partialupn}} | pvanderwoude |
| {{accountid}} | fcc00012-123e-f479-aabe-abe2a1123b45 |
| {{deviceid}} | c7d01dd3-136f-40c5-b843-711e958c4eef |
| {{userid}} | 2dda638e-28b7-4bdc-a4fd-70faaa811010 |
| {{username}} | Peter van der Woude |
| {{serialnumber}} | F9FPVD86FCM5 |
| {{serialnumberlast4digits}} | FCM5 |
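As an added example (not code from the original post or from Microsoft), the following Python check walks a property list before it goes into an app configuration policy and reports any {{…}} token that is not in the table above, as well as {{ or }} used outside a token. The function names and the sample plist are constructed for illustration; matching the token spelling exactly as listed in the table is an assumption.

```python
import plistlib
import re

# Token types from the table above, spelled exactly as listed there.
KNOWN_TOKENS = {
    "userprincipalname", "mail", "partialupn", "accountid", "deviceid",
    "userid", "username", "serialnumber", "serialnumberlast4digits",
}
TOKEN_RE = re.compile(r"\{\{(.*?)\}\}")

def check_value(path, text):
    """Return findings for one string value of the property list."""
    findings = []
    for name in TOKEN_RE.findall(text):
        if name not in KNOWN_TOKENS:  # assumption: exact, case-sensitive match
            findings.append((path, "unknown token", "{{" + name + "}}"))
    # Braces left over after removing well-formed tokens are not a token.
    rest = TOKEN_RE.sub("", text)
    if "{{" in rest or "}}" in rest:
        findings.append((path, "stray braces", text))
    return findings

def walk(node, path=""):
    """Yield (path, string) for every string nested in dicts and arrays."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk(value, f"{path}/{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from walk(value, f"{path}[{index}]")
    elif isinstance(node, str):
        yield path, node

def lint_plist(data: bytes):
    root = plistlib.loads(data, fmt=plistlib.FMT_XML)
    return [f for path, text in walk(root) for f in check_value(path, text)]

# Constructed sample input, not taken from a real policy.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>UserEmail</key><string>{{mail}}</string>
  <key>DeviceTag</key><string>corp-{{serialnumberlast4digits}}</string>
  <key>Login</key><string>{{samaccountname}}</string>
  <key>Banner</key><string>Welcome }} team</string>
  <key>Servers</key>
  <array><string>{{UserPrincipalName}}@example.invalid</string></array>
</dict></plist>"""

if __name__ == "__main__":
    for finding in lint_plist(SAMPLE):
        print(finding)
```

Each finding is a (key path, reason, offending text) tuple, so a value that would otherwise reach devices as unreviewed literal text can be traced back to its key.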
More information
For more information about iOS apps with mobile app configuration policies, in Microsoft Intune standalone and Microsoft Intune hybrid, please refer to:
- Configure iOS apps with app configuration policies in System Center Configuration Manager: https://technet.microsoft.com/en-us/library/mt627960.aspx
- Configure iOS apps with mobile app configuration policies in Microsoft Intune: https://docs.microsoft.com/en-us/intune/deploy-use/configure-ios-apps-with-mobile-app-configuration-policies-in-microsoft-intune
- App Configuration Policies for iOS apps: https://www.petervanderwoude.nl/post/app-configuration-policies-for-ios-apps/
Hi Peter, thanks for the write up. Do you know, is this also available for Intune IOS Configuration Policies – Custom Configurations? We are wanting to build an IOS SSO profile using mail as a variable in the config. e.g.
“PrincipleName”
“{{mail}}”
Alternatively, any examples of how to deliver an SSO profile for IOS?
Thanks
John
To my knowledge these token types are only available for app configuration policies.
Peter,
I have had an open ticket with MS since May as this setting doesn’t work on Intune Hybrid. The token type is passed as a literal value. Have you also seen this and/or have any insight?
Thanks!
Hi Alex,
Yes, I’ve seen that behavior. It has been identified as a bug and should be fixed in the 1606 release.
Peter
I was hoping so too but it doesn’t appear to be. I’m told by MS it’s on roadmap for 1610 now.
Thanks!
Hi there,
sorry to re-open this old topic, but is there any news on this?
Struggling for weeks with a configuration profile which I want to send as a CI to our iOS devices to enable SSO (Kerberos) for our internal authentication.
Appreciate all information.
Thanks in advance
Hi Julius,
What news are you referring to? The token types are already available in the hybrid environment. However, keep in mind that hybrid is deprecated and that these tokens are app configuration only.
Regards, Peter
Hi Peter,
thank you for your answer.
Yes, I also got this information and am currently trying to accomplish the needed kerberos-authentication with a built-in Intune profile.
Still struggling with some tech-issues like missing (enrolled) devices in Intune (OS-type sometimes is “iOS” (then devices are shown in Intune) and sometimes it is “iPhone” (then they are not listed in Intune, but only as AzureAD devices)).
Way to go for me and my 4500 devices 🙂
Regards
Julius
Hi Julius,
Sounds like a nice challenge. About those devices, it sounds like the enrollment wasn’t completed. Maybe the management profile wasn’t installed, or something like that.
Regards, Peter
Hi Peter,
was (so far) not too big, as I learned, that if a primary user of a managed device is not part of the SCCM-Intune-sync-collection, but enrolls a device, Intune (standalone) is grabbing this device, even if no policies or similar is in place in Intune.
By excluding (test)-users from the Intune-collection in SCCM, you can “shift” the management for this users’ device(s) over to Intune.
This procedure is also part of the recommended migration path from hybrid to Intune standalone MDM from Microsoft via a so-called “Mixed MDM authority” (see: https://docs.microsoft.com/en-us/sccm/mdm/deploy-use/migrate-mixed-authority).
Migrated my own user already and it looks good with KerberosSSO so far, but have some new challenges now (like connecting my existing NDES-server to allow devices/Intune to issue certificates, which are needed for Wifi, VPN and other purposes).
Will keep you updated 🙂
Hi Julius,
That is correct. I’ll be interested to know how it all worked out for you.
Regards, Peter
Hi Peter,
do you know if it is possible to add extension attributes to the app configuration?
Hi Markus,
When you have the key-value pairs, you can configure it.
Regards, Peter
Hi Peter,
I want to use e.g. the samaccountname or the mailnick as token in the iOS App Configuration Policy.
Is it possible to use custom/create tokens that can be used in the iOS App Configuration Policy?
Thank you
Hi Tim,
Have a look here for the latest options: https://learn.microsoft.com/en-us/mem/intune/apps/app-configuration-policies-use-ios#tokens-used-in-the-property-list
Regards, Peter