Assign apps to groups in Microsoft Intune (2024)

After you've added an app to Microsoft Intune, you can assign the app to users and devices. It is important to note that you can deploy an app to a device whether or not the device is managed by Intune.

Note

The Available for enrolled devices deployment intent is supported for user groups and device groups when targeting Android Enterprise fully managed devices (COBO) and Android Enterprise corporate-owned personally-enabled (COPE) devices.

The following table lists the various options for assigning apps to users and devices:

| Option | Devices enrolled with Intune | Devices not enrolled with Intune |
| --- | --- | --- |
| Assign to users | Yes | Yes |
| Assign to devices | Yes | No |
| Assign wrapped apps or apps that incorporate the Intune SDK (for app protection policies) | Yes | Yes |
| Assign apps as Available | Yes | Yes |
| Assign apps as Required | Yes | No |
| Uninstall apps | Yes | No |
| Receive app updates from Intune | Yes | No |
| End users install available apps from the Company Portal app | Yes | No |
| End users install available apps from the web-based Company Portal | Yes | Yes |

Note

Currently, you can assign iOS/iPadOS and Android apps (line-of-business and store-purchased apps) to devices that aren't enrolled with Intune.

To receive app updates on devices that aren't enrolled with Intune, device users must go to their organization's Company Portal and manually install app updates.

For almost all app types and platforms, Available assignments are only valid when assigning to user groups, not device groups. Win32 apps can be assigned to either user or device groups.

If managed Google Play pre-production track apps are assigned as required on Android Enterprise personally-owned work profile devices, they will not install on the device. To work around this, create two identical user groups and assign the pre-production track as "available" to one and "required" to the other. The result will be that the pre-production track successfully deploys to the device.

Assign an app

  1. Sign in to the Microsoft Intune admin center.

  2. Select Apps > All apps.

  3. In the Apps pane, select the app you want to assign.

  4. In the Manage section of the menu, select Properties.

  5. Scroll down to Properties and select Assignments.

  6. Select Add Group to open the Add group pane that is related to the app.

  7. For the specific app, select an assignment type:

    • Available for enrolled devices: Assign the app to groups of users who can install the app from the Company Portal app or website.

    • Available with or without enrollment: Assign this app to groups of users whose devices are not enrolled with Intune. Users must be assigned an Intune license; see Intune Licenses.

    • Required: The app is installed on devices in the selected groups. Some platforms may have additional prompts for the end user to acknowledge before app installation begins.

    • Uninstall: The app is uninstalled from devices in the selected groups if Intune has previously installed the application onto the device via an "Available for enrolled devices" or "Required" assignment using the same deployment.

      Note

      For iOS/iPadOS apps only:

      • To configure what happens to managed apps when devices are no longer managed, you can select the intended setting under Uninstall on device removal. For more information, see App uninstall setting for iOS/iPadOS managed apps.
      • If you have created an iOS/iPadOS VPN profile that contains per-app VPN settings, you can select the VPN profile under VPN. When the app is run, the VPN connection is opened. For more information, see VPN settings for iOS/iPadOS devices.
      • To configure whether a required iOS/iPadOS app is installed as a removable app by end users, you can select the setting under Install as removable.
      • To configure a way to prevent the iCloud backup of the managed iOS/iPadOS app, you can click on one of the following settings after adding a group assignment - VPN, or Uninstall on device removal, or Install as removable. Then, configure the setting called Prevent iCloud app backup. For more information, see Prevent iCloud app backup setting for iOS/iPadOS and macOS apps.

      For macOS apps only:

      • To configure a way to prevent the iCloud backup of the managed macOS app, you can click on one of the following settings after adding a group assignment - VPN, or Uninstall on device removal, or Install as removable. Then, configure the setting called Prevent iCloud app backup. For more information, see Prevent iCloud app backup setting for iOS/iPadOS and macOS apps.

      For Android apps only:

      • If you deploy an Android app as Available with or without enrollment, reporting status will only be available on enrolled devices.

      For Available for enrolled devices:

      • The app is only displayed as available if the user logged into the Company Portal is the primary user who enrolled the device and the app is applicable to the device.
  8. To select the groups of users that are affected by this app assignment, select Included Groups.

  9. After you have selected one or more groups to include, select Select.

  10. In the Assign pane, select OK to complete the included groups selection.

  11. If you want to exclude any groups of users from being affected by this app assignment, select Exclude Groups.

  12. If you have chosen to exclude any groups, in Select groups, select Select.

  13. In the Add group pane, select OK.

  14. In the app Assignments pane, select Save.

The app is now assigned to the groups that you selected. For more information about including and excluding app assignments, see Include and exclude app assignments.

Tip

Intune supports assigning apps to nested groups too. For example, if you assigned an app to the "Engineering Global" group and have "Engineering APAC", "Engineering EMEA" and "Engineering US" nested as child groups, the members of those child groups will also be targeted with the assignment.

Prevent iCloud app backup setting for iOS/iPadOS and macOS apps

Admins will have the option to no longer back up managed App Store apps and line-of-business (LOB) apps on iOS/iPadOS and managed App Store apps on macOS devices, for both user and device licensed VPP/non-VPP apps. macOS LOB apps won't support this setting. This functionality will include both new and existing App Store/LOB apps sent with and without VPP that are being added to Intune and targeted to users and devices. Preventing the backup of the specified managed apps will ensure that these apps can be properly deployed via Intune when the device is enrolled and restored from backup. If you configure the new setting for new/existing apps in your tenant, managed apps can and will be re-installed for devices, but Intune will no longer allow them to be backed up.

Note

While we don't expect managed apps on devices to back up data to iCloud, note that data saved locally for managed apps may not be available after a backup and restore.

For existing devices, when Prevent iCloud app backup is set to Yes for an app/apps, the new behavior will be automatically updated for all required App Store/LOB apps (with or without VPP). Required apps previously installed on devices will be automatically re-configured for all devices once the setting value is saved to Yes. Available apps will require the user to re-download the available app from the Company Portal app or the Company Portal website. Additionally, depending on the app’s configurations and licensing, a sync between Intune and the device may be needed.

How conflicts between app intents are resolved

A single group cannot be targeted with multiple app assignment intents. However, if a user or a device is a member of multiple groups that are each assigned different intents, a conflict results. Creating assignment conflicts for applications is not recommended. The information in the following table can help you understand the resulting intent when a conflict occurs:

| Group 1 intent | Group 2 intent | Resulting intent |
| --- | --- | --- |
| User Required | User Available | Required and Available |
| User Required | User Uninstall | Required |
| User Available | User Uninstall | Uninstall |
| User Required | Device Required | Both exist, Intune treats Required |
| User Required | Device Uninstall | Both exist, Intune resolves Required |
| User Available | Device Required | Both exist, Intune resolves Required (Required and Available) |
| User Available | Device Uninstall | Both exist, Intune resolves Available. App shows up in the Company Portal. If the app is already installed (as a required app with previous intent), the app is uninstalled. If the user selects Install from the Company Portal, the app is installed, and the uninstall intent is not honored. |
| User Uninstall | Device Required | Both exist, Intune resolves Required |
| User Uninstall | Device Uninstall | Both exist, Intune resolves Uninstall |
| Device Required | Device Uninstall | Required |
| User Required and Available | User Available | Required and Available |
| User Required and Available | User Uninstall | Required and Available |
| User Required and Available | Device Required | Both exist, Required and Available |
| User Required and Available | Device Uninstall | Both exist, Intune resolves Required (Required and Available) |
| User Available without enrollment | User Required and Available | Required and Available |
| User Available without enrollment | User Required | Required |
| User Available without enrollment | User Available | Available |
| User Available without enrollment | Device Required | Required and Available without enrollment |
| User Available without enrollment | Device Uninstall | Uninstall and Available without enrollment. If the user didn't install the app from the Company Portal, the uninstall is honored. If the user installs the app from the Company Portal, the install is prioritized over the uninstall. |
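
The following added example, which is not part of the original article or of Intune, audits one app's user-group assignments for the conflicts described above: it expands nested groups as in the tip about "Engineering Global", finds users reached by more than one intent, and reports the resulting intent from the user-to-user rows of the table. The group names, users and data layout are constructed for illustration and are not an Intune or Microsoft Graph schema.

```python
"""Audit one app's user-group assignments for intent conflicts (added example).

Group names, users and the data layout are constructed for illustration;
they are not an Intune or Microsoft Graph schema.
"""
from collections import defaultdict

# Constructed sample: group -> direct members and nested child groups.
GROUPS = {
    "Engineering Global": {"members": ["alice"],
                           "children": ["Engineering APAC", "Engineering EMEA"]},
    "Engineering APAC": {"members": ["bob"], "children": []},
    "Engineering EMEA": {"members": ["carol"], "children": []},
    "Pilot Users": {"members": ["bob", "dave"], "children": []},
    "Leavers": {"members": ["carol"], "children": []},
}

# Constructed sample: (assigned group, intent) pairs for a single app.
ASSIGNMENTS = [
    ("Engineering Global", "Required"),
    ("Pilot Users", "Available"),
    ("Leavers", "Uninstall"),
]

# User-to-user rows of the conflict table on this page (pair -> resulting intent).
RESULTING_INTENT = {
    frozenset({"Required", "Available"}): "Required and Available",
    frozenset({"Required", "Uninstall"}): "Required",
    frozenset({"Available", "Uninstall"}): "Uninstall",
    frozenset({"Required and Available", "Available"}): "Required and Available",
    frozenset({"Required and Available", "Uninstall"}): "Required and Available",
    frozenset({"Available without enrollment", "Required and Available"}): "Required and Available",
    frozenset({"Available without enrollment", "Required"}): "Required",
    frozenset({"Available without enrollment", "Available"}): "Available",
}


def effective_members(group, groups):
    """Return every user in a group, following nested child groups once each."""
    seen, users, stack = set(), set(), [group]
    while stack:
        name = stack.pop()
        if name in seen or name not in groups:
            continue
        seen.add(name)
        users.update(groups[name]["members"])
        stack.extend(groups[name]["children"])
    return users


def find_conflicts(assignments, groups):
    """Map each user reached by more than one distinct intent to the details."""
    per_user = defaultdict(dict)  # user -> {intent: [assigned groups delivering it]}
    for group, intent in assignments:
        for user in effective_members(group, groups):
            per_user[user].setdefault(intent, []).append(group)
    conflicts = {}
    for user, by_intent in per_user.items():
        if len(by_intent) > 1:
            # Only pairs listed in the table are resolved; anything else is None.
            resolved = RESULTING_INTENT.get(frozenset(by_intent))
            conflicts[user] = {"intents": by_intent, "resulting": resolved}
    return conflicts


if __name__ == "__main__":
    for user, info in sorted(find_conflicts(ASSIGNMENTS, GROUPS).items()):
        print(user, info["intents"], "->", info["resulting"])
```

A user reached by three or more distinct intents is reported with a resulting intent of `None`, because the table only covers pairs.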

Note

For managed iOS store apps only, when you add these apps to Microsoft Intune and assign them as Required, the apps are automatically created with both Required and Available intents.

iOS Store apps (not iOS/iPadOS VPP apps) that are targeted with required intent will be enforced on the device at the time of the device check-in and will also show in the Company Portal app.

When conflicts occur in the Uninstall on device removal setting, the app is not removed from the device when the device is no longer managed.

Note

Apps deployed as Required to corporate-owned work profile devices cannot be uninstalled manually by the user.

Managed Google Play app deployment to unmanaged devices

For unenrolled Android devices, you can use managed Google Play to deploy store apps and line-of-business (LOB) apps to users. Once deployed, you can use Mobile Application Management (MAM) to manage the applications. Managed Google Play apps targeted as Available with or without enrollment will appear in the Play Store app on the end user's device, and not in the Company Portal app. End users browse and install apps deployed in this manner from the Play app. Because the apps are being installed from managed Google Play, the end user will not need to alter their device settings to allow app installation from unknown sources, which means the devices will be more secure. If the app developer publishes a new version of an app to Play that was installed on a user's device, the app will be automatically updated by Play.

Steps to assign a Managed Google Play app to unmanaged devices:

  1. Connect your Intune tenant to managed Google Play. If you have already done this in order to manage Android Enterprise personally owned, dedicated, fully managed, or corporate-owned work profile devices, you do not need to do it again.

  2. Add apps from managed Google Play to your Intune admin center.

  3. Target managed Google Play apps as Available with or without enrollment to the desired user group. Required and Uninstall app targeting are not supported for non-enrolled devices.

  4. Assign an App Protection Policy to the user group.

  5. The user logs in to any protected app.

  6. The next time the end user opens the Company Portal app and completes the log in process, they will see a message indicating in the Apps section that there are apps available for them. The user can select this notification to navigate to the Play Store.

    Note

    You can configure device enrollment setting options to be Available, no prompts or Unavailable. This setting prevents users from unintentionally enrolling their device or receiving notifications to enroll their device after they have logged in to the Company Portal.

  7. The end user can expand the context menu within the Play Store app and switch between their personal Google account (where they see their personal apps), and their work account (where they will see store and LOB apps targeted to them). End users install the apps by tapping Install in the Play Store app.

When an APP selective wipe is issued in the Intune admin center, the work account will be automatically removed from the Play Store app and the end user will from that point no longer see work apps in the Play Store app catalog. When the work account is removed from a device, apps installed from the Play Store will remain installed on the device and will not uninstall.

App uninstall setting for iOS managed apps

For iOS/iPadOS devices, you can choose what happens to managed apps when the device is unenrolled from Intune or the management profile is removed by using the Uninstall on device removal setting. This setting only applies to apps after the device is enrolled and apps are installed as managed. The setting cannot be configured for web apps or web links. Only data protected by Mobile Application Management (MAM) is removed after retirement by an App Selective Wipe.

Default values for the setting are prepopulated for new assignments as follows:

| iOS app type | Default setting for "Uninstall on device removal" |
| --- | --- |
| Line-of-business app | Yes |
| Store app | No |
| VPP app | No |
| Built-in app | No |

Note

"Available" assignment types: If you're updating this setting for "available for enrolled devices" or "available with or without enrollment" groups, users who already have the managed app won't get the updated setting until they sync the device with Intune and re-install the app.

Pre-existing assignments: The App uninstall setting was introduced in May 2019. Assignments that existed prior to this date are unmodified and all managed apps will be removed on device removal from management. If your assignment was created before May 2019, you may need to explicitly set the App uninstall setting, as the default settings above may not apply.

Next steps

To learn more about monitoring app assignments, see How to monitor apps.

FAQs

How do I assign an app to a group in Intune?

Assign an app
  1. Sign in to the Microsoft Intune admin center.
  2. Select Apps > All apps.
  3. In the Apps pane, select the app you want to assign.
  4. In the Manage section of the menu, select Properties.
  5. Scroll down to Properties and select Assignments.
  6. Select Add Group to open the Add group pane that is related to the app.

What is the difference between dynamic and assigned group?

You can add the following types of groups: Assigned groups - Manually add users or devices into a static group. Dynamic groups (Requires Microsoft Entra ID P1 or P2) - Automatically add users or devices to user groups or device groups based on an expression you create.

How do I distribute an app with Intune?

Here's how to deploy with Intune on Windows 10 devices: Log in to the Microsoft Endpoint Manager admin center. Navigate to Apps and click "All Apps." Then, click "Add." Select the app type you want to deploy.

Is it possible to assign multiple devices to Windows Deployment Profile in Intune?

If you intend to deploy the policy broadly to all applicable devices, select Add all users or Add all devices. If you select "All Devices" and "All Users", the option to add additional Microsoft Entra groups is disabled. Select Review + Save.

What are the different types of groups in Intune?

Group Types

In Intune, there are two types of groups. Security group: A security group defines who can access the resources in Intune. Security groups can contain users, devices, or both. A security group can be created as a dynamic device group or a dynamic user group; both kinds of rule can't be added to one group.

What is a dynamic group in Intune?

Rather than specifying the users or devices to add to a group, we set criteria to define the members of a Dynamic Group. When the specified condition applies for a user or device, it is added to the group automatically. Should a member no longer satisfy the rule, it is removed from the group.

What is the Intune group policy?

In summary, Group Policy is focused on managing Windows-based devices within an on-premises Active Directory domain, while Intune Policy is designed to manage mobile devices (iOS, Android) and Windows 10 devices both on-premises and remotely through a cloud-based solution.

How do I set up apps on Intune?

You can add an app in Microsoft Intune by selecting Apps > All apps > Add. The Select app type pane is displayed and allows you to select the App type. An LOB app is one that you add from an app installation file.

How long does it take Intune to deploy an app?

TL;DR Intune Apps and Settings can take between 20-30 minutes to deploy on new devices using standard deployment methods.

Can Intune see what apps are installed?

Intune discovered apps is a list of detected apps on the Intune enrolled devices in your tenant. It acts as a software inventory for your tenant. Discovered apps is a separate report from the app installation reports. For personal devices, Intune never collects information on applications that are unmanaged.

How do I add bulk devices to a group in Intune?

Open the group to which you're adding members and then select Members. On the Members page, select bulk operations and then choose Import members. On the Bulk import group members page, select Download to get the CSV file template with required group member properties.

What is the maximum devices per user in Intune?

By default, a user can enroll up to 15 devices in Intune, but this limit can be adjusted as needed, ranging from 1 to 15, in the admin center.

What is the difference between all users and all devices in Intune?

Intune All users and All devices groups

The All devices group targets all devices that are enrolled into management. The All users group is a simple way to target all users that are assigned an Intune license. These groups are considered "virtual" because you don't create them or view them in Microsoft Entra ID.

How do I add an Azure app to a group?

Go to Applications > Enterprise applications to open All applications in the Application Gallery. Select an application that you added from the Application Gallery to open it. On the left pane, select Users and groups, and then select Add user/group.

How do I add an app registration to my Azure group?

Azure Active Directory (App Registration)
  1. Sign in to Office 365.
  2. Navigate to the Office 365 Admin Center.
  3. Open the Admin centers menu options located on the left menu.
  4. Select Azure AD. ...
  5. Create a new application.
  6. Configure the permissions.
  7. Allow access from external organizations (optional).
  8. Create the key.

How do I add a group to an app role in Azure?

Log in to Azure AD as an administrator who has privileges for assigning Azure AD users and groups to app roles. Access the app registration for the application. Under Manage, select API permissions. In the Configured permissions area, select + Add a permission.

What is app permission policies assign to group?

In the "Permissions" section, select the permissions that you want to grant to the app and click "Next" to continue. In the "Assignments" section, choose the groups that you want to apply the app permission policy to and click "Save" to create the policy.

Article information

Author: Amb. Frankie Simonis
