Universal App Requirement Rules
Audience: Platform Engineering, app deployment administrators
Purpose: Ensure applications deploy correctly across shared, kiosk, and personal devices
Overview
This procedure configures universal requirement rules for applications in Microsoft Intune to ensure:
- Required apps assigned directly to shared devices install correctly
- User-assigned required apps don't auto-install on shared devices
- Ownership and user-based restrictions are respected on personal devices
Key Concepts
| Term | Definition |
|---|---|
| Requirement Rules | Conditions that must be met before an application installs |
| Shared Device Mode | Multi-user environment configuration (labs, classrooms) |
| Kiosk Mode | Single-purpose device restriction |
| Primary User | User assigned during enrollment or set in Intune |
| Exit 0 | App can install |
| Exit 1 | App installation blocked |
Shared Device Filter
Use a filter that identifies non-user-enrolled devices so assignments can include or exclude them as needed:
| Property | Value |
|---|---|
| Filter Name | Shared Device - Filter |
| Filter Query | (device.enrollmentProfileName -ne "_TAMU User Driven with Pre Provision") |
This filter ensures only non-user-enrolled devices (kiosks, shared PCs) are included when needed.
Scope Group Strategy
Leverage Policy Scope Groups (PSGs) for application assignment:
- PSGs organize assignments by unit or infrastructure needs
- ESGs define user and device-level assignments
- Apply filter to PSGs to include/exclude non-user devices
Requirement Script
The following PowerShell script determines installation based on device type and ownership:
```powershell
# Step 1: Detect if the device is a shared device.
# The MDM WMI bridge (root\cimv2\mdm\dmmap) is only readable in SYSTEM context,
# which is the default context for Intune requirement scripts.
$SharedDevice = $false
try {
    $SharedDevice = (Get-CimInstance -Namespace root\cimv2\mdm\dmmap -ClassName MDM_SharedPC -ErrorAction Stop).IsShared -eq $true
} catch {
    $SharedDevice = $false
}

# Step 2: Detect if the device is in Kiosk mode (an Assigned Access configuration is present).
# Test-Path returns $false rather than throwing, so no try/catch is needed here.
$KioskMode = Test-Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\AssignedAccessConfiguration"

# Step 3: Get the primary user and the interactively signed-in user.
# Running as SYSTEM, [WindowsIdentity]::GetCurrent().Name would return NT AUTHORITY\SYSTEM
# and never match the primary user, so read the console user from Win32_ComputerSystem instead.
# If nobody is signed in, $CurrentUser is $null and the final rule blocks the install.
$PrimaryUser = (Get-CimInstance -Namespace root\cimv2\mdm\dmmap -ClassName MDM_DevDetail_Ext01).PrimaryUser
$CurrentUser = (Get-CimInstance -ClassName Win32_ComputerSystem).UserName

# Step 4: Apply installation rules (exit 0 = app can install, exit 1 = installation blocked)
if ($SharedDevice -or $KioskMode) {
    Write-Output "Device is Shared PC or Kiosk mode. Allowing installation."
    exit 0
} elseif ([string]::IsNullOrEmpty($PrimaryUser)) {
    Write-Output "Device has no primary user. Allowing installation."
    exit 0
} elseif ($CurrentUser -eq $PrimaryUser) {
    # -eq on strings is case-insensitive in PowerShell
    Write-Output "Current user is the primary user. Allowing installation."
    exit 0
} else {
    Write-Output "Current user is not the primary user. Blocking installation."
    exit 1
}
```
Script Logic
| Condition | Result |
|---|---|
| Shared Device or Kiosk Mode | Allow — Direct device assignment |
| No Primary User | Allow — Unassigned device |
| Current User = Primary User | Allow — User owns device |
| Current User ≠ Primary User | Block — Prevent cross-user install |
Configuration Procedure
Step 1: Prepare the Script
Save the PowerShell script to a .ps1 file for upload to Intune.
Step 2: Configure Requirement Rule
- Navigate to Intune Admin Center → Apps → All Apps
- Select the target application
- Go to Properties → Requirements → Edit
- Add a new requirement rule:
| Setting | Value |
|---|---|
| Rule Type | Custom Script |
| Output Data Type | Integer |
| Operator | Equals |
| Value | 0 |
- Upload the PowerShell script
- Save the configuration
Step 3: Assign the Application
Configure assignments based on deployment needs:
| Device Type | Assignment Target | Filter |
|---|---|---|
| Shared Devices | Device groups | None (or include shared devices) |
| Personal Devices | User groups | Exclude shared devices |
| Both | PSG with ESG members | Apply filter appropriately |
Step 4: Validate Deployment
Test on various device types:
| Device Type | Expected Behavior |
|---|---|
| Shared device | App installs directly |
| Kiosk device | App installs directly |
| Personal device (primary user logged in) | App installs |
| Personal device (non-primary user) | App blocked |
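Before uploading the .ps1, the decision logic in the Script Logic table can be checked offline against the expected behaviors above. The block below is an added example, not part of the original procedure: it factors the four rules into a pure function and runs it over constructed cases that mirror the validation table (the account names are placeholders, and one extra case covers a personal device with no primary user).

```powershell
# Added example: the requirement script's decision rules as a testable function.
function Get-InstallDecision {
    param(
        [bool]$SharedDevice,
        [bool]$KioskMode,
        [string]$PrimaryUser,   # $null is coerced to '' and treated as "no primary user"
        [string]$CurrentUser
    )
    if ($SharedDevice -or $KioskMode) { return 0 }            # direct device assignment
    if ([string]::IsNullOrEmpty($PrimaryUser)) { return 0 }   # unassigned device
    if ($CurrentUser -eq $PrimaryUser) { return 0 }           # user owns device (-eq is case-insensitive)
    return 1                                                  # cross-user install blocked
}

# Constructed test cases (placeholder accounts) mirroring the Step 4 validation table.
$cases = @(
    @{ Name = 'Shared device';                     Shared = $true;  Kiosk = $false; Primary = 'CONTOSO\alice'; Current = 'CONTOSO\bob';   Expected = 0 },
    @{ Name = 'Kiosk device';                      Shared = $false; Kiosk = $true;  Primary = '';              Current = 'CONTOSO\kiosk'; Expected = 0 },
    @{ Name = 'Personal device, primary user';     Shared = $false; Kiosk = $false; Primary = 'CONTOSO\alice'; Current = 'contoso\ALICE'; Expected = 0 },
    @{ Name = 'Personal device, non-primary user'; Shared = $false; Kiosk = $false; Primary = 'CONTOSO\alice'; Current = 'CONTOSO\bob';   Expected = 1 },
    @{ Name = 'Personal device, no primary user';  Shared = $false; Kiosk = $false; Primary = $null;           Current = 'CONTOSO\bob';   Expected = 0 }
)

$failures = 0
foreach ($c in $cases) {
    $actual = Get-InstallDecision -SharedDevice $c.Shared -KioskMode $c.Kiosk -PrimaryUser $c.Primary -CurrentUser $c.Current
    if ($actual -eq $c.Expected) { $status = 'PASS' } else { $status = 'FAIL'; $failures++ }
    '{0,-4} {1,-40} expected={2} actual={3}' -f $status, $c.Name, $c.Expected, $actual
}
if ($failures -gt 0) { throw "$failures requirement-rule case(s) failed" }
```

Run this in any PowerShell session; it needs no MDM bridge or Intune connectivity, so it is a quick regression check whenever the rules are adjusted for an edge case.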
Step 5: Monitor
- Apps → App Install Status — Check deployment status
- Device logs — Review IntuneManagementExtension.log
- Adjust script for edge cases as discovered
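The Intune Management Extension writes its log in the CMTrace line format, which makes the requirement script's own Write-Output messages easy to pull out when reviewing a device. The block below is an added example, not part of the original procedure: it parses that format and filters for the allow/block messages the script emits. The sample lines are constructed to illustrate the layout, the assumption that the script's output text appears in the log is labelled as such, and the log path in the trailing comment is the default IME location.

```powershell
# Added example: extract the requirement script's decisions from a CMTrace-format log.
function Get-RequirementScriptEvents {
    param(
        [string[]]$LogLines,
        # Assumption: the script's Write-Output text is recorded in the log as-is.
        [string]$Pattern = 'Allowing installation|Blocking installation'
    )
    # CMTrace layout: <![LOG[message]LOG]!><time="HH:mm:ss.fff+zzz" date="MM-dd-yyyy" component="..." ...>
    $cmtrace = '^<!\[LOG\[(?<msg>.*)\]LOG\]!><time="(?<time>[^"]+)"\s+date="(?<date>[^"]+)"\s+component="(?<comp>[^"]*)"'
    foreach ($line in $LogLines) {
        if ($line -notmatch $cmtrace) { continue }
        $m = $Matches.Clone()                  # a later -match would overwrite $Matches
        if ($m.msg -notmatch $Pattern) { continue }
        [pscustomobject]@{
            Date      = $m.date
            Time      = ($m.time -split '[+-]')[0]   # drop the UTC-offset suffix
            Component = $m.comp
            Decision  = if ($m.msg -like '*Blocking*') { 'Block' } else { 'Allow' }
            Message   = $m.msg
        }
    }
}

# Constructed sample lines in the CMTrace layout; only the message text is meaningful here.
$sample = @(
    '<![LOG[Current user is not the primary user. Blocking installation.]LOG]!><time="09:14:02.117+300" date="03-05-2024" component="IntuneManagementExtension" context="" type="1" thread="12" file="">',
    '<![LOG[Unrelated housekeeping message]LOG]!><time="09:14:03.000+300" date="03-05-2024" component="IntuneManagementExtension" context="" type="1" thread="12" file="">',
    '<![LOG[Device is Shared PC or Kiosk mode. Allowing installation.]LOG]!><time="09:20:45.501+300" date="03-05-2024" component="IntuneManagementExtension" context="" type="1" thread="7" file="">'
)

Get-RequirementScriptEvents -LogLines $sample | Format-Table -AutoSize

# On a managed device, read the live log (default IME location) instead of the sample:
# Get-RequirementScriptEvents -LogLines (Get-Content "$env:ProgramData\Microsoft\IntuneManagementExtension\Logs\IntuneManagementExtension.log")
```

Filtering on the script's own messages, rather than on the whole log, gives a compact timeline of allow/block decisions per device, which is what you need when deciding whether an edge case warrants a rule change.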
PatchMyPC Integration
For organizations using PatchMyPC:
- Apply the requirement rule universally across managed applications
- Ensures consistent logic across all app deployments
- Reduces per-app configuration overhead
Related Resources
- Intune Documentation — Endpoint management
- Scope Groups & Naming — PSG/ESG configuration
- Microsoft Intune App Management — Official documentation
- Shared PC Mode — Configuration guide