Niklas Blog

Exploring Device Management.

Special requirements for apps deployed trough Microsoft Intune

18 February 2025

Intune app requirements

Did you ever had the need to ensure that an app is only installed to primary users? I had this special usecase which will be covered in my next post where I needed to ensure that the currently logged on user is the one who is the primary or enrollment user of the device and only if this is the case an app would be installed.

With this post I want to share how i got a solution for that as I think this is a nice and easy way. If you did not knew it yet, in Microsoft Intune when you create an app you can set requirements as the os architecture or free storage that needs to be fullfilled for an app to install. And if your requirements cannot be configured in this simple UI in Intune….they gave us the option to write custom powershell scripts to require whatever we need for an app to install.

Using this I created a small powershell script that checks which user enrolled the device, what nicely is stored in the Windows registry with the UPN of the enrollment user. Then I used this to compare it against the currently signed in user and if it matches we give Intune an exit code 0 and a Message that we can check. If its not the enrollment user we exit with code 1 and another message.

So lets see the parts of my scripted solution for that.

  1. Get the upn of the user that enrolled this device:
#Get Join ID
$regPath = "HKLM:\SYSTEM\CurrentControlSet\Control\CloudDomainJoin\JoinInfo"
$JoinInfoPath = (Get-ChildItem -Path $regPath).Name
$JoinID = Split-Path $JoinInfoPath -Leaf

#Get Enrolloment UPN
$PUUser = (Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\CloudDomainJoin\JoinInfo\$JoinID" -Name UserEmail).UserEmail
$currentUser = (Get-Process -IncludeUserName -Name explorer | Select-Object UserName -Unique).UserName

#If on W365 and PUUSer is "fooUser@*" then set PUUser to current user
if (([regex]::Escape($PUUser) -like "fooUser@*") -and ((Get-WmiObject -Class Win32_ComputerSystem).Name -like "CPC*")) {
    $PUUser = $currentUser
}

This will give us the enrollment user upn in $PUUser and the upn on the currently signed in user that the Company Portal also sees in $currentUSer. As I also use Windows 365 where the enrollment isnt done with the user I build a simple workaround on that. It checks if the enrollment user starts with fooUser@ followed by the tenant domain and if the hostname starts with CPC (change that if you have a different naming convention in your environemnt.)

  1. Check if the current user is the enrollment user

Next we will compare those upns and check if they match. As oftentimes users are synced from the companys onprem AD to Entra ID Ive build a function around it to convert onprem and cloud upns so that we can compare those. To do so I simply create the SID for the enrollment upn and for the current users`s upn which I then compare. If they match the condition is fullfilled:

#Get Enrolloment UPN
$currentUser = (Get-Process -IncludeUserName -Name explorer | Select-Object UserName -Unique).UserName
$currentUserSid = (New-Object System.Security.Principal.NTAccount($currentUser)).Translate([System.Security.Principal.SecurityIdentifier]).Value

#Validate
if (Test-LocalGroupMember -GroupName $adminGroup -UserName $currentUserSid) {
    Write-Host "Successfully added $currentUser ($currentUserSid) to $adminGroup group."
    exit 0
} else {
    Write-Host "Failed to add $currentUser ($currentUserSid) to $adminGroup group."
    exit 1
}

So if the upn of the devices enrollment user matches with the currently signed in user the script exits with exitcode 0 and an OK

Which we can use like this in an app deployed through Microsoft Intune:

Conclusion

This solution can help to ensure that an app is only deployed to the user who owns or enrolled the device, what could prevent a user with a paid app to sign-in to another device and if he has an required app that is not free for it to be installed on other clients as his clients where he is the primary user. What I like with this is that we can even more granulary configure when an app or powershell script app will be installed or not. In my next post I will share a script that I needed to exclusively be installed on the clients where a user matches the enrollment user as devices might be shared.