When configuring sign-in rules with Device Groups, it’s important to
understand how criteria logic works. This section explains how to achieve
AND or OR behavior depending on how you group your
criteria.
Default Behavior: AND Logic within a Single Device Group
If you define multiple criteria within the same Device Group, the system
evaluates them using the AND operator. This means all conditions must
be true for the Device Group to apply.
Example:
Result:
If a user attempts to sign in from a macOS device without Avira
installed:
The OS does not match the "not macOS" condition (because it
is macOS).
The device does match the "not Avira" condition.
Because the Device Group uses AND logic and only one of the two
conditions is true, the Device Group does not match, so sign-in is allowed.
How to Use OR Logic: Create Separate Device Groups
To evaluate criteria using the OR operator, you need to create two or
more separate Device Groups, each with its own condition. Then, add all
of those Device Groups to the same sign-in rule.
To create OR logic:
Create one Device Group with the condition:
Create a second Device Group with the condition:
In your sign-in rule (set to Block), select both Device
Groups under the Device Groups option.
Result:
If a user signs in from a macOS device without Avira:
The device does not match the first Device Group ("not
macOS").
But it does match the second Device Group ("not Avira").
Since the rule uses OR logic across the two Device Groups,
matching either group triggers the rule.
Therefore, sign-in is blocked as expected.
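The evaluation described above, modeled as an added example (this is not the product's own code). The device attribute names `os` and `antivirus`, the function names, and the sample Windows devices are assumptions constructed for illustration; the model generalizes the macOS-without-Avira case to all four combinations so both configurations can be compared side by side.

```python
from itertools import product

# Each criterion is a predicate over a device dict. The attribute names
# ("os", "antivirus") are hypothetical, chosen for this illustration.
def not_macos(device):
    return device["os"] != "macOS"

def not_avira(device):
    return device["antivirus"] != "Avira"

def group_matches(criteria, device):
    """A Device Group matches only if ALL of its criteria are true (AND)."""
    return all(criterion(device) for criterion in criteria)

def rule_blocks(device_groups, device):
    """A Block rule fires if ANY attached Device Group matches (OR)."""
    return any(group_matches(group, device) for group in device_groups)

# Configuration 1: one Device Group holding both criteria (AND).
SINGLE_GROUP = [[not_macos, not_avira]]
# Configuration 2: two Device Groups, one criterion each (OR).
SEPARATE_GROUPS = [[not_macos], [not_avira]]

def decision_table():
    """Return {(os, antivirus): (blocked_by_single, blocked_by_separate)}."""
    table = {}
    # Constructed sample devices: every OS / antivirus combination.
    for os_name, av in product(["macOS", "Windows"], ["Avira", None]):
        device = {"os": os_name, "antivirus": av}
        table[(os_name, av)] = (
            rule_blocks(SINGLE_GROUP, device),
            rule_blocks(SEPARATE_GROUPS, device),
        )
    return table

def verdict(blocked):
    return "blocked" if blocked else "allowed"

if __name__ == "__main__":
    for (os_name, av), (single, separate) in decision_table().items():
        print(f"{os_name:8} av={str(av):6} "
              f"single-group: {verdict(single):8} "
              f"separate-groups: {verdict(separate)}")
```

In this model the single-group rule blocks only the non-macOS device without Avira, while the two-group rule blocks every device except macOS with Avira.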