We had a need in our organisation to be able to push out mobile policies simply based on the username. This article describes a method to create a filter which looks up the users of another filter, then determines what mobile device they use and populates those devices.
A prerequisite of this example is that the mobile device is associated with an asset user owner. I have an article on how this can be done here: https://www-secure.symantec.com/connect/articles/mdm-device-ownership
The below steps will create a filter which get the user resources from a second filter, then determines what mobile devices those users are owners of. The instructions assume you've already created a filter with the user resources you need (In this example, the user filter is called "MobileTestFilter".
Creating the Filter (Filter is attached):
1) Create a new filter, set the Query Mode to Query Builder and set the base query to Mobile.
2) In the Query tab, click on the Use Resource Type Associations link and select Asset User Owners to User
3) Then create an Inner Join to CollectionMembership, using User.Guid in the left field and ResourceGuid on the right.
4) Create another Inner Join to vCollection, using CollectionMembership.CollectionGuid in the left field and Guid on the right.
5) Click on the Filter Expressions tab and change the base query to Equals (switch to Advanced mode if it isn't already).
6) Under Filter Expression Operands, change the Integer setting next to {0}: to Field and select vCollection.name
7) Change the Integer setting next to {1}: to Text and type the name of the filter containing your user list (in this example, the filter name is MobileTestFilter.
9) Click on Save Changes and then click Update Membership on the filter. You should see the Mobile resource types owned by the users listed in the first filter. From there you just need to apply this filter to your mobile management policy. Your servicedesk staff (or self-service workflows) just need to update the first filter with the user resources, and the filter we just created does the rest.
This provides an easy way to add users for a mobile related payload (such as EAS or an RSS feed for a software push) without needing to know what their mobile device is called (or if they get a new device). It also eliminates an issue where when you update a mobile policy at all (including the target membership), the policy gets pushed out to all devices again.
This example could be used in tandem with an AD import or CMDB rule to import AD users to a filter if you prefer to do your mobile management groups through ADUC.
You can also use this same methodology for a computer filter to apply policy content that isn't available to apply per user, such as eiPower settings, etc.