I had a dynamic device group for macOS devices, and a few policies assigned to that group. The problem was that some iOS devices started showing those macOS policies too.
The group criteria included Apple DEP enabled, so I’m guessing that may be pulling in both Mac and iPhone/iPad devices. What is the recommended way to make sure a dynamic group contains only macOS devices?