Have you already seen the new Intune options in the Azure portal? If not, I would recommend watching the following video post to get an overview of the new Intune portal. In the new Intune portal, we can have more granular restrictions for MDM enrollments, and we don't need any kind of tweaking in on-prem services like ADFS or any federated access management system.
Now we have the option to block personal iOS devices from Intune enrollment. The Enroll Devices node is the place in the Intune Azure portal where you can set up this policy. "Enrollment restrictions" is where you can find the details about the granular enrollment restriction policies. Enrollment restriction policies are there to help us restrict/block a set of devices from enrolling into Intune.
Within enrollment restriction rules, we can have two types of restrictions: Device Type restrictions and Device Limit restrictions. Device limit restrictions are already available in the Intune Silverlight portal. Device Type Restriction is new in the Intune Azure portal and gives us the option to restrict or block devices of specific platforms from enrolling.
If you want to restrict Android devices from enrolling into your Intune MDM, you can disable/block Android device enrollment from the new portal. However, I'm not sure how we can allow ONLY "Android for Work" enabled devices to enroll into Intune. I hope there could be some limitations on the Android platform side to restrict Android devices that are not enabled for the Android for Work type of management.
A device type restriction policy is very helpful in a scenario where you want to restrict Windows Mobile/Phone devices from enrolling into Intune. At the same time, you can allow Windows devices (desktops, laptops, Surfaces, etc.) to enroll into Intune.
The most interesting feature, and a very helpful one for many organizations, is the ability to restrict personal iOS devices from enrolling into Intune. Yes, corp/company-owned iOS devices can be enrolled using the Apple DEP program. In this scenario, you need to create an enrollment restriction policy with the iOS platform enabled for enrollment via Device Type Restrictions — Platforms. Once the iOS platform is enabled for enrollment, go to Platform Configurations and BLOCK personally owned iOS devices.
For example, when you try to enroll a device into Intune, the enrollment restriction policies are checked against that device's platform and the enrolling user. Intune checks the device properties and the user's device limit configured in the enrollment restriction policies and confirms that both the device platform and the user are allowed to enroll. Only after this positive verification does Intune allow the user to enroll the device.
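To make the evaluation order concrete, here is a small model of that check, written as an added illustration for this post; it is not Intune's own code or anything from the Intune portal. The policy shape (a per-platform "platform blocked" and "personally owned blocked" flag plus a per-user device limit) and the platform names are assumptions that mirror the three knobs the post describes: Device Type Restrictions — Platforms, Platform Configurations, and Device Limit restrictions. The sample policy encodes the scenarios discussed above: Android and Windows Mobile blocked, Windows allowed, iOS allowed only for corporate (DEP) devices.

```python
"""Toy model of Intune-style enrollment restriction evaluation.

Added illustration, not Intune's code. Field names and platform strings are
assumptions chosen to mirror the knobs described in the post.
"""
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass
class PlatformRule:
    # Device Type Restrictions -> Platforms: is the whole platform blocked?
    platform_blocked: bool = False
    # Platform Configurations: are personally owned devices of this platform blocked?
    personal_blocked: bool = False


@dataclass
class EnrollmentRestrictions:
    platforms: Dict[str, PlatformRule]
    # Device Limit restriction: max devices a single user may enroll
    device_limit: int = 5


@dataclass
class Device:
    platform: str
    # True for corporate devices, e.g. iOS devices pre-registered via Apple DEP
    corporate: bool = False


def evaluate_enrollment(policy: EnrollmentRestrictions,
                        device: Device,
                        user_enrolled_count: int) -> Tuple[bool, str]:
    """Return (allowed, reason), checking in the order the post describes:
    platform first, then ownership, then the user's device limit.
    A platform with no rule at all is treated as blocked (fail closed)."""
    rule = policy.platforms.get(device.platform)
    if rule is None or rule.platform_blocked:
        return False, f"platform '{device.platform}' is blocked"
    if rule.personal_blocked and not device.corporate:
        return False, f"personally owned {device.platform} devices are blocked"
    if user_enrolled_count >= policy.device_limit:
        return False, (f"user already has {user_enrolled_count} devices "
                       f"(limit {policy.device_limit})")
    return True, "enrollment allowed"


# Constructed sample policy matching the scenarios in the post (assumption).
SAMPLE_POLICY = EnrollmentRestrictions(
    platforms={
        "Android": PlatformRule(platform_blocked=True),
        "WindowsMobile": PlatformRule(platform_blocked=True),
        "Windows": PlatformRule(),
        "iOS": PlatformRule(personal_blocked=True),   # corporate/DEP only
    },
    device_limit=5,
)


def demo() -> Dict[str, bool]:
    """Evaluate a few constructed devices against SAMPLE_POLICY."""
    cases = {
        "android_personal": (Device("Android"), 0),
        "windows_phone": (Device("WindowsMobile"), 0),
        "windows_laptop": (Device("Windows"), 0),
        "ios_dep_corporate": (Device("iOS", corporate=True), 0),
        "ios_personal": (Device("iOS", corporate=False), 0),
        "windows_over_limit": (Device("Windows"), 5),
        "unknown_platform": (Device("Tizen"), 0),
    }
    results = {}
    for name, (device, count) in cases.items():
        allowed, reason = evaluate_enrollment(SAMPLE_POLICY, device, count)
        results[name] = allowed
        print(f"{name:20s} -> {'ALLOW' if allowed else 'BLOCK'}: {reason}")
    return results


if __name__ == "__main__":
    demo()
```

Running the script prints one line per constructed device; the only cases that pass are the Windows laptop under its limit and the DEP-registered iOS device, which is exactly the outcome the "block personally owned iOS" configuration is meant to produce. The unknown-platform case shows the fail-closed choice: a platform the policy does not list is blocked rather than silently allowed.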