How to Restrict Personal iOS Devices from Enrolling into Intune Endpoint Manager? Have you already seen the new Intune options in the MEM portal? If not, I would recommend watching the following video post to get an overview of the new Intune portal here.
The new Intune portal gives us more granular restrictions for MDM enrollment. None of this requires changes to on-prem services such as ADFS or any other federated access management system; the policy is evaluated entirely by Intune at enrollment time.
We now have the option to block personal iOS devices from Intune enrollment. The Enroll Devices node in the Intune Azure portal is where you set up this policy, and “Enrollment restrictions” under that node is where the granular enrollment restriction policies live.
Enrollment restriction policies help us restrict/block a set of devices from enrolling into Intune.
How to Restrict Personal iOS Devices
Within enrollment restriction rules there are two types of restrictions: Device Type restrictions and Device Limit restrictions. Device Limit restrictions (capping how many devices a user may enroll) were already available in the Intune Silverlight portal. Device Type restrictions are new in the Intune Azure portal and give us the option to restrict or block specific platforms, and within a platform, personally owned devices, from enrolling.
If you want to restrict Android devices from enrolling into your Intune MDM, you can block Android enrollment from the new portal. However, I’m not sure how we can allow ONLY “Android for Work” enabled devices to enroll in Intune. I hope there could be some limitations on the Android platform side that restrict Android devices which are not enabled for the Android for Work type of management.
The Device Type restriction policy is very helpful in a scenario where you want to stop Windows Mobile/Phone devices from enrolling into Intune while still allowing Windows devices (desktops, laptops, Surfaces, etc.) to enroll, because the two are separate platforms in the policy.
The most interesting feature, and the one most organizations will want, is restricting personal iOS devices from enrolling into Intune. Corporate/company-owned iOS devices can still be enrolled through the Apple DEP program, because DEP-enrolled devices are classified as corporate, not personal. In this scenario you create an enrollment restriction policy with the iOS platform allowed under Device Type Restrictions, Platforms. Once the iOS platform is enabled for enrollment, go to Platform Configurations and BLOCK personally owned iOS devices. The two settings are independent: the first decides whether the platform can enroll at all, the second decides whether a personal device on that platform can.
When a user tries to enroll a device into Intune, the enrollment restriction policies are checked against that device’s platform, its ownership, and the user. Intune checks the device properties together with the user’s restriction limits configured in the enrollment restriction policies and confirms that the device platform, the device ownership, and the user are all allowed to enroll. Only after this positive verification does Intune allow the user to enroll the device.
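The same “iOS allowed, personal iOS blocked” restriction can be applied and verified outside the portal. The block below is an added example for this post, not code from the original article or from Microsoft; it uses the Microsoft Graph PowerShell SDK (`Connect-MgGraph`, `Invoke-MgGraphRequest`) against the v1.0 `deviceEnrollmentPlatformRestrictionsConfiguration` type. It assumes the signed-in account holds `DeviceManagementServiceConfig.ReadWrite.All` and that the tenant’s default Device Type Restriction is the one with priority 0 (true for the built-in “All users and all devices” policy). The `Test-EnrollmentAllowed` function at the end is a hypothetical model of the platform-then-ownership check described above, so an admin can reason about what a given restriction will do before rolling it out.

```powershell
# Added example (not from the original post): enforce "iOS allowed, personal iOS
# blocked" on the default Device Type Restriction via Microsoft Graph, then model
# the allow/deny check Intune performs at enrollment time.
# Assumptions: Microsoft.Graph PowerShell SDK is installed, the signed-in account
# holds DeviceManagementServiceConfig.ReadWrite.All, and the tenant's default
# platform restriction is the configuration with priority 0.

Connect-MgGraph -Scopes "DeviceManagementServiceConfig.ReadWrite.All"

$base = "https://graph.microsoft.com/v1.0/deviceManagement/deviceEnrollmentConfigurations"
$type = "#microsoft.graph.deviceEnrollmentPlatformRestrictionsConfiguration"

# 1. Locate the default Device Type Restriction (priority 0 applies to all users).
$default = (Invoke-MgGraphRequest -Method GET -Uri $base).value |
    Where-Object { $_.'@odata.type' -eq $type -and $_.priority -eq 0 }
if (-not $default) { throw "Default platform restriction configuration not found" }

# 2. Keep the iOS platform enabled but block personally owned iOS devices.
#    Devices enrolled through Apple DEP / Apple Business Manager, or whose serial
#    number is listed as a corporate device identifier, are classed as corporate
#    and still enroll; everything else is treated as personal and is blocked.
$patch = @{
    "@odata.type"  = $type
    iosRestriction = @{
        platformBlocked                 = $false
        personalDeviceEnrollmentBlocked = $true
    }
}
Invoke-MgGraphRequest -Method PATCH -Uri "$base/$($default.id)" `
    -Body ($patch | ConvertTo-Json -Depth 4) -ContentType "application/json"

# 3. Read the setting back instead of trusting the PATCH response.
$ios = (Invoke-MgGraphRequest -Method GET -Uri "$base/$($default.id)").iosRestriction
if ($ios.platformBlocked -or -not $ios.personalDeviceEnrollmentBlocked) {
    throw "iOS restriction did not apply as expected"
}

# 4. Hypothetical model of the enrollment check: platform first, then ownership.
#    $Restriction is one platform's block from the configuration (e.g. $ios);
#    $Ownership is 'corporate' or 'personal' as Intune classifies the device.
function Test-EnrollmentAllowed {
    param(
        [Parameter(Mandatory)] [hashtable] $Restriction,
        [Parameter(Mandatory)] [ValidateSet('corporate', 'personal')] [string] $Ownership
    )
    if ($Restriction.platformBlocked) { return $false }   # whole platform blocked
    if ($Ownership -eq 'personal' -and $Restriction.personalDeviceEnrollmentBlocked) {
        return $false                                       # BYOD blocked, corporate still fine
    }
    return $true
}

# Sanity-check the applied restriction against the two device classes we care about.
if (-not (Test-EnrollmentAllowed -Restriction $ios -Ownership corporate)) {
    throw "A DEP-enrolled (corporate) iPad should be allowed"
}
if (Test-EnrollmentAllowed -Restriction $ios -Ownership personal) {
    throw "A user's own iPhone (personal) should be blocked"
}
```

The read-back in step 3 matters: the portal and Graph both accept the PATCH even when another, higher-priority Device Type Restriction assigned to the same users overrides the default, so confirm the effective policy for a test user rather than only the default object. The ownership caveat in step 2 is the one that bites in practice: a corporate iPhone that was not purchased through DEP and whose serial was never added under Corporate device identifiers is, to Intune, a personal device and will be blocked by this setting.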
Anoop is a Microsoft MVP. He is a Solution Architect in enterprise client management with more than 20 years of experience (calculated in 2021) in IT. He is a blogger, speaker, and Local User Group HTMD Community leader. His main focus is on device management technologies like SCCM 2012, Current Branch, and Intune. He writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc.