How to Restrict Personal iOS Devices from Enrolling into Intune Endpoint Manager

Have you already seen the new Intune options in the MEM portal? If not, I recommend the video post that gives an overview of the new Intune portal before reading on.

The new Intune portal gives us more granular restrictions for MDM enrollment, and we don't need any tweaking of on-prem services like ADFS or any other federated access management system to use them.

Now, we have the option to block personal iOS devices from Intune enrollment. The Enroll Devices node in the Intune Azure portal is the place where you set up this policy; the "Enrollment restrictions" blade within it holds the granular enrollment restriction policies.


Enrollment restriction policies let us restrict or block a set of devices from enrolling into Intune.

How to Restrict Personal iOS Devices


Within enrollment restriction rules, we can have two types of restrictions: Device Type restrictions and Device Limit restrictions. Device limit restrictions were already available in the Intune Silverlight portal. Device Type restrictions are new in the Intune Azure portal, and they give us the option to restrict or block devices of a specific platform from enrolling.

If you want to keep Android devices out of your Intune MDM enrollment, you can disable/block Android device enrollment from the new portal. However, I'm not sure how we can allow ONLY "Android for Work" enabled devices to enroll in Intune. I suspect there are limitations on the Android platform side that make it hard to single out the Android devices which are not enabled for Android for Work management.


The device type restriction policy is very helpful in a scenario where you want to restrict Windows Mobile/Phone devices from enrolling into Intune while still allowing Windows devices (desktops, laptops, Surfaces, etc.) to enroll.

The most interesting feature, and the one most helpful for any organization, is the ability to restrict personal iOS devices from enrolling into Intune. Corporate/company-owned iOS devices can still be enrolled through the Apple DEP program, which Intune treats as corporate enrollment. For this scenario, create a device type restriction policy and keep the iOS platform ALLOWED under Device Type Restrictions, then go to Platform Configurations and BLOCK personally owned iOS devices. If you block the iOS platform itself, the DEP devices are blocked too, so the platform must stay allowed and only the personal ownership type gets blocked.


When a user tries to enroll a device into Intune, the enrollment restriction policies assigned to that user are evaluated against the device. Intune checks the device properties (platform and whether the device is corporate or personal) against the device type restrictions and the user's current number of enrolled devices against the device limit restrictions. Only when both checks pass does Intune allow the user to enroll the device; existing enrollments are not re-evaluated when you change a restriction later.
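The same configuration can be applied and then verified from PowerShell instead of the portal. The script below is an added example and is not part of the original post or the author's own tooling. It assumes the Microsoft.Graph.Authentication module is installed, that the signed-in account can manage Intune enrollment configuration, and that the tenant still has the default platform restriction object (priority 0) exposed by the Graph beta endpoint as a deviceEnrollmentPlatformRestrictionsConfiguration with an iosRestriction property; check those property names against your tenant's GET response before running the PATCH.

```powershell
# Added example (not from the original post). Blocks personally owned iOS enrollment
# via the Microsoft Graph beta API, re-reads the setting, and lists enrolled iOS
# devices with their ownership so the change can be checked.
# Assumptions: Microsoft.Graph.Authentication installed; account has Intune admin rights;
# default platform restriction object exists with priority 0 (Graph beta schema).
#Requires -Modules Microsoft.Graph.Authentication

Connect-MgGraph -Scopes 'DeviceManagementServiceConfig.ReadWrite.All',
                        'DeviceManagementManagedDevices.Read.All' -NoWelcome

$base = 'https://graph.microsoft.com/beta/deviceManagement'

# 1. Enrollment restrictions live under deviceEnrollmentConfigurations. The platform
#    (device type) restriction objects are identified by this @odata.type; the
#    default "All users" policy is the one with priority 0.
$configs = (Invoke-MgGraphRequest -Method GET -Uri "$base/deviceEnrollmentConfigurations").value
$default = $configs | Where-Object {
    $_.'@odata.type' -eq '#microsoft.graph.deviceEnrollmentPlatformRestrictionsConfiguration' -and
    $_.priority -eq 0
}
if (-not $default) { throw 'No default platform restriction configuration found.' }

$ios = $default.iosRestriction
Write-Host ("Before: iOS platformBlocked={0} personalDeviceEnrollmentBlocked={1}" -f
    $ios.platformBlocked, $ios.personalDeviceEnrollmentBlocked)

# 2. Keep the iOS platform allowed so DEP (corporate) devices can still enroll, and
#    block only the personal ownership type. Other platforms are left untouched
#    because PATCH sends just the property being changed.
$ios.platformBlocked                 = $false
$ios.personalDeviceEnrollmentBlocked = $true
$body = @{
    '@odata.type'  = '#microsoft.graph.deviceEnrollmentPlatformRestrictionsConfiguration'
    iosRestriction = $ios
} | ConvertTo-Json -Depth 5

Invoke-MgGraphRequest -Method PATCH -Uri "$base/deviceEnrollmentConfigurations/$($default.id)" `
    -Body $body -ContentType 'application/json'

# 3. Re-read the object; do not trust a write you have not read back.
$after = Invoke-MgGraphRequest -Method GET -Uri "$base/deviceEnrollmentConfigurations/$($default.id)"
if ($after.iosRestriction.platformBlocked -or -not $after.iosRestriction.personalDeviceEnrollmentBlocked) {
    throw 'iOS restriction is not in the expected state (platform allowed, personal blocked).'
}
Write-Host ("After:  iOS platformBlocked={0} personalDeviceEnrollmentBlocked={1}" -f
    $after.iosRestriction.platformBlocked, $after.iosRestriction.personalDeviceEnrollmentBlocked)

# 4. Spot check: list enrolled iOS devices with ownership. Devices enrolled before the
#    change stay enrolled (restrictions are evaluated at enrollment time only), so any
#    device showing managedDeviceOwnerType = personal should predate the change.
$uri = "$base/managedDevices?`$filter=operatingSystem eq 'iOS'&`$select=deviceName,managedDeviceOwnerType,enrolledDateTime"
$devices = (Invoke-MgGraphRequest -Method GET -Uri $uri).value
$devices |
    Sort-Object enrolledDateTime -Descending |
    Select-Object deviceName, managedDeviceOwnerType, enrolledDateTime |
    Format-Table -AutoSize
```

The final listing is also the quickest way to triage the "personal iPhone still enrolls" situation: if a device enrolled after the change shows managedDeviceOwnerType = corporate, Intune classified it as corporate (for example through DEP, Apple Configurator or a corporate device identifier), and the personal-device block was never in scope for it.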


Resources

How to Configure Intune Enrollment Setup for iOS macOS Devices

Windows 10 Intune Enrollment Manual Process AAD Registration (anoopcnair.com)

Author

Anoop is a Microsoft MVP! He is a Solution Architect in enterprise client management with more than 20 years of experience (calculation done in 2021) in IT. He is a blogger, speaker, and Local User Group HTMD Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. He writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc.

9 thoughts on “How to Restrict Personal iOS Devices from Enrolling into Intune Endpoint Manager”

  1. Anoop, is there a way to prevent users from enrolling their personal devices for Android and iOS, if we have configured Intune in hybrid mode with SCCM instead of standalone Intune?

    Reply
  2. Hi Anoop, I'm certainly sure I've disabled personally owned device enrollment from platform configurations and then blocked personally owned iOS devices.

    But I can still enroll my personal iPhone from the Company Portal without any restriction. Anything I missed?

    Thanks for the advice.

    Reply
    • Hey Will! The first step is to check whether the device is identified as "Personal" in the Intune console or not. If it's identified as personal, then there could be a bug, but I have never heard about any bug related to this feature. Just wanted to make sure that you set this setting in the enrollment rules.

      Reply
  3. Hi Anoop,

    Is there a way in Intune to block MAM group users from signing in to the Company Portal by mistake, as we don't want BYOD users signing in to the Company Portal and thus turning their BYOD devices into corporate devices?

    Reply
