How to Restrict Personal iOS Devices from Enrolling into Intune

All global enterprise organizations have their own used cases and scenarios. Your MDM solution would be capable to provide solutions for all those scenarios without spending loads of time in house customizations

7
Advertisement

Have you already seen the new Intune options in Azure portal? If not, I would recommend to watch the following video post to get an overview of new Intune portal here. In the new Intune portal, we can have more granular restrictions for MDM enrollments and we don’t need to any kind of tweaking in on prem services like ADFS or any federated access management system.

Now, we have option to block personal iOS devices from Intune enrollment. Enroll Devices node is the place in Intune Azure portal where you can setup this policy. “Enrolment restrictions is the place where you can find the details about granular enrollment restriction policies.  Enrollment restriction policies are there to help us  to restrict/block a set of devices from enrolling into Intune.

Within enrolment restriction rules, we can have two types of restrictions  Device Type restriction and Device Limit restrictions. Device limit restrictions are already available in Intune Silverlight portal. Device Type Restriction is new in Intune Azure portal and that gives us option to restrict or block specific platform devices from enrolling.

In case, if you want to restrict Android devices from enrolling into your Intune MDM enrollment then you can disable/block Android devices enrollment from the new portal. However, I’m not sure how we can allow ONLY Android for Work” enabled devices to enroll in to Intune. I hope, there could be some limitations from Android platform side to restrict the Android devices which are not enabled for Android Work type of management.

Device type restriction policy is very helpful in a scenario you want to restrict Windows Mobile/Phone devices from enrolling into Intune. At the same time you can allow Windows devices (desktop, laptops, surfaces etc..) from enrolling into Intune.

Most interesting feature which is very helpful for many organization is to restrict personal iOS devices from enrolling into Intune. Yes, corp/company owned iOS devices can be enrolled using apple DEP program. In this scenario, you need to create an enrollment type policy with iOS platform is enabled for enrollment via Device Type RestrictionsPlatforms. Once iOS platform is enabled for enrollment then go to Platform Configurations and then BLOCK personally owned iOS devices.

For example, when you try to enroll a device into Intune, the Enrollment restriction policies are checked against that device platform and user. Intune will check the device properties + user restriction limits configured in the enrollment restriction policies and confirm that device platform and user are allowed to enroll. After this positive verification, Intune will allow the user to enroll the device.

7 COMMENTS

  1. Anoop.. Is there a way to prevent users from enrolling their personal devices for Android and iOS, if we have configured intune in hybrid mode with SCCM instead of standalone intune?

  2. Hi Anoop, I`m certainly sure I`ve disabled personal owned device enrollment from platform configurations and then block personally owned IOS devices.

    But I still can enroll my personal iphone from company portal without any restriction. Anything I missed?

    Thanks for advise

    • Hey Will! – The first step is to check whether the device is identified as “Personal” in Intune console or not. If it’s identified as personal then, there could be a bug but I never heard about any bug related to this feature. Just wanted to make sure that you set this setting in Enrollment rules….

LEAVE A REPLY

Please enter your comment!
Please enter your name here