I was going through one of the TechNet documentation and got confused with enrollment restriction policies and device restriction policies. I have posted about both these policies. 1. “Video Experience Intune Device Restriction Policy Deployment to Windows 10 Device” and 2. “How to Restrict Personal Android Devices from Enrolling into Intune“. Device restrictions are entirely different from Enrollment restrictions. Both options have different use cases and that will be explained in this post. These two policies are used in modern device management solutions like Intune and Azure AD.
Intune Device Restriction Profiles (Similar to GPO?):-
Intune Device restriction profiles are the policies similar to GPO from traditional device management world. Most of the enterprise organizations use GPO to restrict corporate owned devices. These are security policies which need to apply on devices. Intune Device restriction policies control a wide range of settings and features of mobile devices (iOS, Android and Windows 10). This type of policies could be applicable on different categories including security, browser, hardware, and data sharing settings. For example, you could create a device restriction profile policy that prevents users of Windows devices from sharing the internet or using Cortana, etc.
Intune device restriction profiles can be deployed to specific user/device in AAD groups where as Intune Enrolment restriction policies can’t be deployed to specific user/device groups in Azure AD. More details available in the following section of this post.
Enrollment is the first part of Mobile Device Management (MDM). Why do we need to enroll a mobile device into Intune? Enrollment is the first step for the management. When a device is enrolled in Intune, they have issued an MDM certificate, which that device then uses to communicate with the Intune service.
In several scenarios, we need to block employees from enrolling their personal devices into corporate management platform. You want to block devices which are not secured enough to enroll into Intune. For example, You want to block personal devices from enrolling. Also, we could be able to block lower OS version devices How is this possible from Intune?
Navigate through Microsoft Intune – Device Enrollment – Enrollment restrictions. You would be able to see two Intune enrollment restrictions policies called 1. Device Type Restrictions and 2. Device Limit Restrictions. Device Type restriction is where we can define which platforms, versions, and management types can enroll. So all other devices are blocked from Intune enrollment.
The only problem with Intune enrollment restriction that I can think of is: – Device type restrictions in Intune is deployed to “All Users, ” and we can’t deploy or assign Intune enrollment restriction policies to “specific user group”. At the moment, the device type restrictions policies are tenant wide configuration.