Are you still waiting for the migration from Intune Silverlight to the Azure portal? I would recommend watching the following video post to get an overview of new Intune blade in Azure portal here. In the new Intune portal, we can have more granular restrictions for MDM enrollments. It’s amazing to see new features in Azure Intune portal. One month before I blogged about restricting personal iOS devices from enrolling Intune via enrollment restriction rules here.
More detailed explanation in the video tutorial here
iOS personal devices can be restricted from enrolling to Intune MDM. However, there was no option to restrict personal Android devices from enrolling into Intune MDM. Intune team has lighted up the feature to restrict personal Android devices from enrolling into Intune. This was one of the features that I was looking for to appear in the Azure portal. So, can we allow only Android for work supported devices to enroll into Intune MDM? With this enrollment or device type restriction option, the answer is NO. So what is the difference between company owned Android devices and personally owned Android devices?
|Features||Company-owned device||Personal device|
|Opt-out of Device Owner mode||No||Yes|
|With device approvals enabled, administrator must approve device||No||Yes|
|Administrators can receive an inactivity report every 30 days||Yes||No|
|Factory resets that users initiate block device re-enrollment||Yes||No|
|Account wipe available||No||Yes|
When you turn on “Block Android Personal Device” option from Intune blade in Azure portal then, all the personal Android devices will be blocked from enrollment. Personal android devices can be Android for Work (AfW) supported devices and non-Android for Work devices. Initially, I thought, Android for Work will not be treated as a personal device rather it would be treated as corporate Owned devices. But I was wrong. For corporate-owned devices, Android for Work can be deployed in a Work Managed mode which provides full device management.
Enroll Devices node is the place in Intune Azure portal where you can setup personally owned Android devices restriction policy. Within enrolment restrictions rules, we can have two types of restrictions Device Type restriction and Device Limit restrictions. In this scenario where we want to restrict personal Android devices, we need to create an enrollment type policy to allow Android platform to enroll in to Intune. Once Android platform has enabled for enrollment then, go to Platform Configurations and then BLOCK personally owned iOS devices.
Ideally, when you block personally owned Android devices from enrollment then, all the Android devices which are enrolled via non-corporate way should get blocked. As per my testing, this is not working. I have enrolled a couple of Android devices after enabling the “block Android personally owned devices” policy and those devices got enrolled without any issues.
As you can see in the below screen capture, I have enrolled two Android devices into Intune, and Intune console and Intune detects those as personal devices. I’m not sure why is it not getting blocked?