How to Restrict Personal Android Devices from Enrolling into Intune

Security team within your organization is worried about personally owned Android devices? And as Intune Admin, you want to block personally owned Android devices from enrolling into Intune?

1
Advertisement

Are you still waiting for the migration from Intune Silverlight to the Azure portal? I would recommend watching the following video post to get an overview of new Intune blade in Azure portal here. In the new Intune portal, we can have more granular restrictions for MDM enrollments. It’s amazing to see new features in Azure Intune portal. One month before I blogged about restricting personal iOS devices from enrolling Intune via enrollment restriction rules here.

More detailed explanation in the video tutorial here

iOS personal devices can be restricted from enrolling to Intune MDM. However, there was no option to restrict personal Android devices from enrolling into Intune MDM. Intune team has lighted up the feature to restrict personal Android devices from enrolling into Intune. This was one of the features that I was looking for to appear in the Azure portal. So, can we allow only Android for work supported devices to enroll into Intune MDM? With this enrollment or device type restriction option, the answer is NO. So what is the difference between company owned Android devices and personally owned Android devices?

FeaturesCompany-owned devicePersonal device
Opt-out of Device Owner modeNoYes
With device approvals enabled, administrator must approve deviceNoYes
Administrators can receive an inactivity report every 30 daysYesNo
Factory resets that users initiate block device re-enrollmentYesNo
Account wipe availableNoYes

When you turn on “Block Android Personal Device” option from Intune blade in Azure portal then, all the personal Android devices will be blocked from enrollment. Personal android devices can be Android for Work (AfW) supported devices and non-Android for Work devices. Initially, I thought, Android for Work will not be treated as a personal device rather it would be treated as corporate Owned devices. But I was wrong. For corporate-owned devices, Android for Work can be deployed in a Work Managed mode which provides full device management.

Enroll Devices node is the place in Intune Azure portal where you can setup personally owned Android devices restriction policy. Within enrolment restrictions rules, we can have two types of restrictions  Device Type restriction and Device Limit restrictions. In this scenario where we want to restrict personal Android devices, we need to create an enrollment type policy to allow Android platform to enroll in to Intune. Once Android platform has enabled for enrollment then, go to Platform Configurations and then BLOCK personally owned iOS devices.

Conclusion :-

Ideally, when you block personally owned Android devices from enrollment then, all the Android devices which are enrolled via non-corporate way should get blocked. As per my testing, this is not working. I have enrolled a couple of Android devices after enabling the “block Android personally owned devices” policy and those devices got enrolled without any issues.

As you can see in the below screen capture, I have enrolled two Android devices into Intune, and Intune console and Intune detects those as personal devices. I’m not sure why is it not getting blocked?

References:-

  • Intune Set device type restrictions – here
  • Android Management Experience setup guide – Evaluate Android enterprise features – here
  • Add management for company-owned devices here
  • Manage your business’s mobile devices – here

1 COMMENT

LEAVE A REPLY

Please enter your comment!
Please enter your name here