How to Restrict Personal Android Devices from Enrolling into Intune | Endpoint Manager | MEM

How to Restrict Personal Android Devices from Enrolling into Intune | Endpoint Manager | MEM? Are you still waiting for the migration from Intune Silverlight to the Azure portal? I would recommend watching the following video post to get an overview of the new Intune blade in the MEM portal here.

We can have more granular restrictions for MDM enrollments in the new Intune portal. It’s amazing to see new features in the MEM Intune portal. One month before, I blogged about restricting personal iOS devices from enrolling in Intune via enrollment restriction rules here.

More detailed explanation in the video tutorial

Please go through the video here.

iOS personal devices can be restricted from enrolling in Intune MDM. However, there was no option to restrict personal Android devices from enrolling into Intune MDM. Intune team has lighted up the feature to restrict personal Android devices from enrolling into Intune.

This was one of the features I was looking for to appear in the Azure portal. So, can we allow only Android for work-supported devices to enroll in Intune MDM? With this enrollment or device type restriction option, the answer is NO. So what is the difference between company-owned Android devices and personally owned Android devices?

Features	Company-owned device	Personal device
Opt-out of Device Owner mode	No	Yes
With device approvals enabled, the administrator must approve the device	No	Yes
Administrators can receive an inactivity report every 30 days	Yes	No
Factory resets that users initiate block device re-enrollment	Yes	No
Account wipe available	No	Yes

When you turn on the “Block Android Personal Device” option from Intune blade in the Azure portal, all the personal Android devices will be blocked from enrollment. Personal android devices can be Android for Work (AfW) supported devices and non-Android for Work devices.

Initially, I thought Android for Work would not be treated as a personal device. Rather it would be treated as a corporate Owned device. But I was wrong. For corporate-owned devices, Android for Work can be deployed in a Work Managed mode which provides full device management.

Enroll Devices node is the place in Intune Azure portal where you can set up a personally owned Android devices restriction policy. Within enrolment restrictions rules, we can have two types of restrictions  Device Type restrictions and Device Limit restrictions.

In this scenario where we want to restrict personal Android devices, we need to create an enrollment type policy to allow the Android platform to enroll in Intune. Once the Android platform has enabled enrollment, go to Platform Configurations and then BLOCK personally owned iOS devices.

Conclusion

Ideally, when you block personally owned Android devices from enrollment, all the Android devices enrolled via a non-corporate way should get blocked. 

As per my testing, this is not working. After enabling the “block Android personally owned devices” policy, I enrolled a couple of Android devices, and those devices got enrolled without any issues.

How to Restrict Personal Android Devices from Enrolling into Intune | Endpoint Manager | MEM?

In the below screen capture, I have enrolled two Android devices into Intune and Intune console, and Intune detects those as personal devices. I’m not sure why is it not getting blocked?

References:-

• Android Management Experience setup guide – Evaluate Android enterprise features – here
• Add management for company-owned devices here
• Manage your business’s mobile devices – here

Author

Anoop is Microsoft MVP! He is a Solution Architect in enterprise client management with more than 20 years of experience (calculation done in 2021) in IT. He is a blogger, Speaker, and Local User Group HTMD Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. E writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc…