How can I restrict Personal iOS Devices from Enrolling in Intune? Have you already seen the new Intune options in the MEM portal? If not, I recommend watching the following video post to get an overview of the new Intune portal.
The new Intune portal allows for more granular restrictions for MDM enrollments. On-prem services like ADFS or any federated access management system don’t need tweaking.
Now, we can block personal iOS devices from Intune enrollment. You can set this policy under the Device enrollment node in the Intune Azure portal. Under “Enrollment restrictions,” you can find the granular enrollment restriction policies.
Enrollment restriction policies help us restrict/block a set of devices from enrolling in Intune. This post explains how to Restrict Personal iOS Devices from Enrolling in Intune Endpoint Manager.
How to Restrict Personal iOS Devices from Enrolling on Intune
There are two types of restrictions within enrollment restriction rules: device type restrictions and device limit restrictions. Device limit restrictions were already available in the Intune Silverlight portal. Device type restrictions, in contrast, are new in the Intune Azure portal and allow us to restrict or block devices of specific platforms from enrolling.
| Types of Restrictions |
|---|
| Device Type Restrictions |
| Device Limit Restrictions |
You can disable/block Android device enrollment from the new portal to keep Android devices out of your Intune MDM enrollment. However, I’m unsure how we can allow ONLY “Android for Work” enabled devices to enroll in Intune. I expect the restriction on Android devices that are not enabled for Android for Work management has to come from the Android platform side.
The device type restriction policy is very helpful if you want to restrict Windows Mobile/Phone devices from enrolling in Intune. At the same time, you can allow Windows devices (desktops, laptops, Surfaces, etc.) to enroll in Intune.
- The most useful feature for any organization is restricting personal iOS devices from enrolling in Intune.
- Corporate/company-owned iOS devices can be enrolled using the Apple DEP program.
- In this scenario, you need to create a device type restriction policy with the iOS platform enabled for enrollment under Device Type Restrictions > Platforms. Once the iOS platform is enabled for enrollment, go to Platform Configurations and BLOCK personally owned iOS devices.
For example, when you try to enroll a device in Intune, the enrollment restriction policies are checked against that device platform and user. Intune checks the device properties and the user’s device limit configured in the enrollment restriction policies and confirms that the device platform and user are allowed to enroll. Only after this positive verification does Intune let the user enroll the device.
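The check described above can be reproduced offline against the policy objects Intune exposes through Microsoft Graph (GET /deviceManagement/deviceEnrollmentConfigurations). The following is an added example, not code from the original post: the JSON is a constructed sample shaped like that response, the resource ids are placeholders, and the property names (iosRestriction, platformBlocked, personalDeviceEnrollmentBlocked, limit) follow the Graph deviceEnrollmentPlatformRestrictionsConfiguration and deviceEnrollmentLimitConfiguration types. It evaluates a platform/ownership combination the way the post describes (platform first, then personal ownership, then the device limit) and audits whether personal iOS is really blocked, which is the first thing to verify when a personal iPhone still enrolls.

```python
import json

# CONSTRUCTED sample shaped like a Graph deviceEnrollmentConfigurations
# response; ids are placeholders and only the properties used below appear.
SAMPLE_RESPONSE = json.loads(r'''
{
  "value": [
    {
      "@odata.type": "#microsoft.graph.deviceEnrollmentPlatformRestrictionsConfiguration",
      "id": "placeholder-restriction-id",
      "displayName": "All users and all devices",
      "priority": 0,
      "iosRestriction": {"platformBlocked": false, "personalDeviceEnrollmentBlocked": true},
      "androidRestriction": {"platformBlocked": false, "personalDeviceEnrollmentBlocked": false},
      "windowsRestriction": {"platformBlocked": false, "personalDeviceEnrollmentBlocked": false},
      "windowsMobileRestriction": {"platformBlocked": true, "personalDeviceEnrollmentBlocked": true},
      "macOSRestriction": {"platformBlocked": false, "personalDeviceEnrollmentBlocked": false}
    },
    {
      "@odata.type": "#microsoft.graph.deviceEnrollmentLimitConfiguration",
      "id": "placeholder-limit-id",
      "displayName": "All users and all devices",
      "priority": 0,
      "limit": 5
    }
  ]
}
''')

PLATFORM_RESTRICTION_TYPE = "#microsoft.graph.deviceEnrollmentPlatformRestrictionsConfiguration"
LIMIT_TYPE = "#microsoft.graph.deviceEnrollmentLimitConfiguration"

# Maps a platform label to the per-platform restriction property on the config.
RESTRICTION_KEY = {
    "ios": "iosRestriction",
    "android": "androidRestriction",
    "windows": "windowsRestriction",
    "windowsMobile": "windowsMobileRestriction",
    "macOS": "macOSRestriction",
}


def configs_of_type(response, odata_type):
    """Filter the Graph collection down to one configuration type."""
    return [c for c in response.get("value", []) if c.get("@odata.type") == odata_type]


def evaluate_enrollment(response, platform, personal, enrolled_count):
    """Return (allowed, reason) for a device of `platform` owned `personal`ly.

    Order mirrors the post: platform block, then personal-ownership block,
    then the user's device limit. Assumption: every restriction config in the
    response is evaluated and any block wins; Intune itself applies only the
    highest-priority policy assigned to the user, so this is conservative.
    """
    key = RESTRICTION_KEY.get(platform)
    if key is None:
        return False, f"unknown platform {platform!r}"
    for cfg in configs_of_type(response, PLATFORM_RESTRICTION_TYPE):
        rules = cfg.get(key) or {}
        if rules.get("platformBlocked"):
            return False, f"{platform} platform blocked by '{cfg['displayName']}'"
        if personal and rules.get("personalDeviceEnrollmentBlocked"):
            return False, f"personal {platform} devices blocked by '{cfg['displayName']}'"
    for cfg in configs_of_type(response, LIMIT_TYPE):
        if enrolled_count >= cfg.get("limit", 0):
            return False, f"device limit {cfg['limit']} reached ('{cfg['displayName']}')"
    return True, "allowed"


def audit_personal_ios(response):
    """Names of restriction configs that still let personally owned iOS enroll."""
    return [
        cfg["displayName"]
        for cfg in configs_of_type(response, PLATFORM_RESTRICTION_TYPE)
        if not (cfg.get("iosRestriction") or {}).get("personalDeviceEnrollmentBlocked")
    ]


if __name__ == "__main__":
    for platform, personal in (("ios", True), ("ios", False), ("windowsMobile", False)):
        print(platform, "personal" if personal else "corporate",
              evaluate_enrollment(SAMPLE_RESPONSE, platform, personal, enrolled_count=0))
    print("configs still allowing personal iOS:", audit_personal_ios(SAMPLE_RESPONSE))
```

Replace SAMPLE_RESPONSE with the real collection pulled from Graph to audit a tenant; an empty list from audit_personal_ios means the block is set on every restriction policy, so a personal iPhone that still enrolls is being classified as corporate (for example via DEP or a corporate identifier) rather than slipping past the policy.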
How do you restrict personal iOS devices from enrolling in Intune Endpoint Manager?
Resources
- How to Configure Intune Enrollment Setup for iOS macOS Devices
- Windows 10 Intune Enrollment Manual Process AAD Registration (anoopcnair.com)
Author
Anoop C Nair is a Microsoft MVP. He is a Device Management Admin with more than 20 years of experience (calculation done in 2021) in IT. He is a blogger, speaker, and local user group HTMD Community leader. His main focus is on device management technologies like SCCM 2012, Current Branch, and Intune. He writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc.
I’m not sure how we can allow ONLY “Android for Work”
Blocking all other platforms except android will do the trick?
Not exactly because Native Android MDM is different from Android for Work MDM 😉
Thanks for clarifying
Anoop, is there a way to prevent users from enrolling their personal devices for Android and iOS if we have configured Intune in hybrid mode with SCCM instead of standalone Intune?
SCCM hybrid has parity issues and I don’t think there is any method to block personal Android and iOS devices. But I could be wrong.
Hi Anoop, I’m certainly sure I’ve disabled personally owned device enrollment from Platform Configurations and then blocked personally owned iOS devices.
But I still can enroll my personal iPhone from the Company Portal without any restriction. Anything I missed?
Thanks for the advice
Hey Will! The first step is to check whether the device is identified as “Personal” in the Intune console or not. If it’s identified as personal, then there could be a bug, but I never heard about any bug related to this feature. Just wanted to make sure that you set this setting in Enrollment rules….
Hi Anoop,
Is there a way in Intune to block MAM group users from signing in to the Company Portal by mistake, as we don’t want BYOD users signing in to the Company Portal and thus turning their BYOD into corporate devices?
You can restrict all the BYOD enrollment via the method which I explained -> https://www.anoopcnair.com/block-personal-windows-devices/#How_to_Block_Personal_Windows_Devices