Microsoft Intune has been around for some time now, and the cloud service has matured quite a bit over the past years. Currently, the latest iteration of the service is out in Public preview, which is Intune in Azure. If you want to explore what’s coming in the latest version (code name Ibiza), you can setup a trial account and start exploring. In this blog post, we’ll take a look at one of the new features that I’m really excited about, enrollment restrictions. In the past, companies that wanted to prevent their users from enrolling their personal devices, or a certain type of device, did not have that possibility. Now, with Intune in Azure, we can manage exactly that. However, there are a few restrictions to what we can do which will be outlined in this post.

NOTE – This post contains information about a public preview version of Microsoft Intune, please note that the final release may appear differently.

Enrollment restrictions options

You are given the options when it comes to enrolment restrictions to perform the following:

  • Set device type restrictions
  • Set device limit restrictions

This means that you can set the types of devices that are allow to enrol, accomplished by simply choosing to Block or Allow a given device type platform like Android or iOS for instance. As for the maximum number of devices restriction option, you define a number of how many devices a single user is allowed to enrol, for instance 5 devices.

In the current release of Microsoft Intune, you also have an option to Allow or Block personally owned devices. This comes in handy when organizations only wants to allow devices registered in Apple Device Enrolment Program for instance (or manually prestage them by their serial number directly in Microsoft Intune), preventing end users from enrolling their personal devices. This would allow for a total control scenario of what devices are enrolled and managed by Microsoft Intune. As of writing, this is only available for iOS devices, but would much likely be extended for other platforms in the future releases.

Setting up device type restrictions

Like we discussed earlier, we can restrict what device type platforms we want to allow when devices are enrolled. An example would be where we’ve configured to only allow iOS devices to enrol. In the event that an end user attempts to enrol an Android device, this operation would be blocked from enrolling. Let’s take a look at how this scenario is configured.

1. Begin with logging into the Azure portal at portal.azure.com.
2. Open Intune (Preview). If you don’t have Intune in the left menu, click on More services and filter for Intune.
3. Open the Enroll Devices blade.

4. Under Manage, select Enrollment Restrictions.

5. In the Enrollment Restrictions blade, in the Device Type Restrictions table select Default.

6. In All Users blade, select Platforms. Here you’re given the option to either Allow or Block a particular platform from enrolling. In this example, we’re only going to allow iOS devices from enrolling, which would be configured as shown in the picture below.

7. Click on Save.

8. Optionally, we have the possibility to also Allow or Block personally owned devices (BYOD). This configuration can be set under the Platform Configurations settings, shown in the picture below.

9. Once you’ve made your configuration, close the blades that got open during this process.

Setting up device limit restrictions

Setting the maximum number of allowed devices to enroll per user is pretty straight forward. It’s done in the same Enrollment Restrictions blade as for when configuring the device type restrictions.

1. Click on the Enrol Devices blade in Intune in the Azure portal.
2. Click on Enrollment Restrictions and select Default in the table right under Device Limit Restrictions. Then select Device Limit and select the amount of devices a user is allowed to enroll.

End user enrolment experience

From an end user experience when the enrolment restrictions for device type platforms have been blocked for a certain platform, is shown with a popup during the registration phase when enrolling the device. Going back to the scenario that we discussed previously where only iOS devices where allowed to enrol, when an Android device is enrolled the user will be prompted with this (sorry for the Swedish):

The message states “Could not enroll the device”, and the rest if hopefully pretty clear. In my opinion, it’s great that we get an error message that the end user can interpret, but I’d like this to be shown much earlier in the enrollment experience. Hopefully, this will be improved once Intune in Azure becomes general available, but for now I think this is something that many organizations have been waiting for, and should definitely take a look at.

Nickolaj Andersen
Principal Consultant and Enterprise Mobility MVP. Nickolaj has been in the IT industry for the past 10 years specializing in Enterprise Mobility and Security, Windows deployments and Automation. In 2015 Nickolaj was awarded as PowerShell Hero by the community for his script and tools contributions. Author of ConfigMgr Prerequisites Tool, ConfigMgr OSD FrontEnd, ConfigMgr WebService and a frequent speaker at user groups.

(407)

comments
  • Will Tao
    Posted at 07:14 May 14, 2017
    Will Tao
    Reply
    Author

    I`m certainly sure I`ve disabled personal owned device enrollment from platform configurations and then block personally owned IOS devices.

    But I still can enroll my personal iphone from company portal without any restriction. Anything I missed?

    Thanks for advise

  • Leave a Reply