The specific enrollment restrictions that you can create include: Default restrictions are automatically provided for both device type and device limit enrollment restrictions.

Use these settings to control the password, access Google Play, allow or prohibit apps, control the browser settings, block apps, backup to the Google cloud, and control the message, voice, data roaming, Wi-Fi, and Bluetooth connection options.

Block personal Windows devices from enrolling into Intune: https://docs.microsoft.com/en-us/intune/enrollment-restrictions-set#blocking-personal-windows-devices

Hybrid joined Windows device with automatic MDM enrollment GPO set, bulk enrolled with WCD or set up school PC, enrollment with a Device Enrollment Manager.

Ensure that Windows (MDM) enrollment is set to allow, or all Windows enrollment will be blocked. Click on block for Windows personally owned.

By default users are able to un-enroll their devices and thus become unmanaged. You can change the settings for an enrollment restriction by following the steps below.

I have enrolled a couple of Android devices after enabling the “block Android personally owned devices” policy and those devices got enrolled without any issues.

For corporate-owned devices, Android for Work can be deployed in a Work Managed mode which provides full device management. Select Next to go to the Review + create page.

A Windows device that the end user is enrolling into Intune is personal unless you tell Intune that it is a corporate device or you Azure AD join from OOBE. A corporate Windows device is also: Start the Microsoft 365 device management portal. From an end user perspective, they will get a welcome message when the device is an Autopilot device.
For an overview of all OMA-URI for Windows Phone settings, see the PolicyManager configuration service provider and Windows Phone 8.1 MDM Protocol documentation. First we disable the un-enrollment of Windows Phone devices by using the following OMA-URI string: Secondly we disable the ability to factory reset by using the following OMA-URI string: We configured two settings using OMA-URI.

For more information about scope tags, see Use role-based access control and scope tags for distributed IT. Then choose Select. If both platforms are allowed for the same group, then users will be enrolled with a work profile if their device supports it; otherwise they will enroll as DA.

If you block personally owned Windows devices from enrollment, Intune checks to make sure that each new Windows enrollment request has been authorized as a corporate enrollment. The first step is to distinguish between corporate and personal. In Intune go to Device Enrollment > Corporate Device Identifiers.

Choose Next to go to the Platform settings page. Under properties click “Configure Platforms” and next to Android change the selection from “allow” to “block” for personally owned devices and click OK. You have now successfully blocked personal Android devices from being enrolled into Intune.

Enrolled by using Automated Device Enrollment (formerly Device Enrollment Program). For example, if you configure this list to include "App 1," "App 2," and "App 3" and …

As an Intune administrator, you can create and manage enrollment restrictions that define what devices can enroll into management with Intune, including the: You can create multiple restrictions and apply them to different user groups.

So, can we allow only Android for Work supported devices to enroll into Intune MDM?

A good example is to block the removal of Workplace from your managed Windows Phones. By using these settings you are able to prevent Windows Phone devices from being taken out of management in one way or another.