My last blog post before a short vacation is about using the differentiation between corporate-owned devices and personally-owned devices. The best scenario for this differentiation is preventing the MDM enrollment of personally-owned devices. In that scenario it’s still possible to use MAM-WE (mobile application management without enrollment) with personally-owned devices, as only the MDM enrollment is blocked. In other words, it’s still possible to enable the end-users to securely access their corporate data on their personally-owned device. The ability to block personally-owned devices is introduced with Configuration Manager 1706 and was already available for a while in Microsoft Intune standalone. In this post I’ll walk through the configuration steps for Microsoft Intune hybrid and standalone. I’ll end this post with the end-user experience.
Before starting with the configuration, it’s good to mention that Microsoft Intune hybrid and standalone classify devices as personally-owned by default. In other words, the moment the restriction is enabled, every device that is not explicitly declared as company-owned (see the notes below) is treated as personally-owned and its MDM enrollment is blocked.
Microsoft Intune hybrid
The configuration for Microsoft Intune hybrid must be done by using the Configuration Manager administration console. At this moment Microsoft Intune hybrid only supports the restriction on personally-owned devices for Android and iOS. This can be configured by simply following the next steps.
Note: To specify that a device is company-owned, add the IMEI or serial number to the Predeclared Devices list (as shown here), or enroll it using Apple DEP (iOS only).
Microsoft Intune standalone
The configuration for Microsoft Intune standalone must be done by using the Azure portal. At this moment Microsoft Intune standalone supports the restriction on personally-owned devices for Android, iOS and macOS. This can be configured by simply following the next steps.
1. Open the Azure portal and navigate to Intune > Device enrollment > Enrollment restrictions to open the Device enrollment – Enrollment restrictions blade;
2. On the Device enrollment – Enrollment restrictions blade, select Default in the Device Type Restrictions section, to open the All Users blade;
3. On the All Users blade, select Platform Configurations to open the All Users – Platform Configurations blade;
4. On the All Users – Platform Configurations blade, select Block, in the PERSONALLY OWNED column, for the platforms of which personally-owned devices must be blocked and click Save.
Note: To specify that a device is company-owned, add the IMEI or serial number to the Predeclared Devices list (as shown here), or enroll it using Apple DEP (iOS only).
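To make the effect of the restriction concrete, here is an added example (it is not code from the original post and does not call Intune): a small offline model of the decision Intune makes once Block is selected in the PERSONALLY OWNED column, following the ownership rules stated above. A device is personally-owned by default and only counts as company-owned when its IMEI or serial number is on the predeclared list or, for iOS, when it arrives through Apple DEP. The `graph_restriction_payload` helper builds the body for setting the same thing through Microsoft Graph; the `@odata.type` and property names in it are my recollection of the beta `deviceEnrollmentConfigurations` resource and must be verified against the current Graph reference. All identifiers and devices in the example are constructed.

```python
"""Offline model of the Intune 'block personally-owned devices' restriction.

Added example, not from the original post.  Ownership follows the post:
personally-owned by default; company-owned only via the predeclared list
(IMEI / serial number) or Apple DEP (iOS only).  Sample data is constructed.
"""
from dataclasses import dataclass, field

PLATFORMS = ("android", "ios", "macos", "windows")


def normalize(value: str) -> str:
    """Upper-case and strip separators so 'c02-xyz 123' matches 'C02XYZ123'."""
    return "".join(ch for ch in value.upper() if ch.isalnum())


@dataclass
class PlatformRestriction:
    platform_blocked: bool = False   # "Block" in the PLATFORM column
    personal_blocked: bool = False   # "Block" in the PERSONALLY OWNED column


@dataclass
class EnrollmentRestrictions:
    rules: dict = field(default_factory=lambda: {p: PlatformRestriction() for p in PLATFORMS})


@dataclass
class CorporateIdentifiers:
    """The Predeclared Devices list: IMEIs and serial numbers declared company-owned."""
    imeis: set = field(default_factory=set)
    serials: set = field(default_factory=set)

    def __post_init__(self):
        self.imeis = {normalize(v) for v in self.imeis}
        self.serials = {normalize(v) for v in self.serials}


def is_corporate(device: dict, ids: CorporateIdentifiers) -> bool:
    """Personally-owned unless predeclared, or enrolled through Apple DEP (iOS only)."""
    if device.get("dep") and device["platform"] == "ios":
        return True
    imei, serial = device.get("imei"), device.get("serial")
    if imei and normalize(imei) in ids.imeis:
        return True
    if serial and normalize(serial) in ids.serials:
        return True
    return False


def enrollment_decision(device: dict, restrictions: EnrollmentRestrictions,
                        ids: CorporateIdentifiers) -> str:
    """The restriction only applies to new enrollments (as the author confirms in
    the comments), so a device that is already enrolled is never blocked retroactively."""
    if device.get("already_enrolled"):
        return "unaffected: already enrolled"
    rule = restrictions.rules[device["platform"]]
    if rule.platform_blocked:
        return "blocked: platform"
    if rule.personal_blocked and not is_corporate(device, ids):
        return "blocked: personally-owned"
    return "allowed"


def graph_restriction_payload(restrictions: EnrollmentRestrictions,
                              display_name: str = "All Users") -> dict:
    """ASSUMPTION: type and property names recalled from the beta Graph resource
    deviceEnrollmentPlatformRestrictionsConfiguration; verify before use."""
    def rule(platform: str) -> dict:
        r = restrictions.rules[platform]
        return {"platformBlocked": r.platform_blocked,
                "personalDeviceEnrollmentBlocked": r.personal_blocked,
                "osMinimumVersion": None, "osMaximumVersion": None}
    return {
        "@odata.type": "#microsoft.graph.deviceEnrollmentPlatformRestrictionsConfiguration",
        "displayName": display_name,
        "androidRestriction": rule("android"),
        "iosRestriction": rule("ios"),
        "macOSRestriction": rule("macos"),
        "windowsRestriction": rule("windows"),
    }


def demo() -> dict:
    """Constructed scenario: block personal Android and iOS, leave macOS open."""
    restr = EnrollmentRestrictions()
    restr.rules["android"].personal_blocked = True
    restr.rules["ios"].personal_blocked = True
    ids = CorporateIdentifiers(imeis={"356938035643809"}, serials={"C02-XYZ123"})
    devices = {
        "corp-android": {"platform": "android", "imei": "356938035643809"},
        "byod-android": {"platform": "android", "imei": "490154203237518"},
        "corp-ios-dep": {"platform": "ios", "dep": True},
        "corp-ios-serial": {"platform": "ios", "serial": "c02xyz123"},
        "byod-ios": {"platform": "ios", "serial": "DNPXYZ999"},
        "byod-macos": {"platform": "macos", "serial": "DNPXYZ999"},
        "byod-ios-enrolled-earlier": {"platform": "ios", "serial": "DNPXYZ999",
                                      "already_enrolled": True},
    }
    return {name: enrollment_decision(d, restr, ids) for name, d in devices.items()}


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:28} {outcome}")
```

The two things worth noticing when running it are the macOS device, which stays enrollable because Block was only selected for Android and iOS, and the DEP flag, which only counts for iOS; a predeclared identifier is the only way to mark an Android device as company-owned.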
Now let’s end this post by looking at the end-user experience for Android and iOS devices.
For more information about blocking personally-owned devices and how it can be configured via Microsoft Intune hybrid and standalone, please refer to the following articles:
- Set enrollment restrictions: https://docs.microsoft.com/en-us/intune/enrollment-restrictions-set
- Set up iOS hybrid device management with System Center Configuration Manager and Microsoft Intune – Configure enrollment restrictions: https://docs.microsoft.com/en-us/sccm/mdm/deploy-use/enroll-hybrid-ios-mac#configure-enrollment-restrictions
- Set up Android hybrid device management with System Center Configuration Manager and Microsoft Intune – Enable Android enrollment: https://docs.microsoft.com/en-us/sccm/mdm/deploy-use/enroll-hybrid-android#enable-android-enrollment
4 thoughts on “Block personally-owned devices”
Hi Peter is this possible?
I have a scenario that I believe is common at many companies.
User with multiple devices, some corporate some personal.
When users open outlook it asks.
BYOD personal devices to register their phones not enroll
CYOD corporate devices should enroll
I have turned on App Protection policy and this works well; it forces the user on both personal and personal devices to use Outlook, otherwise they cannot access email.
But I cannot make Intune automatically force a corporate device to enroll and the same user on a personal device to register, not enroll.
I have tried importing devices’ IMEI or serial number. I thought this would then, once the user uses Outlook, recognize it’s a corp device and make them enroll; it does not, it is still down to the user to enroll themselves by their own choice.
I have also tried blocking personal devices from enrolling. This works, but still there is no way of telling a corporate device it must enroll and a personal device it only needs to register.
My real question is: is this possible? For a user to have 2 devices, one corporate that, when he first uses Outlook, says: Corporate device, please enroll.
Then the same user using a personal device it just asks to register only?
I have turned on conditional access but then that asks all users to enroll no matter which device.
A colleague of mine, Arjan Vroege, has done a nice series about this subject. Please have a look at it here: http://www.vroege.biz/?p=3455
Thanks very much for this information. I’m looking at enabling this option in my Intune environment but had a question. For ‘personal’ devices which have already been enrolled, will enabling this option block those devices from being used, or does the block only take effect when the user is actually trying to enrol?
If it blocks devices already enrolled as a personal, I’ll need to be performing some housekeeping to make sure that all our corporate devices are listed correctly.
This only affects new enrollments.