Block personally-owned devices

My last blog post before a short vacation is about making use of the differentiation between corporate-owned devices and personally-owned devices. The best scenario for this differentiation is preventing the MDM enrollment of personally-owned devices. In that scenario it’s still possible to use MAM-WE with personally-owned devices, as only the MDM enrollment will be blocked. In other words, it’s still possible to enable the end-users to securely access their corporate data on their personally-owned device. The ability to block personally-owned devices is introduced with Configuration Manager 1706 and was already available for a while in Microsoft Intune standalone. In this post I’ll walk through the configuration steps for Microsoft Intune hybrid and standalone. I’ll end this post with the end-user experience.

Configuration

Before starting with the configuration, it’s good to mention that Microsoft Intune hybrid and standalone classifies devices as personally-owned by default.

Microsoft Intune hybrid

The configuration for Microsoft Intune hybrid must be done by using the Configuration Manager administration console. At this moment Microsoft Intune hybrid only supports the restriction on personally-owned devices for Android and iOS. This can be configured by simply following the next steps.

1 Open the Configuration Manager administration console and navigate to Software Library > Overview > Cloud Services > Configure Platforms;
2 On the Home tab, click Configure Platforms > Android (3a) or iOS (3b) to open the Microsoft Intune Subscription Properties;
3a On the General tab, select Block personally owned devices and click OK;
3b On the Enrollment Restrictions tab, select Block personally owned devices and click OK.

Note: To specify that a device is company-owned, add the IMEI or serial number to the Predeclared Devices list (as shown here), or enroll it using Apple DEP (iOS only).

Microsoft Intune standalone

The configuration for Microsoft Intune standalone must be done by using the Azure portal. At this moment Microsoft Intune standalone supports the restriction on personally-owned devices for Android, iOS and macOS. This can be configured by simply following the next steps.

1 Open the Azure portal and navigate to Intune > Device enrollment > Enrollment restrictions to open the Device enrollment – Enrollment restrictions blade;
2 On the Device enrollment – Enrollment restrictions blade, select Default in the Device Type Restrictions section, to open the All Users blade;
3 On the All Users blade, select Platform Configurations to open the All Users – Platform Configurations blade;
4 On the All Users – Platform Configurations blade, select Block, in the PERSONALLY OWNED column, for the platforms of which personally-owned devices must be blocked and click Save.

Note: To specify that a device is company-owned, add the IMEI or serial number to the Predeclared Devices list (as shown here), or enroll it using Apple DEP (iOS only).

End-user experience

Now let’s end this post by looking at the end-user experience for Android and iOS devices.

Android: Let’s walk through the steps, on an Android device, that the end-user needs to perform before the end-user will actually be told that it’s not allowed.

  • Open the Microsoft Intune Company Portal app and sign in;
  • On the Company Access Setup page, tap Begin;
  • On the Why enroll your device? page, tap Continue;
  • On the We care about your privacy page, tap Continue;
  • On the What comes next page, tap Enroll;
  • On the Activate device administrator? page, tap Activate;

Now a clear Couldn’t enroll your device message will show (as shown on the right). That message clearly mentions that the end-user is not authorized to enroll this device.

iOS: Let’s walk through the steps, on an iOS device, that the end-user needs to perform before the end-user will actually notice that it’s not allowed.

  • Open the Microsoft Intune Company Portal app and sign in;
  • On the Company Access Setup page, tap Begin;
  • On the Why enroll your device? page, tap Continue;
  • On the We care about your privacy page, tap Continue;
  • On the What comes next page, tap Enroll;
  • On the Install Profile page, tap Install;
  • On the dialog box, tap Install;

Now a terrible Profile Installation Failed message will show (as shown on the right). That message mentions that a connection to the server could not be established. This is ugly, but is currently the expected behavior.

More information

For more information about blocking personally-owned devices and how it can be configured via Microsoft Intune hybrid and standalone, please refer to the following articles:


Easily predeclaring corporate-owned devices

This week another post about (easily) predeclaring corporate-owned devices. Starting next week, I’ll introduce some new features of Configuration Manager 1706. This post is basically a part 2 of my post about predeclaring corporate-owned devices. The big difference is that this time it’s about Microsoft Intune standalone, where this feature was just recently introduced. Predeclaring corporate-owned devices is an easy method to differentiate between corporate and personal devices and immediately tag those devices. I’ll start this post with a little bit of information, followed by the configuration. I’ll end this post with the administrator experience.

Information

Let’s start with some information about predeclaring corporate-owned devices. An Intune administrator can now create and import a comma-separated values (.csv) file that lists International Mobile Equipment Identifier (IMEI) numbers or serial numbers. Intune uses these identifiers to set Ownership as Corporate. IMEI numbers can be declared for all supported platforms and serial numbers can be declared for iOS and Android devices only. Each IMEI or serial number can have details specified in the csv file for administrative purposes.

Configuration

Before I’m going to walk through the required configuration steps, it’s good to provide some information about the format of the csv files that can be used. To create the list, create a two-column csv list without a header. Add the IMEI or serial numbers in the left column, and the device details in the right column. A csv file can contain either IMEI numbers or serial numbers, not both. The device details are limited to 128 characters and are for administrative use only. Details aren’t displayed on the device. The current limit is 500 rows per csv file. An example for serial numbers would look like the following.

RF8xxxxRZP,Company-owned Android device
F9FxxxxxxHK9,Company-owned iOS device
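The constraints above (two columns, no header, one identifier type per file, 128-character details, 500 rows) are easy to get wrong when the list is exported from an asset system, so here is an added example (not from the post or from Microsoft) that checks a file against them before it is uploaded on the Add identifiers blade. The Luhn check on IMEI numbers is a local sanity test I added; the post does not say what Intune itself validates, and the sample identifiers are constructed.

```python
import csv
import io

MAX_ROWS = 500        # per-file limit stated in the post
MAX_DETAIL_LEN = 128  # device details limit stated in the post


def is_valid_imei(value: str) -> bool:
    """15 digits ending in a Luhn check digit. Assumption: the post does not say
    what Intune checks on import, so this is only a local sanity test."""
    if len(value) != 15 or not value.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(value)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def validate_identifier_csv(text: str, identifier_type: str) -> list:
    """Return the problems found; an empty list means the file is importable.

    identifier_type is 'IMEI' or 'Serial', matching the Identifier type
    chosen on the Add identifiers blade; a file may hold only one kind."""
    problems = []
    rows = list(csv.reader(io.StringIO(text)))
    if len(rows) > MAX_ROWS:
        problems.append(f"{len(rows)} rows exceeds the {MAX_ROWS}-row limit")
    seen = set()
    for n, row in enumerate(rows, start=1):
        if len(row) != 2:
            problems.append(f"row {n}: expected 2 columns, got {len(row)}")
            continue
        ident, details = row[0].strip(), row[1]
        if ident in seen:
            problems.append(f"row {n}: duplicate identifier {ident!r}")
        seen.add(ident)
        if len(details) > MAX_DETAIL_LEN:
            problems.append(f"row {n}: details exceed {MAX_DETAIL_LEN} characters")
        if identifier_type == "IMEI" and not is_valid_imei(ident):
            problems.append(f"row {n}: {ident!r} is not a valid IMEI")
        elif identifier_type == "Serial" and not ident:
            problems.append(f"row {n}: empty serial number")
    return problems


# Constructed sample in the post's two-column, header-less layout.
SAMPLE_SERIAL_CSV = ("RF8xxxxRZP,Company-owned Android device\n"
                     "F9FxxxxxxHK9,Company-owned iOS device\n")
```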

With this information and the example, I’ll now walk through the configuration steps.

1 Open the Azure portal and navigate to Intune > Device enrollment > Corporate device identifiers;
2 On the Corporate device identifiers blade, select Add to open the Add identifiers blade;
3 On the Add identifiers blade, select Serial as Identifier type, select the created csv file with Import identifiers and click Add to return to the Corporate device identifiers blade;

Note: When importing IMEI numbers, simply select IMEI as Identifier type. Also, notice the message below the selected csv file, it already shows the total number of device identifiers that are found within the csv file.

4 Back on the Device identifiers blade, it will now provide an overview of the just imported device identifiers.

Administrator experience

Let’s end this post with the administrator experience. After a device of the csv file is enrolled, there are a few good places to look in the Azure portal. The first place is Intune > Device enrollment > Corporate device identifiers. This location shows the imported device identifiers and will now also show Enrolled as the STATE of the imported device identifier.


The second place is Intune > Devices > All devices. This location shows all the enrolled devices and now also shows Corporate as OWNERSHIP of the device.


This is the easiest method for an administrator to differentiate between corporate and personal devices. It enables the administrator to target specific actions only to corporate-owned devices and even enables the administrator to create an easy road to blocking personal devices. More about that in a later post. Also, keep in mind that the ownership will not change for already enrolled devices. The corporate identifiers must be imported before the devices are enrolled.

More information

For more information about predeclaring corporate-owned devices, please refer to this article about adding corporate identifiers.


Predeclaring corporate-owned devices

This week something related to last week. This week will be about predeclaring corporate-owned devices. In other words, making sure that the Device Owner of the specified devices is set to Company after enrollment. It’s also a much easier solution than the scripted solution that I created more than a year ago for automagically setting the mobile Device Owner to Company. In this blog post I’ll provide some information about this feature, I’ll show the configuration of this feature and I’ll show the administrator experience of this feature. Please note that this functionality is only available for Microsoft Intune hybrid.

Information

Predeclaring corporate-owned devices allows organizations to identify corporate-owned devices by importing the International Mobile Equipment Identity (IMEI) numbers, or, for iOS devices, by importing the serial numbers. It’s possible to upload a comma-separated values (.csv) file containing device IMEI numbers, or to manually enter device information. Imported information will make sure that the Device Owner will be set to Company for the devices that are on the list. Keep in mind that this is only applicable to devices that still need to enroll. The Device Owner will not change for already enrolled devices that are on the list.

Configuration

Before I’m going through the required configuration steps, it’s good to mention the format of the csv files that can be used. The lines in the csv file can contain a maximum of 4 columns with the following items in the following order: IMEI number, iOS serial number, Platform (iOS, Windows, Android), Details. Each row must contain an IMEI number, or iOS serial number, and a Platform. The Details are optional. An example would look like the following.

,F9FFFFFFFFK9,iOS,Company-owned iOS device
357777777777748,,Android,Company-owned Android device
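The hybrid format differs from the standalone one (up to four positional columns, an IMEI or an iOS serial number per row, and a mandatory Platform), so here is an added example (not from the post or from Microsoft) that checks each row of such a file before it is fed to the Create Predeclared Devices wizard. The rule that a serial number must be paired with the iOS platform is my assumption based on the column being called "iOS serial number"; the sample identifiers are the post's placeholders.

```python
import csv
import io

PLATFORMS = {"iOS", "Windows", "Android"}  # Platform values named in the post


def validate_predeclared_row(row: list) -> list:
    """Return the problems for one row of the hybrid predeclared-devices csv.

    Column order from the post: IMEI, iOS serial number, Platform, Details.
    Each row needs an IMEI or an iOS serial number plus a Platform; Details
    are optional, so a row may be shorter than four columns."""
    if len(row) > 4:
        return [f"{len(row)} columns, at most 4 allowed"]
    # Pad short rows so all four fields can be unpacked uniformly.
    imei, serial, platform, _details = (row + [""] * 4)[:4]
    imei, serial, platform = imei.strip(), serial.strip(), platform.strip()
    problems = []
    if not imei and not serial:
        problems.append("neither an IMEI nor an iOS serial number given")
    if imei and not (len(imei) == 15 and imei.isdigit()):
        problems.append(f"IMEI {imei!r} is not 15 digits")
    if platform not in PLATFORMS:
        problems.append(f"platform {platform!r} is not one of {sorted(PLATFORMS)}")
    # Assumption: the second column is specifically an iOS serial number,
    # so a serial number combined with another platform is flagged.
    if serial and platform != "iOS":
        problems.append("serial number given but platform is not iOS")
    return problems


def validate_predeclared_csv(text: str) -> dict:
    """Map 1-based row numbers to their problems; an empty dict means all rows pass."""
    result = {}
    for n, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not row:
            continue  # blank lines carry no device and are ignored
        issues = validate_predeclared_row(row)
        if issues:
            result[n] = issues
    return result


# Sample in the post's layout; identifiers are placeholders, not real devices.
SAMPLE_HYBRID_CSV = (
    ",F9FFFFFFFFK9,iOS,Company-owned iOS device\n"
    "357777777777748,,Android,Company-owned Android device\n"
)
```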

With this information, I can go through the required configuration steps. During these steps I’ll use the example csv information. It’s good to keep in mind that it’s also possible to manually add a single IMEI number or iOS serial number. In that case the wizard will simply skip the import page, mentioned below.

1 Open the Configuration Manager administration console and navigate to Assets and Compliance > Overview > All Corporate-owned Devices > Predeclared Devices;
2 On the Home tab, click Create Predeclared Devices to open the Create Predeclared Devices wizard;
3 On the General page, select Upload a CSV file containing IMEI or serial numbers and details, select the csv file and click Next;
4 On the Import page, click Next;
5 On the Entry page, verify the information and click Next;

Note: This page is the same one shown when a single IMEI number or iOS serial number is added using this wizard. It’s even possible, at this point, to still manually add an additional IMEI number, or iOS serial number.

6 On the Profile page, select an iOS enrollment profile and click Next;

Note: This is an optional page that will only show when an iOS device is imported. The refresh button can be used to update the selection box for newly created iOS enrollment profiles.

7 On the Summary page, review the summary and click Next;
8 On the Completion page, review the results and click Close.

Note: After completing the wizard, the Configuration Manager administration console will not automatically refresh. This requires a manual refresh.

Administrator experience

Now it’s time to look at a few interesting places in the Configuration Manager administration console. When I now navigate to Assets and Compliance > Overview > All Corporate-owned Devices > Predeclared Devices, I can see the predeclared devices, including the enrollment status of those devices. Once a device is enrolled, the status will be reflected in the Configuration Manager administration console, as shown below.


When the predeclared devices also contained iOS devices, the iOS devices are assigned to the selected iOS enrollment profile. When I now navigate to Assets and Compliance > Overview > All Corporate-owned Devices > iOS > Enrollment Profiles, I can select the iOS enrollment profile and see the related device count, as shown below. If I want to see even more information, I can select the iOS enrollment profile and click Show Assigned Devices.


When I enroll the predeclared devices, the devices will show in the Configuration Manager administration console with the Device Owner set to Company. I can easily see this information when I navigate to Assets and Compliance > Overview > Devices, as shown below.


Keep in mind that the Device Owner will only be set to Company when the predeclared devices are imported before the devices are enrolled. The Device Owner will not change for already enrolled devices.

More information

For more information about predeclaring company-owned devices, please refer to this article about Predeclare devices with IMEI or iOS serial numbers.
