In this blogpost I will show how you can restrict the self-enrollment of devices in Azure AD/Intune. With enrollment policies it’s possible to restrict the enrollment of corporate/personal devices. By default all azure ad users are able to register and enroll devices in the Azure Active Directory.
Before we dive into the enrollment restrictions it’s important to know that there are two types of ownership in Intune:
Personal devices – These devices are registered in the Azure AD (Azure AD registered), when a user registers a personal device he/she can access your organization’s Azure Active Directory controlled resources using a personal device. (BYOD)
Corporate devices – These devices are joined to the Azure AD (Azure AD joined), enabling access to both cloud and on-premises apps and resources. (COD)
For more detail about when a device is marked corporate by Intune you can find (here)
There are 2 locations in to configure this settings, depending if you’re using Intune. The first location to adjust the enrollment settings is the device settings in the Azure AD. Here you configure the main settings, you can compare them with the fuse box in your house. Here you can turn the main settings on and off. The settings here are very general, in the device settings the following settings are possible:
|Users may join devices to Azure AD||All/Selected/None|
|Users may register their devices with Azure AD||All/None|
|Maximum number of devices per user||Number|
There is no possibility to make distinction between users/operating systems or create multiple groups with different settings. The settings are applied to the whole Azure AD.
Where in the Device Settings you can only turn settings on and off, in Intune it’s possible to create multiple enrollment policies with fine-grained settings just like the light switches in a house. But it’s important to know that as in a house when you turn pull out a fuse the light switches will not work. So you need to enable the settings in device settings before you are going to tweak the enrollment policies in Intune.
In Intune by default a policy is created where all platforms, versions, devices, etc. are allowed. This default policy is assigned to all users. It’s not possible to remove this policy or change the assignment. This policy has the lowest priority.
For each type the following settings the following settings can be configured:
|platform||allow/block the device platform.|
|version||Configure the allowed OS version|
|Personally owned||allow/block the enrollment of Personal devices|
|Device manufacturer||Enter manufacturers you want to block|
How to assign a group to enroll devices
So what do you need to configure to allow only allow a certain group users to enroll there devices into Intune. In this example I will show you how you can archieve this.
1. Because the default policy enables enrollment for all users, you first need to disable the platforms you don’t want to use and block the personally owned in the default policy and save.
2. Create a new “Device type restriction”
3. Enter a name and description.
4. Select the Device platforms which will be allowed to enroll by the group. In this example I will block Android device administrator and Windows Mobile enrollment. The users in the group will be able to enroll Personal owned devices.
5. Assign the new policy to the group which will be allowed to enroll devices.
6. Review the settings and press “Create”
6. The new Policy has a priority 1 and therefore overrules the default settings for all users. (more about priority)
Limit the amount of devices
If you want to limit the amount of devices which can be enrolled by a user you need to use a device limit restrictions. This works almost the same as with the device type restrictions with the diference that you can only change the total amount of devices a user can enroll. By default this is set to 15 as you can see in screenshot.
This is in a nutshell how you can restrict AAD Joining and registration of devices types to a group of users and also limit the amount of devices which can be enrolled.
Let’s see what will happen when I try to register or join my W10 device with an account which is not member of the enrollment policy I’ve just created.
- When I try to register my device by adding a work account I’m getting the following error:
- When I try to join my device to the Azure Active Directory I’m getting the following error:
If you can register your device check your MAM user-scope or maybe the device was already registrated.
These errors can be cryptic, but luckily Microsoft created a page with most of these error messages and what to do. For more information about error messages a user may recieve, have a look at this page Troubleshoot device enrollment in Microsoft Intune.
It’s important to know that these restrictions do not apply to device enrollment managers and do not apply to devices which have already been enrolled. Also Device limit restrictions are not enforced for these enrollment types which are considered as shared device scenarios like:
- Co-managed enrollments
- GPO enrollments
- Azure Active Directory joined enrollments
- Bulk Azure Active Directory joined enrollments
- Autopilot enrollments
- Device Enrollment Manager enrollments
Device enrollment restrictions are essential to control you’re cloud environment, but you need to be careful with the settings you’re configuring. To get access to work or school resources from your personal personal device you need to register your device before you get access. If you disable device registration this will not be possible, therefore always test Personal and Corporate scenarios before you implement them into production.