MEM – UEM Authority – Learn. Test. Deploy
https://guides.uemauthority.com

iOS Device Manual Enrolment
https://guides.uemauthority.com/knowledge-base/ios-device-manual-enrolment/
Thu, 20 Jan 2022 13:47:50 +0000

In this guide, we look at the steps to manually enrol an iOS device in Intune.

Note – A manually enrolled iOS/iPadOS device is automatically assigned a ‘Personal’ ownership designation. For this reason, Corporate Device Identifiers are used to pre-declare known corporate-owned devices prior to enrolment.

Configure Corporate Device Identifiers

Note – Corporate Device Identifiers support both IMEI and serial numbers as the unique identifier. Endpoint Manager also provides a function to bulk upload identifiers from a CSV file.

From the home dashboard, navigate to Devices > Enrol Devices > Corporate Device Identifiers.

Select the ‘Add’ button.

Select ‘Enter Manually’.

In this example, Serial Number will be used as the chosen unique identifier.

Select ‘Serial Number’ from the ‘Select identifier type’ drop-down box.

It is possible to locate the serial number of an iOS/iPadOS device from the Settings app:

  1. Open the Settings app
  2. Select General > About
  3. Scroll down to find ‘Serial Number’

Once the serial number has been obtained, enter this alphanumeric string into the text field in the column designated ‘Identifier’.

Next, provide details about the device, for example:

John Doe – iPhone SE 1st Gen

Select the ‘Add’ button to finish.

You will see the Corporate Identifier ready for use.
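The identifiers declared here, whether entered manually or bulk-uploaded by CSV, are worth validating first, because a mistyped IMEI or serial leaves a corporate device classified as ‘Personal’ at enrolment. The following Python is an added example (not code from this guide or from Intune): it Luhn-checks IMEIs, checks serial number form, rejects duplicates and emits the two-column upload file; the CSV layout, the 128-character details limit and the sample identifiers are the editor's assumptions.

```python
"""Validate device identifiers before declaring them as Corporate Device Identifiers.

Added example, not code from the UEM Authority guide or from Intune. Assumptions:
- an IMEI is 15 digits whose last digit is a Luhn check digit (GSMA format)
- an Apple serial number is 10 to 12 upper-case letters and digits
- the bulk-upload CSV has two columns, identifier then details, and no header row
- the free-text details column is capped at MAX_DETAILS_LEN characters
The sample rows at the bottom are constructed for this example.
"""
import csv
import io
import re
from typing import Dict, List, Tuple

SERIAL_RE = re.compile(r"[A-Z0-9]{10,12}")
IMEI_RE = re.compile(r"\d{15}")
MAX_DETAILS_LEN = 128  # assumed limit, not taken from the guide


def normalise(identifier: str) -> str:
    """Strip surrounding whitespace and internal spaces, upper-case letters."""
    return identifier.strip().replace(" ", "").upper()


def luhn_valid(digits: str) -> bool:
    """Return True when the final digit is the correct Luhn check digit."""
    total = 0
    # Walk from the right: the check digit itself is not doubled, every
    # second digit after it is, and doubled values above 9 lose 9.
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def classify(identifier: str) -> str:
    """Return 'imei', 'serial' or 'invalid' for a raw identifier string."""
    value = normalise(identifier)
    if IMEI_RE.fullmatch(value):
        # A 15-digit string is only accepted as an IMEI if its check digit holds;
        # this catches the single-digit typos made when copying from a device.
        return "imei" if luhn_valid(value) else "invalid"
    if SERIAL_RE.fullmatch(value):
        return "serial"
    return "invalid"


def validate_rows(rows: List[Tuple[str, str]]) -> Dict[str, List]:
    """Split (identifier, details) pairs into accepted rows and rejection reasons."""
    accepted: List[Tuple[str, str]] = []
    rejected: List[str] = []
    seen = set()
    for identifier, details in rows:
        value = normalise(identifier)
        if classify(value) == "invalid":
            rejected.append(f"{identifier!r}: not a valid IMEI or serial number")
        elif value in seen:
            rejected.append(f"{identifier!r}: duplicate of an earlier row")
        elif len(details) > MAX_DETAILS_LEN:
            rejected.append(f"{identifier!r}: details exceed {MAX_DETAILS_LEN} characters")
        else:
            seen.add(value)
            accepted.append((value, details))
    return {"accepted": accepted, "rejected": rejected}


def to_csv(accepted: List[Tuple[str, str]]) -> str:
    """Render accepted rows as the two-column, header-less upload file."""
    buf = io.StringIO()
    csv.writer(buf, lineterminator="\n").writerows(accepted)
    return buf.getvalue()


# Constructed sample input: one row per case the validator is meant to handle.
SAMPLE_ROWS = [
    ("490154203237518", "John Doe - iPhone SE 1st Gen"),          # valid IMEI
    ("49 015420 323751 8", "John Doe - re-entered with spaces"),  # duplicate IMEI
    ("490154203237519", "Typo in final digit"),                   # fails Luhn check
    ("DNPXK1ABMF3M", "Jane Doe - iPad"),                          # 12-character serial
    ("dnpxk1abmf3m", "Jane Doe - lower-case re-entry"),           # duplicate serial
    ("ABC", "Too short to be either"),                            # invalid
    ("H2WXYZ1234", "Reception iPad"),                             # 10-character serial
]

if __name__ == "__main__":
    result = validate_rows(SAMPLE_ROWS)
    print(to_csv(result["accepted"]))
    for reason in result["rejected"]:
        print("rejected:", reason)
```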

Android Device Manual Enrolment (COBO)
https://guides.uemauthority.com/knowledge-base/android-device-manual-enrolment-cobo/
Thu, 20 Jan 2022 13:46:07 +0000

In this guide, we look at the steps to manually enrol an Android Enterprise device in Intune.

The enrolment type chosen for this demonstration is Fully Managed (otherwise known as Corporate Owned Business Only, or COBO). Fully Managed enrolment is invoked during the setup wizard, so it can only be performed on a device that has been factory reset.

Enable Android Enterprise Enrolment

To support Android Enterprise Corporate Owned Business Only enrolment to Endpoint Manager, the relevant enrolment profile must first be activated.

From the home dashboard, navigate to Devices > Android > Android Enrolment.

Under Enrolment Profiles, select ‘Corporate-owned, fully managed user devices’.

Next to Allow users to enrol corporate-owned user devices, toggle to ‘Yes’.

Intune will generate a unique QR code and Token ID.

Once enrolment has been invoked by entering AFW#SETUP during the out-of-box setup wizard, the Token ID must be entered when prompted.

Create an App Protection Policy (MAM)
https://guides.uemauthority.com/knowledge-base/create-an-app-protection-policy-mam/
Thu, 20 Jan 2022 12:19:24 +0000

In this guide, we create an App Protection policy to demonstrate how to extend Data Protection and Data Loss Prevention (DLP) controls to our managed and unmanaged devices.

App Protection for unmanaged devices is known as MAM without enrolment (MAM-WE). MAM-WE is commonly used for personal or bring-your-own devices (BYOD), or on organisation-owned devices that need specific app configuration or extra app security.

MAM-WE is also an option for users who don’t enrol their personal devices but still need access to organisation email.

Create an App Protection Policy

Note – Outlook MAM protection requires an Azure AD account (Hybrid or Cloud) and an Exchange Online mailbox (Hybrid or Cloud).

From the home dashboard, navigate to Apps > App Protection Policies.

Select the ‘Add’ button and then select ‘iOS/iPadOS’.

Set a Name and Description.
**Example**
Name: iOS – MAM Policy
Description: MAM Policy for iOS devices.

Select ‘Next’.

For the purposes of this training course, MAM will be targeted to both Managed and Unmanaged iOS devices.

The following App Protection settings will be set:
**Example**
Target to apps on all device types: Yes

Press ‘Select Public Apps’ and then select Outlook from the list.

Select ‘Next’.

Data Transfer

  • Backup org data to iTunes and iCloud backups: Block
  • Send org data to other apps: Policy managed apps
  • Select apps to exempt: Default
  • Save copies of org data: Block
  • Allow user to save copies to select services: OneDrive for Business & SharePoint
  • Transfer telecommunication data to: Any dialer app
  • Dialer App URL Scheme: None
  • Receive data from other apps: Policy managed apps
  • Open data into Org documents: Block
  • Allow user to open data from select services: OneDrive for Business, SharePoint & Camera
  • Restrict cut, copy, and paste between other apps: Policy managed apps
  • Cut and copy character limit for any app: 0
  • Third-party keyboards: Allow

Encryption

  • Encrypt org data: Require

Functionality

  • Sync policy managed app data with native apps: Allow
  • Printing org data: Block
  • Restrict web content transfer with other apps: Microsoft Edge
  • Unmanaged browser protocol: None
  • Org data notifications: Allow

Access Requirements

  • PIN for access: Not Required
  • Work or school account credentials for access: Not Required
  • Recheck the access requirements after (minutes of inactivity): 30

Conditional Launch

  • Offline grace period (minutes): 720 – Block access
  • Offline grace period (days): 90 – Wipe data
  • Jailbroken/Rooted devices: Block access

Select ‘Next’.

Under Assignments, select ‘Add Groups’.

In this example, the ‘Corporate Devices’ group will be selected.

Select ‘Select’ to add your Azure AD Group.

Select ‘Next’ and then ‘Create’.

Once created, you will see the App Protection Policy appear in the list ready for use.

See in Action

App Protection can be validated on the device by the user. Observing our enrolled device in Outlook, we can test the cut, copy and paste restrictions enforced by our App Protection policy.

For the purposes of this demonstration, we have received an email from our fictional organisation that contains sensitive information. We will attempt to exfiltrate this information by means of Copy and Paste.

Copying text from the body of the email, we close Outlook and then open the native Notes app. When we attempt to paste the copied information, App Protection has replaced the original text in the clipboard with “Your organisation’s data cannot be pasted here”.

Within the Endpoint Manager portal, we can validate which apps App Protection is applied to, by app or by user, by navigating to Apps > Monitor > App Protection Status > Reports.

Selecting the User Report, we choose the enrolled user – johndoe@traininguemauthority.onmicrosoft.com.

The report shows iOS – MAM Policy is successfully applied against Microsoft Outlook.

Create an App Configuration Policy
https://guides.uemauthority.com/knowledge-base/create-an-app-configuration-policy/
Thu, 20 Jan 2022 12:04:33 +0000

In this guide, we create an App Configuration policy to demonstrate how to pre-provision the Outlook app.

App Configuration is a way to streamline and, to a degree, automate the setup of work-deployed and managed apps, so that employees are productive within minutes.

Create an App Configuration Policy

Note – The Save Contacts setting refers to enabling synchronisation of Outlook Contacts and Calendar with the respective native Contacts and Calendar apps. At present, only contacts sync is supported with Outlook for iOS. Outlook for Android supports both contacts and calendar sync. Refer to Microsoft documentation for further guidance.

Important – Outlook for Android supports bi-directional contact synchronisation. However, if a user edits a field in the native contacts app that is restricted (such as the Notes field), that data will not synchronise back into Outlook for Android.

From the home dashboard, navigate to Apps > App Configuration Policies.

Select the ‘Add’ button and then select ‘Managed Devices’.

Set a Name and Description.
**Example**
Name: iOS – Outlook App Configuration Policy
Description: App Configuration policy for Outlook on iOS.

Select iOS/iPadOS from the Platform dropdown.

Press the ‘Select app’ button, select Outlook from the list and then press ‘Ok’.

Select ‘Next’.

Select ‘Use Configuration Designer’ from the Configuration Settings Format dropdown.

For the purposes of this training course, the following Outlook App Configuration settings will be set:
**Example**
Email Account Configuration

  • Configure email account settings: Yes
  • Authentication type: Basic authentication
  • Username attribute from AAD: User Principal Name
  • Email address attribute from AAD: Primary SMTP Address
  • Email Server: outlook.office365.com
  • Email Account Name: Corporate Email

General App Configuration

  • Focused Inbox: On
  • Require Biometrics to access app: Off
  • Save Contacts: On
  • Allow user to change settings: Yes
  • Default app signature: On

Select ‘Next’.

Under Assignments, select ‘Add Groups’.

In this example, the ‘Corporate Devices’ group will be selected.

Select ‘Select’ to add your Azure AD Group.

Select ‘Next’ and then ‘Create’.

Once created, you will see the App Configuration Policy appear in the list ready for use.

See in Action

App Configuration can be enabled and validated on the device by the user. Observing our enrolled device in Outlook, we can see that App Configuration has detected and pre-populated our enrolled user account – johndoe@traininguemauthority.onmicrosoft.com.

After selecting ‘Add Account’, we sign in to complete authentication.

Within the Endpoint Manager portal, we can validate the App Configuration policy has been successfully installed on the device by navigating to Devices > All Devices.

Selecting the device entry, under App Configuration on the left side menu, we can see the App Configuration policy we created successfully installed.

Add an Android Managed Google Play App
https://guides.uemauthority.com/knowledge-base/add-an-android-managed-google-play-app/
Wed, 19 Jan 2022 17:13:52 +0000

In this guide, we look at the steps to add an Android app to Intune from the Managed Google Play store.

Remember, Managed Google Play must first be integrated with your Intune tenant.

Follow these guides to learn how:

  1. Create a Managed Google Play account
  2. Configure Managed Google Play for Intune

Add Outlook for Android

Note – By default, once the Managed Google Play Store has been integrated with Endpoint Manager, Endpoint Manager pre-populates four Microsoft apps:
– Intune Company Portal
– Managed Home Screen
– Microsoft Authenticator
– Microsoft Intune

From the home dashboard, navigate to Apps > Android > Android apps.

Select the ‘Add’ button.

Select ‘Managed Google Play Store’ from the App Type drop-down and then press ‘Select’.

The Managed Google Play Store renders within the Endpoint Manager console as an embedded iFrame.

Enter Outlook into the search field.

Select Outlook from the search results.

Select ‘Approve’.

Select ‘Approve’ and then select ‘Done’.

Invoke a manual synchronisation by selecting the ‘Sync’ button.

Allow up to 5 minutes whilst Managed Google Play syncs with Endpoint Manager.

Select the ‘Refresh’ button in order to update the apps list.

Now select ‘Outlook’ from the list and then select ‘Properties’.

Under Assignments, select ‘Edit’.

Choose the correct type of assignment relevant to your organisation requirements.

For the purpose of this training course, we assign Outlook as ‘Required’.

Select ‘Add Group’.

In this example, the ‘Corporate Devices’ group will be selected.

Select ‘Select’ to add your Azure AD Group.

Select ‘Next’ and then ‘Save’.

See in Action

After assigning your chosen application as ‘Required’, Endpoint Manager will automatically install the application. Gesturing down from the top of the screen, Google Play Store displays a notification “Installing apps from your organisation”.

Pressing the notification, Google Play Store shows the chosen app being installed.

Within the Endpoint Manager portal, we can validate that the application has been successfully installed on the device by navigating to Devices > All Devices.

Selecting the device entry, under Managed App on the left side menu, we can see the application successfully installed.

Add an iOS Store App
https://guides.uemauthority.com/knowledge-base/add-an-ios-store-app/
Wed, 19 Jan 2022 17:06:41 +0000

In this guide, we look at the steps to add an iOS Store app to Intune.

Add Outlook for iOS

Note – Apps deployed straight from the public App Store require an Apple ID signed in on the device. If no Apple ID is present, the operating system will prompt the user to sign in before apps can be installed.

Sign in to your Endpoint Manager portal by browsing to https://endpoint.microsoft.com

From the home dashboard, navigate to Apps > iOS/iPadOS > iOS/iPadOS apps.

Select the ‘Add’ button.

Select ‘iOS store app’ from the App Type drop-down and then press ‘Select’.

Select ‘Search the App Store’.

Ensure the correct locale is selected before searching for an app (United States is the default).

Enter Outlook into the search field.

Select ‘Microsoft Outlook’ from the list and then press ‘Select’.

In the App Information section, observe that Endpoint Manager conveniently pulls all information about the app from the App Store.

Select ‘Next’.

Choose the correct type of assignment relevant to your organisation requirements.

For the purpose of this training course, we assign Outlook as ‘Required’.

Select ‘Add Group’.

In this example, the ‘Corporate Devices’ group will be selected.

Select ‘Select’ to add your Azure AD Group.

Select ‘Next’ and then ‘Save’.

Once created, you will see the Outlook app appear in the list ready for use.

See in Action

After assigning your chosen application as ‘Required’, Endpoint Manager will automatically prompt the user to install the application. Should the user select ‘Cancel’, Endpoint Manager will prompt again upon the next scheduled device check-in.

Within the Endpoint Manager portal, we can validate that the application has been successfully installed on the device by navigating to Devices > All Devices.

Selecting the device entry, under Managed App on the left side menu, we can see the application successfully installed.

Create an iOS Configuration Profile
https://guides.uemauthority.com/knowledge-base/create-an-ios-configuration-profile/
Wed, 19 Jan 2022 16:09:42 +0000

In this guide, we create an iOS Configuration Profile using the Device Restrictions profile type to define baseline security and device password requirements.

Create an iOS Configuration Profile

Note – Apple iOS/iPadOS supervised mode gives administrators more options when managing Apple devices, making it useful for corporate-owned devices deployed at scale. For example, you can restrict AirDrop or prevent users from changing the name of the device. For a list of settings that require supervised mode, see iOS device restriction settings in Intune.

From the home dashboard, navigate to Devices > Configuration Profiles.

Select the ‘Create Profile’ button.

Select ‘iOS/iPadOS’ as the platform.

Select ‘Device Restrictions’ as the Profile Type and then select ‘Create’.

Set a Name and Description.
**Example**
Name: iOS – Device Restrictions Profile
Description: Device Restrictions profile for iOS devices.

Select ‘Next’

For the purposes of this training course, the following example baseline configuration profile settings will be tailored to an Unsupervised device:
**Example**
App Store, Doc Viewing, Gaming

  • Treat AirDrop as an unmanaged destination: Yes

Cloud and Storage

  • Force encrypted backup: Yes

Password

  • Require password: Yes
  • Block simple passwords: Yes
  • Required password type: Numeric
  • Number of non-alphanumeric characters in password: 1
  • Minimum password length: 6
  • Maximum minutes after screen lock before the password is required: Immediately
  • Maximum minutes of inactivity until screen locks: 5 minutes

Show or Hide Apps

  • Type of apps list: Hidden apps
  • Apps list: (Microsoft kindly provides a list of known Apple native app bundle IDs)
    • App bundle ID: com.apple.gamecenter
    • App Name: Game Center

Wireless

  • Block data roaming: Yes

Select ‘Next’.

Under Assignments, select ‘Add Groups’.

In this example, the ‘Corporate Devices’ group will be selected.

Select ‘Select’ to add your Azure AD Group.

Select ‘Next’ and then ‘Create’.

Once created, you will see the configuration profile appear in the list ready for use.

See in Action

The installed configuration can be validated on the device by the user. Observing our enrolled device in the Settings app, under General > Device Management > Management Profile, we can see “2 Restrictions” and “Password Policy” listed under Contains.

Selecting Restrictions, we can further validate device restriction settings match the Endpoint Manager deployed configuration profile we created.

Drilling down into more detail by selecting the password policy, again, we can validate the password policy being enforced on the device matches the Endpoint Manager deployed configuration profile.

Within the Endpoint Manager portal, we can validate the configuration profile has been successfully installed on the device by navigating to Devices > All Devices.

Selecting the device entry, under Device Configuration on the left side menu, we can see the configuration profile we created successfully installed.
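The Password settings above reach the device as the “Password Policy” payload seen in the Management Profile, and the final check is that what the device holds matches what was deployed. The following Python is an added example (not code from this guide, from Intune or from Apple): it maps the guide's Password settings onto Apple's passcode payload keys and diffs them against a configuration profile exported from a device; the setting-to-key mapping is the editor's reading of the settings, and the exported profile is constructed here with two deliberate deviations.

```python
"""Compare the Password settings deployed by Intune with the passcode payload
actually installed on an iOS device.

Added example, not code from the UEM Authority guide or from Intune. Assumptions:
- the on-device policy uses Apple's passcode payload keys
  (PayloadType com.apple.mobiledevice.passwordpolicy)
- the mapping from Intune's Password setting names to those keys is the editor's
- the "installed" profile below is constructed for this example and includes
  two deliberate deviations so that the comparison has something to report
"""
import plistlib
from typing import Any, Dict, List, Tuple

PASSCODE_TYPE = "com.apple.mobiledevice.passwordpolicy"

# Password section of the guide's Device Restrictions profile
INTUNE_PASSWORD_SETTINGS: Dict[str, Any] = {
    "Require password": "Yes",
    "Block simple passwords": "Yes",
    "Required password type": "Numeric",
    "Number of non-alphanumeric characters in password": 1,
    "Minimum password length": 6,
    "Maximum minutes after screen lock before the password is required": "Immediately",
    "Maximum minutes of inactivity until screen locks": 5,
}


def expected_passcode_payload(settings: Dict[str, Any]) -> Dict[str, Any]:
    """Translate Intune setting names/values into Apple passcode payload keys."""
    grace = settings["Maximum minutes after screen lock before the password is required"]
    return {
        "forcePIN": settings["Require password"] == "Yes",
        "allowSimple": settings["Block simple passwords"] != "Yes",
        "requireAlphanumeric": settings["Required password type"] == "Alphanumeric",
        "minComplexChars": int(settings["Number of non-alphanumeric characters in password"]),
        "minLength": int(settings["Minimum password length"]),
        "maxGracePeriod": 0 if grace == "Immediately" else int(grace),
        "maxInactivity": int(settings["Maximum minutes of inactivity until screen locks"]),
    }


def installed_passcode_payload(profile_plist: bytes) -> Dict[str, Any]:
    """Pull the passcode payload out of an exported configuration profile plist."""
    profile = plistlib.loads(profile_plist)
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") == PASSCODE_TYPE:
            return payload
    raise ValueError("profile contains no passcode payload")


def drift(expected: Dict[str, Any], installed: Dict[str, Any]) -> List[Tuple[str, Any, Any]]:
    """List (key, expected, installed) for every policy key that differs or is missing."""
    return [
        (key, value, installed.get(key))
        for key, value in expected.items()
        if installed.get(key) != value
    ]


# Constructed stand-in for a profile exported from the device. It deviates from
# the guide in two places: simple passcodes and the screen-lock timeout.
CONSTRUCTED_DEVICE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadVersion": 1,
    "PayloadIdentifier": "example.constructed.profile",           # placeholder
    "PayloadUUID": "00000000-0000-4000-8000-000000000000",        # placeholder
    "PayloadDisplayName": "Management Profile",
    "PayloadContent": [{
        "PayloadType": PASSCODE_TYPE,
        "PayloadVersion": 1,
        "PayloadIdentifier": "example.constructed.passcode",      # placeholder
        "PayloadUUID": "00000000-0000-4000-8000-000000000001",    # placeholder
        "PayloadDisplayName": "Password Policy",
        "forcePIN": True,
        "allowSimple": True,       # drift: the guide blocks simple passwords
        "requireAlphanumeric": False,
        "minComplexChars": 1,
        "minLength": 6,
        "maxGracePeriod": 0,
        "maxInactivity": 15,       # drift: the guide sets 5 minutes
    }],
})


def report() -> List[Tuple[str, Any, Any]]:
    """Run the comparison against the constructed device profile."""
    return drift(expected_passcode_payload(INTUNE_PASSWORD_SETTINGS),
                 installed_passcode_payload(CONSTRUCTED_DEVICE_PROFILE))


if __name__ == "__main__":
    for key, want, got in report():
        print(f"{key}: expected {want!r}, device has {got!r}")
```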

Create an iOS Compliance Policy
https://guides.uemauthority.com/knowledge-base/create-an-ios-compliance-policy/
Wed, 19 Jan 2022 16:01:26 +0000

In this guide, we create an iOS Compliance Policy to define the baseline compliance criteria that devices managed by Intune must meet.

Create an iOS Compliance Policy

Note – Compliance requires users and devices to meet criteria set by an organisation. Rules and settings are defined against which the Endpoint Manager compliance engine assesses users and devices to determine their respective compliance status. Compliance does not configure the device.

Sign in to your Endpoint Manager portal by browsing to https://endpoint.microsoft.com

From the home dashboard, navigate to Devices > Compliance Policies.

Select the ‘Create Policy’ button.

Select ‘iOS/iPadOS’ as the platform and then select ‘Create’.

Set a Name and Description.
**Example**
Name: iOS – Compliance Policy
Description: Compliance policy for iOS devices.

Select ‘Next’

For the purposes of this training course, the following example baseline compliance settings will be set:
**Example**
Email

  • Unable to set up email on the device: Require

Device Health

  • Jailbroken devices: Block
  • Require the device to be at or under the Device Threat Level: Not Configured

Device Properties

  • Minimum OS version: 13.0
  • Microsoft Defender for Endpoint: Not Configured

System Security

  • Require a password to unlock mobile devices: Require
  • Simple passwords: Block
  • Minimum password length: 6
  • Required password type: Numeric
  • Number of non-alphanumeric characters in password: 1
  • Maximum minutes after screen lock before the password is required: Immediately
  • Maximum minutes of inactivity until screen locks: 5 minutes

Select ‘Next’.

Actions for non-compliance will remain unchanged.

Select ‘Next’.

Under Assignments, select ‘Add Groups’.

In this example, the ‘Corporate Devices’ group will be selected.

Select ‘Select’ to add your Azure AD Group.

Select ‘Next’ and then ‘Create’.

Once created, you will see the compliance policy appear in the list ready for use.

See in Action

Device compliance status can be validated on the device by the user. Observing our enrolled device within the Company Portal app, we can see the status says “Can access company resources”.

Within the Endpoint Manager portal, we can validate the compliance status of a device by navigating to Devices > All Devices.

Observing the device in question, we can see the compliance column indicates the device is compliant.

Selecting the device entry, under Device Compliance on the left side menu, we can see the compliance policy we created successfully assessed the device.
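The compliance engine assesses each device's reported state against these rules without changing the device. The following Python is an added example (not code from this guide or from Intune) that applies the guide's rules to constructed device records, including the minimum OS version check, where a naive string comparison would rank iOS 9.3.5 above 13.0; the record field names are constructed for the example, not Intune's.

```python
"""Assess constructed iOS device records against the guide's compliance policy.

Added example, not code from the UEM Authority guide or from Intune. The device
records and their field names are constructed for this example and stand in for
the properties a device reports at check-in; the rules mirror the settings the
guide configures. Compliance is assessment only: nothing here changes the device.
"""
from typing import Any, Dict, List, Tuple

# Settings from the guide's iOS Compliance Policy
POLICY: Dict[str, Any] = {
    "min_os_version": "13.0",
    "block_jailbroken": True,
    "require_passcode": True,
    "require_email_setup": True,   # "Unable to set up email on the device: Require"
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '14.8.1' into (14, 8, 1); a non-numeric component counts as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))


def version_at_least(actual: str, minimum: str) -> bool:
    """Numeric comparison, padded so that '13' and '13.0' compare equal.

    A plain string comparison is the classic mistake here: '9.3.5' sorts after
    '13.0' lexically and would pass the minimum-version check.
    """
    a, m = parse_version(actual), parse_version(minimum)
    width = max(len(a), len(m))
    return a + (0,) * (width - len(a)) >= m + (0,) * (width - len(m))


def assess(device: Dict[str, Any], policy: Dict[str, Any] = POLICY) -> List[str]:
    """Return the compliance rules the device fails; an empty list means compliant."""
    failures: List[str] = []
    if not version_at_least(device["os_version"], policy["min_os_version"]):
        failures.append("Minimum OS version")
    if policy["block_jailbroken"] and device["jailbroken"]:
        failures.append("Jailbroken devices")
    if policy["require_passcode"] and not device["passcode_set"]:
        failures.append("Require a password to unlock mobile devices")
    elif not device["passcode_meets_policy"]:
        # The device reports whether its passcode satisfies the delivered rules
        # (simple passcodes blocked, minimum length 6, numeric type).
        failures.append("Password requirements")
    if policy["require_email_setup"] and not device["email_profile_installed"]:
        failures.append("Unable to set up email on the device")
    return failures


def assess_all(devices: List[Dict[str, Any]]) -> Dict[str, List[str]]:
    """Map each device name to its list of failed rules."""
    return {d["name"]: assess(d) for d in devices}


def _device(name: str, os_version: str, **overrides: Any) -> Dict[str, Any]:
    """Build a constructed device record; the defaults describe a compliant device."""
    record: Dict[str, Any] = {
        "name": name, "os_version": os_version, "jailbroken": False,
        "passcode_set": True, "passcode_meets_policy": True,
        "email_profile_installed": True,
    }
    record.update(overrides)
    return record


# Constructed check-in data covering the cases worth testing.
CONSTRUCTED_DEVICES = [
    _device("iphone-ok", "14.8.1"),
    _device("iphone-13-exact", "13"),             # "13" must count as 13.0
    _device("ipad-old-os", "9.3.5"),              # below 13.0 despite '9' > '1'
    _device("iphone-jailbroken", "15.2", jailbroken=True, passcode_set=False),
    _device("iphone-weak-passcode", "15.2", passcode_meets_policy=False,
            email_profile_installed=False),
]

if __name__ == "__main__":
    for name, failed in assess_all(CONSTRUCTED_DEVICES).items():
        print(f"{name}: {'compliant' if not failed else ', '.join(failed)}")
```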

Create Device Categories
https://guides.uemauthority.com/knowledge-base/create-device-categories/
Wed, 19 Jan 2022 15:57:03 +0000

In this guide, we explore the Intune Device Categories feature.

To make managing devices easier, you can use device categories to automatically add devices to groups based on categories that you define.

This two-step process involves creating your categories and then the dynamic Azure AD groups that tie the entire mechanism together.

Create Device Categories

Sign in to your Endpoint Manager portal by browsing to https://endpoint.microsoft.com

From the home dashboard, navigate to Devices > Device Categories.

Select the ‘Create Device Category’ button.

Set a Name and Description.
**Example**
Name: Marketing
Description: Device category for Marketing devices

Select ‘Next’ and keep the default Scope Tag selected.

Select ‘Next’ and then ‘Create’.

You will see the Marketing device category appear in the list ready for use.

Create an Azure AD Dynamic Group

Sign in to your Azure portal by browsing to https://portal.azure.com

From the home dashboard, select ‘Azure Active Directory’.

From the left side menu, select ‘Groups’.

Select the ‘New Group’ button.

Complete the required information:

**Example**
Group Type: Security
Group Name: Marketing Devices
Group Description: Group for Marketing devices.
Azure AD roles can be assigned to the group: No
Membership Type: Dynamic Device
Owners: No

Select ‘Add Dynamic Query’

Within the query builder, we configure the query values as below:

Property: deviceCategory
Operator: Equals
Value: Marketing (Friendly name given to your device category in Endpoint Manager)

Clicking away from the query builder, we can see that Azure AD automatically translates the configuration values into rule syntax.

The rule syntax should look like this (the value between the quotation marks will be your own device category's friendly name):

(device.deviceCategory -eq “Your_Device_Category_Name”)

Select the ‘Save’ button to save the dynamic query.

Select the ‘Create’ button to build the Azure AD dynamic group.

Once created, you will see Marketing Devices Azure AD dynamic group appear in the list ready for use.

See in Action

During enrolment to Endpoint Manager, the Company Portal app will ask the user to select a device category from the list provided.

In this example, the Marketing device category is selected in order to demonstrate an Azure AD dynamic group at work.

Once enrolment has completed, Azure AD evaluates the tenant's devices against the criteria set in the dynamic rule syntax. Any device matching the criteria is automatically added as a member of the group.

We can see our iPhone is now a member of the Marketing Devices group.

Configure Enrolment Restrictions
https://guides.uemauthority.com/knowledge-base/configure-enrolment-restrictions/
Mon, 17 Jan 2022 16:22:22 +0000

In this guide, we explore Device Type Restrictions and Device Limit Restrictions. Combined, both settings allow an organisation to define which devices can enrol into management with Intune, including the:

  • Number of devices.
  • Operating systems and versions.

Configure Device Type Restrictions

Note – Enrollment restrictions are not security features. Compromised devices can misrepresent their character. These restrictions are a best-effort barrier for non-malicious users.

From the home dashboard, navigate to Devices > Enrol Devices > Enrolment Restrictions.

Under Device Type Restrictions, select the Default Policy called All Users.

Select Properties. Under Platform Settings, select Edit.

In this example, the Default Policy will be modified to reflect the below settings:
**Example**
Android Enterprise (Work Profile)

  • Platform: Allow
  • Versions: 10.0 min
  • Personally Owned: Block

Android Device Administrator

  • Platform: Block

iOS/iPadOS

  • Platform: Allow
  • Versions: 13.0 min
  • Personally Owned: Block

macOS

  • Platform: Block

Windows (MDM)

  • Platform: Allow
  • Personally Owned: Block

Select ‘Review + Save’ and then ‘Save’.

Top Tip – A separate personally owned device type policy gives an organisation better control over who and what have access to corporate resources. For example, an organisation may choose to limit personal device or BYOD enrolment to eligible users or personas. Device Type Restrictions enable such granular gatekeeping.

To create a personally owned or BYOD policy using the best-practice example below, select the ‘Create Restriction’ button.

Select the ‘Device Type Restriction’ option.

Set a Name and Description:
**Example**
Name: Personally Owned/BYOD Policy
Description: A device type restriction policy that limits enrolment of personally owned and BYOD devices to an eligible group of users.

Select ‘Next’.

Set the policy Platform Settings:
**Example**
Android Enterprise (Work Profile)

  • Platform: Allow
  • Versions: 10.0 min
  • Personally Owned: Allow

Android Device Administrator

  • Platform: Block

iOS/iPadOS

  • Platform: Allow
  • Versions: 13.0 min
  • Personally Owned: Allow

macOS

  • Platform: Block

Windows (MDM)

  • Platform: Allow
  • Personally Owned: Block

Select ‘Next’, and then ‘Next’.

Under Assignments, select ‘Add Groups’.

In this example, the ‘Personal BYOD Devices’ group will be selected.

Select ‘Select’ to add your Azure AD Group.

Select ‘Next’ and then ‘Create’.

You will see the Device Type Restrictions policy appear ready for use.

See in Action

Top Tip – If the enrolment profile fails to install during Personally Owned/BYOD enrolment of an iOS/iPadOS device, the Personally Owned Device Type Restrictions policy is blocking the device from enrolling. Generally, this means the user’s Azure AD/AD account is not yet a member of the eligible Azure AD group.

The Test User 01 Azure AD user account is not yet a member of any group.

Attempting to enrol on an iOS device, installation of the profile will fail.

Observing Intune enrolment failures report under Devices > Monitor > Enrolment Failures, we can see the reason why enrolment was blocked.

Configure Device Limit Restrictions

Important – Device limit restrictions don’t apply for the following Windows enrollment types:
– Co-managed enrollments
– GPO enrollments
– Azure Active Directory joined enrollments
– Bulk Azure Active Directory joined enrollments
– Autopilot enrollments
– Device Enrollment Manager enrollments

From the home dashboard, navigate to Devices > Enrol Devices > Enrolment Restrictions.

Under Device Limit Restrictions, select the Default Policy called All Users.

Select Properties. Under Platform Settings, select Edit.

In this example, the Default Policy will be modified to reflect the below settings:
**Example**
Device Limit: From 10 to 5

Select ‘Review + Save’ and then ‘Save’.
