
Configure Enrolment Restrictions

In this guide, we explore Device Type Restrictions and Device Limit Restrictions. Combined, both settings allow an organisation to define which devices can enrol into management with Intune, including the:

  • Number of devices.
  • Operating systems and versions.

Configure Device Type Restrictions

Note – Enrollment restrictions are not security features. Compromised devices can misrepresent their character. These restrictions are a best-effort barrier for non-malicious users.

From the home dashboard, navigate to Devices > Enrol Devices > Enrolment Restrictions.

Under Device Type Restrictions, select the Default Policy called All Users.

Select Properties. Under Platform Settings, select Edit.

In this example, the Default Policy will be modified to reflect the below settings:
**Example**
Android Enterprise (Work Profile)

  • Platform: Allow
  • Versions: 10.0 min
  • Personally Owned: Block

Android Device Administrator

  • Platform: Block

iOS/iPadOS

  • Platform: Allow
  • Versions: 13.0 min
  • Personally Owned: Block

macOS

  • Platform: Block

Windows (MDM)

  • Platform: Allow
  • Personally Owned: Block

Select ‘Review + Save’ and then ‘Save’.

Top Tip – A separate personally owned device type policy gives an organisation better control over who and what have access to corporate resources. For example, an organisation may choose to limit personal device or BYOD enrolment to eligible users or personas. Device Type Restrictions enable this kind of granular gatekeeping.

To create a personally owned or BYOD policy, using the best practice example below, select the ‘Create Restriction’ button.

Select the ‘Device Type Restriction’ option.

Set a Name and Description:
**Example**
Name: Personally Owned/BYOD Policy
Description: A device type restriction policy that limits enrolment of personally owned and BYOD devices to an eligible group of users.

Select ‘Next’.

Set the policy Platform Settings:
**Example**
Android Enterprise (Work Profile)

  • Platform: Allow
  • Versions: 10.0 min
  • Personally Owned: Allow

Android Device Administrator

  • Platform: Block

iOS/iPadOS

  • Platform: Allow
  • Versions: 13.0 min
  • Personally Owned: Allow

macOS

  • Platform: Block

Windows (MDM)

  • Platform: Allow
  • Personally Owned: Block

Select ‘Next’, and then ‘Next’.

Under Assignments, select ‘Add Groups’.

In this example, the ‘Personal BYOD Devices’ group will be selected.

Select ‘Select’ to add your Azure AD Group.

Select ‘Next’ and then ‘Create’.

The new Device Type Restrictions policy now appears in the list, ready for use.

See in Action

Top Tip – If, during Personally Owned/BYOD enrolment of an iOS/iPadOS device, the enrolment profile fails to install, the Personally Owned Device Type Restrictions policy is blocking the device from enrolling. Generally, this means the user’s Azure AD/AD account does not yet reside in the eligible Azure AD Group.

The Test User 01 Azure AD user account does not yet reside within any groups.

When attempting to enrol an iOS device, installation of the profile fails.

In the Intune enrolment failures report, under Devices > Monitor > Enrolment Failures, we can see the reason why enrolment was blocked.

Configure Device Limit Restrictions

Important – Device limit restrictions don’t apply for the following Windows enrollment types:

  • Co-managed enrollments
  • GPO enrollments
  • Azure Active Directory joined enrollments
  • Bulk Azure Active Directory joined enrollments
  • Autopilot enrollments
  • Device Enrollment Manager enrollments

From the home dashboard, navigate to Devices > Enrol Devices > Enrolment Restrictions.

Under Device Limit Restrictions, select the Default Policy called All Users.

Select Properties. Under Device Limit, select Edit.

In this example, the Default Policy will be modified to reflect the below settings:
**Example**
Device Limit: From 10 to 5

Select ‘Review + Save’ and then ‘Save’.
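Portal settings drift over time, so it is worth being able to check both the Device Type Restrictions and the Device Limit Restrictions configured above without clicking through each policy. The following PowerShell script is an added example for this article, not the guide's own or Microsoft's code. It reads every enrolment configuration from Microsoft Graph (v1.0, `deviceManagement/deviceEnrollmentConfigurations`) and reports where the default All Users policies differ from the baseline values used in this guide; non-default policies, such as the Personally Owned/BYOD policy, are listed for information only. It assumes the Microsoft.Graph PowerShell SDK is installed, that the signed-in account holds the `DeviceManagementServiceConfig.Read.All` permission, that the default policies are the ones returned with priority 0, and that the tenant still uses the combined `deviceEnrollmentPlatformRestrictionsConfiguration` type (the model this guide's portal screens correspond to).

```powershell
# Added example for this article (not the guide's or Microsoft's own code).
# Audits Intune enrolment restriction policies against the baseline in this guide.
# Assumptions: Microsoft.Graph SDK installed; DeviceManagementServiceConfig.Read.All granted;
# priority 0 identifies the built-in default (All Users) policies.

Connect-MgGraph -Scopes 'DeviceManagementServiceConfig.Read.All' | Out-Null

# Baseline for the default device type policy, as configured in this guide.
# Graph property names: platformBlocked = "Platform: Block",
# personalDeviceEnrollmentBlocked = "Personally Owned: Block", osMinimumVersion = "Versions: min".
$TypeBaseline = @{
    androidForWorkRestriction = @{ platformBlocked = $false; personalDeviceEnrollmentBlocked = $true;  osMinimumVersion = '10.0' }
    androidRestriction        = @{ platformBlocked = $true }
    iosRestriction            = @{ platformBlocked = $false; personalDeviceEnrollmentBlocked = $true;  osMinimumVersion = '13.0' }
    macOSRestriction          = @{ platformBlocked = $true }
    windowsRestriction        = @{ platformBlocked = $false; personalDeviceEnrollmentBlocked = $true }
}
$LimitBaseline = 5   # device limit set in this guide (reduced from the default of 10)

function Get-EnrolmentRestrictionAudit {
    $uri     = 'https://graph.microsoft.com/v1.0/deviceManagement/deviceEnrollmentConfigurations'
    $configs = (Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType HashTable).value

    foreach ($c in ($configs | Sort-Object { $_.priority })) {
        # Assumption: priority 0 is the default All Users policy; assigned policies
        # carry higher priorities and are evaluated before the default.
        $isDefault = ($c.priority -eq 0)

        switch ($c['@odata.type']) {
            '#microsoft.graph.deviceEnrollmentPlatformRestrictionsConfiguration' {
                foreach ($platform in $TypeBaseline.Keys) {
                    foreach ($setting in $TypeBaseline[$platform].Keys) {
                        $expected = $TypeBaseline[$platform][$setting]
                        $actual   = $c[$platform][$setting]
                        [pscustomobject]@{
                            Policy   = $c.displayName
                            Priority = $c.priority
                            Setting  = "$platform.$setting"
                            Actual   = $actual
                            Expected = if ($isDefault) { $expected } else { $null }
                            Status   = if (-not $isDefault) { 'info' }
                                       elseif ("$actual" -eq "$expected") { 'OK' }
                                       else { 'DRIFT' }
                        }
                    }
                }
            }
            '#microsoft.graph.deviceEnrollmentLimitConfiguration' {
                [pscustomobject]@{
                    Policy   = $c.displayName
                    Priority = $c.priority
                    Setting  = 'limit'
                    Actual   = $c.limit
                    Expected = if ($isDefault) { $LimitBaseline } else { $null }
                    Status   = if (-not $isDefault) { 'info' }
                               elseif ($c.limit -eq $LimitBaseline) { 'OK' }
                               else { 'DRIFT' }
                }
            }
            # Other configuration types (Windows Hello for Business, enrolment status
            # page) are not enrolment restrictions and are ignored here.
        }
    }
}

Get-EnrolmentRestrictionAudit | Format-Table -AutoSize
```

Any row marked `DRIFT` is a default-policy setting that no longer matches the values chosen in this guide, for example a personally owned platform that has been reopened or a device limit raised back towards the default. Rows marked `info` belong to assigned policies such as the Personally Owned/BYOD policy, where `personalDeviceEnrollmentBlocked = False` is expected; the script deliberately does not score those, because their correct values depend on the group they are assigned to rather than on the baseline.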

Updated on January 20, 2022
