Personal Devices should be restricted from enrolling into the MDM solution
Description
By default, any device can enroll into Intune regardless of whether it is classified as corporate or personal. To prevent device users from accidentally enrolling their personal devices, device enrollment restrictions should be configured. Users should only be enrolling corporate-owned devices whose specifications meet corporate standards.
Policy
Device restrictions should be configured to restrict personal devices from enrolling in the MDM solution
Only device types (e.g. Windows, Linux, macOS, etc.) defined by the corporation shall be supported for Intune enrollment
Licensing Considerations
Any tenant with Intune licensing can access this setting.
Set-Up Instructions
Overview of enrollment restrictions - Microsoft Intune | Microsoft Learn
Create device platform restrictions - Microsoft Intune | Microsoft Learn
To block personally owned devices from enrolling into Intune:
Follow the steps outlined here
Under Personally-Owned, select Block for each device type
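The following PowerShell script is an added example (not part of the original page) that audits the default Intune platform restriction configuration through Microsoft Graph and reports, per platform, whether personally owned devices are still allowed to enroll; with the -Enforce switch it applies the Block setting described above. It assumes the Microsoft.Graph PowerShell SDK is installed and that the beta Graph schema exposes the per-platform properties named in $platformProps.

```powershell
# Audit (and optionally enforce) the "block personally owned devices" enrollment
# restriction in Intune via Microsoft Graph. Added example; not the page's own script.
# Assumption: the default restriction object is of type
# deviceEnrollmentPlatformRestrictionsConfiguration and carries the per-platform
# properties listed in $platformProps (beta Graph schema).
param(
    [switch]$Enforce   # when set, PATCH non-compliant platforms to block personal devices
)

$scope = if ($Enforce) { 'DeviceManagementServiceConfig.ReadWrite.All' }
         else          { 'DeviceManagementServiceConfig.Read.All' }
Connect-MgGraph -Scopes $scope | Out-Null

$base = 'https://graph.microsoft.com/beta/deviceManagement/deviceEnrollmentConfigurations'
$platformProps = 'windowsRestriction', 'macOSRestriction', 'iosRestriction',
                 'androidRestriction', 'androidForWorkRestriction'

# Only the default (all-platform) restriction object carries these properties.
$configs = (Invoke-MgGraphRequest -Method GET -Uri $base).value |
    Where-Object { $_.'@odata.type' -eq '#microsoft.graph.deviceEnrollmentPlatformRestrictionsConfiguration' }

$findings = foreach ($cfg in $configs) {
    $patch = @{}
    foreach ($prop in $platformProps) {
        $r = $cfg[$prop]
        if ($null -eq $r) { continue }
        # A platform is compliant if it is blocked outright or personal enrollment is blocked.
        $compliant = [bool]$r.platformBlocked -or [bool]$r.personalDeviceEnrollmentBlocked
        [pscustomobject]@{
            Configuration   = $cfg.displayName
            Platform        = $prop -replace 'Restriction$', ''
            PlatformBlocked = [bool]$r.platformBlocked
            PersonalBlocked = [bool]$r.personalDeviceEnrollmentBlocked
            Compliant       = $compliant
        }
        if (-not $compliant) {
            $r.personalDeviceEnrollmentBlocked = $true   # keep the other fields as returned
            $patch[$prop] = $r
        }
    }
    if ($Enforce -and $patch.Count -gt 0) {
        $patch['@odata.type'] = '#microsoft.graph.deviceEnrollmentPlatformRestrictionsConfiguration'
        Invoke-MgGraphRequest -Method PATCH -Uri "$base/$($cfg.id)" -Body $patch `
            -ContentType 'application/json' | Out-Null
    }
}

$findings | Format-Table -AutoSize
```

Run it without -Enforce first to review the report; rerun with -Enforce only after confirming the listed platforms should have personal enrollment blocked.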
End-User Impact
Level: Medium
Users will not be able to enroll any device that is classified as personal. If you have Windows autoenrollment enabled, users will be prompted to enroll their devices when accessing common office applications such as Teams. If they select Yes to enroll the device and the device is personally owned, they will be prevented from enrolling that device.
Tips
• If you have a Conditional Access Policy set up to block legacy authentication, this setting is not necessary