As an Intune administrator, you can create and manage enrollment restrictions that define what devices can enroll into management with Intune, including the:

  • number of devices
  • operating systems and versions

You can create multiple restrictions and apply them to different user groups. You can set the priority order for your different restrictions.

Note

Enrollment restrictions are not security features. Compromised devices can misrepresent their character. These restrictions are a best-effort barrier for non-malicious users.

The specific enrollment restrictions that you can create include:

  • Maximum number of enrolled devices.
  • Device platforms that can enroll:
    • Android device administrator
    • Android Enterprise work profile
    • iOS
    • macOS
    • Windows
    • Windows Mobile
  • Platform operating system version for iOS, Android device administrator, Android Enterprise work profile, Windows, and Windows Mobile. (Only Windows 10 versions can be used. Leave this blank if Windows 8.1 is allowed.)
    • Minimum version.
    • Maximum version.
  • Restrict personally owned devices (iOS, Android device administrator, Android Enterprise work profile, macOS, Windows, and Windows Mobile only).

Default restrictions

Default restrictions are automatically provided for both device type and device limit enrollment restrictions. You can change the options for the defaults. Default restrictions apply to all user and userless enrollments. You can override these defaults by creating new restrictions with higher priorities.

Create a device type restriction

  1. Sign in to the Azure portal.

  2. Select More Services, search for Intune, and then choose Intune.

  3. Select Device enrollment > Enrollment restrictions > Create restriction > Device type restriction.

  4. On the Basics page, give the restriction a Name and optional Description.

  5. Choose Next to go to the Platform settings page.

  6. Under Platform, choose Allow for the platforms that you want this restriction to allow.

  7. Under Versions, choose the minimum and maximum versions that you want the allowable platforms to support. Version restrictions only apply to devices enrolled with the Company Portal. Supported version formats include:

    • Android device administrator and Android Enterprise work profile support major.minor.rev.build.
    • iOS supports major.minor.rev. Operating system versions don't apply to Apple devices that enroll with the Device Enrollment Program, Apple School Manager, or the Apple Configurator app.
    • Windows supports major.minor.rev.build for Windows 10 only.

    Note

    Windows 10 does not provide the build number during enrollment, so, for instance, if you enter 10.0.17134.100 and the device is 10.0.17134.174, it will be blocked during enrollment.

  8. Under Personally owned, choose Allow for the platforms that you want to permit as personally owned devices.

  9. Choose Next to go to the Assignments page.

  10. Choose Select groups to include and then use the search box to find groups that you want to include in this restriction. The restriction applies only to groups to which it's assigned. If you don't assign a restriction to at least one group, it won't have any effect. Then choose Select.

  11. Select Next to go to the Review + create page.

  12. Select Create to create the restriction.

  13. The new restriction is created with a priority just above the default. You can change the priority.

Create a device limit restriction

  1. Sign in to the Azure portal.
  2. Select More Services, search for Intune, and then choose Intune.
  3. Select Device enrollment > Enrollment restrictions > Create restriction > Device limit restriction.
  4. On the Basics page, give the restriction a Name and optional Description.
  5. Choose Next to go to the Device limit page.
  6. For Device limit, select the maximum number of devices that a user can enroll.
  7. Choose Next to go to the Assignments page.
  8. Choose Select groups to include and then use the search box to find groups that you want to include in this restriction. The restriction applies only to groups to which it's assigned. If you don't assign a restriction to at least one group, it won't have any effect. Then choose Select.
  9. Select Next to go to the Review + create page.
  10. Select Create to create the restriction.
  11. The new restriction is created with a priority just above the default. You can change the priority.

During BYOD enrollments, users see a notification that tells them when they've met their limit of enrolled devices. For example, on iOS:

Important

Device limit restrictions don't apply for the following Windows enrollment types:

  • Co-managed enrollments
  • GPO enrollments
  • Azure Active Directory joined enrollments
  • Bulk Azure Active Directory joined enrollments
  • Autopilot enrollments
  • Device Enrollment Manager enrollments

Device limit restrictions are not enforced for these enrollment types because they're considered shared device scenarios. You can set hard limits for these enrollment types in Azure Active Directory.

Change enrollment restrictions

You can change the settings for an enrollment restriction by following the steps below. These restrictions don't affect devices that have already been enrolled. Devices enrolled with Intune PC agent can't be blocked with this feature.

  1. Sign in to the Azure portal.
  2. Select More Services, search for Intune, and then choose Intune.
  3. Select Device enrollment > Enrollment restrictions > choose the restriction that you want to change > Properties.
  4. Choose Edit next to the settings that you want to change.
  5. On the Edit page, make the changes that you want and proceed to the Review + save page, then choose Save.

Blocking personal Android devices

  • If you block personally owned Android device administrator devices from enrollment, personally owned Android Enterprise work profile devices can still enroll.
  • By default, your Android Enterprise work profile devices settings are the same as your settings for your Android device administrator devices. After you change your Android Enterprise work profile or your Android device administrator settings, that's no longer the case.
  • If you block personal Android Enterprise work profile enrollment, only corporate-owned Android devices can enroll with Android Enterprise work profiles.

Blocking personal Windows devices

If you block personally owned Windows devices from enrollment, Intune checks to make sure that each new Windows enrollment request has been authorized as a corporate enrollment. Unauthorized enrollments will be blocked.

The following methods qualify as being authorized as a Windows corporate enrollment:

The following enrollments are marked as corporate by Intune. But since they don't offer the Intune administrator per-device control, they'll be blocked:

The following personal enrollment methods will also be blocked:

* These won't be blocked if registered with Autopilot.

Change enrollment restriction priority

Priority is used when a user exists in multiple groups that are assigned restrictions. Users are subject only to the highest priority restriction assigned to a group that they are in. For example, Joe is in group A assigned to priority 5 restrictions and also in group B assigned to priority 2 restrictions. Joe is subject only to the priority 2 restrictions.

When you create a restriction, it's added to the list just above the default.

Device enrollment includes default restrictions for both device type and device limit restrictions. These two restrictions apply to all users unless they're overridden by higher-priority restrictions.
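
The following Python model of the evaluation described on this page (priority selection, platform allow list, version window) is an added illustration, not Intune's own code. The class and function names and the sample restrictions are assumptions, as are two modeling choices: a version component the device doesn't report compares as 0, and 10.0.17134.100 is entered as the minimum version.

```python
from dataclasses import dataclass
from typing import Optional

def parse_version(text):
    """'major.minor.rev.build' -> 4-tuple. Missing trailing parts count as 0 (assumption)."""
    parts = [int(p) for p in text.split(".")]
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"unsupported version format: {text!r}")
    return tuple(parts + [0] * (4 - len(parts)))

@dataclass
class Restriction:
    name: str
    priority: Optional[int]      # lower number wins; None marks the default (always last)
    groups: Optional[frozenset]  # assigned groups; None = applies to everyone (default)
    allowed: dict                # platform -> (minimum or None, maximum or None)

def effective_restriction(restrictions, user_groups):
    """Pick the one restriction the user is subject to: the highest-priority match."""
    matches = [r for r in restrictions if r.groups is None or r.groups & user_groups]
    return min(matches, key=lambda r: float("inf") if r.priority is None else r.priority)

def evaluate(restrictions, user_groups, platform, reported_version):
    """Return (restriction name, outcome) for one enrollment request."""
    r = effective_restriction(restrictions, user_groups)
    if platform not in r.allowed:
        return r.name, "blocked: platform not allowed"
    minimum, maximum = r.allowed[platform]
    version = parse_version(reported_version)
    if minimum and version < parse_version(minimum):
        return r.name, "blocked: below minimum version"
    if maximum and version > parse_version(maximum):
        return r.name, "blocked: above maximum version"
    return r.name, "allowed"

# Constructed sample data, mirroring the Joe example (group A = priority 5, group B = priority 2).
SAMPLE = [
    Restriction("Default", None, None, {"Windows": (None, None), "iOS": (None, None)}),
    Restriction("Group A", 5, frozenset({"A"}), {"iOS": (None, None)}),
    Restriction("Group B", 2, frozenset({"B"}), {"Windows": ("10.0.17134.100", None)}),
]

if __name__ == "__main__":
    joe = {"A", "B"}
    # The device is 10.0.17134.174 but reports no build number at enrollment.
    print(evaluate(SAMPLE, joe, "Windows", "10.0.17134"))
    # Group A allows iOS, but Joe is subject only to the priority 2 restriction.
    print(evaluate(SAMPLE, joe, "iOS", "12.1.0"))
    print(evaluate(SAMPLE, set(), "iOS", "12.1.0"))
```

In this model, Joe's iOS enrollment is blocked even though group A allows iOS, because only the priority 2 restriction is evaluated for him.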

You can change the priority of any non-default restriction.

  1. Sign in to the Azure portal.
  2. Select More Services, search for Intune, and then choose Intune.
  3. Select Device enrollment > Enrollment restrictions.
  4. Hover over the restriction in the priority list.
  5. Using the three vertical dots, drag the priority to the desired position in the list.