Custom enrollment restriction policy not working for iOS user enrollment

Question

question

jpawlowski asked Nov 8, '20 jpawlowski answered Feb 24, '21

Custom enrollment restriction policy not working for iOS user enrollment

I have disabled personally owned devices for all users in Intune's default enrollment restriction policy.

Now I would like to re-enable it for a subset of users. To achieve this, I have created a custom enrollment restriction policy with personally owned set to "Allow" for iOS/iPadOS devices. I created a security group and assigned this to the "Included groups" section. Obviously, I also added my test user account to that group as well.

Looking to the troubleshooting section in the Endpoint Manager web console, the custom enrollment restriction policy is active for that user. However, I can only use device enrollment with that user, it is not possible to use user enrollment only (error message "Platform not allowed for personal"). It will work however if I re-enable personally owned devices for the default restriction policy. Even though that policy is not active for that user because the custom policy has higher priority, the default policy is still applied here. Strangely enough the debug console does not show any OS information. Doesn't matter it seems because like I said, it does work as expected when the default enrollment restriction policy allows "personally owned" for everyone.

This really looks like a bug to me.

Anyone has a solution for this or knows how to file a bug report to MSFT to ensure this will be fixed soon?

mem-intune-enrollment

ios-user-enrollment-policy-issue.png (147.9 KiB)

5 |1600 characters needed characters left characters exceeded

Attachments: Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Answer 1 · 2020-11-27T11:39:58.757Z

jpawlowski answered Nov 27, '20 Crystal-MSFT commented Nov 30, '20

Thanks for your feedback! Meanwhile I got several other tenants facing the same issue. Like I was saying device enrollment is working as expected but enrollment restrictions do not apply to user enrollment as expected.

Can't find any existing known issue on user voice, otherwise I had upvoted it already. Also, I don't agree this is a missing feature, it is rather a bug that is discovered as part as public preview of the user enrollment feature. I find this to be really annoying how to give feedback for bugs (not only for this MSFT product). A bug is different from a missing feature where you would up/downvote. A bug shall be fixed to provide the already defined feature set.

I have also opened a regular ticket for this, but it is also quite painful and extremely time consuming as this always feels like I as a customer (and on behalf of our joint customers) must proof that the bug is real rather than that MSFT is trying to proof that there is no bug. I mean, we're not in cort here but it always feels like we are and we are working against each other, not together. In the end, I am taking time, effort and money to help make Microsofts products better and don't feel this is really welcome by 1st and 2nd level support lines in Microsoft... they seem to be hired to block feedback away from the product groups. If I had no other ways to get in direct touch with the product groups, which definately not every customer has, I would be totally lost.

· 1

5 |1600 characters needed characters left characters exceeded

Attachments: Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Crystal-MSFT · Nov 30, 2020 at 07:12 AM

@jpawlowski, Thanks for your reply. From your description, I know this issue occurs in multiple tenants. It sounds like a known issue. I notice a ticket has already opened and is working on it. I fully understand your feeling, But as I know, to identity if it is a bug, it needs time. We appreciate the patience on it. For the user voice, if this is not posted, we can create a new post to feedback out issue. Actually, user voice is a place when the Product team will review.

Hope it can help.

0 ·

Answer 2 · 2020-11-09T04:09:52.897Z

Crystal-MSFT answered Nov 9, '20

@jpawlowski, For our issue, I have tested with device enrollment. it is also working. For user enrollment, I have some limitation on it. To check our issue, we can test some more devices to see if the result is the same. If yes, it seems to be a known issue. We can feedback to Intune uservoice.
https://microsoftintune.uservoice.com/forums/291681-ideas

Hope it can help.

If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

5 |1600 characters needed characters left characters exceeded

Attachments: Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Answer 3 · 2021-02-24T12:16:16.06Z

DanielNeto-4540 answered Feb 24, '21

I have the same scenario here. Exactly how @jpawlowski describes. I also open a ticket.

5 |1600 characters needed characters left characters exceeded

Attachments: Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Answer 4 · 2021-02-24T12:30:39.313Z

jpawlowski answered Feb 24, '21

Support investigation results here where that the PG confirmed this to be an "expected behavior", however not willing to confirm this to be a bug.
"Feature improvements" are on the roadmap I was told, obviously it does not seem to have high priority at the moment.

5 |1600 characters needed characters left characters exceeded

Attachments: Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

question