Configure device restriction settings in Microsoft Intune
Intune includes device restriction policies that help administrators control Android, iOS/iPadOS, macOS, and Windows devices. These restrictions let you control a wide range of settings and features to protect your organization's resources. For example, administrators can:
- Allow or block the device camera.
- Control access to Google Play, app stores, viewing documents, and gaming.
- Block built-in apps, or create a list of apps that are allowed or prohibited.
- Allow or prevent backing up files to cloud and storage accounts.
- Set a minimum password length, and block simple passwords.
These features are available in Intune, and are configurable by the administrator. Intune uses "configuration profiles" to create and customize these settings for your organization's needs. After you add these features in a profile, you can then push or deploy the profile to devices in your organization.
This article shows you how to create a device restrictions profile. You can also see all the available settings for the different platforms.
Create the profile
Sign in to the Microsoft Endpoint Manager admin center.
Select Devices > Configuration profiles > Create profile.
Enter the following properties:
Platform: Choose the platform of your devices. Your options:
- Android device administrator
- Android Enterprise
- Windows 10 and later
- Windows 8.1 and later
Profile: Select Device restrictions.
To create a device restrictions profile for Windows 10 Team devices, such as Surface Hub, choose Device restrictions (Windows 10 Team).
In Basics, enter the following properties:
- Name: Enter a descriptive name for the policy. Name your policies so you can easily identify them later. For example, a good policy name is iOS/iPadOS: Block camera on devices.
- Description: Enter a description for the policy. This setting is optional, but recommended.
In Configuration settings, depending on the platform you chose, the settings you can configure are different. Choose your platform for detailed settings:
In Scope tags (optional), assign a tag to filter the profile to specific IT groups, such as US-NC IT Team or JohnGlenn_ITDepartment. For more information about scope tags, see Use RBAC and scope tags for distributed IT.
In Assignments, select the users or groups that will receive your profile. For more information on assigning profiles, see Assign user and device profiles.
In Review + create, review your settings. When you select Create, your changes are saved, and the profile is assigned. The policy is also shown in the profiles list.
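The same create, assign, and review steps can also be scripted. The following is an added example, not part of the original article: it uses the Microsoft Graph v1.0 `deviceConfigurations` endpoint through `Invoke-MgGraphRequest`. It assumes the Microsoft.Graph.Authentication module is installed and the account can manage Intune configuration; the group ID is a placeholder and the passcode length of 8 is a constructed sample value.

```powershell
# Added example (not from the original article).
# Assumes: Microsoft.Graph.Authentication module, Intune admin rights.
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All'

$base    = 'https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations'
$groupId = '<target-group-object-id>'   # placeholder: replace before running
$name    = 'iOS/iPadOS: Block camera on devices'

# Basics + Configuration settings: the restrictions listed in the introduction.
$restriction = @{
    '@odata.type'         = '#microsoft.graph.iosGeneralDeviceConfiguration'
    displayName           = $name
    description           = 'Blocks camera and iCloud backup; enforces passcode rules.'
    cameraBlocked         = $true
    iCloudBlockBackup     = $true
    passcodeRequired      = $true
    passcodeMinimumLength = 8          # constructed sample value
    passcodeBlockSimple   = $true
}

# Refuse to create a second profile with the same name (follow paging links).
$uri = $base
while ($uri) {
    $page = Invoke-MgGraphRequest -Method GET -Uri $uri
    if ($page.value | Where-Object { $_.displayName -eq $name }) {
        throw "A profile named '$name' already exists."
    }
    $uri = $page.'@odata.nextLink'
}

# Create the profile.
$created = Invoke-MgGraphRequest -Method POST -Uri $base `
    -Body ($restriction | ConvertTo-Json -Depth 5) -ContentType 'application/json'

# Assignments: target one Azure AD group, only if a real ID was supplied.
if ($groupId -notmatch '^<') {
    $assign = @{ assignments = @(@{ target = @{
        '@odata.type' = '#microsoft.graph.groupAssignmentTarget'
        groupId       = $groupId } }) }
    Invoke-MgGraphRequest -Method POST -Uri "$base/$($created.id)/assign" `
        -Body ($assign | ConvertTo-Json -Depth 5) -ContentType 'application/json' | Out-Null
}

# Review: read back what was stored and who receives it.
$stored  = Invoke-MgGraphRequest -Method GET -Uri "$base/$($created.id)"
$targets = (Invoke-MgGraphRequest -Method GET -Uri "$base/$($created.id)/assignments").value
'{0} (id {1}) cameraBlocked={2} assignments={3}' -f `
    $stored.displayName, $stored.id, $stored.cameraBlocked, @($targets).Count
```

Leaving the placeholder group ID in place creates the profile unassigned, which allows the stored settings to be reviewed before any device receives them.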