Set enrollment restrictions
As an Intune administrator, you can create and manage enrollment restrictions that define what devices can enroll into management with Intune, including the:
- Number of devices.
- Operating systems and versions.
You can create multiple restrictions and apply them to different user groups. You can set the priority order for your different restrictions.
Enrollment restrictions are not security features. Compromised devices can misrepresent their character. These restrictions are a best-effort barrier for non-malicious users.
The specific enrollment restrictions that you can create include:
- Maximum number of enrolled devices.
- Device platforms that can enroll:
  - Android device administrator
  - Android Enterprise work profile
- Platform operating system version for iOS/iPadOS, Android device administrator, Android Enterprise work profile, and Windows:
  - Minimum version.
  - Maximum version.
- Restrict personally owned devices (iOS, Android device administrator, Android Enterprise work profile, macOS, and Windows).
Default restrictions are automatically provided for both device type and device limit enrollment restrictions. You can change the options for the defaults. Default restrictions apply to all user and userless enrollments. You can override these defaults by creating new restrictions with higher priorities.
Create a device type restriction
- Sign in to the Microsoft Endpoint Manager admin center > Devices > Enroll Devices > Enrollment restrictions > Create restriction > Device type restriction.
- On the Basics page, give the restriction a Name and optional Description.
- Choose Next to go to the Platform settings page.
- Under Platform, choose Allow for the platforms that you want this restriction to allow.
- Under Versions, choose the minimum and maximum versions that you want the allowable platforms to support. For iOS and Android, version restrictions only apply to devices enrolled with the Company Portal. Supported version formats include:
  - Android device administrator and Android Enterprise work profile support major.minor.rev.build.
  - iOS/iPadOS supports major.minor.rev. Operating system versions don't apply to Apple devices that enroll with the Device Enrollment Program, Apple School Manager, or the Apple Configurator app.
  - Windows supports major.minor.build.rev for Windows 10 only.
  Android Enterprise work profile and Android device administrator platforms have the following behavior:
  - If both platforms are allowed for the same group, then users will be enrolled with a work profile if their device supports it; otherwise they will enroll as device administrator.
  - If both platforms are allowed for the group and refined for specific and non-overlapping versions, then users will receive the enrollment flow defined for their OS version.
  - If both platforms are allowed, but blocked for the same versions, then users on devices with the blocked versions will be taken down the Android device administrator enrollment flow and then get blocked from enrollment and prompted to sign out.
  Note that neither work profile nor device administrator enrollment will work unless the appropriate prerequisites have been completed in Android Enrollment.
  Windows 10 does not provide the rev number during enrollment, so, for instance, if you enter 10.0.17134.100 and the device is 10.0.17134.174, it will be blocked during enrollment.
- Under Personally owned, choose Allow for the platforms that you want to permit as personally owned devices.
- Under Device manufacturer, enter a comma-separated list of the manufacturers that you want to block.
- Choose Next to go to the Scope tags page.
- On the Scope tags page, optionally add the scope tags you want to apply to this restriction. For more information about scope tags, see Use role-based access control and scope tags for distributed IT. When using scope tags with enrollment restrictions, users can only re-order policies for which they have scope. Also, they can only reorder for the policy positions for which they have scope. Users see the true policy priority number on each policy. A scoped user can tell the relative priority of their policies even if they can't see all the other policies.
- Choose Next to go to the Assignments page.
- Choose Select groups to include and then use the search box to find groups that you want to include in this restriction. The restriction applies only to groups to which it's assigned. If you don't assign a restriction to at least one group, it won't have any effect. Then choose Select.
- Select Next to go to the Review + create page.
- Select Create to create the restriction.
- The new restriction is created with a priority just above the default. You can change the priority.
Create a device limit restriction
- Sign in to the Microsoft Endpoint Manager admin center > Devices > Enrollment restrictions > Create restriction > Device limit restriction.
- On the Basics page, give the restriction a Name and optional Description.
- Choose Next to go to the Device limit page.
- For Device limit, select the maximum number of devices that a user can enroll.
- Choose Next to go to the Scope tags page.
- On the Scope tags page, optionally add the scope tags you want to apply to this restriction. For more information about scope tags, see Use role-based access control and scope tags for distributed IT. When using scope tags with enrollment restrictions, users can only re-order policies for which they have scope. Also, they can only reorder for the policy positions for which they have scope. Users see the true policy priority number on each policy. A scoped user can tell the relative priority of their policies even if they can't see all the other policies.
- Choose Next to go to the Assignments page.
- Choose Select groups to include and then use the search box to find groups that you want to include in this restriction. The restriction applies only to groups to which it's assigned. If you don't assign a restriction to at least one group, it won't have any effect. Then choose Select.
- Select Next to go to the Review + create page.
- Select Create to create the restriction.
- The new restriction is created with a priority just above the default. You can change the priority.
During BYOD enrollments, users see a notification that tells them when they've met their limit of enrolled devices. For example, on iOS:
Device limit restrictions don't apply for the following Windows enrollment types:
- Co-managed enrollments
- GPO enrollments
- Azure Active Directory joined enrollments
- Bulk Azure Active Directory joined enrollments
- Autopilot enrollments
- Device Enrollment Manager enrollments
Device limit restrictions are not enforced for these enrollment types because they're considered shared device scenarios. You can set hard limits for these enrollment types in Azure Active Directory.
Change enrollment restrictions
You can change the settings for an enrollment restriction by following the steps below. These changes don't affect devices that have already been enrolled.
- Sign in to the Microsoft Endpoint Manager admin center > Devices > Enrollment restrictions > choose the restriction that you want to change > Properties.
- Choose Edit next to the settings that you want to change.
- On the Edit page, make the changes that you want and proceed to the Review + save page, then choose Save.
Blocking personal Android devices
- If you block personally owned Android device administrator devices from enrollment, personally-owned Android Enterprise work profile devices can still enroll.
- By default, your Android Enterprise work profile device settings are the same as your settings for your Android device administrator devices. After you change your Android Enterprise personally-owned work profile or your Android device administrator settings, that's no longer the case.
- If you block Android Enterprise personal work profile enrollment, only corporate-owned Android devices can enroll with Android Enterprise personally-owned work profiles.
Blocking personal Windows devices
If you block personally owned Windows devices from enrollment, Intune checks to make sure that each new Windows enrollment request has been authorized as a corporate enrollment. Unauthorized enrollments will be blocked.
The following methods qualify as being authorized as a Windows corporate enrollment:
- The enrolling user is using a device enrollment manager account.
- The device enrolls through Windows Autopilot.
- The device is registered with Windows Autopilot but isn't enrolled through the MDM enrollment only option in Windows Settings.
- The device enrolls through a bulk provisioning package.
- The device enrolls through GPO, or automatic enrollment from Configuration Manager for co-management.
The following enrollments are marked as corporate by Intune. But because they don't give the Intune administrator per-device control, they'll be blocked:
- Automatic MDM enrollment with Azure Active Directory join during Windows setup*.
- Automatic MDM enrollment with Azure Active Directory join from Windows Settings*.
The following personal enrollment methods will also be blocked:
- Automatic MDM enrollment with Add Work Account from Windows Settings*.
- MDM enrollment only option from Windows Settings.
* These won't be blocked if registered with Autopilot.
Blocking personal iOS/iPadOS devices
By default, Intune classifies iOS/iPadOS devices as personally-owned. To be classified as corporate-owned, an iOS/iPadOS device must fulfill one of the following conditions:
- Registered with a serial number.
- Enrolled by using Automated Device Enrollment (formerly Device Enrollment Program)
An iOS User Enrollment profile overrides an enrollment restriction policy. For more information, see Set up iOS/iPadOS User Enrollment (preview).
Change enrollment restriction priority
Priority is used when a user exists in multiple groups that are assigned restrictions. Users are subject only to the highest priority restriction assigned to a group that they are in. For example, Joe is in group A assigned to priority 5 restrictions and also in group B assigned to priority 2 restrictions. Joe is subject only to the priority 2 restrictions.
When you create a restriction, it's added to the list just above the default.
Device enrollment includes default restrictions for both device type and device limit restrictions. These two restrictions apply to all users unless they're overridden by higher-priority restrictions.
Enrollment restrictions are applied to users. In enrollment scenarios that are not user-driven (e.g. Windows Autopilot self-deploying mode or white glove provisioning), only the Default priority restrictions (targeted to "All Users") will be enforced.
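The two rules above, priority resolution across a user's groups and version matching (including the Windows 10 rev caveat from the version-format step), as an added example that is not part of the Intune documentation. The group, user and policy names are constructed sample data; the platform names and the Windows rev behaviour are assumptions drawn only from what this page states.

```python
# Added example, not from the Intune documentation. Models two rules the page
# states: (1) a version restriction compares the version the device reports,
# and Windows 10 does not report the rev component at enrollment; (2) when a
# user is in several groups, only the lowest-numbered priority applies, and a
# userless enrollment only ever sees the default. Sample data is constructed.

# Components each platform's version format supports (from the page).
COMPONENTS = {"android": 4, "androidEnterprise": 4, "ios": 3, "windows": 4}

def parse_version(text, platform):
    """Dotted version string -> tuple, zero-padded to the platform's width."""
    parts = [int(p) for p in text.split(".")] if text else []
    width = COMPONENTS[platform]
    if len(parts) > width:
        raise ValueError(f"too many components for {platform}: {text!r}")
    return tuple(parts + [0] * (width - len(parts)))

def reported_version(device_version, platform):
    """The version Intune sees at enrollment: Windows 10 drops the rev."""
    v = parse_version(device_version, platform)
    return v[:3] + (0,) if platform == "windows" else v

def version_allowed(device_version, platform, minimum=None, maximum=None):
    """True when the reported version lies within [minimum, maximum]."""
    v = reported_version(device_version, platform)
    lo = parse_version(minimum, platform) if minimum else None
    hi = parse_version(maximum, platform) if maximum else None
    return (lo is None or v >= lo) and (hi is None or v <= hi)

# Constructed sample: lower number = higher priority; the default has no
# number, is targeted at All Users, and sits below every numbered policy.
RESTRICTIONS = [
    {"name": "Default", "priority": None, "groups": {"All Users"}, "windows": {"minimum": None}},
    {"name": "Policy A", "priority": 5, "groups": {"A"}, "windows": {"minimum": "10.0.17134.100"}},
    {"name": "Policy B", "priority": 2, "groups": {"B"}, "windows": {"minimum": "10.0.17134"}},
]
MEMBERS = {"Joe": {"A", "B"}, "Ann": {"A"}}

def effective_restriction(user, restrictions=RESTRICTIONS, members=MEMBERS):
    """The one restriction governing an enrollment; user=None is userless."""
    groups = members.get(user, set()) if user is not None else set()
    hits = [r for r in restrictions if r["priority"] is not None and r["groups"] & groups]
    if hits:
        return min(hits, key=lambda r: r["priority"])
    return next(r for r in restrictions if r["priority"] is None)

def windows_enrollment_allowed(user, device_version):
    """Apply the effective restriction's Windows version range to the device."""
    r = effective_restriction(user)
    return version_allowed(device_version, "windows", **r["windows"])
```

Joe resolves to Policy B (priority 2 beats 5), so his 10.0.17134.174 device passes; Ann resolves to Policy A, whose minimum 10.0.17134.100 blocks the same device because it reports 10.0.17134 with rev 0.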
You can change the priority of any non-default restriction.
- Sign in to the Azure portal.
- Select More Services, search for Intune, and then choose Intune.
- Select Device enrollment > Enrollment restrictions.
- Hover over the restriction in the priority list.
- Using the three vertical dots, drag the priority to the desired position in the list.