Intune Customer Success

Blocking certain hardware manufacturers via Intune compliance policies

Jul 13, 2019

By Matt Shadbolt | Sr. Program Manager - Microsoft Endpoint Manager - Intune


Updated 9/28/21 - You can now block Android devices from enrolling based on device manufacturer. See: Set enrollment restrictions in Microsoft Intune to learn more.


Recently, several customers have asked for options to restrict the use of certain hardware vendors in their organization. Intune plans to provide additional options to restrict enrollment based on hardware manufacturer, and we also plan to extend our Conditional Access compliance policies so that access can be blocked based on hardware manufacturer.


Until that functionality is developed and deployed, here is a short-term workaround that blocks access from these devices. It combines two pieces: an Azure AD dynamic device group that collects the devices by manufacturer, and an “impossible” compliance policy targeted at that group so those devices can never be compliant. Note what this does and does not do: it does not prevent enrollment. The device enrolls, is evaluated against the policy, and is then marked non-compliant; access is actually blocked only where a Conditional Access policy requires a compliant device.


Step 1

First, we need to create an Azure AD dynamic group with all our target devices.

Use the following dynamic device membership rule, replacing SomeHardwareVendor with the manufacturer name exactly as it appears on your Azure AD device objects (check a known device of that make before relying on the rule):

(device.deviceOSType -contains "Android") -and (device.deviceManufacturer -eq "SomeHardwareVendor")

The first clause uses -contains, which is a substring match, so it also catches OS type values that merely contain “Android” (the Android Enterprise variants); the second clause uses -eq so only the named manufacturer is matched. Dynamic membership is processed asynchronously, so allow some time for the group to populate after you create it before moving on to Step 2.


Step 2

We now create an “impossible” compliance policy and assign it to the newly created Azure AD group.

In Intune, create a new Device compliance policy for the Android platform (create a second one for Android Enterprise, since compliance policies are per platform and the dynamic group contains both kinds of device). In the Device Properties of the policy, set the Minimum OS version to a value no device can ever satisfy, such as 100. Leave the other settings alone; the single impossible requirement is enough. Under Actions for noncompliance, keep the default “Mark device noncompliant” with a grace period of 0 days (immediately); with a longer grace period, the devices would remain compliant until it expires.


Now assign this compliance policy to the SomeHardwareVendor Android Devices group. The next time the group members check in to Intune, they will be evaluated against it and marked non-compliant. Scope the assignment to that group only: assigning the policy to All Devices would mark every Android device in the tenant non-compliant.
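The two steps above, automated against Microsoft Graph, as an added example that is not part of the original post. It assumes the Microsoft.Graph PowerShell SDK is installed, that the signed-in account can consent to the Group.ReadWrite.All and DeviceManagementConfiguration.ReadWrite.All scopes, and that SomeHardwareVendor is replaced with the exact manufacturer string stored on your device objects; the display names and mail nickname are made up for the example. It creates the dynamic group, then one “impossible” policy each for Android device administrator and Android Enterprise work profile, and assigns both to that group only.

```powershell
# Added example (not code from the original post): automate Step 1 and Step 2
# through Microsoft Graph with the Microsoft.Graph PowerShell SDK.
# Assumptions: the SDK is installed, the account can consent to the scopes
# below, and $vendor holds the manufacturer string exactly as Azure AD stores it.
Connect-MgGraph -Scopes "Group.ReadWrite.All", "DeviceManagementConfiguration.ReadWrite.All"

$vendor = "SomeHardwareVendor"   # replace with the real deviceManufacturer value
$graph  = "https://graph.microsoft.com/v1.0"

# Step 1: dynamic device group using the same membership rule as the post.
# -contains is a substring match (catches the Android Enterprise OS type variants);
# -eq on the manufacturer keeps the group limited to the one vendor.
$groupBody = @{
    displayName                   = "$vendor Android Devices"
    mailEnabled                   = $false
    mailNickname                  = ("blk-" + ($vendor -replace '[^A-Za-z0-9]', '')).ToLower()
    securityEnabled               = $true
    groupTypes                    = @("DynamicMembership")
    membershipRule                = "(device.deviceOSType -contains `"Android`") -and (device.deviceManufacturer -eq `"$vendor`")"
    membershipRuleProcessingState = "On"
}
$group = Invoke-MgGraphRequest -Method POST -Uri "$graph/groups" `
    -Body ($groupBody | ConvertTo-Json -Depth 5) -ContentType "application/json"

# Step 2: the "impossible" compliance policy. Graph requires at least one
# scheduled action on a compliance policy; "block" with a 0-hour grace period
# is the same as the portal default "Mark device noncompliant" immediately.
$scheduledActions = @(
    @{
        ruleName                      = "PasswordRequired"
        scheduledActionConfigurations = @(
            @{
                actionType                = "block"
                gracePeriodHours          = 0
                notificationTemplateId    = ""
                notificationMessageCCList = @()
            }
        )
    }
)

# One policy per Android platform, as the post says: device administrator
# and Android Enterprise work profile. Display names are made up for the example.
$policyTypes = @{
    "#microsoft.graph.androidCompliancePolicy"            = "Block $vendor - Android device administrator"
    "#microsoft.graph.androidWorkProfileCompliancePolicy" = "Block $vendor - Android Enterprise work profile"
}

foreach ($odataType in $policyTypes.Keys) {
    $policyBody = @{
        "@odata.type"           = $odataType
        displayName             = $policyTypes[$odataType]
        description             = "Impossible minimum OS version; assigned only to $vendor devices."
        osMinimumVersion        = "100"      # no Android release will ever satisfy this
        scheduledActionsForRule = $scheduledActions
    }
    $policy = Invoke-MgGraphRequest -Method POST -Uri "$graph/deviceManagement/deviceCompliancePolicies" `
        -Body ($policyBody | ConvertTo-Json -Depth 10) -ContentType "application/json"

    # Assign to the dynamic group only. Never target All Devices with this policy,
    # or every Android device in the tenant becomes non-compliant.
    $assignBody = @{
        assignments = @(
            @{ target = @{ "@odata.type" = "#microsoft.graph.groupAssignmentTarget"; groupId = $group.id } }
        )
    }
    Invoke-MgGraphRequest -Method POST -Uri "$graph/deviceManagement/deviceCompliancePolicies/$($policy.id)/assign" `
        -Body ($assignBody | ConvertTo-Json -Depth 10) -ContentType "application/json"

    Write-Host "Created and assigned '$($policyBody.displayName)' (id $($policy.id)) to group $($group.id)"
}
```

Before running it, confirm the manufacturer string: list the Android device objects with Get-MgDevice and read the manufacturer property of a device you know to be of that make, since the dynamic rule only matches when the value agrees with what Azure AD stores. The policies are created with a block action and a zero-hour grace period, so affected devices are marked non-compliant at their next check-in; the access block itself still depends on a Conditional Access policy that requires a compliant device.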


With these two short steps, combined with a Conditional Access policy that requires a compliant device, we can effectively block any hardware manufacturer from accessing corporate resources. Devices of that make that were previously compliant lose access once they check in and the new policy is evaluated; you can confirm the result by checking those devices in the Intune device compliance report.


If you have questions or comments for the Intune team, reply to this post or reach out to @IntuneSuppTeam on Twitter.


Post updates:

9/28/21 - Updated the post to note that with the 2001 service release, you can now block Android enrollment from certain device manufacturers.

Updated Dec 01, 2023
Version 5.0
  • Ketzpatel
    Brass Contributor

    Yes, we are able to block each individual manufacturer by adding them to the block list, but as you may know it's not easy to list every Android device manufacturer as there are tons of them. Instead of blocking each of them, there should be a way to allow only specific ones and everyone else will be blocked. Almost all other MDM providers have this feature in their system to only allow specific manufacturers.

  • Ketzpatel
    Brass Contributor

    Is there an option or feature available in Intune now to allow only specific device manufacturers instead of blocking a whole list of manufacturers? I still do not see any option to only allow specific manufacturers by simply adding the name.

  • Reza_Ameri
    Silver Contributor

    Thank you for sharing. While these steps are helpful, it would be nice to improve the user experience in the future, like we could fill in a form and add the name of the vendor, or if the vendor contains a specific name. Another good experience would be to have a look at already enrolled devices and select and blacklist them.