OCA619
Copper Contributor
Apr 03, 2025
Solved

Block Company Portal Enrollment for BYOD Devices

Hello all,

I’m new to Intune and have a small org that has been using it for phone devices for some time. It looks like they only had one policy for all Intune-licensed users, forcing them to enroll using the Company Portal regardless of whether the device was corporate owned or personal. I’ve been tasked with setting up a separate method for the personal BYOD devices.

I created a new App Protection policy for Office 365 apps and assigned it to a specific group, adding some security options for the data in the apps. This is working well in testing. Is there a way to prevent the enrollment of BYOD devices using the Company Portal? What method would you recommend to try to achieve this? I appreciate all the feedback.

OCA


  • OCA619
    Copper Contributor

    Hello Stuart,

    Yes, I'd like to block BYOD devices from enrolling so they don't install the cert, which gives us more control than we need on a personal device. The App Protection policy works nicely; I just want to ensure a BYOD device couldn't enroll. The restriction seems like a good path. Currently we only have the one default all-users policy that allows all. Maybe add a new restriction to block enrollment for the security group we created for the users using the App Protection policy.

  • StuartK73
    Iron Contributor

    Hi Buddy

    Have a look at Devices > Enrollment > Device platform restrictions

    Also, do you need the BYOD devices to actually enroll? Maybe just use MAM / MAMwE!!!

    You can also create filters which can separate enrolled vs unenrolled devices if you need separation.

    Stuart

  • OCA619
    Copper Contributor

    Thanks, there look to be some options here I can test with. The person who set this up before basically did one enrollment policy for all users regardless of whether it was a BYOD or corporate-owned device. Corporate-owned devices are pushed via Apple Business Manager into Intune. The policy looks like it basically states that all Intune-licensed users can enroll their device using the Company Portal. However, any user in a NoAccess group is blocked from enrollment.

    My thought was adding a new group that is also blocked but is in the allow list for the App Protection policy. There was also a policy that required the Company Portal for Outlook access. I put the group used for App Protection in the exclusions, which allowed them to connect without the Company Portal.

    One test I did: any user in the NoAccess group is not able to connect even if they are in the App Protection policy group. Just trying to be careful so I don't inadvertently block access.

  • SteveWang
    Copper Contributor

    This could help too, especially if your corp owned are all ADE/DEP.

    Otherwise you can assign a block to all users but allow certain ones, like yourself, to still be able to enroll personally owned devices.

    https://learn.microsoft.com/en-us/intune/intune-service/enrollment/enrollment-restrictions-set#blocking-personal-iosipados-devices
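As an added example (not code from the thread, from Microsoft, or from the linked article), the following Microsoft Graph PowerShell script implements the design StuartK73 and SteveWang describe: the default device platform restriction blocks personally owned iOS/iPadOS enrollment for everyone, and a second, higher-priority iOS restriction re-allows it for one admin group. It assumes the Microsoft.Graph module is installed, the caller holds DeviceManagementServiceConfig.ReadWrite.All, and $adminGroupId (a placeholder below) is the object ID of the exception group. The resource and property names (deviceEnrollmentPlatformRestrictionsConfiguration, deviceEnrollmentPlatformRestrictionConfiguration, personalDeviceEnrollmentBlocked, the assign and setPriority actions) are taken from the Graph beta endpoint and should be treated as assumptions to verify against your tenant before running this.

```powershell
# Added example, not from the thread: block Company Portal enrollment of personally
# owned iOS/iPadOS devices tenant-wide, then carve out an exception for one group.
# Assumptions: Microsoft.Graph module installed, Graph beta endpoint, and the
# placeholder group ID below replaced with a real group object ID.
Connect-MgGraph -Scopes "DeviceManagementServiceConfig.ReadWrite.All" | Out-Null

$base         = "https://graph.microsoft.com/beta/deviceManagement/deviceEnrollmentConfigurations"
$adminGroupId = "00000000-0000-0000-0000-000000000000"   # placeholder, replace

# 1. Locate the built-in default restriction (priority 0). It applies to every user
#    who is not matched by a custom restriction with a higher priority.
$default = (Invoke-MgGraphRequest -Method GET -Uri $base).value |
    Where-Object {
        $_.'@odata.type' -eq '#microsoft.graph.deviceEnrollmentPlatformRestrictionsConfiguration' -and
        $_.priority -eq 0
    }

# Flip "Personally owned" to Block for iOS/iPadOS. Corporate devices (ADE / Apple
# Configurator / imported corporate identifiers) are not personal, so they still enroll.
$blockPersonalIos = @{
    '@odata.type'  = '#microsoft.graph.deviceEnrollmentPlatformRestrictionsConfiguration'
    iosRestriction = @{
        platformBlocked                 = $false   # the platform itself stays allowed
        personalDeviceEnrollmentBlocked = $true    # personal iOS/iPadOS enrollment refused
    }
} | ConvertTo-Json -Depth 5

Invoke-MgGraphRequest -Method PATCH -Uri "$base/$($default.id)" `
    -Body $blockPersonalIos -ContentType 'application/json'

# 2. Create an iOS-only restriction that allows personal enrollment, assign it to the
#    admin group, and give it priority 1 so it is evaluated before the default.
$allowForAdmins = @{
    '@odata.type'       = '#microsoft.graph.deviceEnrollmentPlatformRestrictionConfiguration'
    displayName         = 'iOS - allow personal enrollment (admin exception)'
    description         = 'Exception to the default block on personally owned iOS/iPadOS devices'
    platformType        = 'ios'
    platformRestriction = @{
        platformBlocked                 = $false
        personalDeviceEnrollmentBlocked = $false
    }
} | ConvertTo-Json -Depth 5

$created = Invoke-MgGraphRequest -Method POST -Uri $base `
    -Body $allowForAdmins -ContentType 'application/json'

$assignment = @{
    enrollmentConfigurationAssignments = @(
        @{ target = @{ '@odata.type' = '#microsoft.graph.groupAssignmentTarget'; groupId = $adminGroupId } }
    )
} | ConvertTo-Json -Depth 5

Invoke-MgGraphRequest -Method POST -Uri "$base/$($created.id)/assign" `
    -Body $assignment -ContentType 'application/json'

Invoke-MgGraphRequest -Method POST -Uri "$base/$($created.id)/setPriority" `
    -Body (@{ priority = 1 } | ConvertTo-Json) -ContentType 'application/json'

# 3. Verify. Custom restrictions are evaluated from priority 1 upward; the default
#    (priority 0) is evaluated last, so the admin exception must show as priority 1.
(Invoke-MgGraphRequest -Method GET -Uri $base).value |
    Where-Object { $_.'@odata.type' -like '*PlatformRestriction*' } |
    Sort-Object priority |
    Select-Object priority, displayName, '@odata.type' |
    Format-Table -AutoSize
```

Two caveats worth checking in your own tenant before relying on this. First, the "personally owned" decision is made at enrollment time: devices that arrive through Apple Business Manager (ADE), Apple Configurator, or whose serial numbers were uploaded as corporate identifiers count as corporate; every other iOS device is personal, so test with a non-ADE device to confirm the block. Second, a platform restriction only gates MDM enrollment; it does not by itself change what the BYOD group can reach in Outlook. If the existing Conditional Access policy requires a compliant or Company Portal-enrolled device, the BYOD group still needs its own grant (for example, "Require app protection policy") that matches the App Protection policy, otherwise the block on enrollment becomes a block on mail.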

  • rahuljindal
    Bronze Contributor

    Maybe this can help - https://rahuljindalmyit.blogspot.com/2024/12/why-is-enrolment-through-company-portal.html
