Forum Discussion

Djaswant
Brass Contributor
May 04, 2022

Intune: Restricting iOS Devices That aren't Enrolled

Hey guys,


I could use some help.
Currently busy with a project to enroll company phones to Intune, but we want phones that aren't enrolled to be blocked from using Office apps with their work credentials.
I've tried setting up a Conditional Access policy for this, which works perfectly for Android but not for iOS. I'm testing it myself, the policies and applications are deployed and the phone is compliant, but every time I open an Office app it states "Enroll your device to gain access" and the Company Portal opens.
If I unselect "Require device to be marked as compliant" under "Access Controls > Grant" in the Conditional Access policy, I get access.
Thing is, access is also available for iOS phones that aren't enrolled.

Anyone else that has experienced this?

  • Oktay Sari
    Iron Contributor

    Djaswant, how do you enroll the iOS devices? ABM or Apple Configurator? From what I read, I can't make out how you enroll, but it looks like a user enrollment where you enroll using the Company Portal app. This app is also used to check compliance, and that is why the Company Portal app opens. You will have to sign in with your username and password. You did say devices are compliant in MEM. Can you see who the primary user is and who enrolled the device? I'm also interested in ownership.


    If you do enroll using ABM or Apple Configurator, the ownership should be corporate by default. In that case you can simply block all personal devices when accessing Office 365 using a Conditional Access policy combined with a filter for devices. Assuming this is what you want to achieve.


    Your CA would look like this:

    • Cloud Apps - Office 365
    • Conditions:
      • Device platform = iOS
      • Client Apps = Mobile Apps (or others if needed)
    • Filter for devices - EXCLUDE
      • device.deviceOwnership -eq "Company"
    • Grant = Block Access


    This CA will block all devices where the device ownership does not equal Company.


    Note: Make sure you test block policies with a select group of users or at least exclude a break-glass account if you do test in your production tenant.


    Hope this helps.
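    The policy outlined above, written out as an added example (not part of Oktay's reply) as a Microsoft Graph conditionalAccessPolicy created with the Microsoft Graph PowerShell SDK. The pilot group and break-glass account IDs are placeholders, and the policy is created in report-only mode so sign-in logs show what would be blocked before anything is enforced.

```powershell
# Added example: "block Office 365 on iOS unless device ownership is Company",
# built with the Microsoft Graph PowerShell SDK (Install-Module Microsoft.Graph).
# Object IDs below are placeholders; replace them with values from your tenant.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

$pilotGroupId     = "<PILOT-GROUP-OBJECT-ID>"       # placeholder: scope to test users first
$breakGlassUserId = "<BREAK-GLASS-USER-OBJECT-ID>"  # placeholder: emergency access account

$policy = @{
    displayName = "Block Office 365 on non-corporate iOS devices"
    # Report-only: evaluates and logs the decision without blocking anyone.
    # Change to "enabled" once the pilot group's sign-in logs look right.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeGroups = @($pilotGroupId)
            excludeUsers  = @($breakGlassUserId)
        }
        applications = @{
            includeApplications = @("Office365")      # the Office 365 app group
        }
        platforms = @{
            includePlatforms = @("iOS")
        }
        clientAppTypes = @("mobileAppsAndDesktopClients")
        devices = @{
            deviceFilter = @{
                # Exclude corporate-owned devices from the policy; anything that
                # does not match (personal or unregistered) stays in scope and is blocked.
                mode = "exclude"
                rule = 'device.deviceOwnership -eq "Company"'
            }
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

    After a test sign-in from a pilot user, the Conditional Access tab of the Azure AD sign-in log entry shows whether this policy matched and which grant control it would have applied.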

    • Djaswant
      Brass Contributor
      Hi Oktay.

      Thank you for responding! No ABM or Apple Configurator. I am indeed using the Company Portal. It's a Compliant, corporate phone.

      Thanks for the advice! Really appreciated. I'm going to check how it reacts to these CA settings and let you know!
      I am actually testing it on my own company phone with my credentials.
