Forum Discussion
syntax412
Jun 07, 2023 (Copper Contributor)
Preventing Connections to External Intune Organizations
Is it possible to prevent our company devices from connecting to external Intune organizations? Our apprentices use these devices to sign in to their schools, resulting in the registration of our devices with their respective institutions.
Our devices are added through hybrid AD join.
I would like to know if it is feasible to stop this process using Group Policy Objects or Intune. Any insights or guidance on this matter would be greatly appreciated.
- kirensan89 (Copper Contributor)
Yes, it is possible to prevent company devices from connecting to external Intune organizations. There are several approaches you can take to achieve this.
Group Policy Objects (GPOs): You can use Group Policy Objects to control the device registration process. By configuring the appropriate GPO settings, you can prevent devices from automatically registering with external Intune organizations. Here's what you can do:
a. On your domain controller, open the Group Policy Management console.
b. Create a new GPO or modify an existing one that applies to the devices in question.
c. Navigate to Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Device Registration.
d. Enable the policy "Prevent automatic MDM enrollment outside of the Azure AD join" and set it to "Enabled".
e. Apply the GPO to the appropriate organizational units (OUs) or groups containing the devices you want to restrict.
With this GPO in place, devices will not automatically enroll in external Intune organizations, and you can ensure they only connect to your organization's Intune.
Intune device configuration policies: If you're using Intune for device management, you can create device configuration policies to control the enrollment behavior. Here's what you can do:
a. Sign in to the Azure portal and open the Intune blade.
b. Go to "Device configuration" -> "Profiles" and create a new profile or modify an existing one.
c. In the profile settings, navigate to "Device enrollment" -> "Windows enrollment" -> "Enrollment restrictions".
d. Enable the option "Block device enrollment with other MDMs" to prevent enrollment with external Intune organizations.
e. Assign the profile to the appropriate groups containing the devices you want to restrict.
By configuring this device configuration policy, you can ensure that devices are prevented from enrolling in external Intune organizations.
It's important to thoroughly test these configurations in a controlled environment before applying them to production devices to ensure they meet your requirements and don't cause unintended consequences. Additionally, consult your organization's IT policies and seek assistance from your IT department to ensure proper implementation and management of device enrollment restrictions.
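As an added example that is not part of either poster's reply, the script below audits and applies the registry policy value Microsoft documents for blocking a Windows device from being Entra ID (Azure AD) registered with another tenant when a user adds a work or school account, which is the registration the apprentices trigger. It assumes the documented path HKLM\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin with the DWORD value BlockAADWorkplaceJoin, that it runs elevated, and that dsregcmd /status reports WorkplaceJoined and WorkplaceTenantName lines; the existing hybrid join to your own tenant is a separate join type and is not affected.

```powershell
# Added example, not from the thread. Registry path and value name are the ones
# Microsoft documents for blocking Entra ID registration (workplace join).
$PolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin'
$ValueName  = 'BlockAADWorkplaceJoin'

function Get-WorkplaceJoinBlockState {
    # Returns $true when adding a work or school account can no longer
    # register this device with another tenant.
    $item = Get-ItemProperty -Path $PolicyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $false }
    return ([int]$item.$ValueName -eq 1)
}

function Set-WorkplaceJoinBlock {
    # Applies (or clears) the block; deploy the same value via a GPO
    # registry preference or an Intune configuration profile at scale.
    param([switch]$Enable)
    if (-not (Test-Path $PolicyPath)) {
        New-Item -Path $PolicyPath -Force | Out-Null
    }
    $value = if ($Enable) { 1 } else { 0 }
    New-ItemProperty -Path $PolicyPath -Name $ValueName -PropertyType DWord `
        -Value $value -Force | Out-Null
}

function Get-ExternalWorkplaceJoins {
    # Finds registrations that happened before the block was applied, so those
    # devices can be cleaned up. Assumes dsregcmd /status prints
    # "WorkplaceJoined : YES" and "WorkplaceTenantName : <tenant>" lines.
    $status = dsregcmd /status
    $joined = $status | Where-Object { $_ -match '^\s*WorkplaceJoined\s*:\s*YES' }
    if (-not $joined) { return @() }
    $status |
        Where-Object { $_ -match '^\s*WorkplaceTenantName\s*:\s*(.+)$' } |
        ForEach-Object { $Matches[1].Trim() }
}

# Audit first, then enforce and report any external tenants still registered.
Write-Host "Block in place before change: $(Get-WorkplaceJoinBlockState)"
Set-WorkplaceJoinBlock -Enable
Write-Host "Block in place after change:  $(Get-WorkplaceJoinBlockState)"
$external = Get-ExternalWorkplaceJoins
if ($external) {
    Write-Warning "Device is still workplace-joined to: $($external -join ', ')"
}
```

Run the audit portion across the fleet (for example as an Intune remediation detection script) before enforcing, so that devices already registered with a school tenant are identified and their users can remove that account.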
- phatrat1976 (Copper Contributor)
kirensan89 I don't see either of these options. GPO - Prevent automatic MDM enrollment outside of the Azure AD join - not available, same with Azure.