Forum Discussion
Separate Personal from Corp Devices
Hi All
Trying to get my head around something:
- Clear separation between personal and corp devices - corp identifiers, enrollment restrictions etc.?
- Restricting unmanaged devices to using email securely - Conditional Access, IAP?
What do you guys use in such scenarios?
Info appreciated
- Thijs Lecomte (Bronze Contributor)
Hi Stuart
First of all: what are you trying to accomplish exactly?
Personal vs corporate devices:
Corporate identifiers and enrollment restrictions are two different things and don't actually work together.
Corporate identifiers change whether an ENROLLED device is seen as personal or corporate. This is a simple field that is changed in Intune. Using that field you could create dynamic groups to deploy different policies to.
Enrollment restrictions determine whether personal devices can be enrolled. What is the difference between personal and corporate devices? Please check out this link: https://docs.microsoft.com/en-us/intune/enrollment/device-enrollment#corporate-owned-device
For example, for iOS:
- Devices enrolled through the company portal are personal
- Devices enrolled through DEP are corporate
Even if you have set up corp identifiers to identify a device as corporate, if you enroll it through the Company Portal it will always fail, because that is a personal enrollment method. Corp identifiers only work after enrollment.
If you want to secure data from the device on corporate/personal devices, I would recommend looking into app protection policies and conditional access.
Feel free to reach out with more requests!
- StuartK73 (Iron Contributor)
Hey, many thanks for the excellent and informative response.
Yeah, leaving aside the enrollment for now, that will stay Personal.
However, some devices may enroll, some just wanna access corp email.
There is tremendous help on these 2 guides:
https://docs.microsoft.com/en-us/intune/protect/tutorial-protect-email-on-unmanaged-devices
https://docs.microsoft.com/en-us/intune/protect/tutorial-protect-email-on-enrolled-devices
However BOTH require the creation of a Conditional Access policy:
- Managed devices: grant with Require device to be compliant / Require approved app
- Unmanaged devices: Require approved app / additional MFA if required
Surely these 2 Conditional Access policies will conflict and require enrollment?
My question is, what if you have users with multiple devices, one enrolled and one not?
Make sense?
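The two policies described in the post above, run through a small model of how Conditional Access combines them. This is an added example, not code from the thread, the linked tutorials or Microsoft; it assumes a simplified evaluation model (every policy whose conditions match a sign-in must be satisfied, and inside a policy the grant controls combine with either "require all" or "require one of the selected controls"), and the `device_scope` field is a hypothetical stand-in for scoping a policy to enrolled or unenrolled devices (for example through device groups or a device filter). The sign-ins are constructed for one user with several devices.

```python
# Added example (not from the thread, not Microsoft's code): a simplified model of how
# Conditional Access combines the two policies described above. Assumptions: every
# policy whose conditions match a sign-in must be satisfied (policies AND together);
# inside a policy the grant controls combine with "require all" or "require one";
# device_scope is a hypothetical stand-in for scoping a policy to enrolled or
# unenrolled devices (for example with device groups or a device filter).
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class SignIn:
    device: str
    enrolled: bool      # Intune-enrolled (MDM)
    compliant: bool     # marked compliant by Intune (only possible when enrolled)
    approved_app: bool  # approved client app, e.g. Outlook under an app protection policy
    mfa: bool           # MFA satisfied in this session


@dataclass(frozen=True)
class Policy:
    name: str
    controls: Tuple[str, ...]           # any of "compliant", "approved_app", "mfa"
    require_all: bool                   # True = require all controls, False = require one
    device_scope: Optional[str] = None  # None (all devices), "enrolled" or "unenrolled"


CHECKS = {
    "compliant": lambda s: s.compliant,
    "approved_app": lambda s: s.approved_app,
    "mfa": lambda s: s.mfa,
}


def applies(policy: Policy, signin: SignIn) -> bool:
    """Does the policy's (hypothetical) device scope match this sign-in?"""
    if policy.device_scope == "enrolled":
        return signin.enrolled
    if policy.device_scope == "unenrolled":
        return not signin.enrolled
    return True


def satisfies(policy: Policy, signin: SignIn) -> bool:
    """Apply the grant controls with the policy's require-all / require-one setting."""
    results = [CHECKS[c](signin) for c in policy.controls]
    return all(results) if policy.require_all else any(results)


def evaluate(policies: List[Policy], signin: SignIn) -> Tuple[bool, List[str]]:
    """Access is granted only if no applicable policy is left unsatisfied."""
    blocked = [p.name for p in policies if applies(p, signin) and not satisfies(p, signin)]
    return (not blocked, blocked)


# The two policies as the post summarises them.
MANAGED = Policy("Managed: compliant device OR approved app", ("compliant", "approved_app"), require_all=False)
UNMANAGED = Policy("Unmanaged: approved app AND MFA", ("approved_app", "mfa"), require_all=True)


def scoped(policy: Policy, device_scope: str) -> Policy:
    """Same controls, limited to enrolled or unenrolled devices (hypothetical scope)."""
    return Policy(policy.name, policy.controls, policy.require_all, device_scope)


# Constructed sign-ins for one user with several devices.
ENROLLED_PHONE_BROWSER = SignIn("enrolled phone, Safari", enrolled=True, compliant=True, approved_app=False, mfa=False)
PERSONAL_PHONE_OUTLOOK = SignIn("personal phone, Outlook", enrolled=False, compliant=False, approved_app=True, mfa=True)
PERSONAL_LAPTOP_BROWSER = SignIn("personal laptop, browser", enrolled=False, compliant=False, approved_app=False, mfa=True)


def unscoped_result(signin: SignIn) -> Tuple[bool, List[str]]:
    """Both policies assigned to all devices: they stack, so both must pass."""
    return evaluate([MANAGED, UNMANAGED], signin)


def scoped_result(signin: SignIn) -> Tuple[bool, List[str]]:
    """Each policy limited to the device population it was written for."""
    return evaluate([scoped(MANAGED, "enrolled"), scoped(UNMANAGED, "unenrolled")], signin)


if __name__ == "__main__":
    for signin in (ENROLLED_PHONE_BROWSER, PERSONAL_PHONE_OUTLOOK, PERSONAL_LAPTOP_BROWSER):
        print(signin.device)
        print("  unscoped:", unscoped_result(signin))
        print("  scoped:  ", scoped_result(signin))
```

In the unscoped run the compliant, enrolled phone is blocked in Safari by the unmanaged policy (no approved app, no MFA in that session), while the personal phone in Outlook passes both policies, because "require one of" on the managed policy is satisfied by the approved app. Once each policy is limited to its own device population, the same user gets access from both devices and is only refused from the personal laptop's browser. The model ignores everything else a real policy can condition on (client app type, platform, location, sign-in risk), so it illustrates the stacking behaviour rather than predicting a tenant's exact outcome.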