Blocking certain hardware manufacturers via Intune compliance policies
Published Jul 12 2019 05:21 PM

By Matt Shadbolt | Sr. Program Manager - Microsoft Endpoint Manager - Intune

 

Updated 9/28/21 - You can now block Android devices from enrolling based on device manufacturer. See: Set enrollment restrictions in Microsoft Intune to learn more.

 

Recently, several customers have asked for options to restrict the use of certain hardware vendors in their organization. Intune plans to provide additional options to restrict enrollment based on hardware manufacturer. We also plan to extend our Conditional Access (CA) compliance policies to block access based on hardware manufacturer.

 

Until this functionality is developed and deployed, however, I wanted to share a short-term workaround to restrict any of these devices. We’ll use a two-step combination of Azure AD dynamic group membership and “impossible” compliance policies to achieve this outcome.

 

Step 1

First, we need to create an Azure AD dynamic group with all our target devices.

Use the following dynamic device group rule, replacing SomeHardwareVendor with the specific device manufacturer name:

(device.deviceOSType -contains "Android") -and (device.deviceManufacturer -eq "SomeHardwareVendor")

 


 

 

Step 2

We now want to create an “impossible” compliance policy and target it at the newly created Azure AD group. 

 

In Intune, create a new Device compliance policy for Android (you’ll need to do this for Android Enterprise too). In the Device Properties of the policy, configure the Minimum OS version to something impossible, like 100.

 


 

Now assign this compliance policy to the SomeHardwareVendor Android Devices group. The next time the group members check in to Intune, they’ll be marked non-compliant.

 

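With these two short steps, we can effectively block any hardware manufacturer from accessing corporate resources, because Conditional Access policies that require a compliant device will deny access to devices marked non-compliant.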
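
An added example (not from the original post and not Intune's own code) that previews both steps offline against a constructed device inventory: which devices the Step 1 rule would capture, which of those the Step 2 policy would mark non-compliant, and which Android devices report a similar manufacturer string but escape the -eq comparison. The dictionary field names, the sample devices, and the case-insensitive comparison are assumptions.

```python
# Added example: offline preview of the article's two steps on a constructed inventory.
# Field names mirror the rule's properties; case-insensitive matching is an assumption.

MIN_OS_VERSION = "100"  # the "impossible" Minimum OS version from Step 2


def in_dynamic_group(device, vendor):
    """Step 1 rule: deviceOSType -contains "Android" AND deviceManufacturer -eq vendor."""
    os_type = (device.get("deviceOSType") or "").lower()
    maker = (device.get("deviceManufacturer") or "").strip().lower()
    return "android" in os_type and maker == vendor.lower()


def version_tuple(version):
    """Turn '9' or '12.1' into a tuple of ints so versions compare numerically."""
    return tuple(int(part) for part in version.split(".") if part.isdigit())


def meets_minimum_os(device, minimum=MIN_OS_VERSION):
    """Step 2 check: the device passes only if its OS version is >= the minimum."""
    return version_tuple(device.get("osVersion", "0")) >= version_tuple(minimum)


def preview(devices, vendor):
    """Return (names marked non-compliant, Android names that resemble the vendor but escape -eq)."""
    blocked, near_miss = [], []
    for d in devices:
        if in_dynamic_group(d, vendor):
            if not meets_minimum_os(d):
                blocked.append(d["name"])
        elif ("android" in (d.get("deviceOSType") or "").lower()
              and vendor.lower() in (d.get("deviceManufacturer") or "").lower()):
            near_miss.append(d["name"])
    return blocked, near_miss


# Constructed sample inventory (not real devices).
INVENTORY = [
    {"name": "phone-01", "deviceOSType": "Android", "deviceManufacturer": "SomeHardwareVendor", "osVersion": "9"},
    {"name": "phone-02", "deviceOSType": "AndroidForWork", "deviceManufacturer": "somehardwarevendor", "osVersion": "12.1"},
    {"name": "phone-03", "deviceOSType": "Android", "deviceManufacturer": "SomeHardwareVendor Technologies", "osVersion": "10"},
    {"name": "phone-04", "deviceOSType": "Android", "deviceManufacturer": "OtherVendor", "osVersion": "11"},
    {"name": "tablet-05", "deviceOSType": "iPad", "deviceManufacturer": "Apple", "osVersion": "15.2"},
]

if __name__ == "__main__":
    blocked, near_miss = preview(INVENTORY, "SomeHardwareVendor")
    print("Marked non-compliant:", blocked)
    print("Similar manufacturer string, not in group:", near_miss)
```

Devices in the second list are worth checking against the manufacturer values your tenant actually reports before relying on a single -eq rule.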

 

If you have questions or comments for the Intune team, reply to this post or reach out to @IntuneSuppTeam on Twitter.

 

Post updates:

9/28/21 - Updated the post to note that, with the 2001 service release, you can now block Android enrollment from certain device manufacturers.

Last update: Nov 30 2023 04:00 PM