Home
%3CLINGO-SUB%20id%3D%22lingo-sub-752705%22%20slang%3D%22en-US%22%3EBlocking%20certain%20hardware%20manufacturers%20via%20Intune%20compliance%20policies%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-752705%22%20slang%3D%22en-US%22%3E%3CP%3E%3CSTRONG%3EBy%20Matt%20Shadbolt%20%7C%20Sr.%20PM%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ERecently%2C%20several%20customers%20have%20asked%20for%20options%20to%20restrict%20the%20use%20of%20certain%20hardware%20vendors%20in%20their%20organization.%20%26nbsp%3BIntune%20plans%20to%20provide%20additional%20options%20to%20restrict%20enrollment%20based%20on%20hardware%20manufacturer.%20We%20also%20plan%20to%20extend%20our%20CA%20compliance%20policies%20to%20block%20access%20based%20on%20hardware%20manufacturer.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EUntil%20this%20functionality%20is%20developed%20and%20deployed%2C%20however%2C%20I%20wanted%20to%20share%20a%20short-term%20workaround%20to%20restrict%20any%20of%20these%20devices.%20We%E2%80%99ll%20use%20a%20two-step%20combination%20of%20Azure%20AD%20dynamic%20group%20membership%20and%20%E2%80%9Cimpossible%E2%80%9D%20compliance%20policies%20to%20achieve%20this%20outcome.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CU%3E%3CSTRONG%3EStep%201%3C%2FSTRONG%3E%3C%2FU%3E%3C%2FP%3E%0A%3CP%3EFirst%2C%20we%20need%20to%20create%20an%20Azure%20AD%20dynamic%20group%20with%20all%20our%20target%20devices.%3C%2FP%3E%0A%3CP%3EUse%20the%20following%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fusers-groups-roles%2Fgroups-dynamic-membership%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%22%3Edynamic%20device%20group%20rule%3C%2FA%3E%2C%20replacing%20SomeHardwareVendor%20with%20the%20specific%20device%20manufacturer%20name%3A%3C%2FP%3E%0A%3CP%3E(device.deviceOSType%20-contains%20%22Android%22)%20-and%20(device.deviceManufacturer%20-eq%20%22SomeHardwareVendor%22)%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F123174iB287C06294CAE57B%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%22Matt%20Huawei%201.png%22%20title%3D%22Matt%20Huawei%201.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CU%3E%3CSTRONG%3EStep%202%3C%2FSTRONG%3E%3C%2FU%3E%3C%2FP%3E%0A%3CP%3EWe%20now%20want%20to%20create%20an%20%E2%80%9Cimpossible%E2%80%9D%20compliance%20policy%20and%20target%20it%20at%20the%20newly%20created%20Azure%20AD%20group.%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIn%20Intune%2C%20create%20a%20new%20Device%20compliance%20policy%20for%20Android%20(you%E2%80%99ll%20need%20to%20do%20this%20for%20Android%20Enterprise%20too).%26nbsp%3BIn%20the%20Device%20Properties%20of%20the%20policy%2C%20configure%20the%20Minimum%20OS%20version%20to%20something%20impossible%2C%20like%20100.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20899px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F123175iA55CF95716915DE8%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%22Matt%20Huawei%202.png%22%20title%3D%22Matt%20Huawei%202.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ENow%20assign%20this%20compliance%20policy%20to%20the%20SomeHardwareVendor%20Android%20Devices%20group%2C%20and%20next%20time%20the%20group%20members%20check-in%20to%20Intune%2C%20they%E2%80%99ll%20be%20marked%20non-compliant.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EWith%20these%20two%20short%20steps%2C%20we%20can%20effectively%20block%20any%20hardware%20manufacturer%20from%20accessing%20corporate%20resources.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ELet%20us%20know%20if%20you%20have%20any%20questions!%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-752705%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EIntune%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EIntune%20Customer%20Success%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E

By Matt Shadbolt | Sr. PM

 

Recently, several customers have asked for options to restrict the use of certain hardware vendors in their organization.  Intune plans to provide additional options to restrict enrollment based on hardware manufacturer. We also plan to extend our CA compliance policies to block access based on hardware manufacturer.

 

Until this functionality is developed and deployed, however, I wanted to share a short-term workaround to restrict any of these devices. We’ll use a two-step combination of Azure AD dynamic group membership and “impossible” compliance policies to achieve this outcome.

 

Step 1

First, we need to create an Azure AD dynamic group with all our target devices.

Use the following dynamic device group rule, replacing SomeHardwareVendor with the specific device manufacturer name:

(device.deviceOSType -contains "Android") -and (device.deviceManufacturer -eq "SomeHardwareVendor")

 

Matt Huawei 1.png

 

 

Step 2

We now want to create an “impossible” compliance policy and target it at the newly created Azure AD group. 

 

In Intune, create a new Device compliance policy for Android (you’ll need to do this for Android Enterprise too). In the Device Properties of the policy, configure the Minimum OS version to something impossible, like 100.

 

Matt Huawei 2.png

 

Now assign this compliance policy to the SomeHardwareVendor Android Devices group, and next time the group members check-in to Intune, they’ll be marked non-compliant.

 

With these two short steps, we can effectively block any hardware manufacturer from accessing corporate resources.

 

Let us know if you have any questions!