
Intune setting allow for auto enroll MAM but blocked MDM enrollment

Binh Nguyen
Occasional Visitor

I am looking for some documentation that allows for MAM enrollment but disables MDM enrollment.

Is there any best practice, such as settings I would need to follow?

Thanks.

1 Reply

Hi Binh,

You can disable MDM enrollment of personal devices by using the Device Type Restrictions under:

Microsoft Intune > Device enrollment - Enrollment restrictions > All Users - Properties > Configure platforms and set the individual platforms to Block

[Image: EnrollmentRestrictions.png]

The result is that you are able to enroll into MAM, as this is an AAD registration of the device and not an MDM enrollment. As soon as a user tries to enroll via MDM (Company Portal), the action is blocked through this setting. An MDM enrollment would still be possible if the device is registered beforehand with its serial number or IMEI under Corporate device identifiers.

best,

Oliver
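
One way to check the outcome of the setting described in the reply above, added here as an example and not part of the original thread: it audits a constructed JSON sample shaped like the Microsoft Graph `deviceManagement/deviceEnrollmentConfigurations` response and reports which platforms still accept personal MDM enrollment. The sample values and the `classify`, `audit` and `open_platforms` helpers are hypothetical, and treating a missing restriction as not blocked is an assumption.

```python
import json

# Constructed sample shaped like a Microsoft Graph response from
# GET /deviceManagement/deviceEnrollmentConfigurations (all values are made up).
SAMPLE_RESPONSE = json.loads("""
{"value": [
  {"@odata.type": "#microsoft.graph.deviceEnrollmentPlatformRestrictionsConfiguration",
   "displayName": "All Users", "priority": 0,
   "iosRestriction": {"platformBlocked": false, "personalDeviceEnrollmentBlocked": true},
   "androidRestriction": {"platformBlocked": false, "personalDeviceEnrollmentBlocked": true},
   "windowsRestriction": {"platformBlocked": false, "personalDeviceEnrollmentBlocked": false},
   "macOSRestriction": {"platformBlocked": true, "personalDeviceEnrollmentBlocked": false}},
  {"@odata.type": "#microsoft.graph.deviceEnrollmentLimitConfiguration",
   "displayName": "All Users", "priority": 0, "limit": 5}
]}
""")

RESTRICTION_TYPE = "#microsoft.graph.deviceEnrollmentPlatformRestrictionsConfiguration"

def classify(restriction):
    """Map one platform restriction object to an enrollment state."""
    if restriction is None:
        return "not-configured"  # assumption: reported as not blocked
    if restriction.get("platformBlocked"):
        return "platform-blocked"
    if restriction.get("personalDeviceEnrollmentBlocked"):
        return "personal-blocked"
    return "open"

def audit(response):
    """Return {(policy, platform): state} for every platform restriction policy."""
    findings = {}
    for config in response.get("value", []):
        if config.get("@odata.type") != RESTRICTION_TYPE:
            continue  # skip enrollment limits and other configuration types
        for key, value in config.items():
            if key.endswith("Restriction") and (value is None or isinstance(value, dict)):
                platform = key[: -len("Restriction")]
                findings[(config.get("displayName"), platform)] = classify(value)
    return findings

def open_platforms(findings):
    """Platforms where a personal device can still enroll into MDM."""
    return sorted(p for (_, p), s in findings.items() if s in ("open", "not-configured"))

if __name__ == "__main__":
    results = audit(SAMPLE_RESPONSE)
    for (policy, platform), state in sorted(results.items()):
        print(f"{policy:10} {platform:10} {state}")
    print("Still open to personal MDM enrollment:", open_platforms(results))
```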
