SOLVED
Home

Restrict device enrollment for some users

%3CLINGO-SUB%20id%3D%22lingo-sub-152970%22%20slang%3D%22en-US%22%3ERestrict%20device%20enrollment%20for%20some%20users%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-152970%22%20slang%3D%22en-US%22%3EHi%3CBR%20%2F%3E%3CBR%20%2F%3EWe%20have%20AD%20with%20Azure%20AD%20connect.%3CBR%20%2F%3EWe%20use%20Intune%20MDM%2FMAM%20and%20auto-enroll%20Windows%2010%20devices%2C%20iOS%20and%20Android.%3CBR%20%2F%3EAll%20users%20have%20the%20EMS%20license.%3CBR%20%2F%3E%3CBR%20%2F%3EWe%20are%20requesting%20a%20way%20to%20restrict%20the%20Intune%20enrollment%20for%20some%20users%20(not%20all)%20to%20only%20have%20one%20device.%3CBR%20%2F%3EIs%20there%20a%20way%3F%3CBR%20%2F%3E%3CBR%20%2F%3EIm%20trying%20to%20think%20out%20a%20way%20with%20Conditional%20Access%20and%20Dynamic%20groups%20but%20I%20dont%20get%20it%20all%20the%20way.%3CBR%20%2F%3E%3CBR%20%2F%3EWe%20can%20go%20the%20other%20way%20around%2C%20restrict%20all%20users%20to%20only%20be%20able%20to%20register%20one%20device%20(this%20is%20easy).%20Then%20allow%20some%20users%20to%20register%20more.%3CBR%20%2F%3E%3CBR%20%2F%3EGrateful%20for%20any%20tip%20or%20a%20nice%20complete%20solution%20%3CBR%20%2F%3E%3CBR%20%2F%3ECheers%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-152970%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EConditional%20Access%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EIntune%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EMobile%20Device%20Management%20(MDM)%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-161280%22%20slang%3D%22en-US%22%3ERe%3A%20Restrict%20device%20enrollment%20for%20some%20users%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-161280%22%20slang%3D%22en-US%22%3EOk%20I%20got%20it%20now%20in%20my%20tenant%20%3AD%3C%2Fimg%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-159525%22%20slang%3D%22en-US%22%3ERe%3A%20Restrict%20device%20enrollment%20for%20some%20users%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-159525%22%20slang%3D%22en-US%22%3E%3CP%3EWe%20are%20in%20west%20europe%2C%20tenant%20pprobably%20Amsterdam%20or%20Ireland.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-159443%22%20slang%3D%22en-US%22%3ERe%3A%20Restrict%20device%20enrollment%20for%20some%20users%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-159443%22%20slang%3D%22en-US%22%3E%3CP%3EOk.%20Still%20nothing%20at%20our%20tenant.%20Im%20placed%20at%20northen%20europe%2C%20Sweden.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-159374%22%20slang%3D%22en-US%22%3ERe%3A%20Restrict%20device%20enrollment%20for%20some%20users%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-159374%22%20slang%3D%22en-US%22%3E%3CP%3EFYI%3A%20my%20tenant%20got%20updated%20and%20has%20enrollment%20restrictions%20now%20available...%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20396px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F28630iDEE868053F71CE59%2Fimage-dimensions%2F396x212%3Fv%3D1.0%22%20width%3D%22396%22%20height%3D%22212%22%20alt%3D%22IntuneEnrollmentRestriction.png%22%20title%3D%22IntuneEnrollmentRestriction.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-158445%22%20slang%3D%22en-US%22%3ERe%3A%20Restrict%20device%20enrollment%20for%20some%20users%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-158445%22%20slang%3D%22en-US%22%3E%3CP%3ENo%20there%20is%20no%20way%2C%20you%20have%20to%20be%20patient.%20You%20need%20to%20wait%20until%20global%20rollout%20is%20finished.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3Ebest%2C%3C%2FP%3E%0A%3CP%3EOliver%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-158434%22%20slang%3D%22en-US%22%3ERe%3A%20Restrict%20device%20enrollment%20for%20some%20users%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-158434%22%20slang%3D%22en-US%22%3E%3CP%3EThat%20is%20great%20news.%20Altough%20I%20haven't%20seen%20it%20in%20our%20tenant%20yet.%26nbsp%3B%3CBR%20%2F%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F28534i473510298E196634%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20alt%3D%22Device%20Restriction.PNG%22%20title%3D%22Device%20Restriction.PNG%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIs%20there%20a%20way%20to%20speed-up%20the%20%22upgrade%22%20%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-155062%22%20slang%3D%22en-US%22%3ERe%3A%20Restrict%20device%20enrollment%20for%20some%20users%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-155062%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20Fredrik%2C%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3Ethis%20is%20possible%20with%20%22group-assigned%20enrollment%20restrictions%22.%26nbsp%3B%3C%2FP%3E%0A%3CP%3ESee%20Intune%20announcement%20%22Week%20of%20November%2027%2C%202017%22%20here%3A%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fintune%2Fwhats-new%23group-assigned-enrollment-restrictions----747598---%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fintune%2Fwhats-new%23group-assigned-enrollment-restrictions----747598---%3C%2FA%3E%3C%2FP%3E%0A%3CP%3ESo%20it's%20announced%20back%20in%20November%20but%20it's%20still%20in%20rollout%20(all%20my%20tenants%20do%20not%20have%20the%20feature%20available%20yet).%20So%20your%20tenant%20might%20not%20see%20the%20feature%20at%20the%20moment.%20Be%20patient%20and%20wait%20for%20it%2C%20it%20will%20exactly%20address%20your%20needs.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3Ebest%2C%3C%2FP%3E%0A%3CP%3EOliver%3C%2FP%3E%3C%2FLINGO-BODY%3E
Fredrik Carenborn
Occasional Contributor
Hi

We have AD with Azure AD connect.
We use Intune MDM/MAM and auto-enroll Windows 10 devices, iOS and Android.
All users have the EMS license.

We are requesting a way to restrict the Intune enrollment for some users (not all) to only have one device.
Is there a way?

Im trying to think out a way with Conditional Access and Dynamic groups but I dont get it all the way.

We can go the other way around, restrict all users to only be able to register one device (this is easy). Then allow some users to register more.

Grateful for any tip or a nice complete solution

Cheers
7 Replies
Solution

Hi Fredrik,

 

this is possible with "group-assigned enrollment restrictions". 

See Intune announcement "Week of November 27, 2017" here:

https://docs.microsoft.com/en-us/intune/whats-new#group-assigned-enrollment-restrictions----747598--...

So it's announced back in November but it's still in rollout (all my tenants do not have the feature available yet). So your tenant might not see the feature at the moment. Be patient and wait for it, it will exactly address your needs.

 

best,

Oliver

That is great news. Altough I haven't seen it in our tenant yet. 
Device Restriction.PNG

 

Is there a way to speed-up the "upgrade" ?

No there is no way, you have to be patient. You need to wait until global rollout is finished.

 

best,

Oliver

FYI: my tenant got updated and has enrollment restrictions now available...

 

IntuneEnrollmentRestriction.png

Ok. Still nothing at our tenant. Im placed at northen europe, Sweden.

We are in west europe, tenant pprobably Amsterdam or Ireland.

Ok I got it now in my tenant :D
Related Conversations
Tabs and Dark Mode
cjc2112 in Discussions on
35 Replies
Extentions Synchronization
Deleted in Discussions on
3 Replies
Stable version of Edge insider browser
HotCakeX in Discussions on
35 Replies
flashing a white screen while open new tab
Deleted in Discussions on
14 Replies
How to Prevent Teams from Auto-Launch
chenrylee in Microsoft Teams on
29 Replies
Security Community Webinars
Valon_Kolica in Security, Privacy & Compliance on
9 Replies