How do I keep company data off of personally owned devices?

Highlighted
Contributor

I want to only allow company data on two types of devices: company-owned and white-listed personal devices.

 

I feel like I should be able to do this at a tenant level but my light research is showing me that this must be done on a per-service basis and is maybe not possible at all.

 

Thanks for any and all guidance!

 

2 Replies
Highlighted

Hi Chris, not something I have tried but you are looking at Device-based conditional access with Intune to achieve something like this, along with the extra licences that would be needed for this. There may be other ways of doing this but this is what I came across:

 

Identify devices as corporate-owned

 

"As an Intune admin, you can identify devices as corporate-owned to refine management and identification. Intune can perform additional management tasks and collect additional information such as the full phone number and an inventory of apps from corporate-owned devices. You can also set device restrictions to block enrollment by devices that aren't corporate-owned."

 

A few more links that explain what this is all about

 

What's conditional access?

 

Common ways to use conditional access with Intune

 

Get started with Microsoft Intune device compliance policies

 

Lots of different permutations for controlling access which the links go into.

Highlighted

Thanks for the info!

Is Intune really the only way to achieve this? It looks like each device must be enrolled in Intune to be identified as corporate or personal. Is that right? If so, it's a non-starter. To identify a device as personal and, block installations, you have to enroll first. OK so I just won't enroll my personal device and then I can connect to all the services I want! :)

 

Am I wrong for thinking is this is a big oversight/blunder from MS?