MACOS - Enrollment using Company Portal - Enrollment/Identifying as Company Owned


Hi MEM Team! Thank you for making these sessions available!

In our environment, our MACOS laptops (company owned, purchased) can be enrolled through the Company Portal only when on-prem or connected via VPN. We can see under "Enrollment restrictions" that enrollment is allowed even for "personally owned" devices, so long as the user is a member of a targeted assignment group. If we attempt to do this while not on-prem or connected via VPN, we are met with "You cannot access this right now. Your sign-in was successful but does not meet the criteria to access this resource".

Understanding that there may be other conditional access rules that may be affecting this:

1) Would we be able to adjust those conditional access rules to accept the enrollment via Internet only connection if we define the MACOS laptops serial numbers within the "Enroll Devices | Corporate Device Identifiers"?

2) If yes, would those identified devices be automatically seen as "Corporate/Company owned"?

Thanks

Terrence


Hi @TS001! If I'm understanding your situation correctly, I don't think there is a way to relax CA rules for only corporate owned devices prior to enrollment. Intune has limited information about the device before it is enrolled, so we can only do CA/enrollment restrictions based on a few device criteria (OS version, platform, etc.).


I think the proper way to accomplish this would be to enroll your corporate owned Macs via DEP/ADE enrollment, then assign Macs enrolled via the DEP profile to a dynamic device group and target different CA policies that way. Intune's docs on DEP/ADE are here. Although it does require purchasing Macs via Apple's ADE program so unfortunately that may not help your current situation too much.


For #2, you are correct that when a device that is listed in Corporate Device Identifiers is enrolled, it is automatically marked as Corporate owned.
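The reply above proposes enrolling corporate Macs through ADE/DEP, collecting them in a dynamic device group keyed on the enrollment profile, and scoping Conditional Access differently for those devices. The script below is an added example written for this thread; it is not code from the original post, from the replier, or from Microsoft. It assumes the Microsoft Graph PowerShell SDK is installed, that an ADE enrollment profile named "Corporate Macs" exists (a placeholder), and that the signed-in account holds Group.ReadWrite.All and Policy.ReadWrite.ConditionalAccess. Because Conditional Access scopes to users and groups of users rather than to device groups, the policy part uses a device filter on the same attribute the dynamic group rule uses, device.enrollmentProfileName.

```powershell
# Added example for this thread (not the original poster's or replier's code).
# Assumes: Microsoft.Graph PowerShell SDK, an ADE enrollment profile named
# "Corporate Macs" (placeholder), and the scopes requested below.
Connect-MgGraph -Scopes "Group.ReadWrite.All", "Policy.ReadWrite.ConditionalAccess"

$profileName = "Corporate Macs"   # assumed name of the ADE enrollment profile

# 1. Dynamic device group: membership follows the ADE enrollment profile name.
#    enrollmentProfileName is only populated for devices enrolled through an
#    Apple Automated Device Enrollment profile, so a Mac enrolled by hand through
#    Company Portal never matches this rule, which is the distinction the reply relies on.
$rule = "(device.enrollmentProfileName -eq ""$profileName"")"

$group = New-MgGroup -DisplayName "Intune - ADE-enrolled Macs" `
    -MailEnabled:$false -MailNickname "ade-enrolled-macs" -SecurityEnabled:$true `
    -GroupTypes @("DynamicMembership") `
    -MembershipRule $rule -MembershipRuleProcessingState "On"

# 2. Conditional Access: keep the "on-prem or VPN only" restriction for macOS in
#    general, but exclude ADE-enrolled Macs by device filter so they can sign in
#    from the internet. Created in report-only mode so sign-in logs can be
#    reviewed before anything is enforced.
$policy = @{
    displayName   = "macOS: block outside trusted locations unless ADE-enrolled"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users        = @{ includeUsers = @("All") }
        applications = @{ includeApplications = @("All") }
        platforms    = @{ includePlatforms = @("macOS") }
        locations    = @{ includeLocations = @("All"); excludeLocations = @("AllTrusted") }
        devices      = @{
            deviceFilter = @{
                mode = "exclude"
                rule = "device.enrollmentProfileName -eq ""$profileName"""
            }
        }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
$ca = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# 3. Check what the rule actually matched once dynamic membership has processed.
Get-MgGroupMember -GroupId $group.Id -All |
    ForEach-Object { $_.AdditionalProperties.displayName }

"Group $($group.Id) and report-only CA policy $($ca.Id) created."
```

Two caveats worth keeping in mind: the device filter can only match a device object that already exists in Entra ID with the attribute set, so a Mac that is still mid-enrollment is unmatched and falls under the block, which is the same pre-enrollment limitation the reply describes. And because the exclusion is keyed on the enrollment profile rather than on compliance state, pair it with a separate policy that requires a compliant device for those ADE-enrolled Macs before switching this one from report-only to enabled.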