Allow user to AAD Join & InTune Enroll company devices only , not personal owned Win Pro/Ent device

Brass Contributor

I am trying to work out the best way of achieving the following restrictions:

 

Allow Staff user accounts to be able to AAD Join and InTune AutoEnroll  company owned devices

Block Staff from AAD Joining and AutoEnrolling personal devices

 

The obvious configuration for this is to set the staff users accounts group in AAD to be allowed to AAD Join and in InTune allow them to Auto Enroll whilst setting an Enrollment Restriction Policy for blocking personal devices. That is all good in theory , but the reality of that is that if a staff user has a personal devices that has Windows Pro, Enterprise or Education installed this configuration means they can still AAD Joined and InTune AutoEnroll.

 

 Is there a way to make certain only company owned devices can be Joined/Enrolled?

 

The fact that most personal users will have Windows Home mitigate some of the risk and we are planning to use AutoPilot registration as an additional way of controlling things so we can design the InTune app and policy assignments groups so that they are populated only by devices with the HWID registered, so if done correctly even if they do enroll a personal device it wont receive any apps or policies anyway. There is the setting to restrict users to only be able to enroll or AAD join 1 device that could be configured but that doesn't stop them enrolling a personal device if they haven't enrolled a device already plus it is a tenant wide setting so removes flexibility for users that we might want to allow to enroll and join multiple devices.

 

I cant help but wonder if  there is a simpler , more robust way of doing this? The ideal scenario for us is to simply be able to say - only devices with registered HWID can be enrolled. Am I missing something that enables this?

 

Thanks

 

6 Replies

@PhilRiceUoS Are you using conditional access policies? The only thing I can think of outside of what you mentioned is to take a crack at setting up some conditional access policies that would incorporate the conditions you are trying to reach. 

Not something I've looked at in relation to this but I will explore that idea further to see if I can get something working. Thanks for the suggestion

@PhilRiceUoS Can you share your enrollment restrictions? 

 

According to the documentation and the experience I have, personal devices will be blocked if you setup correctly. A company owned device is defined:

 

@JanBakkerOrphaned 

 

the planned restrictions will be :

 

-  in AAD set staff user group to be allowed to AAD join devices

- in Intune set staff user group to be allowed to AutoEnroll in InTune (tested having this disabled but this stops Autopilot from working properly)

- Enrollment restriction policy - set to Allow Windows 10 but block personal devices and block all other platform types.

 

We are planning to only enroll devices by either AutoPilot for new builds or with staff enrolling themselves for other devices. So DEM accounts, provisioning packages etc wont apply in this case as we don't want to encounter the limitations they incur.

 

In the above configuration a staff user wont be able to AAD join or InTune Enroll a Windows 10 HOME device , which will be the majority of BYOD devices.

Windows Home cannot AAD join anyway so essentially all blocking personal devices does is stop AAD registered devices from InTune Enrolling.

The problem im trying to resolve is the specific case of when a staff user (therefore allowed to AAD enroll) has their own device that has Windows Pro/Enterprise level OS , which results in them being able to AAD and therefore InTune Enroll because an AAD joined device is seen as Corporate automatically.

I think the issue / confusion lies in the way the label 'Personal' is use and lack of ability to differenciate between a company owned device and a personally owned device by using registration of HWIDs, serial numbers etc.

'Personal' device simply means a device that is AAD registered and not AAD joined , which actually makes sense giving AAD registered is mostly for BYOD. However, if you are trying to let users enroll company devices , as will be a common enough requirement in todays WFH scenarios, it doesnt seem straight forward to be able to stop them from enrolling personal Win Pro/Ent machines.

 

@caseykraus  after looking at CA for this I don't think it is possible to achieve. Conditional access policies I actually find quite limited TBH and hopefully they will increase the features they offer a lot more in the future.

@PhilRiceUoS 

 

You are wrong in assuming that an AAD joined device is seen as corporate.

Nothing about AAD joined defines the ownership for a device.

A device is corporate when: Set enrollment restrictions in Microsoft Intune | Microsoft Docs

 

So this means in your case, just block personal devices and you will be golden. It's what I do for multiple customers