enrollment restriction depending on device category

Not applicable

Hi everyone,


i want to achieve the follwing:


An Android user starts to register his device in the companyportal app.

I provided two device categories (e.g. BYOD and COPE).

When the user chooses BYOD the Android Enterprise / Work profile enrollment should start.

When the user chooses COPE the Android "Default" enrollment should start. (No matter if the device supports work profile or not)


At this moment, no matter what is selected, the android enterprise enrollment will start, if the device supports it, otherwise the "default" enrollment is used.


Thank you,

Patrick :)


9 Replies



Please check your Enrollment restriction and Set up Android work profile enrollments



Android Work profile enrollment is already enabled and is working pretty well.
My problem is, that i don't want corporate devices to be enrolled as a work profile device, but as a conventional Android device.
The enrollment restrictions are configured as default. (Android, Android work profile, ios and windows is allowed.)



You need to identify devices as corporate-owned. https://docs.microsoft.com/en-us/intune/corporate-identifiers-add


Hi and thank you again for your reply.
I already know how to use corporate identifiers.
But what to do next, when set up the corporate identifier?
The next Android, which is known in identifiers already, will set up with work profile, too. (And not as default android enrollment)

The best option for your environment will be to use enrollment for "corporate-owned, fully managed user devices", once it is out of preview. It has limited features at the moment, but will be the proper way to manage corporate Android devices going forward. Here's a blog post about it: https://techcommunity.microsoft.com/t5/Intune-Customer-Success/Microsoft-Intune-announces-preview-of...


As a workaround, you can try creating dynamic group memberships based-on the categories you created, and target those device groups with the appropriate config profile (Platform: Android or Android enterprise). I'm not sure if this would be an effective option though.


by default we don't want to use the fully managed devices, because even the company owned devices are used as COPE devices (Corporate owned personally enabled).
This will provide a better acceptance for the user.
The "default" Android Enrollment would be an option, because this isn't as restricted as the fully managed option.
The perfect solution would be, that the user could choose the device category during the enrollment with the company portal app (private device or corporate device) and depending on this choice the device will run into Work Profile enrollment or native android enrollment.

Just a short response, because of a new Techcommunity Account. :) [Ignore me]



Even though the device is under full management, you can still allow the user to add a personal Google account and switch between work and personal in Google Play.

If you have no reason for full management eg. if you do not want to do a full device wipe, just use work profiles instead.


You really should start to move away from Device Admin as it will be deprecated this summer.


Thank you for your response.

At this moment we're not using fully managed devices, so we work with the work profile option only.

This seems to be a good way for us. Thank you anyway.