How to block non-enrolled devices

Copper Contributor

We have recently migrated from Basic Security (O365) to Intune and we're trying to setup a policy to block iOS and Android devices if they are not enrolled with the company portal app. I setup a conditional access policy but it's not affected the test group at all.  

8i55i1_0-1649842354153.png8i55i1_1-1649842372101.png

Can someone help with what we are missing here - the test device does not even have the company portal app installed so it's not listed in the devices area of endpoint manager, but email still works.

5 Replies

Hi,

To be sure everything is working as it should, are you also making sure you have enabled the template

 

Rudy_Ooms_MVP_0-1649844159347.png

Because when you are not blocking legacy auth... conditional access does nothing :) 

"conditional access only works for clients that support modern authentication (ADAL)"

 

 

 

@Rudy_Ooms_MVP 

 

Hi Rudy, thanks for replying. We already have a conditional access policy to block legacy authentication - is this what you mean?

 

8i55i1_0-1649850163393.png

 

Mmmm okay so you have configured the compliance policies ....how did you configure the default compliance settings (mark devices without compliance policy as compliant or not compliant)
I think that's it! We are still in the process of migrating to intune so we left that default compliance setting as : mark devices without compliance policy as compliant - we didn't want to risk blocking devices that are still on basic security.
I discovered the test device is still in the database listed as compliant because it used to belong to another user.
I'm not sure what the best course of action to use while we are migrating to intune - leave the default compliance setting in place or set it to "mark devices without compliance policy as not compliant"
When you leave that setting to default... even people who only register their device (and not enrolling into Intune) can come "compliant" because there isn't a compliance policy targetted

https://docs.microsoft.com/en-us/mem/intune/protect/device-compliance-get-started#compliance-policy-...