How to block non-enrolled devices

Copper Contributor

We have recently migrated from Basic Security (O365) to Intune and we're trying to set up a policy to block iOS and Android devices if they are not enrolled with the Company Portal app. I set up a conditional access policy but it's not affecting the test group at all.


Can someone help with what we are missing here? The test device does not even have the Company Portal app installed, so it's not listed in the devices area of Endpoint Manager, but email still works.

5 Replies


To be sure everything is working as it should, are you also making sure you have enabled the template



Because when you are not blocking legacy auth... conditional access does nothing :) 

"conditional access only works for clients that support modern authentication (ADAL)"






Hi Rudy, thanks for replying. We already have a conditional access policy to block legacy authentication - is this what you mean?




Mmmm, okay, so you have configured the compliance policies. Did you configure the default compliance settings (mark devices without a compliance policy as compliant or not compliant)?

I think that's it! We are still in the process of migrating to Intune, so we left that default compliance setting as: mark devices without compliance policy as compliant. We didn't want to risk blocking devices that are still on basic security.
I discovered the test device is still in the database listed as compliant because it used to belong to another user.
I'm not sure what the best course of action is while we are migrating to Intune: leave the default compliance setting in place or set it to "mark devices without compliance policy as not compliant".

When you leave that setting at the default... even people who only register their device (and don't enroll into Intune) can become "compliant" because there isn't a compliance policy targeted.
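As an added example (not code from this thread or from Microsoft), here are the two Conditional Access policies the replies point at, expressed with the Microsoft Graph PowerShell SDK: one that requires an Intune-compliant device for iOS/Android mail access and one that blocks legacy authentication, which otherwise bypasses device checks. The pilot group ID is a placeholder, and both policies are created in report-only state so they can be evaluated before enforcement during the migration.

```powershell
# Added example, not from the thread. Assumes the Microsoft Graph PowerShell SDK
# is installed and that you replace the placeholder group ID before running.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

$pilotGroupId        = "00000000-0000-0000-0000-000000000000"   # placeholder: object ID of the test group
$exchangeOnlineAppId = "00000002-0000-0ff1-ce00-000000000000"   # Office 365 Exchange Online

# Policy 1: require an Intune-compliant device for iOS/Android access to Exchange Online.
# A device that is only registered (Company Portal never installed) has no compliance
# state from Intune, so once enforced this policy denies it. Note that the Intune default
# "mark devices with no compliance policy assigned as compliant" can still let such a
# device through; that default is changed in the Intune admin center, not here.
$requireCompliant = @{
    displayName = "Pilot - require compliant device for mobile mail"
    state       = "enabledForReportingButNotEnforced"   # report-only first
    conditions  = @{
        users          = @{ includeGroups = @($pilotGroupId) }
        applications   = @{ includeApplications = @($exchangeOnlineAppId) }
        platforms      = @{ includePlatforms = @("iOS", "android") }
        clientAppTypes = @("mobileAppsAndDesktopClients", "browser")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("compliantDevice")
    }
}

# Policy 2: block legacy authentication (Exchange ActiveSync and other legacy protocols).
# Legacy clients do not go through modern auth, so Conditional Access cannot evaluate
# them; without this block, policy 1 is trivially sidestepped by an older mail client.
$blockLegacy = @{
    displayName = "Pilot - block legacy authentication"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeGroups = @($pilotGroupId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $requireCompliant
New-MgIdentityConditionalAccessPolicy -BodyParameter $blockLegacy
```

Review the report-only results in the sign-in logs for the pilot group, then switch `state` to `enabled` once the expected devices (and only those) show up as blocked.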