cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

InTune allowing any user with license to enroll device in personally owned

luvsql
Steel Contributor

‎Jul 21 2022 06:03 AM

‎Jul 21 2022 06:03 AM

InTune allowing any user with license to enroll device in personally owned

Within InTune, you can only enroll a corporately owned work profile or corporately owned full managed from a reset and a QR Code token.  However, with a personally owned Android, it doesn't seem to follow the compliance and configuration profiles I have setup.

 

I have a user that is not assigned to any of the groups I have in any of the compliance and configuration profiles in InTune (I have one each per enrollment type) so one user can only enroll 1 type depending on what group they are in.

 

So not only did it let this user log into the company portal, it installed the work and personal spaces on the device, it installed all of the work apps and I can use all of the work apps like Outlook without issue.

 

The device shows a red exclamation mark in the company portal and it shows in InTune as non compliant but everything works fine.

 

These bunch of users are NOT a member of the conditional access policy I have setup to block all of these apps because we have some users that will NEVER enroll their devices in InTune because of their role (they own the company) so they do not want restrictions.


We will also have users that we will  not license with a P1 so can't assign them to that CA policy anyway.

 

Is there really no way to prevent anyone that has a Business Premium license from adding their phone into InTune?

 

Labels:
1,493 Views
0 Likes
2 Replies
Reply
2 Replies
luvsql

‎Jul 21 2022 07:00 AM

‎Jul 21 2022 07:00 AM

Re: InTune allowing any user with license to enroll device in personally owned

What's even worse is that the device I enrolled does not have a PIN on it and the configuration policy requires it (but since it's not compliant it didn't apply those policies but still installed all of the apps to the device). So I have a fully working apps in work profile that's not compliant but can access all resources and can't manage it from InTune.
0 Likes
Reply
NielsScheffers

‎Jul 22 2022 05:04 AM

‎Jul 22 2022 05:04 AM

Re: InTune allowing any user with license to enroll device in personally owned

Hio @luvsql! It sounds like you have not configured any device platform restrictions. This is where you would configure policies that dictate which users can and cannot enroll personally owned devices.

 

Take a look at your policies under Devices > Enroll devices > Enrollment device platform restrictions. You'll find four tabs in the top, allowing you to create restrictions per device platform (Android, Windows, macOS, iOS). 

NielsScheffers_0-1658490990174.png

 

There will already be a restriction with "Default" priority, assigned to "All users" . This one is always active and will be applied unless a restriction with a higher priority overrules it. Kind of like a final "deny all" firewall rule, except that this one says "allow all".

 

You can create additional restrictions, with higher priorities for specific user groups. Inside such a restriction, you can also define if you want to allow enrollment of personally-owned devices.

NielsScheffers_1-1658491239394.png

In your specific case, you'll want to block this in the "Default" restriction and then allow it again, for specific users, in an additional restriction. Remember: this works per device platform, so make sure you create restrictions for all of them.

 

That should do the trick.

1 Like
Reply