SOLVED

Intune device enrollment only after approval from Admin.

Occasional Visitor

Hi Team,

My client wants to implement the scenario below.

Every time a user tries to enroll a device in Intune, the Intune admin will get a notification email with an approval request. The admin should be able to approve or reject this request, and the user should be able to enroll only after the admin approves it.

Let me know if it's possible and, if yes, how to achieve it.

1 Reply
Best Response confirmed by Oliver Kieselbach (MVP)
Solution

To my knowledge this is not a feature of Intune and would be impossible to code without support from the Intune Product Engineering team because you would have to change the Company Portal app.

If you are trying to stop unauthorised mobile devices from registering then I suggest that you do the following.

  • Block personal device enrollment using an enrollment restriction.
  • When devices need to be enrolled, add the IMEI numbers of the devices to Intune as a corporate device identifier.
  • Build an automation workflow in your service management tool that allows new devices to be authorised by a human before the devices can be enrolled.

This gives you the same outcome but does not involve wholesale re-engineering of the Company Portal app.

FYI, these are links to the relevant documentation pages:

https://docs.microsoft.com/en-us/intune/enrollment-restrictions-set

https://docs.microsoft.com/en-us/intune/corporate-identifiers-add
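
The approval gate suggested in the reply can be sketched as follows. This is an added example, not part of the original reply and not Microsoft code: it takes approval records exported from a service-management tool, keeps only approved requests with a well-formed IMEI, and writes the rows for a corporate device identifier import. The record fields (`ticket`, `imei`, `status`, `approver`), the sample data, and the two-column header-less CSV layout (identifier, details) with a 128-character details limit are assumptions to check against the corporate identifiers documentation linked above.

```python
import csv
import io

MAX_DETAILS = 128  # assumed length limit for the details column; check the linked docs

def luhn_ok(digits):
    """Luhn checksum, which the 15th IMEI digit must satisfy."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def normalize_imei(raw):
    """Strip common separators; return a 15-digit IMEI, or None if malformed."""
    imei = "".join(c for c in raw if c not in " -/")
    ok = len(imei) == 15 and imei.isascii() and imei.isdigit() and luhn_ok(imei)
    return imei if ok else None

def build_identifier_csv(requests):
    """Return (csv_text, rejected); only approved, valid, unique IMEIs are written."""
    seen, rejected = set(), []
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    for req in requests:
        imei = normalize_imei(req["imei"])
        if req["status"] != "approved":
            rejected.append((req["ticket"], "not approved"))
        elif imei is None:
            rejected.append((req["ticket"], "invalid IMEI"))
        elif imei in seen:
            rejected.append((req["ticket"], "duplicate IMEI"))
        else:
            seen.add(imei)
            details = f'{req["ticket"]} approved by {req["approver"]}'
            writer.writerow([imei, details[:MAX_DETAILS]])
    return out.getvalue(), rejected

# Constructed sample export from a hypothetical service-management tool.
SAMPLE = [
    {"ticket": "REQ-1001", "imei": "49-015420-323751-8", "status": "approved", "approver": "a.admin"},
    {"ticket": "REQ-1002", "imei": "352099001761481", "status": "pending", "approver": None},
    {"ticket": "REQ-1003", "imei": "490154203237519", "status": "approved", "approver": "a.admin"},
    {"ticket": "REQ-1004", "imei": "490154203237518", "status": "approved", "approver": "a.admin"},
]

if __name__ == "__main__":
    csv_text, rejected = build_identifier_csv(SAMPLE)
    print(csv_text, rejected)
```

Recording the ticket and approver in the details column keeps an audit trail of who authorised each identifier, and the rejected list gives the workflow something to report back to the requester.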