Intune: Restricting iOS Devices That aren't Enrolled

Brass Contributor

Hey guys,


I could use some help.
Currently busy with a project to enroll company phones to Intune, but we want phones that aren't enrolled to be blocked from using Office apps with their work credentials.
I've tried setting up a Conditional Access policy for this, which works perfectly for Android but not for iOS. I'm testing it myself, the policies and applications are deployed and the phone is compliant, but everytime I open an Office app it states "Enroll your device to gain access" and the Company portal opens.
If I unselect the "Require device to be marked as compliant" under "Access Controls > Grant" in the Conditional Access policy, I get access. 
Thing is, access is also available for iOS phones that aren't enrolled.

Anyone else that has experienced this?

3 Replies

@Djaswant How do you enroll the iOS devices? ABM of Apple Configurator? From what I read, I can't make out how you enroll, but it looks like a user enrollment where you enroll using the company portal app. This app is also used to check compliance and that is why the company portal app opens. You will have to sign in with your username and password. You did say devices are compliant in MEM. Can you see who the primary user is and who enrolled the device? I'm also interested in ownership.


If you do enroll using ABM or Apple configurator, the ownership should be corporate by default. And in that case you can simply block all personal devices when accessing Office 365 using a conditional access policy combined with filter for devices. Assuming this is want you want to achieve.


Your CA would look like this:

  • Cloud Apps - Office 365
  • Conditions:
    • Device platform =iOS
    • Client Apps = Mobile Apps (or others if needed
  • Filter for devices - EXCLUDE
    • device.deviceOwnership -eq "Company"
  • Grant = Block Access


This CA will block all devices where the device ownership does not equal Company. 


Note: Make sure you test block policies with a select group of users or at least exclude a break-glass account if you do test in your production tenant.


Hope this helps.


Hi Oktay.

Thank you for responding! No ABM or Apple Configurator. I am indeed using the Company Portal. It's a Compliant, corporate phone.

Thanks for the advice! Really appreciated. I'm going to check how it reacts to this CA settings and let you know!
I am actually testing it on my own company phone with my credentials.

@Djaswant Your welcome,


Your are actually enrolling the devices as personal owned. Have a look at this doc and the User-owned iOS/iPadOS and iPadOS devices (BYOD) scenario. Think this will help. Let me know if it works as expected after you sign-in en enroll using the Company portal app.