SOLVED

Restrict device enrollment for some users

%3CLINGO-SUB%20id%3D%22lingo-sub-152970%22%20slang%3D%22en-US%22%3ERestrict%20device%20enrollment%20for%20some%20users%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-152970%22%20slang%3D%22en-US%22%3EHi%3CBR%20%2F%3E%3CBR%20%2F%3EWe%20have%20AD%20with%20Azure%20AD%20connect.%3CBR%20%2F%3EWe%20use%20Intune%20MDM%2FMAM%20and%20auto-enroll%20Windows%2010%20devices%2C%20iOS%20and%20Android.%3CBR%20%2F%3EAll%20users%20have%20the%20EMS%20license.%3CBR%20%2F%3E%3CBR%20%2F%3EWe%20are%20requesting%20a%20way%20to%20restrict%20the%20Intune%20enrollment%20for%20some%20users%20(not%20all)%20to%20only%20have%20one%20device.%3CBR%20%2F%3EIs%20there%20a%20way%3F%3CBR%20%2F%3E%3CBR%20%2F%3EIm%20trying%20to%20think%20out%20a%20way%20with%20Conditional%20Access%20and%20Dynamic%20groups%20but%20I%20dont%20get%20it%20all%20the%20way.%3CBR%20%2F%3E%3CBR%20%2F%3EWe%20can%20go%20the%20other%20way%20around%2C%20restrict%20all%20users%20to%20only%20be%20able%20to%20register%20one%20device%20(this%20is%20easy).%20Then%20allow%20some%20users%20to%20register%20more.%3CBR%20%2F%3E%3CBR%20%2F%3EGrateful%20for%20any%20tip%20or%20a%20nice%20complete%20solution%20%3CBR%20%2F%3E%3CBR%20%2F%3ECheers%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-152970%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EConditional%20Access%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EIntune%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EMobile%20Device%20Management%20(MDM)%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-161280%22%20slang%3D%22en-US%22%3ERe%3A%20Restrict%20device%20enrollment%20for%20some%20users%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-161280%22%20slang%3D%22en-US%22%3EOk%20I%20got%20it%20now%20in%20my%20tenant%20%3AD%3C%2Fimg%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-159525%22%20slang%3D%22en-US%22%3ERe%3A%20Restrict%20device%20enrollment%20for%20some%20users%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-159525%22%20slang%3D%22en-US%22%3E%3CP%3EWe%20are%20in%20west%20europe%2C%20tenant%20pprobably%20Amsterdam%20or%20Ireland.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-159443%22%20slang%3D%22en-US%22%3ERe%3A%20Restrict%20device%20enrollment%20for%20some%20users%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-159443%22%20slang%3D%22en-US%22%3E%3CP%3EOk.%20Still%20nothing%20at%20our%20tenant.%20Im%20placed%20at%20northen%20europe%2C%20Sweden.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-159374%22%20slang%3D%22en-US%22%3ERe%3A%20Restrict%20device%20enrollment%20for%20some%20users%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-159374%22%20slang%3D%22en-US%22%3E%3CP%3EFYI%3A%20my%20tenant%20got%20updated%20and%20has%20enrollment%20restrictions%20now%20available...%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20396px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F28630iDEE868053F71CE59%2Fimage-dimensions%2F396x212%3Fv%3D1.0%22%20width%3D%22396%22%20height%3D%22212%22%20alt%3D%22IntuneEnrollmentRestriction.png%22%20title%3D%22IntuneEnrollmentRestriction.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-158445%22%20slang%3D%22en-US%22%3ERe%3A%20Restrict%20device%20enrollment%20for%20some%20users%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-158445%22%20slang%3D%22en-US%22%3E%3CP%3ENo%20there%20is%20no%20way%2C%20you%20have%20to%20be%20patient.%20You%20need%20to%20wait%20until%20global%20rollout%20is%20finished.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3Ebest%2C%3C%2FP%3E%0A%3CP%3EOliver%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-158434%22%20slang%3D%22en-US%22%3ERe%3A%20Restrict%20device%20enrollment%20for%20some%20users%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-158434%22%20slang%3D%22en-US%22%3E%3CP%3EThat%20is%20great%20news.%20Altough%20I%20haven't%20seen%20it%20in%20our%20tenant%20yet.%26nbsp%3B%3CBR%20%2F%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F28534i473510298E196634%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20alt%3D%22Device%20Restriction.PNG%22%20title%3D%22Device%20Restriction.PNG%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIs%20there%20a%20way%20to%20speed-up%20the%20%22upgrade%22%20%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-155062%22%20slang%3D%22en-US%22%3ERe%3A%20Restrict%20device%20enrollment%20for%20some%20users%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-155062%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20Fredrik%2C%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3Ethis%20is%20possible%20with%20%22group-assigned%20enrollment%20restrictions%22.%26nbsp%3B%3C%2FP%3E%0A%3CP%3ESee%20Intune%20announcement%20%22Week%20of%20November%2027%2C%202017%22%20here%3A%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fintune%2Fwhats-new%23group-assigned-enrollment-restrictions----747598---%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fintune%2Fwhats-new%23group-assigned-enrollment-restrictions----747598---%3C%2FA%3E%3C%2FP%3E%0A%3CP%3ESo%20it's%20announced%20back%20in%20November%20but%20it's%20still%20in%20rollout%20(all%20my%20tenants%20do%20not%20have%20the%20feature%20available%20yet).%20So%20your%20tenant%20might%20not%20see%20the%20feature%20at%20the%20moment.%20Be%20patient%20and%20wait%20for%20it%2C%20it%20will%20exactly%20address%20your%20needs.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3Ebest%2C%3C%2FP%3E%0A%3CP%3EOliver%3C%2FP%3E%3C%2FLINGO-BODY%3E
Highlighted
Occasional Contributor
Hi

We have AD with Azure AD connect.
We use Intune MDM/MAM and auto-enroll Windows 10 devices, iOS and Android.
All users have the EMS license.

We are requesting a way to restrict the Intune enrollment for some users (not all) to only have one device.
Is there a way?

Im trying to think out a way with Conditional Access and Dynamic groups but I dont get it all the way.

We can go the other way around, restrict all users to only be able to register one device (this is easy). Then allow some users to register more.

Grateful for any tip or a nice complete solution

Cheers
7 Replies
Highlighted
Solution

Hi Fredrik,

 

this is possible with "group-assigned enrollment restrictions". 

See Intune announcement "Week of November 27, 2017" here:

https://docs.microsoft.com/en-us/intune/whats-new#group-assigned-enrollment-restrictions----747598--...

So it's announced back in November but it's still in rollout (all my tenants do not have the feature available yet). So your tenant might not see the feature at the moment. Be patient and wait for it, it will exactly address your needs.

 

best,

Oliver

Highlighted

That is great news. Altough I haven't seen it in our tenant yet. 
Device Restriction.PNG

 

Is there a way to speed-up the "upgrade" ?

Highlighted

No there is no way, you have to be patient. You need to wait until global rollout is finished.

 

best,

Oliver

Highlighted

FYI: my tenant got updated and has enrollment restrictions now available...

 

IntuneEnrollmentRestriction.png

Highlighted

Ok. Still nothing at our tenant. Im placed at northen europe, Sweden.

Highlighted

We are in west europe, tenant pprobably Amsterdam or Ireland.

Highlighted
Ok I got it now in my tenant :D