Microsoft Technical Takeoff: Windows and Microsoft Intune
Oct 24 2022 07:00 AM - Oct 27 2022 12:00 PM (PDT)

Restrict Enrollment to a Group

Regular Contributor
Hi All

Is there any way to restrict enrollment to a group?
Info appreciated
6 Replies

Hey @Stuart King,


you can restrict the MDM user scope to a AAD group:




This way only users in that AAD groups can enroll into MDM (Intune).




@Stuart King 


You can also restrict by creating new restriction policy under enrollment restrictions: 





Yes, that's the method I'm using.


Do you know what the UX is here? Especially if the device is an iOS DEP / Supervised one?


Client is expecting the device to stay in Single App Mode if a user outwith the enrollment group tries to enroll.


Info appreciated

I would recommend use the policy without single app mode, as I didn’t have great experience with Single App mode.

Haven’t test it but expect this what happens with Single app mode:

You will boot the device to Portal app, you enter user and password, then you get message that you can’t enroll then you get stuck.

Curious to know your experience with single app mode, thanks Stuart!
Hi Buddy
.Single App Mode is client requirement and MUST be used.

What I'm looking for clarification on is the user experience on entering the WRONG credentials or credentials of a user outside of the assigned groups.

I think the user will be stuck on the portal app and can’t navigate to anything else.