cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Separate Personal from Corp Devices

Stuart King
Iron Contributor

‎Dec 01 2019 01:51 PM

‎Dec 01 2019 01:51 PM

Separate Personal from Corp Devices

Hi All

 

Trying to get my head around something:

 

  • Clear separation between personal and corp devices - Corp identifiers, enrollment restrictions etc?
  • Restrict unmanaged devices restrict to use email securely - Conditional Access, IAP?

What do you guys use in such scenarios?

 

Info appreciared

 

4,679 Views
0 Likes
2 Replies
Reply
2 Replies
Thijs Lecomte

‎Dec 02 2019 12:17 AM

‎Dec 02 2019 12:17 AM

Re: Separate Personal from Corp Devices

Hi Stuart

First of all: what are you trying to accomplish exactly?

Personal vs corporate devices:
Corporate identifiers and enrollment restrictions are two different things and don't actually work together.

Corporate identifiers change whether an ENROLLED device is seen as personal and corporate. This is a simple field that is being changed in Intune. Using that field you could create dynamic groups to deploy different policies to.

Enrollment restrictions will say if personal devices can be enrolled? What is the difference between personal and corporate devices? Please check out this link: https://docs.microsoft.com/en-us/intune/enrollment/device-enrollment#corporate-owned-device

For example for IOS:
- Devices enrolled through the company portal are personal
- Devices enrolled through DEP are corporate

Even if you have set-up corp identifiers to identify a device as corporate. If you enroll it through the company portal. it will always fail because it is a personal enrollment method. Corp identifiers only work after enrollment.

If you want to secure data from the device on corporate/personal devices, I would recommend looking into app protection policies and conditional access.

Feel free to reach out with more requests!
0 Likes
Reply
Stuart King

‎Dec 03 2019 02:52 PM - edited ‎Dec 03 2019 02:53 PM

‎Dec 03 2019 02:52 PM - edited ‎Dec 03 2019 02:53 PM

Re: Separate Personal from Corp Devices

@Thijs Lecomte 

 

Hey many thanks for the excellent and informative response.

 

Yeah, leaving aside the enrollment for now, that will stay Personal.

 

However, some devices may enroll, some just wanna access corp email.

 

There is tremendous help on these 2 guides:

 

https://docs.microsoft.com/en-us/intune/protect/tutorial-protect-email-on-unmanaged-devices

https://docs.microsoft.com/en-us/intune/protect/tutorial-protect-email-on-enrolled-devices

 

However BOTH require the creation of a Conditional Access policy.

Managed devices grant with Require device to be compliant / Require approved app

Unmanaged devices Require approved app / additional MFA if required

 

Surely these 2 Conditional Access policies will conflict and require enrollment?

 

My question is, what if you have users with multiple devices, one enrolled and one not?

 

Make sense?

0 Likes
Reply