Separate Personal from Corp Devices

%3CLINGO-SUB%20id%3D%22lingo-sub-1041343%22%20slang%3D%22en-US%22%3ESeparate%20Personal%20from%20Corp%20Devices%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1041343%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20All%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ETrying%20to%20get%20my%20head%20around%20something%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CUL%3E%3CLI%3EClear%20separation%20between%20personal%20and%20corp%20devices%20-%20Corp%20identifiers%2C%20enrollment%20restrictions%20etc%3F%3C%2FLI%3E%3CLI%3ERestrict%20unmanaged%20devices%20restrict%20to%20use%20email%20securely%20-%20Conditional%20Access%2C%20IAP%3F%3C%2FLI%3E%3C%2FUL%3E%3CP%3EWhat%20do%20you%20guys%20use%20in%20such%20scenarios%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EInfo%20appreciared%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1041343%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EConditional%20Access%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EIntune%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EMobile%20Application%20Management%20(MAM)%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EMobile%20Device%20Management%20(MDM)%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1041655%22%20slang%3D%22en-US%22%3ERe%3A%20Separate%20Personal%20from%20Corp%20Devices%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1041655%22%20slang%3D%22en-US%22%3EHi%20Stuart%3CBR%20%2F%3E%3CBR%20%2F%3EFirst%20of%20all%3A%20what%20are%20you%20trying%20to%20accomplish%20exactly%3F%3CBR%20%2F%3E%3CBR%20%2F%3EPersonal%20vs%20corporate%20devices%3A%3CBR%20%2F%3ECorporate%20identifiers%20and%20enrollment%20restrictions%20are%20two%20different%20things%20and%20don't%20actually%20work%20together.%3CBR%20%2F%3E%3CBR%20%2F%3ECorporate%20identifiers%20change%20whether%20an%20ENROLLED%20device%20is%20seen%20as%20personal%20and%20corporate.%20This%20is%20a%20simple%20field%20that%20is%20being%20changed%20in%20Intune.%20Using%20that%20field%20you%20could%20create%20dynamic%20groups%20to%20deploy%20different%20policies%20to.%3CBR%20%2F%3E%3CBR%20%2F%3EEnrollment%20restrictions%20will%20say%20if%20personal%20devices%20can%20be%20enrolled%3F%20What%20is%20the%20difference%20between%20personal%20and%20corporate%20devices%3F%20Please%20check%20out%20this%20link%3A%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fintune%2Fenrollment%2Fdevice-enrollment%23corporate-owned-device%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fintune%2Fenrollment%2Fdevice-enrollment%23corporate-owned-device%3C%2FA%3E%3CBR%20%2F%3E%3CBR%20%2F%3EFor%20example%20for%20IOS%3A%3CBR%20%2F%3E-%20Devices%20enrolled%20through%20the%20company%20portal%20are%20personal%3CBR%20%2F%3E-%20Devices%20enrolled%20through%20DEP%20are%20corporate%3CBR%20%2F%3E%3CBR%20%2F%3EEven%20if%20you%20have%20set-up%20corp%20identifiers%20to%20identify%20a%20device%20as%20corporate.%20If%20you%20enroll%20it%20through%20the%20company%20portal.%20it%20will%20always%20fail%20because%20it%20is%20a%20personal%20enrollment%20method.%20Corp%20identifiers%20only%20work%20after%20enrollment.%3CBR%20%2F%3E%3CBR%20%2F%3EIf%20you%20want%20to%20secure%20data%20from%20the%20device%20on%20corporate%2Fpersonal%20devices%2C%20I%20would%20recommend%20looking%20into%20app%20protection%20policies%20and%20conditional%20access.%3CBR%20%2F%3E%3CBR%20%2F%3EFeel%20free%20to%20reach%20out%20with%20more%20requests!%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1045403%22%20slang%3D%22en-US%22%3ERe%3A%20Separate%20Personal%20from%20Corp%20Devices%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1045403%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F186539%22%20target%3D%22_blank%22%3E%40Thijs%20Lecomte%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHey%20many%20thanks%20for%20the%20excellent%20and%20informative%20response.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EYeah%2C%20leaving%20aside%20the%20enrollment%20for%20now%2C%20that%20will%20stay%20Personal.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHowever%2C%20some%20devices%20may%20enroll%2C%20some%20just%20wanna%20access%20corp%20email.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThere%20is%20tremendous%20help%20on%20these%202%20guides%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fintune%2Fprotect%2Ftutorial-protect-email-on-unmanaged-devices%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fintune%2Fprotect%2Ftutorial-protect-email-on-unmanaged-devices%3C%2FA%3E%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fintune%2Fprotect%2Ftutorial-protect-email-on-enrolled-devices%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fintune%2Fprotect%2Ftutorial-protect-email-on-enrolled-devices%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHowever%20BOTH%20require%20the%20creation%20of%20a%20Conditional%20Access%20policy.%3C%2FP%3E%3CP%3EManaged%20devices%20grant%20with%20Require%20device%20to%20be%20compliant%20%2F%20Require%20approved%20app%3C%2FP%3E%3CP%3EUnmanaged%20devices%26nbsp%3BRequire%20approved%20app%20%2F%20additional%20MFA%20if%20required%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ESurely%20these%202%26nbsp%3BConditional%20Access%20policies%20will%20conflict%20and%20require%20enrollment%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EMy%20question%20is%2C%20what%20if%20you%20have%20users%20with%20multiple%20devices%2C%20one%20enrolled%20and%20one%20not%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EMake%20sense%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E
Regular Contributor

Hi All

 

Trying to get my head around something:

 

  • Clear separation between personal and corp devices - Corp identifiers, enrollment restrictions etc?
  • Restrict unmanaged devices restrict to use email securely - Conditional Access, IAP?

What do you guys use in such scenarios?

 

Info appreciared

 

2 Replies
Hi Stuart

First of all: what are you trying to accomplish exactly?

Personal vs corporate devices:
Corporate identifiers and enrollment restrictions are two different things and don't actually work together.

Corporate identifiers change whether an ENROLLED device is seen as personal and corporate. This is a simple field that is being changed in Intune. Using that field you could create dynamic groups to deploy different policies to.

Enrollment restrictions will say if personal devices can be enrolled? What is the difference between personal and corporate devices? Please check out this link: https://docs.microsoft.com/en-us/intune/enrollment/device-enrollment#corporate-owned-device

For example for IOS:
- Devices enrolled through the company portal are personal
- Devices enrolled through DEP are corporate

Even if you have set-up corp identifiers to identify a device as corporate. If you enroll it through the company portal. it will always fail because it is a personal enrollment method. Corp identifiers only work after enrollment.

If you want to secure data from the device on corporate/personal devices, I would recommend looking into app protection policies and conditional access.

Feel free to reach out with more requests!

@Thijs Lecomte 

 

Hey many thanks for the excellent and informative response.

 

Yeah, leaving aside the enrollment for now, that will stay Personal.

 

However, some devices may enroll, some just wanna access corp email.

 

There is tremendous help on these 2 guides:

 

https://docs.microsoft.com/en-us/intune/protect/tutorial-protect-email-on-unmanaged-devices

https://docs.microsoft.com/en-us/intune/protect/tutorial-protect-email-on-enrolled-devices

 

However BOTH require the creation of a Conditional Access policy.

Managed devices grant with Require device to be compliant / Require approved app

Unmanaged devices Require approved app / additional MFA if required

 

Surely these 2 Conditional Access policies will conflict and require enrollment?

 

My question is, what if you have users with multiple devices, one enrolled and one not?

 

Make sense?