Configure Device Enrollment in Microsoft Intune

François Péroux
Sep 27, 2022

In this first part of Intune setup, we'll cover the device enrollment component.

It is here that the following parameters will be configured, among others:

  • Which mobile devices can register, according to their ownership (personal/company).

  • The type of Operating System that can register.

  • The minimum accepted version.

  • The number of devices that can be registered by a user.


1. Setting registration restrictions according to the platform (Android, iOS ...)


1.1 - General concept

In this section of Intune, which is like the gateway to your mobile environment, you can configure the platforms that can register with Intune.

This is also where you decide whether or not to authorize mobiles or computers, the minimum/maximum version authorized and, of course, the operating system (or platform) authorized: iOS, iPadOS, macOS, Windows, Android.

The enrollment restrictions section in Intune can be accessed directly through this link.

Image - Device type enrollment restrictions per platform

Note: By default, a first rule already exists and applies to all users and all platforms.


The scope of this rule cannot be changed (all users) and it cannot be deleted.


When you create a new restriction rule, it is given priority "1" and therefore takes priority over the default rule (which applies to all users in the company).


The priority of manually created rules can be changed but not that of the default rule.


Image - Device enrollment policy priorities

It is possible to create different restriction rules and assign them to groups of people in the organization to address multiple use cases.

Example:

  • A rule for internal employees who can register personal and corporate phones.

  • Another rule for external consultants who can only register corporate phones.


1.2 - Default Restriction

The default restriction rule offers a number of standard options for all device types.

It is advisable to use the restrictions per platform (see below) in order to have more precise control.

The default restriction rule lets you control:

  • Blocking the platform.

  • The minimum and/or maximum version of the Operating System.

  • Blocking the use of a specific device manufacturer.

  • Blocking the use of a personal device.

1.3 - Restriction by Platform (Android, Windows, Apple)

Microsoft also allows you to create restriction rules by platform (Android, Windows, macOS, iOS/iPadOS).

Android

For Android it is possible to:

  • Block Android Administrator type devices

  • Block personal devices

  • Block Huawei, ZTE and OPPO branded devices

  • Allow only Android Enterprise type devices

  • Authorize Android devices with OS version


Windows

For Windows it is possible to:

  • Block device registration through the MDM (Mobile Device Management) service.

  • Authorize a minimum and/or maximum version of Windows.

  • Block personal devices.


macOS

For macOS it is possible to:

  • Block device registration through the MDM (Mobile Device Management) service.

  • Block personal devices.


iOS/iPadOS

For iOS/iPadOS, it is possible to:

  • Block device registration through the MDM (Mobile Device Management) service.

  • Authorize a minimum and/or maximum version of iOS/iPadOS.

  • Block personal devices.


2. Device limit restriction during registration

To prevent too many devices from being registered by employees, it is possible to limit this number via the Device limit restriction during registration.

A default rule exists and allows the registration of 5 devices in the environment, for all users.

  • The default rule applies to all users in the enterprise.

  • The maximum limit that can be set is 15 devices.
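
To reason about which restriction a given user actually hits, the sketch below models the behaviour described in sections 1 and 2: the rule with the lowest priority number among those assigned to the user applies, the default rule is the fallback, and the device limit is checked last. It is an added example, not code from the article or from Microsoft; the class, function and group names and the sample rules are constructed, and it is a simplified model rather than Intune's own evaluation logic.

```python
from dataclasses import dataclass, field

@dataclass
class Restriction:                      # simplified model, not an Intune object
    name: str
    priority: int                       # 1 is evaluated first
    groups: frozenset = frozenset()     # empty = all users (the default rule)
    blocked_platforms: frozenset = frozenset()
    block_personal: bool = False
    min_version: dict = field(default_factory=dict)   # platform -> minimum OS

def version_key(text, width=4):
    """'15.7' -> (15, 7, 0, 0) so that '16' and '16.0' compare equal."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (width - len(parts)))

def effective_rule(rules, user_groups):
    """Lowest priority number among the rules targeting the user wins."""
    matching = [r for r in rules if not r.groups or r.groups & user_groups]
    return min(matching, key=lambda r: r.priority)

def check_enrollment(rules, user_groups, platform, os_version, personal,
                     enrolled_count, device_limit=5):
    if device_limit > 15:               # maximum stated in section 2
        raise ValueError("device limit cannot exceed 15")
    rule = effective_rule(rules, frozenset(user_groups))
    if platform in rule.blocked_platforms:
        return False, f"{rule.name}: platform blocked"
    if personal and rule.block_personal:
        return False, f"{rule.name}: personal devices blocked"
    minimum = rule.min_version.get(platform)
    if minimum and version_key(os_version) < version_key(minimum):
        return False, f"{rule.name}: OS below {minimum}"
    if enrolled_count >= device_limit:
        return False, "device limit reached"
    return True, rule.name

# Constructed sample rules mirroring the example in section 1.1.
RULES = [
    Restriction("Default", priority=999),
    Restriction("Consultants", 1, frozenset({"external-consultants"}),
                block_personal=True),
    Restriction("Employees", 2, frozenset({"internal-employees"}),
                min_version={"iOS": "15.0"}),
]
```

Running planned rule changes through a model like this before assigning them helps spot users who sit in two groups and silently inherit the stricter or looser rule.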



Conclusion

This first block of settings should be treated as one of the pillars of your governance for managing your company's mobile devices.

It makes it possible to clearly establish which types of devices are accepted, which versions of the operating system, and which ownership (personal or company), as well as the number of devices that each user can register in the environment.

In a future article, we'll cover device compliance settings.

