How To Configure Intune Device Enrollment Restrictions
In this post, I will show you how to create and configure Intune device enrollment restrictions. Device Enrollment restrictions in Intune define what devices can enroll into management with Endpoint Manager.
With Intune, you can manage different types of devices. Intune Device restriction policies control a wide range of settings and features of mobile devices (iOS, Android, macOS, and Windows 11).
As an Intune administrator, you can create and manage enrollment restrictions that define what devices can enroll into management with Intune which includes:
- Number of devices.
- Operating systems and versions.
When you create a new restriction, it takes priority over the default policy. The priority level determines which policy gets applied when a group is targeted with multiple restrictions. You can also edit the enrollment restrictions after you create them.
In the next section, we will understand what are enrollment restrictions in Intune, the types of enrollment restrictions. We will see how to configure the device limit and device platform restrictions in Intune.
What are Device Enrollment Restrictions in Intune?
Enrollment restrictions block Intune enrollment on devices that fall short of your device requirements. With Enrollment restrictions, you can define what devices can enroll into Intune for management. You can also prevent people from enrolling personal devices in Intune.
With enrollment restrictions, you can define who can enroll personal devices and restrict other users in Intune. For example, you may allow your IT team the permission to enroll personal devices while everyone else cannot.
Types of Intune Device Enrollment Restrictions
There are two types of device enrollment restrictions available in Intune:
- Device Platform Enrollment Restriction
- Device Limit Enrollment Restriction
Both the device enrollment restrictions are available in Microsoft Endpoint manager Admin Center > Devices. You can configure the Intune enrollment restrictions to override the default ones.
In the Intune portal, the default restrictions are automatically provided for both device type and device limit enrollment restrictions.
You can change the options for the defaults. Default restrictions apply to all user and userless enrollments. You can override these defaults by creating new restrictions with higher priorities.
Difference between Device Platform Restrictions vs. Device Limit Restrictions
There is a major difference between device platform restrictions and device limit restrictions. The Device limit restrictions will let you restrict the number of devices allowed to enroll whereas Device platform restrictions lets you restrict device platforms, OS versions, and personally owned devices.
Device type restrictions allow you to control enrollment rights based on device itself type such as Android, iOS, macOS, Windows, ownership, operating system and version, and manufacturer.
Note that some of these values are only supported on certain types of device. For example, macOS does not support restricting based on OS version, and only Android enrollment can be controlled by the manufacturer.
The Intune device limit restrictions set the maximum number of devices that a user can control (maximum setting is 15).
Create Device Platform Restriction in Intune
In Intune, you can configure device platform restrictions for following device types:
- Android restrictions
- Windows restrictions
- macOS restrictions
- iOS restrictions
These restrictions don’t affect devices that have already been enrolled. Only
Let’s create a new enrollment device platform restriction in Intune:
- Sign in to the Microsoft Endpoint Manager admin center.
- Go to Devices > Enrollment device platform restrictions.
- Select a restriction type that corresponds with the platform you’re configuring and click Create Restriction.
On the Basics page, specify the restriction a name and optional description. Click Next.
On the Platform settings page, configure the restrictions for your selected platform. For example, if you had selected Windows Restrictions in the initial step, you get to Allow or Block MDM, Block personally owned devices. Configure the settings based on your requirements and click Next.
You may add scope tags to the restriction. Click Next.
On the Assignments page, select Add groups and then use the search box to find and select groups. To assign the restriction to all device users, select Add all users.
Click Next.
On the Review+Create page, review all the settings for device platform enrollment restriction and click Create.
This completes the steps to create a enrollment device platform restrictions in Intune. You should see a notification about the creation of platform restrictions in top-right corner of Endpoint admin center console.
You can view the new restriction and access its properties from the Device type restrictions table. Select and drag the restriction to reposition it in the table and change its priority.
When you create a restriction, it’s added to the list just above the default. The newly created device restriction has Priority 1 which means it has the highest priority over other restrictions.
Configure Intune Enrollment Device Limit Restrictions
The Intune device limit restrictions set the maximum number of devices that a user can control with maximum limit set to 15. You can override this default restrictions and create a new limit to suit your requirement.
You can create a device limit restriction in Intune with following steps:
- Sign in to the Microsoft Endpoint Manager admin center.
- Go to Devices > Enrollment device limit restrictions.
- Click Create Restriction.
On the Basics page, specify a Name and optional Description for device limit restriction. Click Next.
For Device limit, select the maximum number of devices that a user can enroll. Click Next.
You may add scope tags to the device limit restrictions. Click Next.
On the Assignments page, select Add groups and then use the search box to find and select groups. To assign the restriction to all device users, select Add all users. Click Next.
On the Review+Create page, review all the settings for device limit enrollment restrictions and click Create.
This completes the steps to create a enrollment device limit restrictions in Intune. You should see a notification about the creation of device limit restrictions in top-right corner of Endpoint admin center console.
You can view the new restriction and access its properties from the Device Limit restrictions table. When you create a restriction, it’s added to the list just above the default. The newly created device restriction has Priority 1 which means it has the highest priority over other restrictions.