Every Microsoft Intune administrator has run into this problem. For example, users install Office on their personal devices (mobile phones and laptops/workstations) and Microsoft asks them to sign in. They sign in with their company credentials, after which the user is asked whether he wants to let his company manage his device. This is the default behaviour, and most users just click “next, next, finish” to be done with it. The result is that the user registers his personal device in the company MDM solution. The purpose of this blog is to block personally owned devices from Microsoft Intune.
Example of a personally owned device in Intune
This results in having personal, non-compliant devices in your Microsoft Intune tenant. Furthermore, in my deployments this always means that the non-compliant device is not encrypted. In other words, we have unencrypted devices holding company data. This is not something to be taken lightly.
Luckily for us there is a solution, and it is just a couple of mouse clicks away. Follow the steps below to configure this in your tenant.
Configure device restrictions
Log on to https://devicemanagement.microsoft.com/ and click on Devices:
Go to the policy section and click on device restrictions:
Click on “Create restriction” and then on “Device type restriction”:
Choose a name and click on next:
The platform settings page is where you set the restrictions. Block personally owned devices for any platform you want in this section:
Assign this to a test group first to make sure everything works as expected!
Click on create to create your policy.
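The same restriction can be created and checked from PowerShell with the Microsoft Graph SDK, which is handy when you first want to see how many personally owned devices are already enrolled. This is an added example, not code from the original post; it assumes the Microsoft.Graph module is installed, that your account can consent to the DeviceManagementServiceConfig.ReadWrite.All and DeviceManagementManagedDevices.Read.All scopes, and that the deviceEnrollmentPlatformRestrictionsConfiguration object shape used below is still accepted by the Graph endpoint in your tenant (check the current Graph reference if the POST is rejected).

```powershell
# Added example (not from the original post). Assumes the Microsoft.Graph
# PowerShell SDK is installed: Install-Module Microsoft.Graph -Scope CurrentUser
Import-Module Microsoft.Graph.Authentication
Import-Module Microsoft.Graph.DeviceManagement

Connect-MgGraph -Scopes "DeviceManagementServiceConfig.ReadWrite.All",
                        "DeviceManagementManagedDevices.Read.All"

# 1. Audit: which already-enrolled devices are personally owned, and are they
#    compliant and encrypted? ManagedDeviceOwnerType is company/personal/unknown.
$personal = Get-MgDeviceManagementManagedDevice -All |
    Where-Object { $_.ManagedDeviceOwnerType -eq 'personal' } |
    Select-Object DeviceName, OperatingSystem, ComplianceState, IsEncrypted
$personal | Format-Table -AutoSize

# 2. Create the device type restriction. platformBlocked stays $false so
#    corporate enrollment keeps working; only personal (BYOD) enrollment is blocked.
$block = @{ platformBlocked = $false; personalDeviceEnrollmentBlocked = $true }
$body = @{
    "@odata.type"      = "#microsoft.graph.deviceEnrollmentPlatformRestrictionsConfiguration"
    displayName        = "Block personal devices"   # name of your choice
    description        = "Blocks personal enrollment on all platforms"
    windowsRestriction = $block
    iosRestriction     = $block
    androidRestriction = $block
    macOSRestriction   = $block
}
$restriction = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceEnrollmentConfigurations" `
    -Body ($body | ConvertTo-Json -Depth 5) -ContentType "application/json"

# 3. Read the policy back to confirm the settings took effect. Assign it to a
#    test group (in the portal) before rolling it out to everyone.
Invoke-MgGraphRequest -Method GET -OutputType PSObject `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceEnrollmentConfigurations/$($restriction.id)" |
    Select-Object displayName, priority, windowsRestriction, iosRestriction,
                  androidRestriction, macOSRestriction
```

The audit in step 1 is worth keeping as a recurring check: a new restriction only stops future enrollments, so devices listed there still need to be retired or re-enrolled as corporate devices.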
If you have a question about the deployment, just drop it in the comments.
Information about App Protection Policies:
Block personal devices altogether: