restrict sign in on personal devices

  • Question

  • I had blocked personal devices for Windows at Microsoft Intune > Device enrollment > Enrollment restrictions, but when I tried on my personal device I was still able to sign in and connect to my corporate account by going to Settings app > Accounts > Access work or school.

    Does anyone know why, and how to restrict that?

    Sunday, October 6, 2019 3:33 AM

Answers

  • Azure Active Directory > Mobility (MDM and MAM) > Microsoft Intune > set None for MAM user scope
    • Marked as answer by j8f9 Friday, October 11, 2019 6:56 AM
    Friday, October 11, 2019 6:56 AM

All replies

  • If you block personally owned Windows devices from enrollment, Intune checks to make sure that each new Windows enrollment request has been authorized as a corporate enrollment. Unauthorized enrollments will be blocked.

    The following methods qualify as an authorized Windows corporate enrollment; please check whether the device meets one of the following options:

    Reference: https://docs.microsoft.com/en-us/intune/enrollment/enrollment-restrictions-set

    Best regards,

    Cici Wu


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, October 7, 2019 6:34 AM
  • It does not meet any of those options.

    It is not registered under Windows Autopilot, and it is not a Device Enrollment Manager account.

    Monday, October 7, 2019 6:58 AM
  • So your machine is getting Azure AD registered; please verify what it says under Azure AD devices.
    And confirm you are blocking device enrollment for "personal" under device restrictions, so it won't enroll into Intune :)
    Monday, October 7, 2019 8:09 AM
  • Azure AD registered.

    Yes, I confirm I am blocking device enrollment for "personal" under device restrictions.

    Monday, October 7, 2019 8:50 AM
  • Forgot to write the following question:
    What about under:
    Azure AD -> Device settings -> "Users may join devices to Azure AD": is it set to All (the default)?
    If so, set it to None or Some :)

    And you should now block any user from registering devices to Azure AD.



    • Edited by Jonas Bøgvad Monday, October 7, 2019 9:12 AM
    • Marked as answer by j8f9 Monday, October 7, 2019 9:36 AM
    • Unmarked as answer by j8f9 Monday, October 7, 2019 11:21 AM
    Monday, October 7, 2019 9:10 AM
  • If set to None, will it break Autopilot, which joins the device to Azure AD?
    Monday, October 7, 2019 11:22 AM
  • Yes, Autopilot won't work.

    If you want Autopilot to work, I would set it back to the default, All (Azure AD -> Device settings -> "Users may join devices to Azure AD": All), and go ahead with Conditional Access instead:

    Users and groups > Include > Test GRP

    Cloud apps or actions > All cloud apps

    Conditions > Device platforms > Any device

    Conditions > Locations > Any location

    Client apps > Configure: Yes > Browser, Mobile apps and desktop clients (modern auth), Exchange ActiveSync clients, Other clients

    Grant > Require device to be marked as compliant

    Since you blocked personally owned devices in Intune, they will never be marked as compliant, because they can't enroll into Intune; they will still be able to Azure AD register, but the policy will block them.




    Monday, October 7, 2019 2:08 PM
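The reply above spells out the Conditional Access policy in portal terms. As an added example that is not part of Jonas's post, here is the same policy built through the Microsoft Graph PowerShell SDK. It starts in report-only mode and excludes a break-glass account (two safeguards the post does not mention, added here as recommended practice), then lists the Azure AD registered but non-compliant devices the policy will block once it is switched to enabled. The group name "Test GRP" comes from the post; the module, the permission scopes and the break-glass UPN are assumptions, so adjust them to your tenant.

```powershell
# Added example (not from the thread): build the "require compliant device" CA policy
# from the reply with the Microsoft Graph PowerShell SDK, then list the devices it targets.
# Assumes: Install-Module Microsoft.Graph (Identity.SignIns, Groups, Users,
# Identity.DirectoryManagement submodules) and an account allowed to manage CA policies.
# Placeholders: the break-glass UPN 'breakglass@contoso.com'.

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All',
                        'Group.Read.All', 'User.Read.All', 'Device.Read.All' -NoWelcome

# Resolve the pilot group from the post and a break-glass account so the policy
# can never lock every admin out of the tenant.
$group = Get-MgGroup -Filter "displayName eq 'Test GRP'" -Top 1
if (-not $group) { throw "Pilot group 'Test GRP' not found" }
$breakGlass = Get-MgUser -UserId 'breakglass@contoso.com'   # placeholder UPN

# Same settings as the portal walk-through, expressed as the Graph policy body.
$policy = @{
    displayName   = 'BYOD - require compliant device (pilot)'
    # Report-only first: review the sign-in log "Report-only" tab, then set 'enabled'.
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users          = @{ includeGroups = @($group.Id); excludeUsers = @($breakGlass.Id) }
        applications   = @{ includeApplications = @('All') }          # All cloud apps
        platforms      = @{ includePlatforms = @('all') }              # Any device
        locations      = @{ includeLocations = @('All') }              # Any location
        clientAppTypes = @('browser', 'mobileAppsAndDesktopClients',
                           'exchangeActiveSync', 'other')              # all client app types
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('compliantDevice') }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created CA policy $($created.Id) in state $($created.State)"

# Verification: trustType 'Workplace' is an Azure AD *registered* device (the BYOD case in
# the question); 'AzureAd' is joined and 'ServerAd' is hybrid joined. Registered devices
# that are not Intune-compliant are exactly the population this policy will block.
Get-MgDevice -All |
    Where-Object { $_.TrustType -eq 'Workplace' -and -not $_.IsCompliant } |
    Select-Object DisplayName, TrustType, IsManaged, IsCompliant, OperatingSystem |
    Format-Table -AutoSize
```

Leave the policy in report-only until the sign-in log shows only the expected BYOD devices being flagged; a compliant-device grant with no exclusions applied to "All cloud apps" is the classic way to lock administrators out, which is why the break-glass exclusion is in the body.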
  • I am just writing to see whether this issue has any update. Also, is there any other assistance we could provide for the problem?

    If anything is unclear, please feel free to let me know.

    Best regards,

    Cici Wu



    Thursday, October 10, 2019 7:47 AM
  • Thank you very much for sharing. I'm very glad to hear that you have found the solution and solved this issue yourself. I believe end users who visit this forum in the future will benefit from your sharing. Here is a brief summary of this issue:

    Issue symptom:

    Can't restrict a personal device from signing in and connecting to the corporate account.

    (Possible) cause:

    MAM auto-enrollment is used to manage enterprise data on employees' Windows devices. MAM auto-enrollment is configured for bring-your-own-device scenarios.

    Solution:

    Go to Dashboard -> Device enrollment -> Windows enrollment -> Automatic Enrollment, and set None for MAM user scope.

    Reference Links:

    https://docs.microsoft.com/en-us/intune/enrollment/windows-enroll

    Best regards,

    Cici Wu



    Friday, October 11, 2019 7:35 AM