Users still enrolling personal devices even though I have blocked personal devices with enrollment restrictions????

  • Question

  • This is the default enrollment restriction I have edited which is applied to "All Users" by default.

    I've set it like below to block all personally owned devices from enrolling into Intune; however, they are still enrolling.

    I may have already figured out my problem but I do not have a solution for it. 

    The default enrollment restriction is applied to "All Users"; if I make a new enrollment restriction and try to assign it to All Users, I can see that it is obsolete. I am assuming that the reason users are still able to enroll personal devices into Intune is that the All Users group the default policy is assigned to does not work.

    My problem is that we are just starting this and do not have a group in Azure AD that has All Users in it, so the default policy is not applied to any user at all. Am I correct about this problem?


    Tuesday, July 21, 2020 2:13 PM

All replies

  • You don't need an All Users group, the default policy should work fine. 

    Do you have another enrollment restriction created with a higher priority that allows personal enrollment?

    How are the users actually enrolling that seems to bypass your enrollment restrictions?

    Tuesday, July 21, 2020 9:41 PM
    The default policy was not working fine. I know this because users were still enrolling. I do not know how they were enrolling; it doesn't tell me the method used to enroll. I assume they are signing into an Office product and that's putting them in there. Either that, or Access work or school account.
    I had only 1 enrollment restriction. I've now created a 2nd with the exact same settings as above and assigned it to an All Users group we created. We'll see if that stops them.

    Wednesday, July 22, 2020 12:52 AM
  • Hi,

    For the Personally owned block, there are some exceptions; please check if our situation meets one of the exceptions:

    https://docs.microsoft.com/en-us/mem/intune/enrollment/enrollment-restrictions-set

    Hope it can help.
     
    Best regards.
    Crystal


    "Intune" forum will be migrating to a new home on Microsoft Q&A!
    We invite you to post new questions in the "Intune" forum's new home on Microsoft Q&A!
    For more information, please refer to the sticky post. Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.


    Wednesday, July 22, 2020 1:43 AM
  • I have blocked ALL devices, period. This restriction is priority 1, above default, the only other restriction created.

    I STILL have personal devices being enrolled into Intune. How is that possible? 

    I checked the qualifications that authorize someone to enroll a personal device:

    1. We do not have any device enrollment managers set.
    2. We do not use Autopilot nor have it in place.
    3. There are no devices registered with Autopilot; these are people's personal devices they have at home that have no relation to our district.
    4. We have 0 IMEI numbers listed in corporate device identifiers.
    5. We do not have bulk provisioning packages.
    6. We have no GPOs set up to enroll devices into Intune, and co-management is not set up in SCCM.

    Just to make sure, I checked the user who enrolled that device, and they are in the group that is assigned to the enrollment restriction, so I have no clue how they were able to enroll that device.

    Here is the device enrolled:

    I tried to enroll the only way I think the users are enrolling their personal devices and it does not allow me.

    I opened word and signed into O365 and checked the box to manage my device and I received the below error. I went to Access work or school accounts and tried to connect my personal device that way and got the same exact error as shown below.

    I do not know how these users are adding their personal devices, just had another one add their device.

    • Edited by SCCMN0ob Thursday, July 23, 2020 4:53 PM
    Thursday, July 23, 2020 3:06 PM
  • Hi,

    From your tests, it seems the device restriction is working well. The previous device seems to have been enrolled on 5/15/2020. It may be that the device was enrolled before the device restriction policy was configured. We can remove these devices from Intune and check if any new personal device can be enrolled into Intune now.

    Hope it can help.

    Best regards.

    Crystal




    Friday, July 24, 2020 6:21 AM
    The management name is the date it was enrolled on? You would figure they would have an "Enrolled on" date. That device was not there that morning.

    I have 5 new personal devices this morning that were not there yesterday.

    Management name shows 4/13/20, 4/24/20, 4/5/20, 4/21/20, and 5/15/20.

    If they were enrolled on those dates why were they not showing up there before?

    Friday, July 24, 2020 12:42 PM
  • You can add the enrollment date to the columns to check the date when they were enrolled. You can also use the Filter option to filter the devices by enrollment date as well.

    Sunday, July 26, 2020 10:56 PM
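    One way to do the check Nick describes in bulk, and to answer the earlier question of how the devices are getting in, is to pull the enrollment date and enrollment type from Microsoft Graph. This is an added example, not code from the thread; it assumes the Microsoft.Graph.DeviceManagement PowerShell module is installed and that `$RestrictionCreated` (a placeholder) is set to the date the block-personal restriction was created.

```powershell
# Added example: list personally owned Intune devices with their real enrollment
# date and enrollment type, and flag those that pre-date the enrollment restriction.
# Assumes the Microsoft.Graph.DeviceManagement module is installed.
$RestrictionCreated = [datetime]'2020-07-01'   # placeholder: date the restriction was created

Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.Read.All'

# Pull every managed device and keep only those Intune marks as personally owned
$devices = Get-MgDeviceManagementManagedDevice -All |
    Where-Object { $_.ManagedDeviceOwnerType -eq 'personal' }

$report = $devices | ForEach-Object {
    [pscustomobject]@{
        DeviceName          = $_.DeviceName
        ManagementName      = $_.ManagedDeviceName     # the "management name" shown in the portal
        User                = $_.UserPrincipalName
        EnrolledDateTime    = $_.EnrolledDateTime      # the real enrollment timestamp
        EnrollmentType      = $_.DeviceEnrollmentType  # how the device got in (e.g. userEnrollment)
        LastSync            = $_.LastSyncDateTime
        PreDatesRestriction = ($_.EnrolledDateTime -lt $RestrictionCreated)
    }
}

# Devices enrolled after the restriction existed are the ones that actually bypassed it;
# anything flagged PreDatesRestriction was simply already there.
$report | Where-Object { -not $_.PreDatesRestriction } |
    Sort-Object EnrolledDateTime | Format-Table -AutoSize

# Summary of enrollment methods, to see which path personal devices are using
$report | Group-Object EnrollmentType | Select-Object Name, Count
```

    An empty first table means no personal device has enrolled since the restriction was created, which matches the "old devices surfacing" explanation later in the thread.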
  • Hi,

    We can follow Nick's suggestion to confirm the enrollment date for these devices. If there's any update, feel free to let us know.

    Best regards.

    Crystal




    Monday, July 27, 2020 1:23 AM
  • Thank you. So all of these enrollment dates are in the past. None are new.

    Why do they keep showing up? I've had another 10 new devices show up that were not there Friday, but were enrolled months ago.

    Monday, July 27, 2020 2:44 PM
  • Hi,

    I guess this could be because there are many devices in our environment, which need to be displayed on more than one page. Maybe they are there but not on the first page. When we remove some devices, the devices on the next page move to the previous page, and we notice them.

    If that is not the reason, maybe there's some issue with the display. We can open a case with Microsoft to check the logs in the background.

    Hope it can help.

    Best regards.

    Crystal




    Tuesday, July 28, 2020 2:43 AM
    No, I have deleted all devices, and there are only 30 devices that should be there, but it keeps spiking to the 40s every few days, and I have to delete more that have an enrollment date from the past, before the enrollment restriction was created. Like today: I have 6 new personal devices that were not there yesterday.
    Tuesday, July 28, 2020 1:23 PM
  • Hi,

    From your description, it seems there's some sync issue in the Intune background. We suggest opening a case to check on this.

    Best regards.

    Crystal



    Wednesday, July 29, 2020 4:08 AM