Create device platform restrictions - Microsoft Intune (2024)


Applies to: Android, iOS/iPadOS, macOS, Windows 10, Windows 11

Create a device platform enrollment restriction policy to restrict devices from enrolling in Intune. Available restrictions include:

  • Device platform
  • OS version
  • Manufacturer
  • Ownership (personally owned)

You can create a new device platform restriction policy in the Microsoft Intune admin center or use the default policy that's already available. You can have up to 25 device platform restriction policies.

This article describes the device platform restrictions supported in Microsoft Intune and how to configure them in the admin center.

Default policy

Microsoft Intune provides one default policy for device platform restrictions that you can edit and customize as needed. Intune applies the default policy to all user and userless enrollments until you assign a higher-priority policy.

Best practice - Android platform restrictions

Since Intune supports two Android platforms, it's important to understand how OS version restrictions work when you use them with device platform restrictions:

  • If you allow both platforms for the same group and then restrict each platform to specific, non-overlapping version ranges, a device is sent through whichever Android enrollment flow admits its OS version.
  • If you allow both platforms, but block the same versions, devices running blocked versions can't enroll. Users on these devices are sent through the Android device administrator enrollment flow before they're blocked and prompted to sign out.

Important

Microsoft Intune is ending support for Android device administrator management on devices with access to Google Mobile Services (GMS) on August 30, 2024. After that date, device enrollment, technical support, bug fixes, and security fixes will be unavailable. If you currently use device administrator management, we recommend switching to another Android management option in Intune before support ends. For more information, read Ending support for Android device administrator on GMS devices.

Create a device platform restriction

  1. Sign in to the Microsoft Intune admin center.

  2. Go to Devices > Enrollment.

  3. Select Device platform restriction.

  4. Select the tab along the top of the page that corresponds with the platform you're configuring. Your options:

    • Android restrictions
    • Windows restrictions
    • macOS restrictions
    • iOS restrictions
  5. Select Create restriction.

  6. On the Basics page, give the restriction a name and optional description.

  7. Select Next.

  8. On the Platform settings page, configure the restrictions for your selected platform. Your options:

    • Platform (Android): Select Allow to permit a platform to enroll, and Block to restrict it.
    • MDM (Windows, macOS, and iOS/iPadOS): Select Allow to permit a platform to enroll, and Block to restrict it.
    • Personally-owned: Select Allow to permit devices to enroll and operate as personal devices.
    • Device manufacturer (Android): Enter a comma-separated list of the manufacturers that you want to block.
    • Allow min/max range (Android, Windows, iOS/iPadOS): Enter the minimum and maximum OS versions allowed to enroll. Supported version formats include:
      • Windows supports major.minor.build.rev for Windows 10 and Windows 11. Intune doesn't receive the revision number during enrollment, so enter 0 for the revision number.

      • Android device administrator and Android Enterprise work profile support major.minor.rev.build.

      • iOS/iPadOS supports major.minor.rev.

        Tip

        The min/max range isn't applicable to Apple devices that enroll with the Device Enrollment Program, Apple School Manager, or the Apple Configurator app. Although Intune doesn't block ADE enrollments that use Company Portal to authenticate, not meeting OS requirements impacts registration because devices can't create the Microsoft Entra device record used to evaluate Conditional Access policies. You can tell that this is the case if a device user receives an error message that says "Couldn't map device record with a user" after they sign in to Company Portal.

  9. Select Next.

  10. Optionally, add scope tags to the restriction. For more information about scope tags, see Use role-based access control and scope tags for distributed IT.

    Note

    If you apply scope tags to a restriction, only Intune users within scope can view and manage the policy. Only people in scope can view and reorder a restriction, or change its priority level. They can also see the relative priority of the restriction, even if they can't see all restrictions.

  11. Select Next.

  12. On the Assignments page, select Add groups and then use the search box to find and select groups. To assign the restriction to all device users, select Add all users. If you don't assign a restriction to at least one group, the restriction won't take effect.

  13. Optionally, after you assign groups, select Edit filter to restrict the policy assignment further with filters. Filters are available for macOS, iOS, and Windows policies. For more information, see Apply assignment filters (in this article).

  14. Select Next.

  15. Review your policy, and then select Create to create it.

You can view the new restriction policy and access its properties in the Enrollment device platform restrictions > Device type restrictions table. Select and drag the restriction to reposition it in the table and change its priority.
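As an added illustration (not code from Microsoft or from this article), the following Python model shows how the platform settings from step 8, the priority table described above, and the two-Android-platform best practice combine to decide an enrollment attempt. The policy names, group names, version numbers and manufacturer string are constructed sample data; treating a platform that has no settings in the winning policy as blocked is an assumption of the model.

```python
"""Model of how device platform restrictions decide an enrollment attempt.

Added illustration, not Intune's own code. Assumed behaviour, taken from the
article: policies are evaluated in priority order and the highest-priority policy
assigned to one of the user's groups wins (the default policy, assigned to no
group, catches everyone else); that policy's platform settings decide the
outcome; a Windows revision number is not known at enrollment time.
"""
from dataclasses import dataclass, field
from typing import Optional

# Components per version string, from the article's supported formats.
VERSION_PARTS = {
    "windows": 4,       # major.minor.build.rev (rev entered as 0)
    "android_da": 4,    # device administrator: major.minor.rev.build
    "android_work": 4,  # Android Enterprise work profile: major.minor.rev.build
    "ios": 3,           # iOS/iPadOS: major.minor.rev
}

def parse_version(platform: str, text: str) -> tuple[int, ...]:
    """Turn a dotted version into a comparable tuple, padding missing trailing parts with 0."""
    parts = [int(p) for p in text.split(".")]
    width = VERSION_PARTS[platform]
    if len(parts) > width:
        raise ValueError(f"{platform} accepts at most {width} version components: {text!r}")
    return tuple(parts + [0] * (width - len(parts)))

@dataclass
class PlatformRestriction:
    platform_blocked: bool = False
    personal_blocked: bool = False
    blocked_manufacturers: list[str] = field(default_factory=list)  # Android only
    os_min: Optional[str] = None
    os_max: Optional[str] = None

@dataclass
class RestrictionPolicy:
    name: str
    priority: int                  # lower number = higher in the priority table
    assigned_groups: set[str]      # empty on the default policy = everyone
    restrictions: dict[str, PlatformRestriction]

@dataclass
class Device:
    platform: str
    os_version: str
    manufacturer: str = ""
    personal: bool = False

def select_policy(policies: list[RestrictionPolicy], user_groups: set[str]) -> RestrictionPolicy:
    """Pick the highest-priority policy that targets one of the user's groups."""
    for policy in sorted(policies, key=lambda p: p.priority):
        if not policy.assigned_groups or policy.assigned_groups & user_groups:
            return policy
    raise LookupError("no default policy present")

def evaluate(policy: RestrictionPolicy, device: Device) -> tuple[bool, str]:
    """Return (allowed, reason) for a device under one policy's platform settings."""
    r = policy.restrictions.get(device.platform)
    if r is None or r.platform_blocked:  # assumption: unconfigured platform = blocked
        return False, f"{device.platform} is blocked by {policy.name}"
    if device.personal and r.personal_blocked:
        return False, f"personal {device.platform} devices are blocked by {policy.name}"
    if device.manufacturer.lower() in {m.strip().lower() for m in r.blocked_manufacturers}:
        return False, f"manufacturer {device.manufacturer} is blocked by {policy.name}"
    version = parse_version(device.platform, device.os_version)
    if device.platform == "windows":
        version = version[:3] + (0,)  # revision is not received during enrollment
    if r.os_min and version < parse_version(device.platform, r.os_min):
        return False, f"{device.os_version} is below the minimum {r.os_min} in {policy.name}"
    if r.os_max and version > parse_version(device.platform, r.os_max):
        return False, f"{device.os_version} is above the maximum {r.os_max} in {policy.name}"
    return True, f"allowed by {policy.name}"

def android_flow(policy: RestrictionPolicy, device: Device) -> Optional[str]:
    """Android sub-platform whose range admits the version; None if blocked; raises on overlap."""
    admitted = [p for p in ("android_da", "android_work")
                if evaluate(policy, Device(p, device.os_version, device.manufacturer, device.personal))[0]]
    if len(admitted) > 1:
        raise ValueError(f"{policy.name}: both Android platforms admit {device.os_version}; ranges overlap")
    return admitted[0] if admitted else None

# Constructed sample: a group-targeted Android policy above the default policy in the table.
POLICIES = [
    RestrictionPolicy("Field staff Android", priority=1, assigned_groups={"Field Staff"}, restrictions={
        "android_da": PlatformRestriction(os_min="8.0", os_max="9.0", blocked_manufacturers=["Acme Phones"]),
        "android_work": PlatformRestriction(os_min="10.0", blocked_manufacturers=["Acme Phones"]),
    }),
    RestrictionPolicy("Default", priority=99, assigned_groups=set(), restrictions={
        "windows": PlatformRestriction(personal_blocked=True, os_min="10.0.19045.0"),
        "android_da": PlatformRestriction(platform_blocked=True),
        "android_work": PlatformRestriction(),
    }),
]

if __name__ == "__main__":
    policy = select_policy(POLICIES, {"Field Staff"})
    for version in ("8.1", "9.1", "12.0"):
        print(version, "->", android_flow(policy, Device("android", version)))
    print(evaluate(POLICIES[1], Device("windows", "10.0.19045.4046")))
```

Running the model with the sample policies routes Android 8.1 through the device administrator flow and Android 12 through the work profile flow, while 9.1 falls between the two ranges and is blocked; a Windows 10 device reporting build 19045 passes the default policy's minimum because the revision part is zeroed before the comparison, exactly as step 8 tells you to enter it.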

Apply assignment filters

You can use assignment filters to include and exclude additional devices from certain group-targeted policies. Enrollment restrictions and ESP policies both support the use of assignment filters.

For example, you can use a filter to allow personal Windows devices to enroll while blocking devices that run a specific operating system SKU. To achieve this outcome, apply a preconfigured filter to your enrollment restriction assignments. The filter needs to have the operatingSystemSKU property in its rules. Example steps:

  1. Create a platform enrollment restriction policy for Windows.
  2. In the platform settings, select the option that allows personal devices to enroll.
  3. In the assignments settings, select the groups you want to assign.
  4. Select Edit filter and then apply your preconfigured filter that contains the operatingSystemSKU property. The applied property blocks devices running Windows 10 Home edition.

For more information about creating filters, see Create a filter.

Supported filter properties

Enrollment restrictions support fewer filter properties than other group-targeted policies. This is because devices aren't yet enrolled, so Intune doesn't have the device info to support all properties. You'll see the limited selection of properties when you:

  • Configure a device platform restriction policy for Apple and Windows devices.
  • Configure an enrollment status page (ESP) policy for Windows.
  • Edit a filter that's in use in an enrollment restriction or ESP profile.

The following filter properties are always available to use with enrollment policies:

Windows

  • OS version
  • Operating System SKU
  • Ownership
  • Enrollment profile name

iOS/iPadOS and macOS

  • Manufacturer
  • Model
  • OS version
  • Ownership
  • Enrollment profile name

For more information about these properties, see device properties. Filters can't be used with Android enrollment restrictions.
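As an added illustration (not Intune's code and not its actual filter rule language), this Python model covers both the assignment-filter example above and the supported-property lists in this section: it first validates that a filter uses only properties Intune can evaluate before a device is enrolled, then applies include/exclude filters to group assignments and picks the effective policy for a constructed device. The rule operators, camelCase property names, policy and group names, and the SKU strings are assumptions made for the example.

```python
"""Model of assignment filters on enrollment restriction assignments.

Added illustration, not Intune's own code or its filter rule syntax. Assumed:
a filter is a list of (property, operator, value) comparisons combined with AND,
applied in include or exclude mode to a group assignment; only the properties
the article lists per platform may appear in a filter used with enrollment
policies; Android restrictions take no filter. Device records, SKU names and
version strings below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Callable, Optional

# Filter properties the article says are always available to enrollment policies.
ENROLLMENT_FILTER_PROPERTIES = {
    "windows": {"osVersion", "operatingSystemSKU", "ownership", "enrollmentProfileName"},
    "ios": {"manufacturer", "model", "osVersion", "ownership", "enrollmentProfileName"},
    "macos": {"manufacturer", "model", "osVersion", "ownership", "enrollmentProfileName"},
}

# Comparison operators of the model (assumed; case-insensitive string comparisons).
OPERATORS: dict[str, Callable[[str, str], bool]] = {
    "eq": lambda have, want: have.lower() == want.lower(),
    "ne": lambda have, want: have.lower() != want.lower(),
    "startsWith": lambda have, want: have.lower().startswith(want.lower()),
    "contains": lambda have, want: want.lower() in have.lower(),
}

@dataclass
class Filter:
    name: str
    platform: str
    rules: list[tuple[str, str, str]]  # (property, operator, value); all must hold
    mode: str = "include"              # include: apply only to matches; exclude: skip matches

@dataclass
class Assignment:
    policy: str                 # name of the enrollment restriction policy
    priority: int               # lower number = higher in the priority table
    groups: set[str]            # empty = all users (the default policy)
    filter: Optional[Filter] = None

def validate_filter(f: Filter) -> bool:
    """Reject filters that use properties Intune does not have before enrollment."""
    allowed = ENROLLMENT_FILTER_PROPERTIES.get(f.platform)
    if allowed is None:
        raise ValueError(f"{f.name}: filters are not supported for {f.platform} enrollment restrictions")
    bad = sorted({prop for prop, _, _ in f.rules if prop not in allowed})
    if bad:
        raise ValueError(f"{f.name}: properties not available at enrollment time: {bad}")
    unknown = sorted({op for _, op, _ in f.rules if op not in OPERATORS})
    if unknown:
        raise ValueError(f"{f.name}: unknown operators: {unknown}")
    return True

def matches(f: Filter, device: dict[str, str]) -> bool:
    """True when every rule holds for the device's pre-enrollment properties."""
    return all(OPERATORS[op](device.get(prop, ""), value) for prop, op, value in f.rules)

def assignment_applies(a: Assignment, user_groups: set[str], device: dict[str, str]) -> bool:
    """Group membership decides first; the filter then includes or excludes the device."""
    if a.groups and not (a.groups & user_groups):
        return False
    if a.filter is None:
        return True
    validate_filter(a.filter)
    hit = matches(a.filter, device)
    return hit if a.filter.mode == "include" else not hit

def effective_policy(assignments: list[Assignment], user_groups: set[str], device: dict[str, str]) -> str:
    """Name of the highest-priority policy whose assignment applies to this user and device."""
    for a in sorted(assignments, key=lambda x: x.priority):
        if assignment_applies(a, user_groups, device):
            return a.policy
    raise LookupError("no default policy present")

# Constructed sample matching the article's scenario: contractors may enroll personal
# Windows devices unless the device runs the Home SKU; anything else falls to the default.
NOT_HOME_SKU = Filter("Exclude Windows Home", "windows",
                      [("operatingSystemSKU", "eq", "Home")], mode="exclude")
ASSIGNMENTS = [
    Assignment("Allow personal Windows", priority=1, groups={"Contractors"}, filter=NOT_HOME_SKU),
    Assignment("Default (personal Windows blocked)", priority=99, groups=set()),
]
```

The exclude mode is what makes the scenario work: a Home-edition device still belongs to the contractor group, but the filter removes it from the permissive assignment, so it falls through to the default policy that blocks personal devices. A filter naming a property such as model on a Windows rule, or any filter on an Android platform, is rejected before evaluation.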

Edit enrollment restrictions

Edits are applied to new enrollments and don't affect devices that are already enrolled.

  1. Return to Devices > Enrollment.
  2. Select Device platform restrictions.
  3. In the Device type restrictions table, select the name of the policy you want to change.
  4. Select Properties.
  5. Select Edit.
  6. Make your changes and select Review + save.
  7. Review your changes and select Save.

FAQs

How do I create a device restriction in Intune?

Create a device platform restriction
  1. Sign in to the Microsoft Intune admin center.
  2. Go to Devices > Enrollment.
  3. Select Device platform restriction.
  4. Select the tab along the top of the page that corresponds with the platform you're configuring. ...
  5. Select Create restriction.
Jan 23, 2024

What are enrollment device platform restrictions?

Device platform restrictions are policies that allow or block enrollment based on specific device attributes, such as platform, OS version, manufacturer, or ownership type. These restrictions can be configured for various platforms, including Android, iOS/iPadOS, macOS, and Windows devices.

How do I restrict apps on Intune?

In Intune
  1. Access the Apps panel in Intune.
  2. Select Intune App protection.
  3. Verify that an app protection policy exists that includes the apps that you would not like to be blocked. Once complete, move over to Azure AD / Conditional Access and follow the remaining steps.
Mar 9, 2022

How do I prevent personal devices from joining Intune?

For example, if you want to block personal devices running Windows 10/11, you need to create a policy with the following settings:
  1. Open the Intune portal.
  2. Open Devices / Enroll Devices.
  3. Select Enrollment Device Platform Restrictions.
  4. Click + Create restriction.
Jan 24, 2024

What are device restrictions in Intune?

Intune includes device restriction policies that help administrators control Android, iOS/iPadOS, macOS, and Windows devices. These restrictions let you control a wide range of settings and features to protect your organization's resources. For example, administrators can: Allow or block the device camera.

What is a device restriction?

Device Restriction limits access to approved devices in a secure network, ensuring compliance and data integrity. This helps you comply with international regulations like GDPR, HIPAA, PCI DSS, SOX, and many more.

How do I enable device restrictions?

Allow restricted settings
  1. On your Android device, open the Settings app.
  2. Tap Apps.
  3. Tap the app that you want to turn on a restricted setting for. Tip: If you can't find it, first tap See all apps or App info.
  4. Tap More. Allow restricted settings.
  5. Follow the on-screen instructions.

How do I change my device limit on Intune?

Sign in to the Microsoft Intune admin center. Go to Devices > Enrollment. Select the Windows, Apple, or Android tab. Select Device limit restriction.

What is the difference between user and device enrollment in Intune?

User Enrollment with the Company Portal is more of a streamlined enrollment process that provides a subset of device management options for admins. With user enrollment, a user identity is created on the device using a managed Apple ID (federated), and the managed Apple ID can be used alongside the personal Apple ID that ...

Can you lock a device in Intune?

Go to Devices. Select the device that you want to lock. Choose Actions, and then select Remote lock. Select Lock to confirm that you want to lock the device.

How do I lock apps on Intune iOS?

Go to the Intune admin center and create a new compliance policy for iOS. Drill down to System Security and then to Restricted apps. Enter the previously noted details as below. Carry on through the rest of the wizard and select the assignment to All Users, or a pilot group to test, and then complete the policy.

Which types of apps can be managed by Intune?

Wide range of app support: Intune supports various app types, such as store apps, web apps, and line-of-business (LOB) apps. In addition, Intune supports several platforms, such as iOS/iPadOS and Android. This app support allows organizations to manage a diverse set of applications using Intune.

Can Intune wipe a personal device?

Supported platforms for Wipe device action

Wipe is supported on the following platforms: Android Enterprise Dedicated, Fully Managed, and Corporate-Owned Work Profile devices. Android Open Source Project (AOSP) devices. iOS/iPadOS.

What happens when a device is enrolled in Intune?

Your device enrolls in Microsoft Intune, a mobile device management provider, and registers with your organization. This step ensures that you're authorized to access your organization's email, apps, and Wi-Fi.

How does Intune know if a device is personal or corporate?

Identify corporate-owned devices with IMEI or serial number

Intune uses these identifiers to specify device ownership as corporate during device enrollment. Each IMEI or serial number can have details specified in the list for administrative purposes.
How do I create a device category in Intune?

Go to Devices > Device categories. Choose Create device category to add a new category. Enter the name of the new category, such as HR, and an optional description. Select Next.

How do I assign permissions to Intune?

Sign in to the Microsoft Intune admin center with a global administrator account > Users > then choose the user you want to give admin permissions. Select Assigned roles > Add assignments. In the Directory roles pane, select the roles you want to assign to the user > Add.
