
MDM_03: Enrollment Restrictions for MDM for iOS and Android in Intune

Implementation Effort: Low. IT admins only need to configure policies in the Intune admin center; no user-side deployment or ongoing maintenance is required.

User Impact: Low. Users are not directly affected unless their device is blocked from enrollment due to policy restrictions.


Overview

Enrollment restrictions in Microsoft Intune allow organizations to control which devices can enroll in MDM based on platform, OS version, manufacturer, and ownership type. These restrictions help enforce organizational standards and reduce risk from unsupported or non-compliant devices.

There are two main types of restrictions:

1. Device Platform Restrictions

These policies restrict enrollment based on:

  • Platform: Android (Work Profile, Fully Managed), iOS/iPadOS, macOS, Windows
  • OS Version: Minimum and maximum supported versions
  • Manufacturer: Block or allow specific device brands
  • Ownership Type: Block personally owned (BYOD) devices if needed

Example: Block Android Device Administrator enrollments and allow only Android Enterprise Work Profile for BYOD users [1].

2. Device Limit Restrictions

These policies limit how many devices a user can enroll. The default range is 1 to 15 devices per user [2].

Example: Limit users to 5 enrolled devices to reduce management overhead and potential abuse.

Policy Behavior

  • A default policy applies to all users unless overridden by a higher-priority custom policy.
  • Restrictions are not security features; they are best-effort controls to prevent accidental or unsupported enrollments [1].
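The following Python model, added here as an illustration and not Intune's own code, shows how the two restriction types and the policy priority rule described above combine when an enrollment attempt is evaluated: a higher-priority custom policy assigned to one of the user's groups overrides the default, platform restrictions (blocked platform, blocked personal ownership, OS version range, blocked manufacturer) are checked first, and then the device limit is applied. All policy names, group names, platform identifiers, manufacturer names and the sample enrollment attempts are constructed for the example; the 1 to 15 device-limit range is the one stated on this page.

```python
"""Illustrative model of Intune enrollment restriction evaluation (not Intune's code)."""
from dataclasses import dataclass
from typing import Optional


def parse_version(v: str) -> tuple:
    # "16.4.1" -> (16, 4, 1); tuples compare lexicographically, so (15, 7, 1) < (16, 0)
    return tuple(int(p) for p in v.split("."))


@dataclass(frozen=True)
class PlatformRestriction:
    platform_blocked: bool = False
    personal_blocked: bool = False            # block personally owned (BYOD) devices
    os_min: Optional[str] = None              # minimum supported OS version
    os_max: Optional[str] = None              # maximum supported OS version
    blocked_manufacturers: frozenset = frozenset()


@dataclass(frozen=True)
class RestrictionPolicy:
    name: str
    priority: int          # lower number = higher priority; the default policy sits last
    groups: frozenset      # empty = default policy (applies to all users)
    rules: dict            # platform identifier -> PlatformRestriction


@dataclass(frozen=True)
class DeviceLimitPolicy:
    name: str
    priority: int
    groups: frozenset
    limit: int

    def __post_init__(self):
        # The page states the configurable range is 1 to 15 devices per user.
        if not 1 <= self.limit <= 15:
            raise ValueError("device limit must be between 1 and 15")


@dataclass(frozen=True)
class EnrollmentAttempt:
    user_groups: frozenset
    platform: str          # constructed identifiers, e.g. "android_device_admin", "ios"
    os_version: str
    manufacturer: str
    personal: bool         # True for a personally owned (BYOD) device
    enrolled_devices: int  # devices this user already has enrolled


def effective_policy(policies, user_groups):
    """Highest-priority policy that applies to the user (custom policies need a group match)."""
    applicable = [p for p in policies if not p.groups or p.groups & user_groups]
    return min(applicable, key=lambda p: p.priority) if applicable else None


def evaluate(attempt, restriction_policies, limit_policies):
    """Return (allowed, reason). Platform restrictions are checked before the device limit."""
    policy = effective_policy(restriction_policies, attempt.user_groups)
    rule = policy.rules.get(attempt.platform, PlatformRestriction()) if policy else PlatformRestriction()
    name = policy.name if policy else "no policy"
    if rule.platform_blocked:
        return False, f"{name}: platform {attempt.platform} is blocked"
    if rule.personal_blocked and attempt.personal:
        return False, f"{name}: personally owned {attempt.platform} devices are blocked"
    version = parse_version(attempt.os_version)
    if rule.os_min and version < parse_version(rule.os_min):
        return False, f"{name}: OS {attempt.os_version} is below minimum {rule.os_min}"
    if rule.os_max and version > parse_version(rule.os_max):
        return False, f"{name}: OS {attempt.os_version} is above maximum {rule.os_max}"
    if attempt.manufacturer.lower() in {m.lower() for m in rule.blocked_manufacturers}:
        return False, f"{name}: manufacturer {attempt.manufacturer} is blocked"
    limit_policy = effective_policy(limit_policies, attempt.user_groups)
    if limit_policy and attempt.enrolled_devices >= limit_policy.limit:
        return False, (f"{limit_policy.name}: user already has {attempt.enrolled_devices} "
                       f"devices (limit {limit_policy.limit})")
    return True, "allowed"


# Constructed sample policies: a permissive default plus a stricter policy for a "BYOD" group
# that mirrors the page's example (block Device Administrator, allow only Work Profile).
DEFAULT_RESTRICTIONS = RestrictionPolicy("Default", priority=1000, groups=frozenset(), rules={})
BYOD_RESTRICTIONS = RestrictionPolicy(
    "BYOD users", priority=1, groups=frozenset({"BYOD"}),
    rules={
        "android_device_admin": PlatformRestriction(platform_blocked=True),
        "android_work_profile": PlatformRestriction(
            os_min="10", blocked_manufacturers=frozenset({"ExampleUnsupportedBrand"})),
        "ios": PlatformRestriction(os_min="16.0"),
    })
DEFAULT_LIMIT = DeviceLimitPolicy("Default limit", priority=1000, groups=frozenset(), limit=15)
BYOD_LIMIT = DeviceLimitPolicy("BYOD limit", priority=1, groups=frozenset({"BYOD"}), limit=5)
RESTRICTIONS = [DEFAULT_RESTRICTIONS, BYOD_RESTRICTIONS]
LIMITS = [DEFAULT_LIMIT, BYOD_LIMIT]

if __name__ == "__main__":
    byod = frozenset({"BYOD"})
    for attempt in [
        EnrollmentAttempt(byod, "android_device_admin", "13", "ExampleBrand", True, 0),
        EnrollmentAttempt(byod, "android_work_profile", "11", "ExampleBrand", True, 0),
        EnrollmentAttempt(byod, "ios", "15.7.1", "Apple", True, 0),
        EnrollmentAttempt(byod, "ios", "16.4", "Apple", True, 5),
    ]:
        print(attempt.platform, attempt.os_version, evaluate(attempt, RESTRICTIONS, LIMITS))
```

Because the custom policy only wins for users in its assigned group, a user outside the "BYOD" group falls back to the default policy, which is exactly the ordering the Policy Behavior section describes; the `ValueError` in `DeviceLimitPolicy` enforces the page's 1 to 15 range at configuration time rather than at enrollment time.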

Zero Trust Fit

This supports the "Assume breach" principle by reducing the attack surface—only known, supported, and policy-compliant devices can access corporate resources.


Reference