Enrollment Restrictions


This step-by-step tutorial takes you through configuring Enrollment Restrictions for Intune / Endpoint Manager.

This is Part 9 of a 13 part series.

=====================================================================

Welcome to part 9 of my thirteen-part series of tutorials taking you step by step through configuring Microsoft Endpoint Manager / Intune, from initial DNS config up to Autopilot and application deployment. This series gives you all the knowledge you need to successfully deploy a basic Intune / Endpoint Manager environment.

Initial Tenant and Intune Configuration
1. Configure DNS and CNAME - Link 
2. Company Branding - Self Service Password Reset (SSPR) - Enable Enterprise State Roaming - Link
3. Enable Conditional Access and MFA (Multi factor authentication) - Link
4. Configure Conditional Access Terms of Use - Link 
5. Company Terms and Conditions - Link 
6. User and Device Groups, and Device Categories - Link
7. Set-up Autopilot profile and configure MAM and MDM scope for automatic enrollment - Link
7a. More information regarding options for configuring the MDM and MAM user scopes - Link 
8. Enrollment Status Page - Link
9. Enrollment Restrictions - Link - This Tutorial
10. Deploying Microsoft 365 apps (Office apps) - Link
11. Enable Microsoft Store for Business and publish the Company Portal app - Link
12. Assign Company Portal app - Link 
13. Test autopilot via register online - Link

If you don't have a test environment for Intune / Endpoint Manager, just follow this guide on 
How to get a Free Developer Tenant with 25 x E5 licenses and a free Top Level domain name - Link

=====================================================================

By default, Intune / Endpoint Manager should be configured to allow all users to enroll their devices. This is needed if you are deploying via Autopilot and users will be logging in to an Autopilot-registered device with their company credentials.

To check this, follow the steps below.

Devices - Enroll Devices


Enrollment restrictions


Next to Default - Select - All Users


Next to Platform settings - Select - Edit


By default, all device operating systems are allowed.
Importantly, personally owned devices are also allowed.


In a production environment, you will need to carefully consider whether to block personally owned devices from enrolling in Intune / Endpoint Manager.
Note that you can also set a minimum OS version range, as well as restrict device manufacturers.

In this test environment, I will leave the defaults.

Review and Save 
Save



Go back to Enroll devices - Enrollment Restrictions.

Under the section - Device limit restrictions - 
Select - All Users


Note that by default, the device limit is set to 5


If you would like to increase this limit:
Select - Properties
Select - Edit


Use the drop down arrow to increase the limit.
Note - the highest setting is 15


Review + Save

Save

The limit will now show as updated
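
As an added example (not part of the original tutorial), the platform settings and device limit reviewed above can also be audited from an export rather than by clicking through the portal. The sketch assumes the JSON shape returned by Microsoft Graph's deviceManagement/deviceEnrollmentConfigurations endpoint; the sample data, the `audit` function and the `limit_ceiling` threshold are constructed for illustration.

```python
import json

# Constructed sample, shaped like a Microsoft Graph v1.0 response from
# GET /deviceManagement/deviceEnrollmentConfigurations (values are illustrative).
SAMPLE = json.loads("""
{"value": [
  {"@odata.type": "#microsoft.graph.deviceEnrollmentPlatformRestrictionsConfiguration",
   "displayName": "Default", "priority": 0,
   "windowsRestriction": {"platformBlocked": false, "personalDeviceEnrollmentBlocked": false,
                          "osMinimumVersion": "", "osMaximumVersion": ""},
   "iosRestriction": {"platformBlocked": false, "personalDeviceEnrollmentBlocked": true,
                      "osMinimumVersion": "16.0", "osMaximumVersion": ""},
   "androidRestriction": {"platformBlocked": true, "personalDeviceEnrollmentBlocked": false,
                          "osMinimumVersion": "", "osMaximumVersion": ""}},
  {"@odata.type": "#microsoft.graph.deviceEnrollmentLimitConfiguration",
   "displayName": "Default", "priority": 0, "limit": 5}
]}
""")

MAX_LIMIT = 15  # highest device limit setting, as noted in the tutorial


def audit(configs, limit_ceiling=5):
    """Return (policy, setting, finding) tuples for settings worth reviewing."""
    findings = []
    for cfg in configs:
        kind = cfg.get("@odata.type", "").rsplit(".", 1)[-1]
        name = cfg.get("displayName", "<unnamed>")
        if kind == "deviceEnrollmentPlatformRestrictionsConfiguration":
            for key, r in sorted(cfg.items()):
                # Skip non-restriction fields and platforms that are blocked outright.
                if not key.endswith("Restriction") or not isinstance(r, dict) or r.get("platformBlocked"):
                    continue
                if not r.get("personalDeviceEnrollmentBlocked"):
                    findings.append((name, key, "personally owned devices allowed"))
                if not r.get("osMinimumVersion"):
                    findings.append((name, key, "no minimum OS version set"))
        elif kind == "deviceEnrollmentLimitConfiguration":
            limit = cfg.get("limit")
            if not isinstance(limit, int) or not 1 <= limit <= MAX_LIMIT:
                findings.append((name, "limit", f"invalid device limit: {limit!r}"))
            elif limit > limit_ceiling:
                findings.append((name, "limit", f"device limit {limit} exceeds {limit_ceiling}"))
    return findings


if __name__ == "__main__":
    for policy, setting, finding in audit(SAMPLE["value"]):
        print(f"{policy}: {setting}: {finding}")
```

With the constructed sample, only the Windows restriction is flagged: Android is blocked outright, and iOS already blocks personal devices and sets a minimum version.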


=====================================================================

Resources / More info
Set enrollment restrictions - Link 
Intune enrollment methods for Windows devices - Link

===============================================================


 

About the author -
Terry Munro is an IT specialist based in Brisbane, Australia.
He draws upon over 20 years experience designing and delivering technical solutions to a variety of enterprise clients in the private, Government and Education sectors, to revolutionise client businesses through collaboration and getting the most value from a variety of cloud solutions.
He is passionate about learning new technologies and is a firm believer in sharing knowledge to provide a better experience for all.

You can connect with Terry
LinkedIn - https://www.linkedin.com/in/terry-munro/
Facebook - @IntuneAdmin - https://www.facebook.com/IntuneAdmin/
Facebook Community Group - https://www.facebook.com/groups/intuneadmin/ 
GitHub Repository - https://github.com/TeamTerry
