In our environment, we use Office 365 Basic Mobility and Security. Enrollment of an Apple iPhone is currently accomplished through the company portal app and requires MFA.
We have a need to tighten this up from a security standpoint. The background of this is that we are wanting to generally implement Conditional Access so that access to any of our cloud-based services is secured by credentials + Authenticator App push notification + using a device that is either Entra Hybrid Joined (for Windows) or marked Compliant (for iPhones).
I've got the CA policy for Windows devices working now without much issue. I have it working for iPhones also, with one big caveat. Enrollment in the Company Portal app does not respect device restrictions (being marked Compliant in this case). It's obvious why it's this way...you could easily create a catch-22 where attempting to enroll a device would be rejected because the device is not compliant...but it would never be possible for the device to be compliant since it's not enrolled!
I attempted to set a network location condition in our Conditional Access policy on the idea that it might allow me to block Company Portal enrollment unless the phone is connected to the Wi-Fi network in one of our physical locations. This was based on the idea that an attacker who has stolen credentials and defeated MFA would then have to physically show up at our location and attempt to enroll his device using the Company Portal app; however, this restriction was not honored.
I need an alternative. I have looked into using DEM, Corporate Identifiers, and device registration limits.
With Corporate Identifiers, I'm not sure I can prevent Company Portal user-based enrollment. My understanding is that user enrollment through the Company Portal app will cause a device to be seen as "Personal" even if the device's IMEI or Serial Number is present in the Corporate Identifiers list, meaning if I set personal device enrollment to blocked, it would block all enrollments. I would like to be told I am wrong on this, but this is my current perception of the situation.
I looked into DEM a bit, but that appears to be specific to Windows and doesn't work with Apple.
Device registration limits strike me as a band-aid, half solution. The idea is that I would limit the number of devices that could be enrolled by each user to a single device, and my department would supervise enrollment when phones are replaced.
I've also considered just disabling all device enrollment and leaving it turned off, on the idea that I would turn it on when someone replaced a device. This happens infrequently enough that it would be a viable, if clunky, solution to the problem.
With any of these, I'm not sure how that affects getting the MFA app installed on a new device.
To recap, what I'm trying to do is make authentication require a registered or compliant device, a valid username and password, and an MFA challenge, while not having a situation where a device can be enrolled with only username and password plus MFA challenge...because that would defeat the purpose of having Cloud Apps only accessible to compliant / Hybrid Joined devices. Do I have any options on this?
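The grant rule described in the post (MFA plus a hybrid-joined Windows device or a compliant iPhone) is normally split across two Conditional Access policies, because a single policy combines its grant controls with one AND/OR operator. The following is an added example, not code from the original post: it writes those two policies in the shape of the Microsoft Graph conditionalAccessPolicy resource and evaluates sample sign-ins against the set, so you can see which combinations of credentials, MFA and device state get through. The policy names and the simplified evaluator are constructed for this example; only the Graph field names and builtInControls values are real.

```python
"""Added example: two Conditional Access policies in Graph conditionalAccessPolicy
shape, plus a small evaluator that applies their grant controls to a sign-in.
Policy names are constructed; the evaluator is a simplification, not Entra's engine."""

# CA01: every sign-in to every cloud app must pass MFA.
REQUIRE_MFA = {
    "displayName": "CA01 - Require MFA for all cloud apps",  # constructed name
    "state": "enabled",
    "conditions": {
        "users": {"includeUsers": ["All"]},
        "applications": {"includeApplications": ["All"]},
        "platforms": {"includePlatforms": ["all"]},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}

# CA02: on Windows and iOS the device must also be hybrid-joined or compliant.
REQUIRE_DEVICE = {
    "displayName": "CA02 - Require hybrid-joined or compliant device",  # constructed
    "state": "enabled",
    "conditions": {
        "users": {"includeUsers": ["All"]},
        "applications": {"includeApplications": ["All"]},
        "platforms": {"includePlatforms": ["windows", "iOS"]},
    },
    "grantControls": {"operator": "OR",
                      "builtInControls": ["domainJoinedDevice", "compliantDevice"]},
}

POLICIES = [REQUIRE_MFA, REQUIRE_DEVICE]


def applies_to(policy, platform):
    """An enabled policy applies when it targets all platforms or this one."""
    plats = policy["conditions"]["platforms"]["includePlatforms"]
    return policy["state"] == "enabled" and ("all" in plats or platform in plats)


def evaluate(policies, platform, satisfied):
    """Return 'allow' only if every applicable policy is satisfied.
    `satisfied` is the set of builtInControls the session can prove, e.g.
    {"mfa", "compliantDevice"}. "AND" needs all listed controls, "OR" any one."""
    for policy in policies:
        if not applies_to(policy, platform):
            continue
        grant = policy["grantControls"]
        needed = grant["builtInControls"]
        if "block" in needed:
            return "block"
        check = all if grant["operator"] == "AND" else any
        if not check(control in satisfied for control in needed):
            return "block"
    return "allow"
```

Note that a sign-in from a platform CA02 does not list (for example macOS) is held only to CA01, which is worth checking in your own policy set.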