Custom enrollment restriction policy not working for iOS user enrollment

asked 2020-11-08T11:42:56.227+00:00
Julian Pawlowski 96 Reputation points

I have disabled personally owned devices for all users in Intune's default enrollment restriction policy.

Now I would like to re-enable it for a subset of users. To achieve this, I have created a custom enrollment restriction policy with personally owned set to "Allow" for iOS/iPadOS devices. I created a security group and assigned this to the "Included groups" section. Obviously, I also added my test user account to that group as well.

Looking to the troubleshooting section in the Endpoint Manager web console, the custom enrollment restriction policy is active for that user. However, I can only use device enrollment with that user, it is not possible to use user enrollment only (error message "Platform not allowed for personal"). It will work however if I re-enable personally owned devices for the default restriction policy. Even though that policy is not active for that user because the custom policy has higher priority, the default policy is still applied here. Strangely enough the debug console does not show any OS information. Doesn't matter it seems because like I said, it does work as expected when the default enrollment restriction policy allows "personally owned" for everyone.

38212-ios-user-enrollment-policy-issue.png

This really looks like a bug to me.

Anyone has a solution for this or knows how to file a bug report to MSFT to ensure this will be fixed soon?

Microsoft Intune Enrollment
Microsoft Intune Enrollment
Microsoft Intune: A Microsoft cloud-based management solution that offers mobile device management, mobile application management, and PC management capabilities.Enrollment: The process of requesting, receiving, and installing a certificate.
838 questions
No comments
{count} votes

Accepted answer
  1. answered 2020-11-27T11:39:58.757+00:00
    Julian Pawlowski 96 Reputation points

    Thanks for your feedback! Meanwhile I got several other tenants facing the same issue. Like I was saying device enrollment is working as expected but enrollment restrictions do not apply to user enrollment as expected.

    Can't find any existing known issue on user voice, otherwise I had upvoted it already. Also, I don't agree this is a missing feature, it is rather a bug that is discovered as part as public preview of the user enrollment feature. I find this to be really annoying how to give feedback for bugs (not only for this MSFT product). A bug is different from a missing feature where you would up/downvote. A bug shall be fixed to provide the already defined feature set.

    I have also opened a regular ticket for this, but it is also quite painful and extremely time consuming as this always feels like I as a customer (and on behalf of our joint customers) must proof that the bug is real rather than that MSFT is trying to proof that there is no bug. I mean, we're not in cort here but it always feels like we are and we are working against each other, not together. In the end, I am taking time, effort and money to help make Microsofts products better and don't feel this is really welcome by 1st and 2nd level support lines in Microsoft... they seem to be hired to block feedback away from the product groups. If I had no other ways to get in direct touch with the product groups, which definately not every customer has, I would be totally lost.


3 additional answers

Sort by: Most helpful
  1. answered 2020-11-09T04:09:52.897+00:00
    Crystal-MSFT 19,331 Reputation points Microsoft Employee

    @Julian Pawlowski , For our issue, I have tested with device enrollment. it is also working. For user enrollment, I have some limitation on it. To check our issue, we can test some more devices to see if the result is the same. If yes, it seems to be a known issue. We can feedback to Intune uservoice.
    https://microsoftintune.uservoice.com/forums/291681-ideas

    Hope it can help.


    If the response is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    No comments

  2. answered 2021-02-24T12:16:16.06+00:00
    Daniel Neto 1 Reputation point

    I have the same scenario here. Exactly how @Julian Pawlowski describes. I also open a ticket.

    No comments

  3. answered 2021-02-24T12:30:39.313+00:00
    Julian Pawlowski 96 Reputation points

    Support investigation results here where that the PG confirmed this to be an "expected behavior", however not willing to confirm this to be a bug.
    "Feature improvements" are on the roadmap I was told, obviously it does not seem to have high priority at the moment.

    No comments