Block non-intune managed devices

Lila Liang 20 Reputation points
2024-09-03T02:24:51.04+00:00

I tried to block non-Intune-managed devices for all cloud apps.

However, regardless of the logic I used to identify those devices, the insight of the result only shows reportOnlyNotApplied or reportOnlyFailure.

I tried both include and exclude clauses on 2 policies; could somebody check this for me?


Exclude:

device.deviceOwnership -eq "Company" -or device.deviceOwnership -eq "Personal"

Include:

device.deviceOwnership -ne "Personal" -or device.deviceOwnership -ne "Company"

Please see the example below. I limited this to Windows and non-company only. The device is unknown, so it is a personal device. Why does it not match? By the way, in Intune, company devices show as corporation, but there is no choice for corporation in the condition.


Accepted answer
  1. Crystal-MSFT 48,001 Reputation points Microsoft Vendor
    2024-09-03T06:12:50.4466667+00:00

    @Lila Liang, thanks for posting in Q&A. For the device ownership value, "Personal" is for bring-your-own devices and "Company" is for corporate-owned devices.

    And from the note in the following official document: when using a positive operator, such as "Equals", with an unregistered device, the device filter is not applied. Conversely, when using a negative operator, like "NotEquals", with an unregistered device, it causes the filter to be applied.

    https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-condition-filters-for-devices

    If we only use the following filter, what do the Conditional Access policy details in the sign-in log show? Please get a screenshot to see the details.

    device.deviceOwnership -ne "Personal" -or device.deviceOwnership -ne "Company"

    If there's any update, feel free to let us know.


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
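The ownership-filter behaviour quoted above, as an added example (not Microsoft's code and not from this thread): a small evaluator for `device.<attr> -eq|-ne "<value>"` rules that applies the documented semantics, an unregistered sign-in (no device ID) makes -eq false and -ne true, and runs the two rules from the question over constructed sign-ins, including a corporate device whose sign-in carried no device ID. It also shows that the include rule matches every registered device: no ownership value is both Personal and Company, so `-ne "Personal" -or -ne "Company"` is always true. The rule-parsing (no parentheses) and the sample device records are assumptions for the example.

```python
import re
from typing import Optional

# Clause syntax: device.<attr> -eq|-ne "<value>"; clauses are joined by -or / -and.
# Modelled rule: on an unregistered device, -eq is false and -ne is true.
CLAUSE = re.compile(r'device\.(\w+)\s+-(eq|ne)\s+"([^"]*)"')

def is_registered(device: Optional[dict]) -> bool:
    """A sign-in counts as a registered device only if it carries a device ID."""
    return bool(device) and bool(device.get("deviceId"))

def eval_clause(device: Optional[dict], attr: str, op: str, value: str) -> bool:
    if not is_registered(device):
        return op == "ne"              # -eq never matches, -ne always matches
    matched = device.get(attr) == value
    return matched if op == "eq" else not matched

def eval_rule(rule: str, device: Optional[dict]) -> bool:
    """-or binds loosest, -and tighter; parentheses not supported (assumption)."""
    for disjunct in re.split(r"\s+-or\s+", rule.strip()):
        conj = True
        for part in re.split(r"\s+-and\s+", disjunct):
            m = CLAUSE.fullmatch(part.strip())
            if m is None:
                raise ValueError(f"unsupported clause: {part!r}")
            conj = conj and eval_clause(device, *m.groups())
        if conj:
            return True
    return False

def policy_applies(rule: str, mode: str, device: Optional[dict]) -> bool:
    """include: policy applies to devices matching the filter;
    exclude: matching devices are exempt, so it applies to all the others."""
    matched = eval_rule(rule, device)
    return matched if mode == "include" else not matched

# The two rules from the question.
EXCLUDE_RULE = 'device.deviceOwnership -eq "Company" -or device.deviceOwnership -eq "Personal"'
INCLUDE_RULE = 'device.deviceOwnership -ne "Personal" -or device.deviceOwnership -ne "Company"'

# Constructed sample sign-ins (not real devices).
COMPANY = {"deviceId": "constructed-id-1", "deviceOwnership": "Company"}
PERSONAL = {"deviceId": "constructed-id-2", "deviceOwnership": "Personal"}
UNREGISTERED: Optional[dict] = None
COMPANY_NO_ID = {"deviceOwnership": "Company"}   # VPN sign-in without a device ID

if __name__ == "__main__":
    for name, dev in [("company", COMPANY), ("personal", PERSONAL),
                      ("unregistered", UNREGISTERED), ("company-no-id", COMPANY_NO_ID)]:
        print(name, "exclude-rule blocks:", policy_applies(EXCLUDE_RULE, "exclude", dev),
              "include-rule blocks:", policy_applies(INCLUDE_RULE, "include", dev))
```

The exclude rule only blocks sign-ins without a device ID, while the include rule blocks every sign-in, registered or not.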


1 additional answer

  1. Lila Liang 20 Reputation points
    2024-09-04T01:38:45.8766667+00:00

    @Crystal-MSFT I checked the logs today; the rule does match the device detected.

    However, I noticed that some corporate devices (not all) did not return a device ID in the sign-in logs when connected via VPN. Therefore, these devices would be treated as unknown devices and subsequently blocked.

    How do I address this issue?

