What are enrollment restrictions?

Applies to

  • Android
  • iOS
  • macOS
  • Windows 10
  • Windows 11

Device enrollment restrictions let you restrict enrollment based on device attributes. When restrictions are applied, users on restricted devices or who exceed the device limit are blocked from enrolling in Microsoft Intune. There are two types of device enrollment restrictions you can configure in Microsoft Intune:

  • Device platform restrictions define which platforms, versions, and management types can enroll. In Intune, you can restrict device platforms, OS versions, manufacturer, and personally owned devices.
  • Device limit restrictions define how many devices each user can enroll.

Each restriction type comes with one default policy that you can edit and customize as needed. Intune applies the default to all user and userless enrollments until you assign a higher-priority policy.

This article provides an overview of the available enrollment restrictions. When you're ready to create an enrollment restriction policy, see Next steps (in this article).

Available restrictions

You can configure the following restrictions in the admin center:

  • Device limit
  • Device platform
  • OS version
  • Device manufacturer
  • Device ownership (personally-owned devices)

Device limit

Put a limit on the number of devices a person can enroll. You can set the device limit from 1 to 15.

This configuration is in the admin center under Enrollment device limit restrictions.

Device platform

Block devices running on a specific device platform. You can apply this restriction to devices running:

  • Android device administrator
  • Android Enterprise work profile
  • iOS/iPadOS
  • macOS
  • Windows 10/11

In groups where both Android platforms are allowed, devices that support work profile will enroll with a work profile. Devices that don't support work profile will enroll on the Android device administrator platform. Neither work profile nor device administrator enrollment will work until you complete all prerequisites for Android enrollment.

This restriction is in the admin center under Enrollment device platform restrictions.

OS version

This restriction enforces your maximum and minimum OS version requirements. This type of restriction works with the following operating systems:

  • Android device administrator*
  • Android Enterprise work profile*
  • iOS/iPadOS*
  • Windows

* Version restrictions are supported on these operating systems for devices enrolled via Intune Company Portal only.

This restriction is in the admin center under Enrollment device platform restrictions.

Device manufacturer

This restriction blocks devices made by specific manufacturers, and is applicable to Android devices only. It is in the admin center under Enrollment device platform restrictions.

Personally-owned devices

This restriction helps prevent device users from accidentally enrolling their personal devices, and applies to devices running:

  • Android
  • iOS/iPadOS
  • macOS
  • Windows 10/11

This restriction is in the admin center under Enrollment device platform restrictions.
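The following Python is an added illustration, not Intune's own code or schema: it models how the five restriction types described above (device limit, platform, OS version, manufacturer, ownership) combine when a single enrollment request is evaluated, including the default-policy fallback for users without an assigned policy and for userless enrollments, and the work profile versus device administrator routing for Android. All class and field names (PlatformRule, RestrictionPolicy, EnrollmentRequest, the platform identifiers) and the sample policies and requests are constructed for this example.

```python
"""Model of how Intune enrollment restrictions compose (illustrative, hypothetical names)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

ANDROID_PLATFORMS = ("android_da", "android_work_profile")


@dataclass
class PlatformRule:
    """One platform row of a device platform restriction (hypothetical field names)."""
    blocked: bool = False
    os_min: Optional[str] = None
    os_max: Optional[str] = None
    blocked_manufacturers: FrozenSet[str] = frozenset()  # honoured for Android platforms only
    personal_blocked: bool = False


@dataclass
class RestrictionPolicy:
    name: str
    priority: int                        # lower value wins among assigned policies
    platforms: Dict[str, PlatformRule]
    device_limit: int = 15               # the article allows 1 to 15
    is_default: bool = False

    def __post_init__(self) -> None:
        if not 1 <= self.device_limit <= 15:
            raise ValueError("device limit must be between 1 and 15")


@dataclass
class EnrollmentRequest:
    platform: str                        # "android", "ios", "macos" or "windows"
    os_version: str
    manufacturer: str
    corporate_owned: bool
    user: Optional[str]                  # None models a userless enrollment
    supports_work_profile: bool = False


def parse_version(version: str) -> Tuple[int, ...]:
    return tuple(int(part) for part in version.split("."))


def select_policy(policies: List[RestrictionPolicy], user: Optional[str],
                  assignments: Dict[str, Set[str]]) -> RestrictionPolicy:
    """Highest-priority policy assigned to the user; the default policy otherwise."""
    assigned = assignments.get(user, set()) if user is not None else set()
    candidates = [p for p in policies if p.name in assigned]
    if candidates:
        return min(candidates, key=lambda p: p.priority)
    return next(p for p in policies if p.is_default)


def resolve_android_platform(policy: RestrictionPolicy, request: EnrollmentRequest) -> str:
    """Work profile when the device supports it and it is allowed; device administrator otherwise."""
    work_profile = policy.platforms.get("android_work_profile", PlatformRule())
    if request.supports_work_profile and not work_profile.blocked:
        return "android_work_profile"
    return "android_da"


def evaluate(policy: RestrictionPolicy, request: EnrollmentRequest,
             enrolled_count: int) -> Tuple[bool, str, str]:
    """Return (allowed, reason, resolved platform) for one enrollment request."""
    platform = request.platform
    if platform == "android":
        platform = resolve_android_platform(policy, request)
    rule = policy.platforms.get(platform, PlatformRule())

    if rule.blocked:
        return False, f"platform {platform} is blocked", platform
    version = parse_version(request.os_version)
    if rule.os_min and version < parse_version(rule.os_min):
        return False, f"OS version {request.os_version} is below minimum {rule.os_min}", platform
    if rule.os_max and version > parse_version(rule.os_max):
        return False, f"OS version {request.os_version} is above maximum {rule.os_max}", platform
    if platform in ANDROID_PLATFORMS and request.manufacturer.lower() in rule.blocked_manufacturers:
        return False, f"manufacturer {request.manufacturer} is blocked", platform
    if not request.corporate_owned and rule.personal_blocked:
        return False, "personally owned devices are blocked on this platform", platform
    # Device limits are per user, so a userless enrollment is not counted against one.
    if request.user is not None and enrolled_count >= policy.device_limit:
        return False, f"device limit of {policy.device_limit} reached", platform
    return True, "allowed", platform


# Constructed sample policies: a permissive default and a stricter assigned policy.
DEFAULT_POLICY = RestrictionPolicy(
    name="Default", priority=100, device_limit=5, is_default=True,
    platforms={p: PlatformRule() for p in ("android_da", "android_work_profile", "ios", "macos", "windows")},
)
STRICT_POLICY = RestrictionPolicy(
    name="Contoso-strict", priority=1, device_limit=3,
    platforms={
        "android_da": PlatformRule(blocked=True),
        "android_work_profile": PlatformRule(os_min="11.0", blocked_manufacturers=frozenset({"acmephone"})),
        "ios": PlatformRule(os_min="16.0", personal_blocked=True),
        "macos": PlatformRule(personal_blocked=True),
        "windows": PlatformRule(os_min="10.0.19045"),
    },
)
POLICIES = [DEFAULT_POLICY, STRICT_POLICY]
ASSIGNMENTS = {"alice": {"Contoso-strict"}, "carol": {"Contoso-strict"}}  # bob falls back to default
ENROLLED_DEVICES = {"alice": 1, "carol": 3}                                # constructed counts

SAMPLE_REQUESTS = {  # constructed enrollment requests
    "alice_android_work_profile": EnrollmentRequest("android", "13", "Samsung", True, "alice", True),
    "alice_android_no_work_profile": EnrollmentRequest("android", "13", "Samsung", True, "alice", False),
    "alice_blocked_manufacturer": EnrollmentRequest("android", "13", "AcmePhone", True, "alice", True),
    "alice_ios_old": EnrollmentRequest("ios", "15.7", "Apple", False, "alice"),
    "alice_ios_personal": EnrollmentRequest("ios", "17.1", "Apple", False, "alice"),
    "carol_at_limit": EnrollmentRequest("ios", "17.1", "Apple", True, "carol"),
    "bob_default_policy": EnrollmentRequest("android", "9", "AcmePhone", False, "bob", False),
    "userless_windows": EnrollmentRequest("windows", "10.0.19045", "Dell", True, None),
}


def decide(request: EnrollmentRequest) -> Tuple[bool, str, str]:
    policy = select_policy(POLICIES, request.user, ASSIGNMENTS)
    count = ENROLLED_DEVICES.get(request.user, 0) if request.user is not None else 0
    return evaluate(policy, request, count)


def run_samples() -> Dict[str, Tuple[bool, str, str]]:
    return {name: decide(req) for name, req in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, (allowed, reason, platform) in run_samples().items():
        print(f"{name:32} {platform:22} {'ALLOW' if allowed else 'BLOCK'}: {reason}")
```

The check order (platform, OS version, manufacturer, ownership, device limit) is this example's own choice; the point it makes is that an Android device without work profile support is routed to the device administrator row and is then subject to that row's block, that the manufacturer rule never fires for non-Android platforms, and that a userless enrollment is judged only by the default policy and never against a per-user device limit.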

Blocking personal Android devices

By default, until you manually make changes in the admin center, your Android Enterprise work profile device settings and Android device administrator device settings are the same.

If you block Android Enterprise work profile enrollment on personal devices, only corporate-owned devices can enroll with personally-owned work profiles.

Blocking personal iOS/iPadOS devices

By default, Intune classifies iOS/iPadOS devices as personally-owned. To be classified as corporate-owned, an iOS/iPadOS device must fulfill one of the following conditions:

Note

An iOS User Enrollment profile overrides an enrollment restriction policy. For more information, see Set up iOS/iPadOS and iPadOS User Enrollment (preview).

Blocking personal Macs

By default, Intune classifies macOS devices as personally-owned. To be classified as corporate-owned, a Mac must fulfill one of the following conditions:

Blocking personal Windows devices

If you block personally owned Windows devices from enrollment, Intune checks to make sure that each new Windows enrollment request has been authorized for corporate enrollment. Unauthorized enrollments are blocked.

The following enrollment methods are authorized for corporate enrollment:

Note

Since a co-managed device enrolls in the Microsoft Intune service based on its Azure AD device token, and not a user token, only the default Intune enrollment restriction will apply to it.

Intune marks devices going through the following types of enrollments as corporate-owned, and blocks them from enrolling because these methods don't offer the Intune administrator per-device control:

Intune also blocks personal devices using these enrollment methods:

* These won't be blocked if registered with Autopilot.

Limitations

  • Enrollment restrictions are applied to users. For enrollment scenarios that aren't user-driven, such as Windows Autopilot self-deploying mode, bulk enrollment (WCD), or Azure Virtual Desktop, Intune enforces the default policy.

  • Device limit restrictions can't be applied to devices in the following Windows enrollment scenarios, because these scenarios utilize shared device mode:

    • Co-managed enrollments
    • Group Policy (GPO) enrollments
    • Azure Active Directory (Azure AD) joined enrollments, including bulk enrollments
    • Windows Autopilot enrollments
    • Device enrollment manager enrollments

    Instead, you can configure a hard limit for these enrollment types in Azure AD. For more information, see Manage device identities by using the Azure portal.

Next steps

Use the table of contents to step through each article in the enrollment restrictions how-to guide, or jump to an article using the following links: