Configure enrollment restrictions
As your organization rolls out its device management strategy, you need to ensure that only approved devices gain access to corporate resources. Microsoft Intune allows you to set clear boundaries on device onboarding through enrollment restrictions.
Configuring enrollment restrictions is a proactive security measure. Enrollment restrictions define which device types, platforms, and ownership models users are allowed to enroll into the organization’s Intune management environment. These restrictions act as a foundational compliance gate, ensuring only approved and supported devices gain access.
By applying these policies before users attempt to enroll, you can prevent unsupported operating systems or unauthorized personal hardware from ever connecting to your tenant.
Microsoft Intune distinguishes between two primary categories:
- Device Type Restrictions: Control which OS platforms are allowed (Windows, macOS, iOS/iPadOS, Android, etc.).
- Device Limit Restrictions: Define how many devices a user may enroll.
Device enrollment restrictions for the user
Each user is subject to one or more enrollment restriction policies. Depending on the intended usage scenario or ownership type, these policies can apply stricter rules.
Enrollment restrictions represent the required check before a device becomes managed and before additional compliance or Conditional Access policies apply.
Bring your own device (BYOD)
For BYOD scenarios, the user must be able to register or enroll their personal device themselves. This model supports flexible access while still enforcing minimum security requirements.
Characteristics:
- Ownership: Personal
Enrollment methods:
- Microsoft Entra ID device registration
- Company Portal enrollment (mobile and desktop)
Typical Use Cases:
- Email, Teams, and Microsoft 365 app access.
- Conditional Access with App Protection.
- Light management scenarios without controlling the entire device.
Recommended Restriction Settings:
- Allow common platforms (iOS, Android, Windows).
- Define a device limit (e.g., max. 3–5 devices per user).
- Restrict unsupported platforms (e.g., macOS optional).
- Enforce minimum OS versions.
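The BYOD recommendations above as a concrete configuration, written as an added example for this page rather than code from Microsoft or the original article. It assumes the Microsoft.Graph PowerShell SDK, the Graph beta enrollment-configuration resource types as documented in the Graph reference, and placeholder OS version values and display names that you would replace with your own.

```powershell
# Added example: create a BYOD platform restriction and a device limit in Intune
# through Microsoft Graph. Resource and property names follow the Graph beta
# reference for deviceEnrollmentPlatformRestrictionsConfiguration and
# deviceEnrollmentLimitConfiguration; check them against the current docs.
Connect-MgGraph -Scopes "DeviceManagementServiceConfig.ReadWrite.All"

$uri = "https://graph.microsoft.com/beta/deviceManagement/deviceEnrollmentConfigurations"

# Platform restriction: allow iOS/iPadOS, Android Enterprise and Windows with a
# minimum OS version, block legacy Android device administrator and macOS.
# Version strings are placeholders; set them to what your organization supports.
$platformPolicy = @{
    "@odata.type" = "#microsoft.graph.deviceEnrollmentPlatformRestrictionsConfiguration"
    displayName   = "BYOD - platform restrictions"            # placeholder name
    description   = "Personal devices: common platforms only, minimum OS enforced"
    iosRestriction = @{
        platformBlocked                 = $false
        personalDeviceEnrollmentBlocked = $false
        osMinimumVersion                = "16.0"               # placeholder
    }
    androidForWorkRestriction = @{   # Android Enterprise (work profile on personal devices)
        platformBlocked                 = $false
        personalDeviceEnrollmentBlocked = $false
        osMinimumVersion                = "11.0"               # placeholder
    }
    androidRestriction = @{          # legacy Android device administrator: block
        platformBlocked                 = $true
        personalDeviceEnrollmentBlocked = $true
    }
    windowsRestriction = @{
        platformBlocked                 = $false
        personalDeviceEnrollmentBlocked = $false
        osMinimumVersion                = "10.0.19045"         # placeholder
    }
    macOSRestriction = @{            # macOS treated as unsupported for BYOD here
        platformBlocked                 = $true
        personalDeviceEnrollmentBlocked = $true
    }
}

# Device limit: at most 5 enrolled devices per user (the article suggests 3 to 5).
$limitPolicy = @{
    "@odata.type" = "#microsoft.graph.deviceEnrollmentLimitConfiguration"
    displayName   = "BYOD - device limit"                     # placeholder name
    description   = "Max 5 managed devices per user"
    limit         = 5
}

foreach ($policy in @($platformPolicy, $limitPolicy)) {
    $created = Invoke-MgGraphRequest -Method POST -Uri $uri -Body $policy
    Write-Host "Created '$($created.displayName)' with id $($created.id)"
}
```

The new policies only take effect once assigned to a user group, so follow this with an assignment and confirm the resulting priority order in the admin center; a policy created but left unassigned does not gate anyone's enrollment.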
Corporate-owned devices
Corporate-owned devices are managed more strictly and follow a controlled, standardized enrollment process. They are fully company-owned devices intended solely for business use, meaning there is no private use for devices enrolled this way.
Characteristics:
- Ownership: Corporate
- Usage: No private use (unless a COPE/Work Profile scenario is intentionally configured).
Enrollment methods:
- Windows Autopilot
- Apple ADE (via Apple Business Manager)
- Android Enterprise (Fully Managed, Dedicated, or COPE)
Recommended Restriction Settings:
- Block personal device platforms or unmanaged enrollment types.
- Enforce strict OS and security requirements.
- Require full enrollment workflows.