Intune Enrollment Restrictions: Complete Configuration Guide

Learn how to configure enrollment restrictions in Intune to control device enrollment, including platform restrictions, device limits, OS version requirements, and personal device blocking.

By Ali Alame

Enrollment restrictions in Microsoft Intune allow you to control which devices can enroll and be managed by Intune. These restrictions help prevent unauthorized device enrollment, limit the number of devices per user, and enforce platform and OS version requirements.

Understanding Enrollment Restrictions

Enrollment restrictions in Intune help you control device enrollment by restricting platforms, limiting device counts, enforcing OS versions, and blocking personal devices. These restrictions apply before devices enroll, preventing unauthorized or noncompliant devices from being managed.

Key Benefits

  • Security: Prevent unauthorized device enrollment
  • Control: Limit devices per user
  • Compliance: Enforce OS version requirements
  • BYOD Management: Control personal device enrollment
  • Platform Control: Restrict specific platforms

For an overview, see "What are enrollment restrictions?"

Types of Enrollment Restrictions

Device Limit Restrictions

Limit the number of devices a user can enroll:

  1. Navigate to Devices > Enroll devices > Enrollment device limit restrictions
  2. Select Create restriction
  3. Configure device limit (1-15 devices)
  4. Assign to user groups

Use Cases:

  • Control device sprawl
  • Limit per-user device count
  • Manage enrollment costs

Device Platform Restrictions

Block or allow specific device platforms:

  1. Navigate to Devices > Enroll devices > Device platform restrictions
  2. Select platform tab (Windows, Android, iOS, macOS)
  3. Select Create restriction
  4. Configure platform settings

Available Restrictions:

  • Platform: Allow or Block platform
  • MDM: Allow or Block MDM enrollment (Windows, macOS, iOS)
  • Personally owned devices: Allow or Block personal devices
  • OS version: Minimum and maximum OS versions
  • Device manufacturer: Block specific manufacturers (Android)

For details, see Create device platform restrictions.

Creating Platform Restrictions

Windows Restrictions

  1. Navigate to Devices > Enroll devices > Device platform restrictions > Windows restrictions
  2. Select Create restriction
  3. Configure:
    • MDM: Allow or Block
    • Personally owned devices: Allow or Block
    • OS version: Min and max versions

Authorized Corporate Enrollment Methods:

  • Windows Autopilot
  • Group Policy enrollment
  • Configuration Manager co-management
  • Bulk provisioning package
  • Device enrollment manager account

For details, see Blocking personal Windows devices.

Android Restrictions

  1. Navigate to Android restrictions tab
  2. Select Create restriction
  3. Configure:
    • Platform: Allow or Block
    • Personally owned devices: Allow or Block
    • OS version: Min and max versions
    • Device manufacturer: Block specific manufacturers

Note: Android device administrator is deprecated. Consider blocking it.

iOS/iPadOS Restrictions

  1. Navigate to iOS restrictions tab
  2. Select Create restriction
  3. Configure:
    • MDM: Allow or Block
    • Personally owned devices: Allow or Block
    • OS version: Min and max versions

Corporate Device Identification:

  • Registered with serial number or IMEI
  • Enrolled via Automated Device Enrollment

macOS Restrictions

  1. Navigate to macOS restrictions tab
  2. Select Create restriction
  3. Configure:
    • MDM: Allow or Block
    • Personally owned devices: Allow or Block
    • OS version: Min and max versions

Corporate Device Identification:

  • Registered with serial number
  • Enrolled via Apple Automated Device Enrollment

OS Version Restrictions

Enforce minimum and maximum OS versions:

Supported Platforms:

  • Android device administrator*
  • Android Enterprise work profile*
  • iOS/iPadOS*
  • Windows

*Version restrictions supported for Company Portal enrollment only.

Version Formats:

  • Windows: major.minor.build.0 (revision always 0)
  • Android: major.minor.rev.build
  • iOS/iPadOS: major.minor.rev
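
A pre-flight check for the minimum and maximum values, added here as an example that is not from the original article or from Microsoft: it validates a bound against the formats listed above and tests constructed pilot device versions against it. The function names and the comparison rules (numeric per component, short device versions padded with zeros, Windows revision treated as 0) are assumptions for illustration.

```python
import re

# Component counts from the "Version Formats" list above.
COMPONENTS = {"windows": 4, "android": 4, "ios": 3}

def parse_bound(platform, text):
    """Parse a min/max value in the platform's format; raise ValueError if malformed."""
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"{text!r}: use digits separated by dots")
    parts = tuple(int(p) for p in text.split("."))
    if len(parts) != COMPONENTS[platform]:
        raise ValueError(f"{text!r}: {platform} expects {COMPONENTS[platform]} components")
    if platform == "windows" and parts[3] != 0:
        raise ValueError(f"{text!r}: Windows revision must be 0")
    return parts

def check_bounds(platform, minimum=None, maximum=None):
    """Return the problems with a min/max pair before it is saved in a restriction."""
    problems, parsed = [], {}
    for label, value in (("minimum", minimum), ("maximum", maximum)):
        if value is not None:
            try:
                parsed[label] = parse_bound(platform, value)
            except ValueError as exc:
                problems.append(f"{label}: {exc}")
    if len(parsed) == 2 and parsed["minimum"] > parsed["maximum"]:
        problems.append("minimum is above maximum: no version satisfies both")
    return problems

def blocked_by_bounds(platform, device_version, minimum=None, maximum=None):
    """True if a device's reported version falls outside the bounds.
    Assumed comparison rules (not taken from Intune): numeric per component,
    short device versions padded with zeros, Windows revision treated as 0.
    """
    size = COMPONENTS[platform]
    dev = [int(p) for p in device_version.split(".")][:size]
    dev += [0] * (size - len(dev))
    if platform == "windows":
        dev[3] = 0
    low = parse_bound(platform, minimum) if minimum else None
    high = parse_bound(platform, maximum) if maximum else None
    return bool((low and tuple(dev) < low) or (high and tuple(dev) > high))

# Constructed pilot inventory and proposed minimums (not real device data).
PILOT = [("windows", "10.0.19045.4412"), ("windows", "10.0.22631.3593"), ("android", "9")]
MINIMUMS = {"windows": "10.0.22000.0", "ios": "17.0.0", "android": "10.0.0.0"}

if __name__ == "__main__":
    for platform, version in PILOT:
        print(platform, version, blocked_by_bounds(platform, version, MINIMUMS[platform]))
```

The Android entry shows why the comparison has to be numeric: as plain strings, "9" sorts above "10.0.0.0".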

Device Manufacturer Restrictions

Block specific Android device manufacturers:

  1. Configure Android platform restriction
  2. Enter comma-separated list of manufacturers
  3. Devices from listed manufacturers are blocked

Use Cases:

  • Block unsupported manufacturers
  • Restrict to approved vendors
  • Control device compatibility

Assignment Filters

Use assignment filters to refine restrictions:

  1. Create enrollment restriction
  2. Assign to groups
  3. Select Edit filter
  4. Apply preconfigured filter

Supported Filter Properties:

  • Only a limited set of properties is available, because devices are not yet enrolled
  • Windows: operatingSystemSKU, manufacturer
  • iOS: manufacturer
  • Android: manufacturer

For details, see Apply assignment filters.

Best Practices

1. Block Unsupported Platforms

  • Block platforms you don't support
  • Keep restrictions current
  • Review platform support regularly
  • Update restrictions as needed

2. Limit Personal Devices

  • Block personal devices when possible
  • Use corporate identifiers
  • Configure authorized enrollment methods
  • Document exceptions

3. Enforce OS Versions

  • Set minimum OS versions
  • Block unsupported versions
  • Plan OS upgrade strategy
  • Communicate requirements

4. Set Device Limits

  • Configure appropriate limits
  • Consider user needs
  • Monitor enrollment counts
  • Adjust as needed

5. Test Restrictions

  • Test with pilot groups
  • Verify restriction behavior
  • Test authorized methods
  • Validate user experience

Troubleshooting

Common Issues

  1. Authorized Devices Blocked
    • Verify corporate identifiers
    • Check enrollment method
    • Review restriction settings
    • Test with different methods

  2. Restrictions Not Applying
    • Verify group assignments
    • Check restriction priority
    • Review filter settings
    • Wait for sync (up to 15 minutes)

  3. Unexpected Enrollment
    • Review all restrictions
    • Check restriction priority
    • Verify group membership
    • Review authorized methods

For troubleshooting, see Unblock Windows "Set up for work or school" enrollment.

Conclusion

Enrollment restrictions provide essential controls for managing device enrollment. The best practices from this guide:

✅ Block unsupported platforms
✅ Limit personal device enrollment
✅ Enforce OS version requirements
✅ Set appropriate device limits
✅ Test restrictions thoroughly

By following them, you can control which devices enroll in Intune, prevent unauthorized enrollment, and ensure devices meet your organization's requirements.

Remember: Enrollment restrictions apply before devices enroll. Always test restrictions with pilot groups and verify authorized enrollment methods work correctly before enforcing restrictions broadly.