
Microsoft's Senior Program Manager, Matt Shadbolt, recently confirmed that the company is working on more granular control over which devices and hardware vendors users may enroll into your tenant.

Not surprisingly, the recent attention on the still ongoing situation with Huawei has put a lot of focus on this (lacking) feature. Although it is not an out-of-the-box solution, nor a fail-proof one, there is a workaround to prevent your users from enrolling devices from one or more hardware vendors and/or models.

Although you can't block the device from enrolling, you can make it useless for the user from a corporate point of view.

Azure Active Directory dynamic group

Sign in to the Azure Portal and browse to Azure Active Directory –> Groups. Then, click "+ New group".
While creating the new group, ensure that you make this a dynamic group and enter the following membership rule (use straight double quotes; curly quotes pasted from a web page will not validate):
(device.deviceOSType -contains "OperatingSystem") -and (device.deviceManufacturer -eq "HWVendor")
e.g. (device.deviceOSType -contains "Android") -and (device.deviceManufacturer -eq "Huawei")

Screenshot – Solaat.no

Then, the “impossible”

The trick is to use compliance policies to limit and/or restrict access to corporate resources by assigning the affected devices a compliance policy they can never satisfy.
For this, navigate to:
Intune –> Device compliance –> Policies –> Create policy
Then, create a compliance policy with an "impossible" value, for instance a minimum Android version of 10017 (as Android 9 is current, this should stay current for quite some time…).

Screenshot – Solaat.no

Now, make sure that you assign this device compliance policy to the newly created (or existing) AAD group.

Of course, as Apple is the only vendor of iOS devices, this would be an effective way to keep outdated Apple devices from accessing corporate data as devices gradually fall out of scope for newer versions of iOS. For instance, setting the value to '13' later this year would block iPhone 5s devices, making the policy impossible for devices with iOS 12.x as their end station.

Bear in mind, however, that limiting outdated devices will force users to update to the latest version of the operating system to gain access. Not necessarily a bad thing, but something you ought to keep in mind.

If you prefer, you could browse Microsoft Graph for the specific operating system, OS version or other device attributes besides hardware vendor and build the membership rule on those instead.
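Before assigning an "impossible" policy it is worth previewing the blast radius. The following is an added example, not code from the original post: it evaluates a membership rule of the shape shown above against a constructed device inventory and reports which devices would both land in the dynamic group and fail the minimum-version setting. The inventory values are made up, and the case-insensitive matching is an assumption of this simulation rather than documented Azure AD behaviour.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample inventory (not real tenant data), keyed on the same
# device attributes the dynamic-membership rule references.
DEVICES: List[Dict[str, str]] = [
    {"name": "HW-01", "deviceOSType": "Android", "deviceManufacturer": "Huawei", "deviceOSVersion": "9.0"},
    {"name": "HW-02", "deviceOSType": "AndroidEnterprise", "deviceManufacturer": "HUAWEI", "deviceOSVersion": "8.1"},
    {"name": "SM-01", "deviceOSType": "Android", "deviceManufacturer": "Samsung", "deviceOSVersion": "9.0"},
    {"name": "IP5S", "deviceOSType": "iOS", "deviceManufacturer": "Apple", "deviceOSVersion": "12.4.1"},
    {"name": "IPXR", "deviceOSType": "iOS", "deviceManufacturer": "Apple", "deviceOSVersion": "13.0"},
]

# One clause of the rule: (device.<attribute> -eq|-contains "<value>")
CLAUSE = re.compile(r'\(device\.(\w+)\s+-(eq|contains)\s+"([^"]*)"\)')

def matches_rule(rule: str, device: Dict[str, str]) -> bool:
    """Evaluate a rule of -eq / -contains clauses joined by -and.
    Case-insensitive matching is an assumption of this simulation, not
    documented Azure AD behaviour; confirm it against your own tenant."""
    clauses = CLAUSE.findall(rule)
    if not clauses or rule.count("-and") != len(clauses) - 1:
        raise ValueError("only '(...) -and (...)' rules with -eq/-contains are supported")
    for attr, op, wanted in clauses:
        actual = device.get(attr, "").lower()
        if not (actual == wanted.lower() if op == "eq" else wanted.lower() in actual):
            return False
    return True

def version_tuple(version: str) -> Tuple[int, ...]:
    """'12.4.1' -> (12, 4, 1). Compare numerically: as plain strings '9.0'
    sorts after '10017', which would invert the check."""
    return tuple(int(part) for part in re.findall(r"\d+", version)) or (0,)

def below_minimum(device: Dict[str, str], minimum: str) -> bool:
    """True when the device fails a 'minimum OS version' compliance setting."""
    return version_tuple(device["deviceOSVersion"]) < version_tuple(minimum)

def preview(devices: List[Dict[str, str]], rule: str, minimum: str) -> List[str]:
    """Devices that land in the dynamic group AND fail the version policy,
    i.e. what the 'impossible' policy would cut off from corporate resources."""
    return [d["name"] for d in devices if matches_rule(rule, d) and below_minimum(d, minimum)]

HUAWEI_RULE = '(device.deviceOSType -contains "Android") -and (device.deviceManufacturer -eq "Huawei")'
IOS_RULE = '(device.deviceOSType -eq "iOS") -and (device.deviceManufacturer -eq "Apple")'

if __name__ == "__main__":
    print("Android/Huawei, minimum 10017:", preview(DEVICES, HUAWEI_RULE, "10017"))
    print("iOS/Apple, minimum 13:", preview(DEVICES, IOS_RULE, "13"))
```

Note that `-contains "Android"` also sweeps in device types such as AndroidEnterprise, which is usually what you want, and that the version check must be numeric or an "impossible" value like 10017 compares as smaller than 9.0.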
