Blocking specific hardware manufacturers from corporate resources

Posted August 21, 2019 in Microsoft, Security

Microsoft's Senior Program Manager, Matt Shadbolt, recently confirmed that the company is working on more granular control over which devices and hardware vendors users may enroll in your tenant.

Not surprisingly, the recent attention to the still ongoing situation with Huawei has given this (missing) feature a lot of focus. Although it is not an out-of-the-box solution, nor a fail-proof one, there is a workaround to prevent your users from enrolling devices from one or more hardware vendors and/or models.

Although you can't block the device from enrolling, you can render it useless to the user from a corporate point of view.

Azure Active Directory dynamic group

Sign in to the Azure Portal and browse to:
Azure Active Directory –> Groups. Then, click "+ New group".
While creating the new group, ensure that you make it a dynamic group and enter the following membership rule (straight quotes, as the rule editor expects):
(device.deviceOSType -contains "OperatingSystem") -and (device.deviceManufacturer -eq "HWVendor")
e.g. (device.deviceOSType -contains "Android") -and (device.deviceManufacturer -eq "Huawei")

Screenshot – Solaat.no

Then, the “impossible”

The trick is to use compliance policies to limit and/or restrict access to corporate resources by assigning these devices a compliance policy they can never satisfy.
For this, navigate to:
Intune –> Device compliance –> Policies –> Create policy
Then, create a compliance policy with an "impossible" value, for instance a minimum Android version of 10017 (as Android 9 is current, this should stay current for quite some time…).

Screenshot – Solaat.no

Now, make sure that you assign this device compliance policy to the newly created (or existing) AAD group. Note that the resulting "not compliant" state only blocks access where a Conditional Access policy requires a compliant device, so check that such a policy covers the resources you want to protect.
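The same three steps (dynamic group, impossible compliance policy, assignment) as an added PowerShell example using the Microsoft Graph PowerShell SDK; this is not code from the original post. It assumes the SDK is installed, that you hold Intune administrator rights, and the group/policy names and the "Huawei" vendor string are placeholder values you would adapt.

```powershell
# Added example (not from the original post): automates the portal steps above with the
# Microsoft Graph PowerShell SDK. Assumes the SDK is installed and an Intune admin account;
# display names and the vendor value are constructed placeholders.
Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'DeviceManagementConfiguration.ReadWrite.All'

$vendor = 'Huawei'   # hardware vendor to quarantine (placeholder value)

# 1. Dynamic device group with the same membership rule as the portal step.
$rule  = "(device.deviceOSType -contains ""Android"") -and (device.deviceManufacturer -eq ""$vendor"")"
$group = New-MgGroup -DisplayName "Blocked vendor - $vendor" `
    -MailEnabled:$false -MailNickname "blockedvendor$($vendor.ToLower())" -SecurityEnabled `
    -GroupTypes 'DynamicMembership' -MembershipRule $rule -MembershipRuleProcessingState 'On'

# 2. "Impossible" Android compliance policy: a minimum OS version no device can meet.
#    Graph requires at least one scheduledActionsForRule entry when creating a policy;
#    a block action with zero grace hours marks devices non-compliant immediately.
$policyBody = @{
    '@odata.type'           = '#microsoft.graph.androidCompliancePolicy'
    displayName             = "Impossible policy - $vendor"
    osMinimumVersion        = '10017'
    scheduledActionsForRule = @(@{
        ruleName                      = 'PasswordRequired'
        scheduledActionConfigurations = @(@{
            actionType = 'block'; gracePeriodHours = 0
            notificationTemplateId = ''; notificationMessageCCList = @()
        })
    })
}
$policy = Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies' -Body $policyBody

# 3. Assign the policy to the dynamic group only, so no other device is affected.
$assignBody = @{ assignments = @(@{ target = @{
    '@odata.type' = '#microsoft.graph.groupAssignmentTarget'; groupId = $group.Id } }) }
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies/$($policy.id)/assign" `
    -Body $assignBody

# 4. Check what the rule actually caught before relying on it (membership evaluation
#    takes a few minutes, and manufacturer strings vary in spelling and casing).
Get-MgGroupMember -GroupId $group.Id -All | ForEach-Object {
    Get-MgDevice -DeviceId $_.Id | Select-Object DisplayName, OperatingSystem, Manufacturer, Model
}
```

Run step 4 again after the group has populated and compare the manufacturer values against your inventory; a vendor that reports itself under more than one name needs an extra `-or` clause in the rule.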

Of course, as Apple is the only vendor of iOS devices, this would be an effective way to keep outdated Apple devices from accessing corporate data as devices gradually fall out of scope for newer versions of iOS. For instance, blocking iPhone 5s devices by setting the value to '13' later this year would make an impossible policy for devices whose final supported version is iOS 12.x.

Bear in mind, however, that limiting outdated devices will force users to update to the latest versions of the operating system to gain access. Not necessarily a bad thing, but something you ought to keep in mind.

If you prefer, you could query Microsoft Graph for other device attributes, such as the specific operating system or OS version, rather than the hardware vendor.
