
Microsoft's Senior Program Manager, Matt Shadbolt, recently confirmed that the company is working on more granular control over which devices and hardware vendors users may enroll into your tenant.

Not surprisingly, the still ongoing Huawei situation has drawn a lot of attention to this (missing) feature. Although it is neither an out-of-box solution nor a fail-proof one, there is a workaround that keeps devices from one or more hardware vendors and/or models away from your corporate data.

Although you can't block the device from enrolling, you can make it useless for the user from a corporate point of view.

Azure Active Directory dynamic group

Sign in to the Azure Portal and browse to;
Azure Active Directory –> Groups. Then, click "+ New group"
While creating the new group, ensure that you make this a dynamic group (membership type: Dynamic Device) and enter the following membership rule, using straight quotes (curly quotes are rejected by the rule editor);
(device.deviceOSType -contains "OperatingSystem") -and (device.deviceManufacturer -eq "HWVendor")
e.g. (device.deviceOSType -contains "Android") -and (device.deviceManufacturer -eq "Huawei")
Note that deviceManufacturer holds whatever string the device reported at enrollment, so check the value on an already enrolled device before relying on it.


Then, the “impossible”

The trick is to use a compliance policy with an "impossible" requirement: the devices in the group can never become compliant, and a Conditional Access policy that requires a compliant device then keeps them away from corporate resources. Without such a Conditional Access policy the devices are merely marked non-compliant, so make sure that piece is in place.
For this, navigate to;
Intune –> Device compliance –> Policies –> Create policy
Then, create a compliance policy with an "impossible" value, for instance a minimum Android version of 10017 (as Android 9 is current at the time of writing, this should stay current for quite some time...)


Now, make sure that you assign this device compliance policy to the newly created (or existing) AAD group, and to that group only; assigning it to "All devices" would lock every Android device out.
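The same three steps (check the reported manufacturer, create the dynamic group, create and assign the impossible compliance policy) done from the Microsoft Graph PowerShell SDK instead of the portal. This is an added example, not code from the original post; the group and policy names, the description, the mail nickname and the 10017 value are assumptions, and the scheduled "block" action is included because Graph refuses to create a compliance policy without at least one scheduled action.

```powershell
# Added example (not part of the original post): build the dynamic group and the
# "impossible" Android compliance policy with the Microsoft Graph PowerShell SDK,
# then assign the policy to that group only.
# Requires: Install-Module Microsoft.Graph
# Names, the mail nickname and the 10017 value below are assumptions; adjust to your tenant.
Connect-MgGraph -Scopes "Group.ReadWrite.All","DeviceManagementConfiguration.ReadWrite.All","Device.Read.All"

# 1. See what the directory actually stores as manufacturer before writing the rule;
#    the string is whatever the device reported on enrollment (e.g. "HUAWEI" vs "Huawei").
Get-MgDevice -Filter "operatingSystem eq 'Android'" -All `
    -Property DisplayName,Manufacturer,Model,OperatingSystemVersion |
    Group-Object Manufacturer | Select-Object Name, Count

# 2. Dynamic device group: every Android device whose manufacturer is Huawei.
#    Straight quotes inside the rule; the membership rule editor rejects curly ones.
$rule  = '(device.deviceOSType -contains "Android") -and (device.deviceManufacturer -eq "Huawei")'
$group = New-MgGroup -DisplayName "Blocked - Huawei Android devices" `
    -MailEnabled:$false -MailNickname "blocked-huawei-android" -SecurityEnabled `
    -GroupTypes @("DynamicMembership") `
    -MembershipRule $rule -MembershipRuleProcessingState "On"

# 3. Android compliance policy with an unreachable minimum OS version.
#    Graph requires at least one scheduled action on creation; "block" with a
#    0 hour grace period marks the device non-compliant immediately.
$policy = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies" `
    -Body @{
        "@odata.type"           = "#microsoft.graph.androidCompliancePolicy"
        displayName             = "Impossible - Huawei Android"
        description             = "Minimum Android version no device can meet"
        osMinimumVersion        = "10017"
        scheduledActionsForRule = @(
            @{
                ruleName                      = "PasswordRequired"
                scheduledActionConfigurations = @(
                    @{ actionType = "block"; gracePeriodHours = 0; notificationTemplateId = "" }
                )
            }
        )
    }

# 4. Assign the policy to the dynamic group, and nothing else.
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies/$($policy.id)/assign" `
    -Body @{
        assignments = @(
            @{ target = @{ "@odata.type" = "#microsoft.graph.groupAssignmentTarget"; groupId = $group.Id } }
        )
    }
```

Step 1 is the check worth keeping even if you do the rest in the portal: if the tenant reports "HUAWEI" and the rule says "Huawei", verify that the resulting group actually gets members before trusting it. The policy only bites when a Conditional Access policy requires a compliant device; the script does not create that policy.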

Of course, as Apple is the only vendor of iOS devices, the same approach is an effective way to keep outdated Apple devices from accessing corporate data as they gradually fall out of scope for newer versions of iOS. For instance, setting the minimum iOS version to '13' later this year would be an impossible policy for the iPhone 5s, whose end station is iOS 12.x.

Bear in mind, however, that limiting outdated devices forces users to update to the latest version of the operating system to regain access. Not necessarily a bad thing, but something you ought to keep in mind.

If you prefer, you can base the dynamic membership rule on other device attributes than the hardware vendor, such as operating system, OS version or model; the device properties available to the rule are documented in Microsoft Graph.

  • Alex
