Microsoft's Senior Program Manager, Matt Shadbolt, recently confirmed that the company is working on more granular control over which devices and hardware vendors users may enroll in your tenant.

Not surprisingly, the recent attention to the still-ongoing situation with Huawei has given this (lacking) feature a lot of focus. Although it is not an out-of-the-box solution, nor a fail-proof one, there is a workaround to prevent your users from enrolling devices from one or more hardware vendors and/or models.

Although you can't block the device from enrolling, you can make it useless for the user from a corporate point of view.

Azure Active Directory dynamic group

Sign in to the Azure Portal and browse to:
Azure Active Directory –> Groups. Then, click "+ New group".
While creating the new group, make it a dynamic device group and enter the following membership rule:
(device.deviceOSType -contains "OperatingSystem") -and (device.deviceManufacturer -eq "HWVendor")
e.g. (device.deviceOSType -contains "Android") -and (device.deviceManufacturer -eq "Huawei")

Then, the “impossible”

The trick is to use compliance policies to limit and/or restrict access to corporate resources by assigning the devices a compliance policy they cannot possibly meet.
For this, navigate to:
Intune –> Device compliance –> Policies –> Create policy
Then, create a compliance policy with an "impossible" value, for instance a minimum Android version of 10017 (as Android 9 is current, this should stay out of reach for quite some time…)

Now, make sure that you assign this device compliance policy to the newly created (or existing) AAD group.
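
The portal steps above, scripted against Microsoft Graph, as an added example that is not part of the original post. It assumes the Microsoft.Graph PowerShell module, an account allowed to consent to the listed scopes, and Android device administrator enrollments; the group and policy names are hypothetical placeholders.

```powershell
# Added example, not the author's code. Display names are placeholders.
Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'DeviceManagementConfiguration.ReadWrite.All'

# 1. Dynamic device group using the membership rule from the article.
#    Straight quotes are required; curly quotes pasted from a web page are rejected.
$rule  = '(device.deviceOSType -contains "Android") -and (device.deviceManufacturer -eq "Huawei")'
$group = New-MgGroup -DisplayName 'Blocked vendor - Android Huawei' `
    -MailEnabled:$false -MailNickname 'blocked-vendor-android-huawei' `
    -SecurityEnabled -GroupTypes 'DynamicMembership' `
    -MembershipRule $rule -MembershipRuleProcessingState 'On'

# 2. "Impossible" Android compliance policy: minimum OS version 10017.
#    The create call carries a block action, which Intune expects for new
#    compliance policies.
$policyBody = @{
    '@odata.type'           = '#microsoft.graph.androidCompliancePolicy'
    displayName             = 'Impossible policy - blocked vendor'
    osMinimumVersion        = '10017'
    scheduledActionsForRule = @(
        @{
            ruleName                      = 'PasswordRequired'
            scheduledActionConfigurations = @(
                @{ actionType = 'block'; gracePeriodHours = 0; notificationTemplateId = '' }
            )
        }
    )
}
$base   = 'https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies'
$policy = Invoke-MgGraphRequest -Method POST -Uri $base `
    -Body ($policyBody | ConvertTo-Json -Depth 6) -ContentType 'application/json'

# 3. Assign the policy to the dynamic group only, never to "All devices".
$assignBody = @{
    assignments = @(
        @{ target = @{ '@odata.type' = '#microsoft.graph.groupAssignmentTarget'; groupId = $group.Id } }
    )
}
Invoke-MgGraphRequest -Method POST -Uri "$base/$($policy.id)/assign" `
    -Body ($assignBody | ConvertTo-Json -Depth 6) -ContentType 'application/json'

# 4. After the rule has been evaluated, review which devices were caught.
Get-MgGroupMember -GroupId $group.Id -All | Select-Object Id
```

Dynamic membership is evaluated asynchronously, so the member list in step 4 can stay empty for a while after the group is created.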

Of course, as Apple is the only vendor of iOS devices, this would also be an effective way to keep outdated Apple devices from accessing corporate data as devices gradually fall out of scope for newer versions of iOS. For instance, blocking the iPhone 5s by setting the value to '13' later this year would create an impossible policy for devices that end at iOS 12.x.

Bear in mind, however, that limiting outdated devices will force users to update to the latest version of the operating system to gain access. Not necessarily a bad thing, but something you ought to keep in mind.

If you prefer, you could browse the Microsoft Graph for the specific operating system, OS version or attributes other than hardware vendor.

  • Alex
