Skip to Content
DevicesEnrollmentEnrollment Restrictions

Enrollment Restrictions

Control which devices can enroll in Microsoft Intune by defining platform, OS version, and device type restrictions. Block personally owned devices, require specific OS versions, and limit enrollment counts per user.

Restriction Types

Device Type Restrictions

Control which platforms and device types can enroll. Block specific manufacturers or ownership types.

  • Platform allow/block
  • OS version requirements
  • Manufacturer restrictions
  • Personal device blocking

Device Limit Restrictions

Limit how many devices each user can enroll. Prevents device hoarding and shadow IT.

  • Per-user device limits
  • Per-platform limits
  • Customizable by group
  • Default limit: 15 devices

Platform Restrictions

PlatformMDMPersonalMin VersionMax Version
WindowsAllowBlock10.0.19045
macOSAllowBlock13.0
iOS/iPadOSAllowAllow15.0
Android EnterpriseAllowAllow11.0
Android Device AdminBlockBlock

Device Limit Configuration

Default Limits

  • Total devices per user: 15
  • Windows devices: 5
  • iOS devices: 5
  • Android devices: 5

Group Overrides

  • IT Department: 25 devices
  • Executives: 10 devices
  • Contractors: 1 device

Create Restriction Policy

To create a restriction policy:

  1. Policy Name — Give the policy a descriptive name (e.g., “Corporate Device Only”)
  2. Restriction Type — Choose Device Type Restrictions or Device Limit Restrictions
  3. Platform Settings — Set Allow or Block for each platform (Windows MDM, macOS, iOS/iPadOS, Android Enterprise)
  4. Ownership — Allow or block corporate-owned and/or personally-owned devices
  5. Version Requirements — Set minimum and maximum OS version constraints

Manufacturer Blocking

Block specific device manufacturers from enrollment (Android only):

  • Unknown manufacturers — Blocked
  • Huawei — Blocked
  • Samsung — Allowed
  • Google — Allowed

Policy Priority

When multiple policies apply, priority determines which one takes effect:

  1. IT Admins - Allow All — Highest priority
  2. Corporate Devices Only — Default for most users
  3. Contractors - Limited — 1 device limit
  4. Default Restriction — Fallback policy

First matching policy is applied. Reorder to adjust priority.

Blocked Enrollment Reasons

  • 45 Platform Blocked
  • 23 OS Version
  • 12 Device Limit
  • 8 Personal Device

Recent Blocked Attempts:

UserReason
john.doe@company.comAndroid Device Admin blocked
jane.smith@company.comiOS 14.0 below minimum
bob.jones@company.comDevice limit (5) reached

API Reference

  • GET /api/devices/enrollment-restrictions — List enrollment restriction policies
  • POST /api/devices/enrollment-restrictions — Create restriction policy
  • PUT /api/devices/enrollment-restrictions/:id — Update restriction policy
  • PUT /api/devices/enrollment-restrictions/priority — Update policy priority order
  • GET /api/devices/enrollment-restrictions/blocked — Get blocked enrollment attempts
Last updated on
Enrollment StatusTerms and Conditions