Thursday, 13 May 2021

Controlling MAM device enrolment.

During the early stages of a project, a mistake that schools often make when adopting Microsoft Modern Management is to ignore the question of device enrolment, and as a result things can become unmanageable pretty quickly.

Without changes to the base settings, Microsoft Device Manager is quite relaxed about restricting access to the enrolment process, and a limited rollout of six devices can quickly extend to many dozens as students download the Company Portal app and take advantage of the generous personal enrolment allowance of five devices each.

Things get even worse if the admin allocates the students an Azure AD Premium P1 licence, because with the MAM user scope set to All (the default), any device registered with Azure AD using a school account will also be pushed into the MDM.

The solution is to do a bit of work in the MEM console to make sure the settings match the school's IT policy before things get out of hand.

You can use Device Restrictions to block hardware device types and set conditions on the operating systems, but you need to be careful that you don't go too far and also block auto-enrolment for any Autopilot rollouts you may have planned.

Although most of the options are controlled through MEM policies, an often overlooked setting is located in the Azure AD - Devices section.

  • Navigate your browser to https://portal.azure.com.
  • In the Azure Active Directory pane, click Devices.
  • In the Devices pane, click Device settings.
  • Check the option settings for "Users may join devices to Azure AD".

If you are using an account that's out of scope you'll see the 801c03ed error during device enrolment.

Setting an account as an enrolment manager doesn't override this restriction.
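The same tenant-level gates can be read back with Microsoft Graph rather than clicked through in the portal, which is handy for a periodic audit. The script below is an added example and is not part of the original post; it assumes the Microsoft.Graph PowerShell SDK is installed and that the signed-in account has the Policy.Read.All permission (the property names come from the Graph deviceRegistrationPolicy and mobilityManagementPolicy resources, and the REVIEW/ok labelling is this example's own, not a Microsoft status). It reports the "Users may join devices to Azure AD" scope and the per-user device limit, then the MDM and MAM user scopes that the post warns about. Nothing here changes a setting.

```powershell
# Added example (not from the original post): read the enrolment gates via Graph.
# Assumes: Microsoft.Graph SDK installed, account granted Policy.Read.All (read-only).
Connect-MgGraph -Scopes 'Policy.Read.All'

# 1. Azure AD > Devices > Device settings. Graph resource: policies/deviceRegistrationPolicy.
#    azureADJoin.appliesTo maps to "Users may join devices to Azure AD" (all | selected | none);
#    userDeviceQuota is the per-user device limit the post mentions (five on a fresh tenant).
$reg = Invoke-MgGraphRequest -Method GET `
    -Uri 'https://graph.microsoft.com/v1.0/policies/deviceRegistrationPolicy'

[pscustomobject]@{
    JoinAppliesTo         = $reg.azureADJoin.appliesTo
    JoinAllowedUsers      = ($reg.azureADJoin.allowedUsers -join ',')
    JoinAllowedGroups     = ($reg.azureADJoin.allowedGroups -join ',')
    RegistrationAppliesTo = $reg.azureADRegistration.appliesTo
    DevicesPerUser        = $reg.userDeviceQuota
} | Format-List

# 2. Azure AD > Mobility (MDM and MAM): the user scopes. appliesTo is none | all | selected.
#    'all' on these scopes is the state the post describes, where any Azure AD
#    registration with a school account also lands the device in MDM.
$mdm = Invoke-MgGraphRequest -Method GET `
    -Uri 'https://graph.microsoft.com/v1.0/policies/mobileDeviceManagementPolicies'
$mam = Invoke-MgGraphRequest -Method GET `
    -Uri 'https://graph.microsoft.com/v1.0/policies/mobileAppManagementPolicies'

foreach ($p in @($mdm.value) + @($mam.value)) {
    # REVIEW/ok is this example's own label, flagging an all-users scope for a second look.
    $flag = if ($p.appliesTo -eq 'all') { 'REVIEW' } else { 'ok' }
    '{0,-7} {1,-45} appliesTo={2}' -f $flag, $p.displayName, $p.appliesTo
}
```

Run it before and after changing the portal settings: a JoinAppliesTo of "selected" with the intended groups listed, and MDM/MAM scopes not reading "all", is the state the post is steering towards, while still leaving room for an Autopilot group to be among the selected users.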

A great reference is a post by Samuel McNeill that explains the options in a clear fashion.

https://samuelmcneill.com/2020/10/30/how-to-blocking-personal-byod-devices-from-enrolling-into-intune-but-allowing-autopilot-enrollments/

It's an essential read for anybody planning to roll out Microsoft Device Manager for the first time or who has been given the job of cleaning up the device list.

Recommended.
