Nice video again! I really love your series! Last week I did some testing on a similar subject. One thing to mention: when you have both MDM and MAM auto-enrollment active, a personal device will always enroll into MAM instead of MDM, while corporate devices will enroll into MDM. Blocking MDM is great for blocking users from joining their devices, but for registered devices trying to enroll there really is not much of a difference, since they still get the MAM policies (except for the error you get when trying to enroll via modern authentication, like the mail app in your demo). When MAM auto-enrollment is not set, then blocking MDM enrollment is the only way to go... I think :)
I have a few questions. What causes a device to show up as personal? The one you did showed up as corporate.
If you stop people from registering in Azure AD under Azure AD > Devices > Device settings, what impact will that have?
28:02 - You can take a personally owned device and run the "hardware hash" PowerShell script to get the serial number and hash, then upload it to the Device enrollment -> Devices blade. This will add the device to Autopilot, so when you try to AAD join the device it will pick up that the device belongs to that tenant.
On 19 min: you can use device enrollment managers. They can enroll a larger quantity of devices, and you can leave the device enrollment limit setting at 5.
On the personal-to-corporate question, yep, you can. Create a dynamic or static group, add that personal machine, and create an AP profile to convert all targeted machines to AP; it will then appear in the AP devices after a sync. The better way is the hardware hash from the vendor, though, directly into AP.
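The two replies above both come down to getting the device's hardware hash in front of Autopilot. Microsoft publishes the Get-WindowsAutoPilotInfo script on the PowerShell Gallery for this; the block below is an added example, not the video's or Microsoft's script, that collects the same two values by hand (serial number from SMBIOS, hardware hash from the MDM bridge WMI provider) and writes them in the CSV layout the Autopilot device import expects, so you can see where the data comes from and check it before uploading. It must run elevated; the output path is a placeholder, and the "Windows Product ID" column is left empty because the import treats it as optional.

```powershell
# Added example: collect the Autopilot hardware hash and serial number locally
# and write the CSV that the Intune "Windows Autopilot devices" import accepts.
# Run as administrator on the device; the MDM bridge WMI class is only readable elevated.

function Get-AutopilotDeviceRow {
    # Serial number as reported by the SMBIOS table.
    $serial = (Get-CimInstance -ClassName Win32_BIOS).SerialNumber.Trim()

    # The hardware hash is exposed by the MDM bridge provider as a base64 string.
    $devDetail = Get-CimInstance -Namespace 'root/cimv2/mdm/dmmap' `
        -ClassName 'MDM_DevDetail_Ext01' `
        -Filter "InstanceID='Ext' AND ParentID='./DevDetail'"
    $hash = $devDetail.DeviceHardwareData

    if ([string]::IsNullOrWhiteSpace($serial) -or [string]::IsNullOrWhiteSpace($hash)) {
        throw "Serial number or hardware hash is empty; run this elevated on a physical device."
    }

    # Column names must match the import template exactly.
    [pscustomobject]@{
        'Device Serial Number' = $serial
        'Windows Product ID'   = ''      # optional column, left empty here
        'Hardware Hash'        = $hash
    }
}

$row    = Get-AutopilotDeviceRow
$csvOut = Join-Path $env:USERPROFILE 'Desktop\AutopilotHWID.csv'   # placeholder path

# ConvertTo-Csv quotes every field; strip the quotes so the file looks like the
# portal's template (header line followed by one unquoted row per device).
$row |
    ConvertTo-Csv -NoTypeInformation |
    ForEach-Object { $_ -replace '"', '' } |
    Out-File -FilePath $csvOut -Encoding ASCII

Write-Output ("Serial {0}, hash length {1} chars, written to {2}" -f `
    $row.'Device Serial Number', $row.'Hardware Hash'.Length, $csvOut)
```

Upload the resulting file under Devices > Windows > Windows enrollment > Devices > Import. A hash that is only a few characters long, or an import that reports the serial as already present, usually means the device was captured inside a VM or is already registered to another tenant, which is exactly the case the vendor-supplied hash avoids.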
Great video, I'll be disabling personal enrolment. You mentioned only managing the data in the mail app, assuming it's MAM like on Android or iOS. Have you covered protecting data on personal devices, like email?
I'm having a problem with Android device admin (we are moving away from this once we get some better devices). My issue is enrollment being blocked when using a device type enrollment restriction, even with personal selected as allow and assigned to a group which has the enrolling user in it. If we remove this restriction and use the default, it works. Surely I am not missing something here?
Can you guys cover mapping network drives via Intune? That is something I have been struggling with.
I understand that I will have to use a script for it, but it never works for me.
Thanks in advance.
Perhaps, if you already have the script, run it locally first to confirm it works. Once done, you might want to push it to just one machine, update the policy, then see if it changes anything. Also check whether you are running the script from the "system" account or with the user's credentials...
@@IvanRosaT The script works locally fine. When I roll it out to a group via Intune it does not work. Don't understand why. Maybe because the users don't have admin rights, not sure.
@@ArcusLabProjects When assigning the script, assign it to run from "system"; this will be the local admin on that computer. You might also want to add a Start-Transcript to your script to catch any exceptions. Lastly, there's an excellent video from this series where they show good-practice PowerShell scripting.
@@ArcusLabProjects I do have to say, if you are in a hybrid environment then you could also push a GPO, or make some changes to the script so you can touch all the objects in the forest.
@@IvanRosaT Thank you, I will try again.
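The thread above boils down to two things a drive-mapping script pushed from Intune needs: a transcript so you can see why it failed, and the right run context. The block below is an added example, not the commenter's script, written to be deployed from Devices > Scripts with "Run this script using the logged on credentials" set to Yes, because a mapped drive lives in the signed-in user's session and a mapping created under SYSTEM is never visible to the user. Server names, drive letters and the log folder under %LOCALAPPDATA% are placeholders; the Intune Management Extension runs the script once per user and device, so the mapping is made persistent rather than relying on reruns.

```powershell
# Added example for the drive-mapping question above (not the commenter's script).
# Intune settings assumed: "Run this script using the logged on credentials" = Yes,
# "Run script in 64 bit PowerShell Host" = Yes. Share paths and letters are placeholders.

$logDir = Join-Path $env:LOCALAPPDATA 'IntuneDriveMap'
New-Item -ItemType Directory -Path $logDir -Force | Out-Null
# Transcript captures every line, including errors from cmdlets, for troubleshooting.
Start-Transcript -Path (Join-Path $logDir 'MapDrives.log') -Append

# Placeholder shares; %USERNAME% is expanded for the user running the script.
$mappings = @(
    @{ Letter = 'H'; Path = '\\fileserver.example.com\home\%USERNAME%' }
    @{ Letter = 'S'; Path = '\\fileserver.example.com\shared' }
)

$failures = 0
foreach ($m in $mappings) {
    $target  = [Environment]::ExpandEnvironmentVariables($m.Path)
    $current = Get-PSDrive -Name $m.Letter -ErrorAction SilentlyContinue

    if ($current -and $current.DisplayRoot -eq $target) {
        Write-Output "$($m.Letter): already mapped to $target"
        continue
    }
    if ($current) {
        # Letter is taken by a different share or a local volume: report it, do not clobber it.
        Write-Warning "$($m.Letter): in use (root '$($current.Root)', network path '$($current.DisplayRoot)'), skipping"
        $failures++
        continue
    }

    try {
        # -Persist registers the mapping like 'net use /persistent:yes', so it survives sign-out.
        New-PSDrive -Name $m.Letter -PSProvider FileSystem -Root $target `
            -Persist -Scope Global -ErrorAction Stop | Out-Null
        Write-Output "$($m.Letter): mapped to $target"
    }
    catch {
        # Typical causes: no line of sight to the file server, or no Kerberos ticket for it.
        Write-Warning "$($m.Letter): failed to map $target - $($_.Exception.Message)"
        $failures++
    }
}

Stop-Transcript
# A non-zero exit code makes the run show as Failed in the Intune script report.
exit $failures
```

Read the transcript on a failing machine before changing the assignment: an access-denied or "network path not found" message there points at name resolution, VPN line of sight or Kerberos rather than at the script, and on an Azure AD joined device without hybrid identity the SMB server will simply not accept the cloud credentials.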
Hi Steve and Adam,
Do you know if there is an option to allow Azure AD join (by work or school) and block only the option where users log in to Azure AD when they are trying to open apps (the "Allow your organization to manage your device" question)?
Thank you!
Nice video. I have a question on it: we have set personal devices to block, so what happens if I join a corporate device using Azure AD join? I think it will block it, so how do I enroll that device then? I hope you understood the question; your reply will solve my query.
I appreciate your work guys. Thanks. Shame we can't block device registrations completely to Azure.
Why would you want to block device registration in Azure? Without it, you limit cloud functionality on the client side, like SSO and such.
Hey guys... I wanted to check whether you ever recommend deploying a BYOD solution that requires enrolment. In my opinion, if enrolment is required then it's not BYOD anymore, as enrolment should be used for corporate-owned devices only. Does Intune App Protection (MAM without enrolment) provide sufficient controls to convince IT security teams that we do not need to enroll users' personal devices to protect data?
That's really a question for your org and security team. These options all provide different options/value and should be evaluated based on your org's needs.
You shouldn't need to configure the MDM user scope for Intune enrollment with SCCM 1910 and above. It doesn't rely on the users for enrollment; it now uses the Azure machine ID for enrollment. The devices need to be hybrid joined to Azure, and if configured correctly within SCCM they will automatically enroll into Intune. Users also no longer need to be assigned Intune licenses; you just need one license for the admin account used to configure co-management in SCCM.
Hi guys, thanks for another great video. The series is really helping! Would you be able to cover printing? I know you have mentioned the end user doing it, but I work in education and getting the young ones to do it wouldn't be an option.
Can I block people so they can't use emails other than the company's, from a new computer or from one that has just been through Autopilot? The first time Windows asks for an email when I start a newly bought computer.
Thanks for many amazing videos
"Register AD devices" is greyed out. How can I block people from adding their personal devices?
Hi there,
Can we enroll/manage Linux-based machines with Intune?
Can this be used to uninstall apps that have already been deployed to devices with Intune?
One thing I need to understand: device type restrictions, what type of group do they need to be applied to, a user group or a device group? The default one is applied to "All devices"; yours is set to "All users" though.
It doesn't really matter a whole lot. It really comes down to where you want the control to be applied: by user or by device. We generally target everything to users.
PSA: Blocking personal devices can cause problems with Autopilot device enrollment.
I just need to understand what makes an Android device flag as personal, to understand the concept.
Android enrollment style. If they just use the apps on their phone, then it's personal. If they use the Company Portal app and you assigned categories, then the corporate device policy is assigned when selected.
What we've all learned here is that BYOD in Windows is awful and it should just be disabled by default.
Obviously Adam is not a Pinky and the Brain fan lol
I love Pinky and the Brain! I got the reference, I just like throwing Steve curve balls :-) thanks for watching!
@@IntuneTraining Love these videos as they have helped me a lot with my current role.