Enforce the "Allow my organization to manage my device" Prompt

Ahmad Zein 20 Reputation points
2024-06-25T12:12:30.2966667+00:00

Hello everyone!
I hope you are all doing well. I am trying to prevent users from ignoring the "Allow my organization to manage my device" prompt since it is vital for users to have their devices managed by using Microsoft Intune. I am looking to see if there is a certain Conditional Access policy that we can implement to block users from accessing their corporate resources if they haven't enrolled their devices.
We have tested the two scenarios of unchecking the above parameter and also the "Sign in only to this app" to see the effects of such actions. It seems they can pass through, although we must disallow the users from continuing. We need them to be registered and enrolled into Intune; otherwise they would be restricted.

Kindest regards!


3 answers

  1. Ganeshkumar R 265 Reputation points
    2024-06-25T12:27:24.9433333+00:00

    Hello!

    To ensure that users enroll their devices into Microsoft Intune and prevent them from accessing corporate resources unless their devices are managed, you can set up a Conditional Access policy in Azure Active Directory (Azure AD). Here’s a guide to help you achieve this:

    Steps to Create a Conditional Access Policy for Intune Enrollment

    1. Navigate to Azure AD:
      • Go to the Azure portal.
      • Navigate to Azure Active Directory.
    2. Access Conditional Access Policies:
      • In the Azure AD menu, select Security.
      • Under Security, select Conditional Access.
    3. Create a New Policy:
      • Click on + New policy.
    4. Name the Policy:
      • Give your policy a meaningful name, such as "Require Intune Enrollment for Corporate Resources".
    5. Assign Users and Groups:
      • Under Assignments, select Users and groups.
      • Choose the users or groups that this policy will apply to. You might want to select All users or specific groups such as "All employees".
    6. Specify Cloud Apps:
      • Select Cloud apps or actions.
      • Choose the applications that you want to protect. For example, you can select All cloud apps to enforce this policy across all applications.
    7. Set Conditions (Optional):
      • If you want to apply this policy under specific conditions, you can configure them under Conditions (e.g., specific locations or device platforms).
    8. Configure Access Controls:
      • Under Access controls, select Grant.
      • Choose Require device to be marked as compliant. This ensures that the device must be enrolled in Intune and comply with Intune policies to access the specified resources.
    9. Enable Policy:
      • Set the policy to On under Enable policy.
    10. Review and Create:
      • Review your settings and click Create to save the policy.

    Additional Recommendations

    • Enrollment Restrictions:
      • Ensure that enrollment restrictions are configured in Intune to allow only compliant devices.
      • In the Intune portal, navigate to Devices > Enrollment restrictions and configure the necessary restrictions.
    • Notification and Training:
      • Communicate with your users about the new policy and provide instructions on how to enroll their devices in Intune.
      • Provide training or resources to help users understand the importance of device management and compliance.
    • Testing:
      • Before enforcing the policy for all users, test it with a small group of users to ensure it works as expected without disrupting access to corporate resources.

    Example Policy Summary

    Policy Name: Require Intune Enrollment for Corporate Resources

    Assignments:

    • Users: All users
    • Cloud apps: All cloud apps

    Conditions:

    • Device platforms: Any (optional)
    • Locations: Any (optional)

    Access Controls:

    • Grant: Require device to be marked as compliant

    Enable Policy: On

    By implementing this Conditional Access policy, you can ensure that only devices enrolled in Intune and marked as compliant can access your corporate resources, thereby enforcing device management and compliance across your organization.

    If you have any specific requirements or need further assistance, feel free to ask!
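The same policy the steps above build in the portal, expressed as an added Microsoft Graph PowerShell example (this is not code from the answer's author; it uses the Microsoft.Graph.Identity.SignIns module). It assumes the signed-in account holds the Conditional Access Administrator role, that `$BreakGlassGroupId` is replaced with the object ID of your own emergency-access group, and it creates the policy in report-only mode first so the pilot recommended above can be judged from the sign-in logs before anyone is blocked.

```powershell
# Added example: create the "require compliant device" Conditional Access policy
# with the Microsoft Graph PowerShell SDK. Assumes Conditional Access
# Administrator rights; $BreakGlassGroupId is a placeholder you must replace.

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Placeholder: object ID of the group that holds your emergency-access accounts.
# Excluding it keeps you from locking every admin out if the policy misfires.
$BreakGlassGroupId = "00000000-0000-0000-0000-000000000000"

$policy = @{
    displayName = "Require Intune Enrollment for Corporate Resources"
    # Report-only first: sign-in logs record who WOULD be blocked without
    # enforcing anything. Switch to "enabled" once the pilot group looks right.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{
            includeUsers  = @("All")
            excludeGroups = @($BreakGlassGroupId)
        }
        applications   = @{
            includeApplications = @("All")
        }
        clientAppTypes = @("all")
    }
    grantControls = @{
        # "compliantDevice" is the Graph name for the portal's
        # "Require device to be marked as compliant" grant control.
        operator        = "OR"
        builtInControls = @("compliantDevice")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy '$($created.DisplayName)' (id $($created.Id)) in state $($created.State)"

# Read the policy back and confirm Entra ID stored the intended grant control.
$check = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id
if ($check.GrantControls.BuiltInControls -notcontains "compliantDevice") {
    throw "Policy $($check.Id) does not require a compliant device; review it before enabling."
}
"Grant controls stored: $($check.GrantControls.BuiltInControls -join ', ')"

# After the pilot, enforce the policy by flipping its state:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -BodyParameter @{ state = "enabled" }
```

Report-only mode is the practical counterpart of the "Testing" recommendation above: the policy is evaluated and logged for everyone, but nobody loses access until the state is changed to `enabled`.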


  2. Xenia-MSFT 545 Reputation points Microsoft Vendor
    2024-06-26T01:32:16.2333333+00:00

    @Ahmad Zein Thanks for posting in our Q&A.

    For this issue, there is no method to prevent users from ignoring the "Allow my organization to manage my device" prompt. If the device is not enrolled in Intune and tries to access a corporate resource, the CA policy with a compliance policy will block it and ask for the device to be enrolled and marked as compliant. It is by design.

    Hope it clarifies something.


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
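Whether the block described in the answer above is actually happening can be read from the Entra sign-in logs. The following is an added example, not part of Xenia-MSFT's answer; it uses the Microsoft.Graph.Reports module, assumes a role that can read sign-in logs (for example Reports Reader or Security Reader), and assumes `$PolicyName` matches the display name of your compliant-device policy. It lists the sign-ins the policy failed (in enforced or report-only mode) and separates out the ones that came from a device with no Entra device identity at all, which is the "skipped the prompt" case the question asks about.

```powershell
# Added example: find sign-ins that the compliant-device Conditional Access
# policy failed, and which of them came from devices with no device identity.
# Assumes Microsoft.Graph.Reports and a sign-in log reader role.

Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All"

$PolicyName = "Require Intune Enrollment for Corporate Resources"   # your policy's display name
$Days       = 1                                                      # look-back window
$Since      = (Get-Date).AddDays(-$Days).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")

# Filter server-side on time only: a report-only policy does not set
# conditionalAccessStatus to 'failure', so the per-policy result is checked below.
$signIns = Get-MgAuditLogSignIn -All -Filter "createdDateTime ge $Since"

$failed = foreach ($s in $signIns) {
    $hit = $s.AppliedConditionalAccessPolicies |
        Where-Object { $_.DisplayName -eq $PolicyName -and
                       $_.Result -in @("failure", "reportOnlyFailure") }
    if ($null -eq $hit) { continue }
    [pscustomobject]@{
        Time        = $s.CreatedDateTime
        User        = $s.UserPrincipalName
        App         = $s.AppDisplayName
        Result      = $hit.Result
        # An empty DeviceId means the sign-in carried no Entra device identity:
        # the device is neither registered nor enrolled, so the grant control
        # "require compliant device" can never be satisfied for it.
        DeviceId    = $s.DeviceDetail.DeviceId
        IsManaged   = $s.DeviceDetail.IsManaged
        IsCompliant = $s.DeviceDetail.IsCompliant
    }
}

"Sign-ins failed by '$PolicyName' in the last $Days day(s): $(@($failed).Count)"
$failed | Sort-Object Time -Descending | Format-Table -AutoSize

# Users repeatedly failing from unregistered devices are the ones who skipped
# the "Allow my organization to manage my device" step; these need enrollment help.
"Users failing from devices with no device identity:"
$failed | Where-Object { [string]::IsNullOrEmpty($_.DeviceId) } |
    Group-Object User | Sort-Object Count -Descending | Select-Object Name, Count
```

Run this while the policy is still in report-only mode and the `reportOnlyFailure` rows tell you exactly who would be cut off before any access is actually blocked.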


  3. Ahmad Zein 20 Reputation points
    2024-06-26T11:54:23.6366667+00:00

    @Xenia-MSFT Thank you for answering! Regarding this matter, how will the Conditional Access policy block the user from proceeding to the application without being enrolled and registered in Azure AD? As far as I know, a Conditional Access policy would block a user whenever he is not compliant; however, the device would have already been Azure AD registered (BYOD case for us), thus the compliance check would have triggered this effect. What happens if we apply the CA policy while the device is still running free (meaning that it skipped enrollment through the options I had shown previously), without having any compliance policies and without appearing in either Intune or AAD?