Paddyman2025
Copper Contributor
Feb 21, 2025

Android Personal Devices enrollment in Microsoft Intune

Hi,

I want to enroll Android personal devices for my employees who use their phones to access company data like Teams and mail. I need that even those who already access Outlook mobile with unmanaged devices be forced to enroll them before they access my company data.

I have tried the following.

Created managed google play account

Turned on automatic enrollment

Turned on: Personal and corporate-owned devices with device administrator privileges

Created a device platform restriction policy which pointed to dynamic device group

Created a compliance policy blocking rooted devices and requiring a password to access company apps

Created a Conditional Access policy in Entra ID which requires devices to be marked as compliant before accessing any cloud app. This policy is pointing to a dynamic device group. I had first assigned it to all users, but it didn't work out.

With the above settings, devices can enroll but even those which are not enrolled still have access to the cloud apps.

How can I force those unmanaged devices not to access the company mails and teams, and then prompt them to download a company portal app and enroll their BYOD/Personal devices?

NB: I have achieved the above on iOS, but Android failed.

Please advise me.

  • StuartK73
    Iron Contributor

    Hi There

    I hope you are well.

    Anyway, can I ask WHY you want users to enroll their personal devices into a company-owned MDM?

    Surely you'll get "kick back" on that and maybe Mobile Application Management (MAM) also known as Mobile Application Management without Enrollment (MAMwE) is a better fit, especially if you want to protect company data that is in Microsoft apps such as Outlook.


    Have a look at Android Enterprise vs MAM here:

    https://learn.microsoft.com/en-us/mem/intune/apps/android-deployment-scenarios-app-protection-work-profiles

    And:

    https://learn.microsoft.com/en-us/mem/intune/fundamentals/deployment-guide-enrollment-mamwe


    Stuart

  • rahuljindal-MVP
    Bronze Contributor

    Conditional Access policy can only be assigned to a user-based group. Since you are assigning to a dynamic device-based group, that is where your problem lies. You can also verify this using the What If tool and Entra ID sign-in logs.
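
An added example, not part of the thread and not code from Microsoft or either poster, showing the reply's point in practice: it audits existing Conditional Access policies for include groups that are actually dynamic device groups, then creates the policy the original post describes (Android, all cloud apps, require compliant device) scoped to a user group, starting in report-only mode so the effect can be confirmed in the sign-in logs first. It assumes the Microsoft Graph PowerShell SDK is installed, that the group names 'BYOD-Android-Users' and 'BYOD-Android-Devices' (hypothetical placeholders) are unique, and uses a heuristic for "device group": a dynamic membership rule that starts with `device.`.

```powershell
# Added example (not from the thread). Requires the Microsoft.Graph PowerShell SDK.
Import-Module Microsoft.Graph.Identity.SignIns
Import-Module Microsoft.Graph.Groups
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Group.Read.All'

# Heuristic (assumption): dynamic DEVICE groups have a membership rule whose
# first property is "device.<something>"; user groups use "user." or have no rule.
function Test-IsDeviceGroup {
    param([Parameter(Mandatory)][string]$GroupId)
    $g = Get-MgGroup -GroupId $GroupId -Property 'id,displayName,membershipRule'
    return ($null -ne $g.MembershipRule -and $g.MembershipRule -match '^\s*\(?\s*device\.')
}

# 1. Audit: list every Conditional Access policy whose user assignment includes a
#    device group. Such an assignment never matches a sign-in, so the policy does
#    not apply, which is the symptom in the original post.
function Find-PoliciesAssignedToDeviceGroups {
    foreach ($p in Get-MgIdentityConditionalAccessPolicy) {
        foreach ($gid in $p.Conditions.Users.IncludeGroups) {
            if (Test-IsDeviceGroup -GroupId $gid) {
                [pscustomobject]@{ Policy = $p.DisplayName; State = $p.State; DeviceGroupId = $gid }
            }
        }
    }
}
Find-PoliciesAssignedToDeviceGroups | Format-Table -AutoSize

# 2. Resolve the placeholder groups (hypothetical names; assumed unique).
$userGroup   = Get-MgGroup -Filter "displayName eq 'BYOD-Android-Users'"
$deviceGroup = Get-MgGroup -Filter "displayName eq 'BYOD-Android-Devices'"

if (Test-IsDeviceGroup -GroupId $deviceGroup.Id) {
    Write-Warning "$($deviceGroup.DisplayName) is a device group; use it for Intune assignments, not Conditional Access."
}
if (Test-IsDeviceGroup -GroupId $userGroup.Id) {
    throw "Refusing to continue: $($userGroup.DisplayName) is a device group, not a user group."
}

# 3. Create the policy scoped to USERS: Android platform, all cloud apps,
#    grant only if the device is marked compliant by Intune. Report-only first,
#    so the Entra sign-in logs show what would be blocked before enforcing.
$policy = @{
    displayName = 'BYOD Android - require compliant device'
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users          = @{ includeGroups = @($userGroup.Id) }
        applications   = @{ includeApplications = @('All') }
        platforms      = @{ includePlatforms = @('android') }
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('compliantDevice')
    }
}
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State
```

Once the report-only sign-in log entries show unenrolled Android devices would be blocked, change `state` to `enabled`; users who are blocked are then directed to install Company Portal and enroll. The dynamic device group still has a job: it is the right target for the Intune compliance policy and platform restriction, just not for the Conditional Access assignment.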
