4.2 (L2) Ensure device enrollment for personally owned devices is blocked by default

Information

Device enrollment restrictions let you restrict devices from enrolling in Intune based on certain device attributes, such as a device limit, device platform, OS version, manufacturer, or device ownership (personally owned devices).

The recommended state is to Block personally owned devices from enrollment.

Restricting the enrollment of personally owned devices prevents attackers who have bypassed other controls from registering a new device to gain an additional foothold, further hiding or obscuring their activities.

An attack path could be:

- Account Compromise via Phishing and AiTM
- Conditional Access Bypass
- Reconnaissance using e.g. ROADrecon, GraphRunner or AADInternals
- Lateral Movement, Privilege Escalation or Persistence through a newly registered device enrolled in Intune

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

To remediate using the UI:

- Navigate to the Microsoft Intune admin center: https://intune.microsoft.com/
- Select Devices and then under Device onboarding click Enrollment
- Under Enrollment options select Device platform restriction
- Inspect the policies listed under Device type restrictions
- For the Default priority policy, click All Users
- Select Properties
- Click Edit to change Platform settings
- In the Personally owned column set each platform to Block

Note: Blocking platforms that are not used in the organization is a more restrictive best practice and will also effectively block enrollment of personally owned devices for the selected platform, ensuring compliance for this recommendation.
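As an added audit example (not part of the CIS benchmark or the Tenable plugin), the following PowerShell reads the default platform restriction policy through the Microsoft Graph beta endpoint and reports, per platform, whether personally owned enrollment is blocked. It assumes the Microsoft.Graph.Authentication module, a principal granted DeviceManagementServiceConfig.Read.All, and the beta schema property names (windowsRestriction, personalDeviceEnrollmentBlocked, and so on); the mapping of the two Android properties to device administrator and work profile is an assumption.

```powershell
# Added audit example, not part of the CIS benchmark or the Tenable plugin.
# Read-only: requires Microsoft.Graph.Authentication and
# DeviceManagementServiceConfig.Read.All; nothing in the tenant is changed.
Connect-MgGraph -Scopes 'DeviceManagementServiceConfig.Read.All' -NoWelcome

# Graph beta restriction properties mapped to the platforms named above.
# Assumption: androidRestriction = device administrator,
# androidForWorkRestriction = Android Enterprise work profile.
$platforms = [ordered]@{
    windowsRestriction        = 'Windows'
    macOSRestriction          = 'macOS'
    iosRestriction            = 'iOS/iPadOS'
    androidRestriction        = 'Android device administrator'
    androidForWorkRestriction = 'Android Enterprise work profile'
}

function Test-PersonalEnrollmentBlocked {
    # Evaluates one platform restriction policy (hashtable as returned by
    # Invoke-MgGraphRequest) and emits one row per platform.
    param([Parameter(Mandatory)][hashtable]$Policy)
    foreach ($key in $platforms.Keys) {
        $r = $Policy[$key]
        [pscustomobject]@{
            Platform        = $platforms[$key]
            PlatformBlocked = [bool]$r.platformBlocked
            PersonalBlocked = [bool]$r.personalDeviceEnrollmentBlocked
            # Blocking the whole platform also blocks personal enrollment (see Note).
            Compliant       = [bool]$r.platformBlocked -or [bool]$r.personalDeviceEnrollmentBlocked
        }
    }
}

# The tenant default ("All Users", priority 0) is the policy this control targets;
# group-scoped policies with higher priority are not evaluated here, and paging
# (@odata.nextLink) is ignored because tenants have few enrollment configurations.
$uri = 'https://graph.microsoft.com/beta/deviceManagement/deviceEnrollmentConfigurations'
$all = (Invoke-MgGraphRequest -Method GET -Uri $uri).value
$default = $all | Where-Object {
    $_['@odata.type'] -eq '#microsoft.graph.deviceEnrollmentPlatformRestrictionsConfiguration' -and
    $_.priority -eq 0
}
if (-not $default) { throw 'Default platform restriction policy not found' }

$result = Test-PersonalEnrollmentBlocked -Policy $default
$result | Format-Table -AutoSize
if ($result.Compliant -contains $false) {
    Write-Warning 'Personally owned enrollment is still allowed for at least one platform'
}
```

A platform reported as not compliant corresponds to a row in the Personally owned column that still reads Allow in the admin center.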

Impact:

Per-platform impacts of blocking personally owned device enrollment are listed below. Test changes to the defaults prior to moving into production and implementing this control.

Windows Devices

The following enrollment methods are authorized for corporate enrollment of Windows devices; any other enrollment method is considered "Personal" and blocked:

- The device enrolls through Windows Autopilot.
- The device enrolls through GPO, or automatic enrollment from Configuration Manager for co-management.
- The device enrolls through a bulk provisioning package.
- The enrolling user is using a device enrollment manager account.

macOS

By default, Intune classifies macOS devices as personally owned. To be classified as corporate-owned, a Mac must fulfill one of the following conditions:

- Registered with a serial number.
- Enrolled via Apple Automated Device Enrollment (ADE).

iOS/iPadOS devices

By default, Intune classifies iOS/iPadOS devices as personally owned. To be classified as corporate-owned, an iOS/iPadOS device must fulfill one of the following conditions:

- Registered with a serial number or IMEI.
- Enrolled by using Automated Device Enrollment (formerly Device Enrollment Program).

Android devices

By default, until you manually make changes in the admin center, your Android Enterprise work profile device settings and Android device administrator device settings are the same.

If you block Android Enterprise work profile enrollment on personal devices, only corporate-owned devices can enroll with personally owned work profiles.

See Also

https://workbench.cisecurity.org/benchmarks/20006

Item Details

Category: ACCESS CONTROL, CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|AC-19(5), 800-53|CM-6, 800-53|CM-7, 800-53|SC-39

Plugin: microsoft_azure

Control ID: a78a2ac7306f8fe0e2062a90b9118ed7979155f8a6e424171f3bf4f9cd600c3d