Level 1.6: Donut
March 4, 2024
Question

Force settings on Dedicated devices during enrollment


Hello all,

I'm trying to deploy a Dedicated device profile in Microsoft Intune. I created the configuration profiles and the compliance policy with some settings, specifically about PIN creation and complexity, but during the setup users are not asked to enter any PIN, and at the end the device is non-compliant until the PIN is set and fulfills the rules I set.

Is there by any chance a way to force the PIN creation request during the enrollment phase as happens for user-associated devices?

 

Thanks in advance

/Lucius

2 replies

ReeceK
Level 3.0: Honeycomb
March 4, 2024

Hi @LFagni

Welcome to the community, I hope that you are doing well.

From my understanding, I do not believe there is a way to force the creation of a PIN during the enrollment phase for user-associated devices. I will look into this further for you but just wanted to set expectations.

 

Thanks,

Reece.

LFagni (Author)
Level 1.6: Donut
March 6, 2024

Hi @ReeceK, all good here, hope the same on your side.
During the enrollment of a standard Corporate Device with Work Profile we're asked to protect the device, just after the device registration, and this is fully fine. The same happens on Personally Owned Devices with Work Profile and also on Device Administrators (I'm working on removing them anyway).

Device administrators are not in GZT, so I suppose that the PIN request is part of the standard setup of the device, so I do not understand why it's not requested for dedicated devices.

I created a compliance policy too, which requires the presence of PIN protection, but those devices are marked as non-compliant with no really useful indication of the reason for the users, and the PIN needs to be created manually to make the devices compliant.

Michel
Level 4.0: Ice cream sandwich
July 1, 2024

Hi @Moombas, thanks for your reply.

This is exactly my question: the compliance policies are really similar, but on the other enrollment profiles the user is asked to create a passcode during the device setup; this does not happen only for the Dedicated Device ones.

As an example, I just ran some fresh tests, and an S22 configured as Corporate Device with Work Profile on GZT asks to create a passcode after device registration.

For the Dedicated Device this is not happening at all if I use the Token QR from Intune, and I'm just asked to create one if the profile is assigned from GZT, but as an example my policy sets a minimum length of six chars and other settings, which are just ignored in this phase (now I just tried with a Pixel 8 Pro).

The device at the end is just not compliant, but the error is not self-explanatory and might create confusion.

 


How are you applying policies to dedicated devices?

Since dedicated devices do not always ask for user credentials during enrollment, you are unable to assign policies to a user since they will probably not work.

If you assigned the policies to a dynamic group, Intune needs time to get the newly enrolled devices into that dynamic group. It can take up to an hour in some cases. You will see that it will ask for a password once it has received a policy that configures that.

A workaround for this is using device filters. As an example: apply the policy to all devices with an included filter capturing all devices enrolled via a specified enrollment profile (the one from your QR code, for example).

New Member
March 6, 2025

Hi Lfagni,

I know this is an old post, but I wonder if you got any solution to your problem. I am facing the same issue with a couple of 100s of devices where the screen PIN code doesn't apply.

kr

ahmed

EDI67
New Member
March 10, 2026

Hello, I know this message is quite old, but did you ever find a solution?