Merge pull request #8208 from lenewsad/EnrollmentRestrctionsGuide

TOC updates for enrollment restrictions

Author: v-stsavell

memdocs/intune/enrollment/android-move-device-admin-work-profile.md

@@ -45,7 +45,7 @@ When users see that they're out of compliance for this reason, they can tap **Re
 - [Set Android Enterprise personally-owned work profile enrollment](android-work-profile-enroll.md) for the group of users who are moving to personally-owned work profile.
 - Consider increasing your user device limits. When unenrolling devices from device administrator management, device records might not be immediately removed. To provide cushion during this period, you might need to increase device limit capacity. This increase is so that the users can enroll into personally-owned work profile management.
   - [Configure Azure Active Directory device settings](/azure/active-directory/devices/device-management-azure-portal#configure-device-settings) for Maximum number of devices per user.
-  - Adjust the [Intune device limit restrictions](enrollment-restrictions-set.md#create-a-device-limit-restriction) by setting the Device limit. 
+  - Adjust the [Intune device limit restrictions](create-device-limit-restrictions.md) by setting the device limit. 
 
 ## Create device compliance policy
 

memdocs/intune/enrollment/create-device-limit-restrictions.md

@@ -0,0 +1,112 @@
+---
+# required metadata
+
+title: Create device limit restrictions  
+titleSuffix: Microsoft Intune
+description: Restrict the number of devices allowed to enroll in Microsoft Intune.  
+keywords:
+author: Lenewsad
+ms.author: lanewsad
+manager: dougeby
+ms.date: 08/08/2022
+ms.topic: how-to
+ms.service: microsoft-intune
+ms.subservice: enrollment
+ms.localizationpriority: 
+ms.technology:
+ms.assetid: 
+
+# optional metadata
+
+#ROBOTS:
+#audience:
+
+ms.reviewer: maholdaa
+ms.suite: ems
+search.appverid: MET150
+#ms.tgt_pltfrm:
+ms.custom: intune-azure
+ms.collection:
+  - M365-identity-device-management
+  - highpri
+---
+
+# Create device limit restrictions in Intune
+
+**Applies to**
+* Android  
+* iOS
+* macOS 
+* Windows 10
+* Windows 11 
+
+
+[!INCLUDE [azure_portal](../includes/azure_portal.md)]  
+
+Create a device limit enrollment restriction policy to limit the number of devices a user can enroll in Microsoft Intune. Device limit restrictions work on devices that meet the following criteria:  
+
+  * Microsoft Intune-managed  
+  * Established contact with Intune within last 90 days  
+  * Not in a registration-pending state for more than 24 hours  
+  * Hasn't failed Apple enrollment  
+  * Hasn't been deleted from Microsoft Intune  
+  * Enrollment type is not in shared mode (check DeviceCountsForDeviceCap for detail)  
+
+You can create a new device limit-enrollment restriction policy in the Microsoft Endpoint Manager admin center or use the default policy that's already available. You can have up to 25 device limit restriction policies. 
+
+This article describes how to create and configure a device limit-enrollment restriction policy in the admin center.  
+
+## Default policy 
+Microsoft Intune provides one default policy for device limit restrictions that you can edit and customize as needed. Intune applies the default policy to all user and userless enrollments until you assign a higher-priority policy.  
+
+## Create a device limit restriction  
+
+1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+2. Go to **Devices** > **Enrollment restrictions** > **Create restriction** > **Device limit restriction**.  
+3. On the **Basics** page, give the restriction a **Name** and optional **Description**.
+4. Choose **Next** to go to the **Device limit** page.
+5. For **Device limit**, select the maximum number of devices that a user can enroll.
+    ![Screenshot that shows how to choose a device limit.](./media/enrollment-restrictions-set/choose-device-limit.png)
+6. Choose **Next** to go to the **Scope tags** page.
+7. On the **Scope tags** page, optionally add the scope tags you want to apply to this restriction. For more information about scope tags, see [Use role-based access control and scope tags for distributed IT](../fundamentals/scope-tags.md). 
+8. Choose **Next** to go to the **Assignments** page.
+9. Choose **Select groups to include** and then use the search box to find groups that you want to include in this restriction. The restriction applies only to groups to which it's assigned. If you don't assign a restriction to at least one group, it won't have any effect. Then choose **Select**. 
+    ![Screenshot that shows selecting groups.](./media/enrollment-restrictions-set/select-groups-device-limit.png)
+10. Select **Next** to go to the **Review + create** page.
+11. Select **Create** to create the restriction. The new restriction appears in your list of restrictions and is given a higher priority than the default policy. For information about changing the priority level, see [Change restriction priority](create-device-limit-restrictions.md#change-restriction-priority) (in this article).  
+
+## Edit enrollment restrictions    
+
+Edits are applied to new enrollments and don't affect devices that are already enrolled.  
+
+1. Go to **Enrollment device limit restrictions** to bring up the list of your policies. 
+2. Select the name of the policy you want to change.
+3. Select **Properties**.  
+4. Select **Edit**. 
+5. Make your changes and select **Review + save**. 
+6. Review your changes and select **Save**.  
+
+## Change restriction priority  
+
+When a group is assigned multiple restrictions, the priority level determines which policy gets applied. The restriction with highest priority (*1* being the highest priority position) is applied and the other restrictions are disregarded. For example:  
+
+1. Joe belongs to two user groups in Intune: Group A and Group B. 
+2. Group A is assigned a restriction policy. Its priority level is 5.
+3. Group B is assigned a restriction policy. The priority level is 2.
+4. Joe is subject only to the priority 2 restrictions.
+
+When you create a restriction, it's added to the list just above the default. You can change the priority of non-default restrictions.  
+
+1. Go to **Enrollment device limit restrictions**.
+2. Select **Device limit restrictions** to bring up the list of your policies.               
+3. Hover over the policy in the **Priority** column,and then select and drag the priority to the desired position in the list.   
+
+## Device user experience   
+BYOD users who reach their device limit receive a message during enrollment explaining the restriction. To continue enrolling, the device user must unenroll an existing device. Alternatively, as the admin you can increase the device limit in the admin center. For more information about troubleshooting enrollment errors such as this one, see [Troubleshoot device enrollment](/troubleshoot/mem/intune/troubleshoot-device-enrollment-in-intune#device-cap-reached).  
+
+![Example image of device limit notification which reads, "Couldn't add your device. You have added the maximum number of devices allowed by your IT support. You must remove a device before you can add a new one.](./media/enrollment-restrictions-set/enrollment-restrictions-ios-set-limit-notification.png)  
+
+
+ 
+
+

memdocs/intune/enrollment/create-device-platform-restrictions.md

@@ -0,0 +1,184 @@
+---
+# required metadata
+
+title: Create device platform restrictions  
+titleSuffix: Microsoft Intune  
+description: Restrict personally owned devices, and specific device platforms and OS versions from enrolling in Intune. 
+keywords:
+author: Lenewsad
+ms.author: lanewsad
+manager: dougeby
+ms.date: 08/08/2022
+ms.topic: how-to
+ms.service: microsoft-intune
+ms.subservice: enrollment
+ms.localizationpriority: 
+ms.technology:
+ms.assetid: 
+
+# optional metadata
+
+#ROBOTS:
+#audience:
+
+ms.reviewer: maholdaa
+ms.suite: ems
+search.appverid: MET150
+#ms.tgt_pltfrm:
+ms.custom: intune-azure
+ms.collection:
+  - M365-identity-device-management
+  - highpri
+---
+
+# Create device platform restrictions   
+
+**Applies to**
+* Android  
+* iOS
+* macOS 
+* Windows 10
+* Windows 11 
+
+
+[!INCLUDE [azure_portal](../includes/azure_portal.md)]  
+
+Create a device platform enrollment restriction policy to restrict devices from enrolling in Intune. Available restrictions include:  
+
+* Device platform
+* OS version
+* Manufacturer
+* Ownership (personally-owned)
+
+ You can create a new device platform restriction policy in the Microsoft Endpoint Manager admin center or use the default policy that's already available. You can have up to 25 device platform restriction policies. 
+
+This article describes the device platform restrictions supported in Microsoft Intune and how to configure them in the admin center.  
+
+## Default policy 
+Microsoft Intune provides one default policy for device platform restrictions that you can edit and customize as needed. Intune applies the default policy to all user and userless enrollments until you assign a higher-priority policy.  
+
+## Best practice - Android platform restrictions          
+Since Intune supports two Android platforms, it's important to understand how OS version restrictions work when used together with device platform restrictions:   
+  * If you allow both platforms for the same group, and then refine it for specific and non-overlapping versions, devices are sent through the Android enrollment flow that's picked for their version.   
+  * If you allow both platforms, but block the same versions, devices running blocked versions can't enroll. Users on these devices are sent through the Android device administrator enrollment flow before they're blocked and prompted to sign out. 
+
+## Create a device platform restriction   
+
+1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).  
+2. Go to **Devices** > **Enroll devices** > **Enrollment device platform restrictions**.  
+3. Select the tab along the top of the page that corresponds with the platform you're configuring. Your options:  
+
+    * **Android restrictions**
+    * **Windows restrictions**
+    * **MacOS restrictions**
+    * **iOS restrictions**  
+
+4. Select **Create restriction**.  
+5. On the **Basics** page, give the restriction a name and optional description. 
+6. Select **Next**.  
+7. On the **Platform settings** page, configure the restrictions for your selected platform. Your options:       
+    - **Platform** (Android): Select **Allow** to permit a platform to enroll, and **Block** to restrict it.       
+    - **MDM** (Windows, macOS, and iOS/iPadOS): Select **Allow** to permit a platform to enroll, and **Block** to restrict it.   
+    - **Personally-owned**: Select **Allow** to permit devices to enroll and operate as personal devices.  
+    - **Device manufacturer** (Android): Enter a comma-separated list of the manufacturers that you want to block. 
+    - **Allow min/max range** (Android, Windows, iOS/iPadOS): Enter the minimum and maximum OS versions allowed to enroll. Supported version formats include:  
+        - Windows supports major.minor.build.rev for Windows 10 and Windows 11 only.  
+        - Android device administrator and Android Enterprise work profile support major.minor.rev.build.  
+        - iOS/iPadOS supports major.minor.rev.  
+
+             > [!TIP]
+             > The min/max range isn't applicable to Apple devices that enroll with the Device Enrollment Program, Apple School Manager, or the Apple Configurator app. Although Intune doesn't block ADE enrollments that use Company Portal to authenticate, not meeting OS requirements impacts registration because devices can't create the Azure AD device record used to evaluate Conditional Access policies. You can tell that this is the case if a device user receives an error message that says "Couldn't map device record with a user" after they sign in to Company Portal.        
+
+8. Select **Next**. 
+9. Optionally, add scope tags to the restriction. For more information about scope tags, see [Use role-based access control and scope tags for distributed IT](../fundamentals/scope-tags.md). 
+
+      > [!NOTE]
+      >  If you apply scope tags to a restriction, only Intune users within scope can view and manage the policy. Only people in scope can view and reorder a restriction, or change its priority level. They can also see the relative priority of the restriction, even if they can't see all restrictions.  
+
+10. Select **Next**. 
+11. On the **Assignments** page, select **Add groups** and then use the search box to find and select groups. To assign the restriction to all device users, select **Add all users**. If you don't assign a restriction to at least one group, the restriction won't take effect.  
+12. Optionally, after you assign groups, select **Edit filter** to restrict the policy assignment further with filters. Filters are available for macOS, iOS, and Windows policies. For more information, see [Apply assignment filters](create-device-platform-restrictions.md#apply-assignment-filters) (in this article).  
+13. Select **Next**. 
+14. Review your policy, and then select **Create** to create it. 
+
+You can view the new restriction policy and access its properties in the **Enrollment device platform restrictions** > **Device type restrictions** table. Select and drag the restriction to reposition it in the table and change its priority.   
+
+## Apply assignment filters 
+
+You can use assignment filters to include and exclude additional devices from certain group-targeted policies. Enrollment restrictions and ESP policies both support the use of assignment filters.   
+
+For example, you can use a filter to allow personal Windows devices to enroll while blocking devices that run a specific operating system SKU. To achieve this outcome, apply a preconfigured filter to your enrollment restriction assignments. The filter needs to have the `operatingSystemSKU` property in its rules. Example steps:  
+
+  1. Create a platform enrollment restriction policy for Windows.  
+  2. In the platform settings, select the option that allows personal devices to enroll. 
+  3. In the assignments settings, select the groups you want to assign.
+  4. Select **Edit filter** and then apply your preconfigured filter that contains the `operatingSystemSKU` property. The applied property blocks devices running Windows 10 Home edition. 
+
+For more information about creating filters, see [Create a filter](../fundamentals/filters.md). 
+
+### Supported filter properties  
+
+Enrollment restrictions support fewer filter properties than other group-targeted policies. This is because devices aren't yet enrolled, so Intune doesn't have the device info to support all properties. You'll see the limited selection of properties when you:  
+
+* Configure a device platform restriction policy for Apple and Windows devices. 
+* Configure an enrollment status page (ESP) policy for Windows. 
+* Edit a filter that's in-use in an enrollment restriction or ESP profile. 
+
+The following filter properties are always available to use with enrollment policies:    
+
+**Windows** 
+
+* OS version 
+* Operating System SKU 
+* Enrollment profile name
+
+**iOS/iPadOS and macOS**  
+* Manufacturer 
+* Model 
+* OS version 
+* Ownership 
+* Enrollment profile name 
+
+For more information about these properties, see [device properties](../fundamentals/filters-device-properties.md#device-properties). Filters can't be used with Android enrollment restrictions.  
+
+## Edit enrollment restrictions  
+
+Edits are applied to new enrollments and do not affect devices that are already enrolled.  
+
+1. Go to **Enrollment device platform restrictions**.  
+2. In the **Device type restrictions** table, select the name of the policy you want to change.
+3. Select **Properties**.  
+4. Select **Edit**.   
+5. Make your changes and select **Review + save**. 
+6. Review your changes and select **Save**.  
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+

memdocs/intune/enrollment/device-enrollment.md

@@ -186,4 +186,4 @@ The MDM certificate renews automatically as long as enrolled devices are communi
 
 ## Next steps  
 
-You can adjust the settings in Intune to restrict specific platforms from enrolling. For more information, see [Create a device platform restriction](enrollment-restrictions-set.md#create-a-device-platform-restriction).  
+You can adjust the settings in Intune to restrict specific platforms from enrolling. For more information, see [Create a device platform restriction](create-device-platform-restrictions.md).  

memdocs/intune/enrollment/device-limit-intune-azure.md

@@ -1,9 +1,9 @@
 ---
 # required metadata
 
-title: Understand between Intune and Azure device limit restrictions
-titleSuffix:
-description: Understand the differences between Intune's device limit restrictions and Azure AD's delimit restrictions. 
+title: Understand Intune and Azure AD device limit restrictions
+titleSuffix: Microsoft Intune
+description: Learn the differences between Intune device limit restrictions and Azure AD's delimit restrictions. 
 keywords:
 author: Lenewsad
 ms.author: lanewsad
@@ -31,7 +31,7 @@ ms.collection:
   - highpri
 ---
 
-# Understand Intune and Azure AD's device limit restrictions  
+# Understand Intune and Azure AD device limit restrictions  
 
 **Applies to**
 - Android
@@ -48,7 +48,7 @@ This article clarifies when these limits are applied based on your configuration
 
 ## Intune device limit restrictions
 
-Intune device limit restrictions set the maximum number of devices that a user can control (maximum setting is 15). To set this **Device limit**, go to [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) > **Devices** > **Enrollment restrictions**. For more information, see [Create a device limit restriction](enrollment-restrictions-set.md#create-a-device-limit-restriction)
+Intune device limit restrictions set the maximum number of devices that a user can control (maximum setting is 15). To set this **Device limit**, go to [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) > **Devices** > **Enrollment restrictions**. For more information, see [Create a device limit restriction](create-device-limit-restrictions.md). 
 
 ## Azure device limit restriction
 
@@ -128,5 +128,4 @@ For the device limit restriction in Azure, the **Maximum number of devices per u
 ## Next steps
 
 - [Create a device limit restriction in Azure.](/azure/active-directory/devices/device-management-azure-portal#configure-device-settings)
-- [Configure device settings in Azure.](enrollment-restrictions-set.md#create-a-device-limit-restriction)
 - [Learn more about registration and domain joined.](/azure/active-directory/devices/overview#getting-devices-in-azure-ad)