Support multiple user contexts with Device Compliance
We have multiple deployments where devices have been enrolled with a Device Enrolment Manager account and then issued to users.
Using a DEM account has allowed us to manage the enrolment of devices and configure any steps not yet supported by Intune before issuing to users. This isn't something that would be appropriate to change with AutoPilot.
These same deployments are relying on the ability to use the device's compliance state as telemetry within a Conditional Access policy. Unfortunately we have seen mixed results where devices do not consistently report as compliant, nor do they consistently report the reason for their non-compliance.
Through working with support, I have been provided with this article, where it is stated that this is an unsupported scenario -
We need this added as a supported scenario.
It's not appropriate for everyone to use AutoPilot, to rely on user-led enrolment, to issue one device per user, or for devices never to be shared without needing re-enrolment.
This is proving a major blocker to adoption of Intune and Conditional Access.
If you need any more information or scenarios at all, please let me know.
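The "mixed results" described above are hard to reason about from the portal alone, because the compliance summary hides which user context each policy was evaluated for. The following is an added diagnostic script, not part of the original post and not Microsoft's code. It uses the Microsoft Graph PowerShell SDK (Microsoft.Graph.Authentication) to list devices that were enrolled by the DEM account or that have more than one logged-on user, and for each non-compliant one dumps the per-policy and per-setting evaluation results, including the user principal each setting was evaluated against. The DEM UPN is a placeholder; the `usersLoggedOn` property is assumed to be populated for the tenant's Windows devices.

```powershell
# Added example (not from the original post or from Microsoft): find shared /
# DEM-enrolled devices and show which user context each compliance setting
# was evaluated for. Requires the Microsoft.Graph.Authentication module.
#Requires -Modules Microsoft.Graph.Authentication

param(
    # Placeholder: the Device Enrolment Manager account that enrolled the devices.
    [string]$DemUpn = 'dem@contoso.com'
)

Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.Read.All' -NoWelcome

# Follow @odata.nextLink so that large tenants are paged through completely.
function Get-GraphCollection {
    param([string]$Uri)
    $items = @()
    while ($Uri) {
        $page  = Invoke-MgGraphRequest -Method GET -Uri $Uri -OutputType PSObject
        $items += $page.value
        $Uri    = $page.'@odata.nextLink'
    }
    return $items
}

# usersLoggedOn (assumed populated) lists the Azure AD users Intune has seen sign
# in on the device; more than one entry means the device is effectively shared.
$select  = 'id,deviceName,userPrincipalName,complianceState,lastSyncDateTime,usersLoggedOn'
$devices = Get-GraphCollection "https://graph.microsoft.com/v1.0/deviceManagement/managedDevices?`$select=$select"

$shared = $devices | Where-Object {
    $_.userPrincipalName -eq $DemUpn -or ($_.usersLoggedOn | Measure-Object).Count -gt 1
}

foreach ($d in $shared) {
    $loggedOn = ($d.usersLoggedOn | ForEach-Object { $_.userId }) -join ','
    "{0}: complianceState={1} enrolledTo={2} lastSync={3} loggedOnUsers={4}" -f
        $d.deviceName, $d.complianceState, $d.userPrincipalName, $d.lastSyncDateTime, $loggedOn

    if ($d.complianceState -ne 'compliant') {
        # Per-policy results behind the portal's compliance "reason". Each setting
        # state carries the user principal it was evaluated for, which is where a
        # multi-user device shows different answers for different users.
        $states = Get-GraphCollection "https://graph.microsoft.com/v1.0/deviceManagement/managedDevices/$($d.id)/deviceCompliancePolicyStates"
        foreach ($s in $states) {
            "    policy '{0}' state={1}" -f $s.displayName, $s.state
            $failing = $s.settingStates | Where-Object { $_.state -ne 'compliant' }
            foreach ($setting in $failing) {
                "        {0}: state={1} evaluatedFor={2} {3}" -f
                    $setting.settingName, $setting.state, $setting.userPrincipalName, $setting.errorDescription
            }
        }
    }
}
```

Run it with a read-only account and compare the `evaluatedFor` column across runs: a device that flips between compliant and non-compliant because a different user context was evaluated each sync looks very different from a device whose settings genuinely fail, and that distinction is what a support case on this scenario needs.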
Check out this new modern MDM tool we are using; it allows you to edit, remove or duplicate thousands of policies and profiles. Plus it has compliance with both the Microsoft baseline and CIS benchmarks integrated in apps, scripts, policies, etc.
Robert van Leiden commented
Is this still an issue? We use device based conditional access with shared devices for almost 2 years without issues. Also see https://docs.microsoft.com/en-us/intune/enrollment/device-enrollment-manager-enroll : "Devices are blocked for Conditional Access with the exception of Windows 10 1803+". So supported since version 1803.
Tore johnny Blomhaug commented
This also stops companies from migrating from AD to AAD.
Using Conditional Access with "Require Hybrid Azure AD joined device" when migrating to AAD, "Require device to be marked as compliant" will not work on all of the users/devices, and the user will not be able to access company resources.
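The lock-out described in the comment above comes from a grant control that only accepts a compliant device. Below is an added example, not from the commenter or from Microsoft, of creating the policy most migrations use instead: one that grants access when the device is compliant OR Hybrid Azure AD joined, scoped to Windows, and created in report-only state so the sign-in logs show who would have been blocked before anything is enforced. The group and break-glass account IDs are placeholders; the policy shape uses the Microsoft Graph conditionalAccessPolicy resource via Invoke-MgGraphRequest.

```powershell
# Added example (not from the thread or from Microsoft): create a report-only
# Conditional Access policy that accepts EITHER a compliant device OR a Hybrid
# Azure AD joined device, instead of requiring compliance alone.
#Requires -Modules Microsoft.Graph.Authentication

param(
    # Placeholders: pilot group to scope the policy to, and an emergency-access
    # account that must never be caught by a device-based policy.
    [string]$PilotGroupId     = '00000000-0000-0000-0000-000000000001',
    [string]$BreakGlassUserId = '00000000-0000-0000-0000-000000000002'
)

Connect-MgGraph -Scopes 'Policy.Read.All','Policy.ReadWrite.ConditionalAccess','Application.Read.All' -NoWelcome

# The control that locks out users on devices that are still domain joined
# but not yet compliant is builtInControls = @('compliantDevice') on its own
# (or the two controls combined with operator 'AND'). The 'OR' form below lets
# hybrid-joined devices through during the migration and tightens to
# compliance once every device reports reliably.
$policy = @{
    displayName = 'Windows: require compliant OR hybrid joined device (report-only)'
    state       = 'enabledForReportingButNotEnforced'   # observe first, enforce later
    conditions  = @{
        users = @{
            includeGroups = @($PilotGroupId)
            excludeUsers  = @($BreakGlassUserId)
        }
        applications   = @{ includeApplications = @('All') }
        platforms      = @{ includePlatforms = @('windows') }
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('compliantDevice', 'domainJoinedDevice')
    }
}

$created = Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies' `
    -Body ($policy | ConvertTo-Json -Depth 10) `
    -ContentType 'application/json' `
    -OutputType PSObject

"Created policy {0} ({1}) in state {2}" -f $created.displayName, $created.id, $created.state
```

Leave the policy in report-only mode for at least one full sync cycle of the shared devices, review the sign-in log's report-only results for that policy, and only then switch `state` to `enabled`; the devices that would have failed the compliant-only control show up there as "Report-only: Failure" with the device state recorded on the sign-in.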
Albert Hooijer commented
Shared computers are very common, so this is a must-have.
Alex Fields commented
There would be multiple ways to address the shared computer problem with device compliance. For example, we don't necessarily need to measure compliance against shared computers. We just want Conditional access. Therefore, why not add an access control called "Require device to be enrolled" that would allow us to implement conditional access without requiring compliance? That would allow us to have every Windows 10 device with access to resources enrolled to Intune, so that we could have leverage over the device.
Otherwise why not just stop evaluating every single user for compliance, and instead measure the active/most recent user session only? Or just target the device and not the user with compliance.
It is just not possible today to implement Conditional access for Windows 10 in like 90% of the environments out there. Please fix this in any of those ways.
Hoder Jensen commented
This is really needed and a huge showstopper.
Also can anyone comment on "enroll without a primary user." How?
Is it possible to get a comment from the moderator or the Product Team regarding this?
It is making so many different deployments impossible or unviable for customers, which is reducing how widely we can utilise Windows 10 + Intune.
Wolfgang Bach commented
As stated here, Intune device compliance policies are still not supported on multi-user devices:
Before you begin: Enroll devices to one user, or enroll without a primary user. Devices enrolled to multiple users aren't supported.
When will this be supported?
Mike M commented
We're unable to continue with Windows 10 deployment because there is no viable solution to Shared computers. Kiosk mode is very niche and is not a shared computer experience.
This is a must-have; very few organisations have only personal devices. Shared devices are common and should be supported.