Most users in companies have multiple devices, a mix of corporate and personal.
Most users don't mind enrolling Corporate devices but do not want to enrol personal devices but want access to email on those devices as well.
It should be possible to ensure the corporate devices must enroll, but the personal devices are only affected by MAM-WE policies so the personal devices for the same user do not need to enrol but only need to register.

Maybe add an option to say if device in Corporate Identifiers it must enrol or make the conditional access policy able to read an Azure AD Device Group, so if the device is in a group it must enrol.

Many of our users work from home and do not want their personal Windows computer to be either enrolled into our MDM suite or onto Azure AD. With our strict compliance regulations users are struggling to make their own Windows computer devices compliant.

Would it be possible to have a policy that is in the middle, where users can access emails, OneDrive for Business and SharePoint sites without the need to be on a domain joined computer or enrolled into our MDM suite. I would like to see this policy give the user access to all content but only from the browser such as IE and not from any applications as all the office packages are now mostly available to use in a web browser. This would mean that the user is just working in the cloud without the need to download any applications. I would also like this policy to stop users from downloading any content to their personal device so it just stays in the office applications that are cloud based while working in this way. This policy could be enforced by a user’s having to provide a two factor authentication to be able to access their OneDrive for Business and SharePoint Sites etc. from their own personal device.

Could we please look at implementing a policy such as this to help users work on their own personal device easier without the need to enrol on either Azure AD or MDM suite.

We have many MAC OS X Computer on our network and would like our Users to be able to access Sharepoint online and Exchange online from their MAC OS X Machines.

We have a conditional access policy setup for all our User to protect our data around Sharepoint and Exchange online however MAC OS X users cant access these features online or even offline due to the policy being in place. This could be a supported device if a user for MAC OS X could complete the authentication process with the use of the digital certificate which is prompted to be install on first time access and then can be seen in the Keychain on the MAC. The certificate is recognised on login to SharePoint online but then says that the browser is not a supported browser. This could work exactly the same as IOS Devices accessing SharePoint Online with the certificate being installed on the Mobile Device and then allowing access to the site by authenticating the users with the digital certificate.

In Windows 10 1607 devicestatus.csp was extended to include support for AV, firewall and UAC status.

https://msdn.microsoft.com/en-us/windows/hardware/commercialize/customize/mdm/devicestatus-csp

However none of these features can be utilised in Intune compliance policies. We would like the ability to block access to corporate resources if AV or FW are disabled etc. Whilst Windows 10 device health attestation can check for ELAM this requires TPM 2.0.

As the Windows 10 product team has added these capabilities into the OS... please add them into Intune! Unlike configuration policies we cannot create custom compliance policies in order to take advantage of these features ourselves. Allowing custom compliance policy will be my next idea :-).

I've been looking at deploying Windows Information Protection (WIP) to BYO Win10 devices. Got the policy working and thought we were good to go. The issue now is Windows 10 Home doesn't support WIP. So these users have access to the corporate data by default.

I think it would be nice to be able to base a condition on the version (edition) of Windows. This would allow us to block windows 10 Home from using OneDrive sync/office apps natively and only allow access via the session based policy. We can then allow a better experience on Window 10 Pro users with the help of WIP.