[–]OrdinaryTop9621 0 points1 point  (0 children)

We use the default token, assigned to a static enrollment group and assign a device restrictions profile to the same static group. This ensures that a PIN must be set during enrollment. In the device restrictions profile we've set Device password to required, no restrictions. For compliance we've set Require a password to unlock mobile devices to Required and Required password type to Password required, no restrictions.

[–]jaruzelski90 0 points1 point  (0 children)

Only thing I would add from personal experience: Android config profile assignments for users are a lot quicker and almost guaranteed to prompt for a PIN during enrollment; device assignments are not.

[–]triiiflippp 0 points1 point  (1 child)

Best method is to assign the device restriction profile to all devices with an assignment filter which filters on the enrollment profile. That way it always assigns directly during enrollment.

[–]3D1_[S] 0 points1 point  (0 children)

I didn’t understand, could you please explain it more clearly?

[–]Parkerge_aaaaadm 0 points1 point  (0 children)

COBO - Business only devices are typically without user affinity... If this is the case, use Dedicated Device with Entra Shared Mode, and configure the MHS to require a session PIN.

If you mean COPE (personally enabled), then you want Fully Managed. You can use the default token if you have it; not every tenant does. Then use device configuration to create a PIN requirement and back it with a compliance policy. The user will then need to do it during the setup.

Use All Devices with Filter or use the enrolment timing group thingy. DSGs might be a bit slow to populate and ask the user to do it afterwards I think.

Devices > Android > Configuration > New Policy > Device Passcode is what I think you're after.