You can add a denylisted (device restricted from enrollment) or allowlisted (device cleared for enrollment) based on various device attributes.

Note: Denylisting devices that are registered in the Device Enrollment Program (DEP) restricts those devices from having a DEP profile assigned to them in the future.


  1. Navigate to Devices > Lifecycle > Enrollment Status and select Add.
  2. Select Denylist Devices or Allowlist Devices from the Add drop-down menu and complete the settings.
    Setting Description
    Denylisted/Allowlisted Devices Enter the list of allowlisted or denylisted devices (by the Device Attribute selection), up to 30 at a time.
    Device Attribute Select the corresponding device attribute type. Select IMEI, Serial Number, or UDID.
    Organization Group Confirm to which Organization Group the devices are denylisted or allowlisted.

    You can allow devices only with the selected ownership type.

    This option is only available while Allowlisting devices.

    Additional Information Allows you to select a platform to apply your allowlist or denylist.

    You can denylist or allowlist all devices belonging to an entire platform.

    This option is only available when the Additional Information check box is enabled.

  3. Select Save to confirm the settings.