Today I noticed in a couple of Intune tenants that Microsoft is now supporting group-assigned enrollment restrictions. With that, you are also able to prioritize the restrictions.
With this change, Microsoft Intune now also supports the ability to not only allow or disallow Android but also allow or disallow Android for Work (Android Enterprise) as a platform.
If, for instance, you want to allow macOS enrollment for only a specific group, you can create a special restriction that allows macOS, while the default restriction blocks the macOS platform.
By assigning the device type restriction to only one or more groups, you are able to control who is allowed to enroll what kind of device.
By changing the order of the device type restrictions you are able to control the priority.
Restrictions with a higher priority always override the default restriction or the ones with a lower priority.
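The priority behaviour described above, modelled offline as an added example (not code from the original post or from Microsoft). It assumes priority 1 is the highest and that only the single highest-priority restriction matching one of the user's groups applies; the group names, restriction names and platform sets are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Restriction:
    name: str
    priority: int       # assumption: 1 is evaluated first, the default last
    groups: frozenset   # assigned groups; empty for the default (all users)
    allowed: frozenset  # platforms this restriction allows

# Constructed sample data mirroring the macOS scenario in the post.
DEFAULT = Restriction("Default", 10**6, frozenset(),
                      frozenset({"iOS", "Android", "Windows"}))
CUSTOM = [
    Restriction("Allow macOS for Mac pilots", 1, frozenset({"mac-pilots"}),
                frozenset({"iOS", "Android", "Windows", "macOS"})),
    Restriction("No Android for contractors", 2, frozenset({"contractors"}),
                frozenset({"iOS", "Windows"})),
]

def effective_restriction(user_groups, custom=CUSTOM, default=DEFAULT):
    """Return the one restriction that applies: the highest-priority one
    assigned to any of the user's groups, otherwise the default."""
    matching = [r for r in custom if r.groups & set(user_groups)]
    return min(matching, key=lambda r: r.priority) if matching else default

def can_enroll(user_groups, platform):
    return platform in effective_restriction(user_groups).allowed

def widened_platforms(custom=CUSTOM, default=DEFAULT):
    """Audit helper: platforms a custom restriction allows that the default blocks."""
    return {r.name: sorted(r.allowed - default.allowed)
            for r in custom if r.allowed - default.allowed}

if __name__ == "__main__":
    for groups in (["sales"], ["mac-pilots"], ["contractors"],
                   ["contractors", "mac-pilots"]):
        r = effective_restriction(groups)
        print(groups, "->", r.name,
              "| macOS:", can_enroll(groups, "macOS"),
              "| Android:", can_enroll(groups, "Android"))
    print("Widened beyond default:", widened_platforms())
```

The last sample user sits in both groups and receives only the priority 1 restriction, so the Android block aimed at contractors does not apply to them; overlapping group membership is worth reviewing whenever the order is changed.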
Besides the device type restrictions, you are now also able to create device limit restrictions and assign them to groups; also for device type restrictions the priority can be changed.
Another great addition if you ask me. Read more here.
Microsoft is currently rolling out this new feature so it might be that it is not yet available in your tenant. (dd 02/20/2018)