It is up to the administrator to decide how to manage his/her devices.  In particular, the following should be noted:

(1) I personally advocate the practice of having two different add-devices-rules to separate enrollment of Work-Managed devices from Work-Profile devices. Those end-users who are informed CLEARLY to enrol their BYOD/CYOD devices will be given a different enrollment ID to use during the enrollment process that do not involve device factory-reset.  If your end-users are supposed to enrol their devices on hand into managed-device mode, they should be given the correct enrollment ID for Work-Managed model enrollment and told to factory reset their device during the enrollment process.

(2) MobiControl allows Work-Managed and Work-Profile devices to reside in the same device group, but i personally recommend my customers to separate them into two sub-groups for clarity purpose.  If two separate add-devices rules are used for different modes as mentioned in point (1), the corresponding target device group can easily be configured differently in the corresponding rule.

(3) It is currently not possible to block enrollment of a device in MobiControl if the target device mode is not the intended one.  It might be possible to use alert rule or REST api to implement some checking mechanism to signal administrator that a device of incorrect mode has been enrolled onto the system.  However, the above-mentioned simple mechanisms of clearly documenting the enrollment procedure and usage of different add-devices-rules/enrollment-ID's should already avoid most related problems.

Hi Allen,

Apologies for the wait, we are experiencing an unprecedented caseload at the moment.

How about filtering IP addresses to limit connections for enrollment?

https://www.soti.net/mc/help/v15.5/en/console/devices/managing/adding/usingrulefilters.html?hl=rule%2Cfilter

If the above step does not suites your requirement, please let me know.

I will keep on seeking for solutions.