1. In your service you need to select the enforcement tab
2. Click Modify
3. Click on the Rules tab
4. Add New rule
5. Add the following condition
6. Move the condition to the top
7. Make sure select first match
CPPM will look in the endpoint repository to see how many device the user has and if its more than you specify it will deny access to that device. In my condition I limit each user to a max of 3 devices per user.
