What is device enrollment?

Intune lets you manage your workforce’s devices and apps and how they access your company data. To use this mobile device management (MDM), the devices must first be enrolled in the Intune service. When a device is enrolled, it is issued an MDM certificate. This certificate is used to communicate with the Intune service.

As you can see in the following tables, there are several methods to enroll your workforce’s devices. Each method depends on the device's ownership (personal or corporate), device type (iOS, Windows, Android), and management requirements (resets, affinity, locking).

By default, devices for all platforms are allowed to enroll in Intune. However, you can restrict devices by platform.

iOS enrollment methods

In each table, Reset Required means devices are wiped during enrollment, User Affinity means each device is associated with a user, and Locked means users can't unenroll devices.

Method | Reset Required | User Affinity | Locked
BYOD | No | Yes | No
DEM | No | No | No
DEP | Yes | Optional | Optional
USB-SA | Yes | Optional | No
USB-Direct | No | No | No

macOS enrollment methods

Method | Reset Required | User Affinity | Locked
BYOD | No | Yes | No
DEM | No | No | No
DEP | Yes | Optional | Optional

Windows enrollment methods

Method | Reset Required | User Affinity | Locked
BYOD | No | Yes | No
DEM | No | No | No
Auto-enroll | No | Yes | No
Autopilot | Yes | Yes | No
Bulk enroll | No | No | No
Co-management | No | Yes | No
GPO | No | Yes | No

Android enrollment methods

Personal enrollment methods

Method | How enrollment is initiated | Reset Required | User Affinity | Locked
Android Device Admin | User initiated via Company Portal | No | Yes | No
Android Enterprise Work Profile | User initiated via Company Portal | No | Yes | No

Corporate enrollment methods

Method | How enrollment is initiated | Reset Required | User Affinity | Locked
Android Device Admin | DEM initiated via Company Portal | No | No | No
Android Device Admin (Pre-declared IMEI or SN) | User initiated via Company Portal | No | Yes | No
Android Device Admin with Zebra Mobility Extensions | User or DEM initiated via Company Portal | No | Yes if user initiated, No if DEM initiated | No
Android Enterprise Dedicated | NFC, Token, QR code, Zero Touch | Yes | No | Configurable via policy
Android Enterprise Fully Managed (Preview) | NFC, Token, QR code, Zero Touch | Yes | Yes | Configurable via policy

Bring your own device

Bring your own devices (BYOD) include personal phones, tablets, and PCs. Users install and run the Company Portal app to enroll BYODs. This program lets users access company resources like email.

Corporate-owned device

Corporate-owned devices (COD) include phones, tablets, and PCs owned by the organization and distributed to the workforce. COD enrollment supports scenarios like automatic enrollment, shared devices, or pre-authorized enrollment requirements. A common way to enroll CODs is for an administrator or manager to use the device enrollment manager (DEM). iOS devices can be enrolled directly through the Device Enrollment Program (DEP) tools that are provided by Apple. Devices with an IMEI number can also be identified and tagged as corporate-owned.

Device enrollment manager

Device enrollment manager (DEM) is a special user account that's used to enroll and manage multiple corporate-owned devices. Managers can install the Company Portal and enroll many user-less devices. These types of devices are good for point-of-sale or utility apps, for example, but not for users who need to access email or company resources. Learn more about DEM.

Apple Device Enrollment Program

Apple Device Enrollment Program (DEP) management lets you create and deploy policy “over the air” to iOS and macOS devices that are purchased and managed with DEP. The device is enrolled when users turn on the device for the first time and run Setup Assistant. This method supports iOS supervised mode, which enables a device to be configured with specific functionality.

Learn more about iOS DEP enrollment:

USB-SA

IT admins use Apple Configurator, through USB, to prepare each corporate-owned device manually for enrollment using Setup Assistant. The IT admin creates an enrollment profile and exports it to Apple Configurator. When users receive their devices, they are then prompted to run Setup Assistant to enroll their device. This method supports iOS supervised mode, which in turn enables the following features:

  • Locked enrollment
  • Kiosk mode and other advanced configurations and restrictions

Learn more about iOS Apple Configurator enrollment with Setup Assistant:

USB-Direct

For direct enrollment, the admin must enroll each device manually by creating an enrollment policy and exporting it to Apple Configurator. USB-connected, corporate-owned devices are enrolled directly and don't require a wipe. Devices are managed as user-less devices. They are not locked or supervised and cannot support Conditional Access, jailbreak detection, or mobile application management.

To learn more about iOS enrollment, see:

Mobile device cleanup after MDM certificate expiration

The MDM certificate is renewed automatically when mobile devices are communicating with the Intune service. If mobile devices are wiped, or they fail to communicate with the Intune service for some period of time, the MDM certificate is not renewed. The device is removed from the Azure portal 180 days after the MDM certificate expires.