HerveRichard asked:

AZURE - Mobility (MDM & MAM) - Device Enrollment Manager - Restrictions

Hi everyone,

I would like to use just a DEM account to enroll the devices and prevent any user to perform the enrollment.

I have created a DEM account and set up into MEM.

In AAD should I:

  • In Intune, configure the MDM scope to "some", select a group where is my DEM account (leave Microsoft Intune Enrollment to "None")?

OR

  • In Intune, select the MDM scope to "All" + in Microsoft Intune Enrollment, select "Some" and select my group where there is my DEM account?

Thanks you in advance for your help,

Regards.


mem-intune-enrollment

LuDaiMSFT-0289 answered:

@HerveRichard Thanks for your explanation.

I have done the test in my lab. It seems we can use a DEM account to enroll the device during OOBE. The following are the steps as a reference:

1. Add a DEM account in the Intune portal.

2. Use the DEM account to log in to the device.

3. Check if the device is enrolled in Intune. I can see the device in the Intune portal.

Based on the test, I think we can use the DEM account to enroll devices during OOBE.

Hope it will help.


@HerveRichard I am currently standing by for further update from you and would like to know how things are going. If you have any questions or concerns on the recent information I've provided you, please don't hesitate to let me know.

Jason-MSFT answered:

Are these newly provisioned systems? If not, are you going to manually log into every system to do this?

Are the systems currently joined to an on-prem AD (if already provisioned)?

Also, using a DEM account has some restrictions and is not intended for single-user systems.


@HerveRichard Thanks for posting in our Q&A.

For this issue, the MDM user scope in "Microsoft Intune" is what configures automatic MDM enrollment. Don't change the settings in "Microsoft Intune Enrollment"; keep them at the default.
https://docs.microsoft.com/en-us/mem/intune/enrollment/windows-enroll#configure-automatic-mdm-enrollment

When we add the group that includes the DEM account to the MDM scope in "Microsoft Intune", we can auto-enroll the devices via the DEM account. It is also suggested to block personal devices in Device type restrictions.

For the DEM restrictions that Jason mentioned, I am adding a link that lists the limitations:
https://docs.microsoft.com/en-us/mem/intune/enrollment/device-enrollment-manager-enroll#limitations-of-devices-that-are-enrolled-with-a-dem-account

Hope the above information will help.

Dear both,

I would like to thank you for your reply.

Please note that:

  • The devices are kiosk machines (not single user)

  • The enrollment is performed during Windows 10 OOBE

  • There is no on-prem AD, just AAD P1 and MEM.

We do not want the machines to be linked specifically to the personal account of the user who enrolled the machine (if the person leaves the company, the account will be disabled and the Intune license "recycled", and we will lose the binding with the machine in Intune).

We also do not want personal machines to be enrolled.

Have you looked at using Autopilot and self-deploying mode then? https://docs.microsoft.com/en-us/mem/autopilot/self-deploying

HerveRichard answered:

Dear @Jason-MSFT, @LuDaiMSFT-0289 and @NickHogarth-MVP,

I would like to thank you for your help and apologize for my late reply.

I have done the following:

  1. Set up a DEM account in MEM

  2. In AAD, under Mobility (MDM and MAM), configure Microsoft Intune / MDM user scope to "Some" and target a group of which my DEM account is a member

  3. Create an enrollment restriction to allow the Windows (MDM) platform and deny "Personally owned" devices.

So, the accounts in the DEM group can auto-enroll the machines in MEM during OOBE and no other user account can join/enroll a machine.

Thanks again for your help,

Kind regards
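As an added example that is not part of the thread, the following PowerShell script uses the Microsoft Graph PowerShell SDK to read back the configuration HerveRichard ends up with and flag drift: the "Microsoft Intune" MDM user scope must be "Some" (Graph value `selected`) and target the DEM group, the DEM account must actually be a member of that group, "Microsoft Intune Enrollment" should still be at None, and the Windows platform restriction must block personally owned devices. The DEM UPN and group name are placeholders; the mobility-policy resource lives in the Graph beta endpoint, and the policy display names and `appliesTo` values used for matching are assumptions to confirm against your tenant.

```powershell
# Added verification script (not from the thread). Requires the Microsoft.Graph
# PowerShell SDK (Install-Module Microsoft.Graph). Placeholders are assumptions.

$DemUpn         = "dem-kiosk@contoso.onmicrosoft.com"   # placeholder: DEM account UPN
$ScopeGroupName = "SG-Intune-DEM-Enrollment"            # placeholder: group used as MDM user scope

Connect-MgGraph -Scopes "Policy.Read.All", "Group.Read.All", "DeviceManagementServiceConfig.Read.All" -NoWelcome

$findings = [System.Collections.Generic.List[string]]::new()
$mdmBase  = "https://graph.microsoft.com/beta/policies/mobileDeviceManagementPolicies"

# --- 1. AAD > Mobility (MDM and MAM): MDM user scope of "Microsoft Intune" ---
# appliesTo is "all", "selected" (shown as "Some" in the portal) or "none" (assumption).
$allPolicies = (Invoke-MgGraphRequest -Method GET -Uri $mdmBase).value
$intune      = $allPolicies | Where-Object { $_.displayName -eq "Microsoft Intune" }
if ($null -eq $intune) { throw "No 'Microsoft Intune' mobility policy found in this tenant." }

if ($intune.appliesTo -ne "selected") {
    $findings.Add("'Microsoft Intune' MDM user scope is '$($intune.appliesTo)'; expected 'selected' (Some) so only the DEM group can auto-enroll.")
}
$scopeGroups = (Invoke-MgGraphRequest -Method GET -Uri "$mdmBase/$($intune.id)/includedGroups").value
if (-not ($scopeGroups.displayName -contains $ScopeGroupName)) {
    $findings.Add("Group '$ScopeGroupName' is not in the MDM user scope (found: $($scopeGroups.displayName -join ', ')).")
}

# The thread's working configuration leaves "Microsoft Intune Enrollment" at its default (None).
$enrollPolicy = $allPolicies | Where-Object { $_.displayName -eq "Microsoft Intune Enrollment" }
if ($enrollPolicy -and $enrollPolicy.appliesTo -ne "none") {
    $findings.Add("'Microsoft Intune Enrollment' scope is '$($enrollPolicy.appliesTo)'; expected 'none'.")
}

# --- 2. The DEM account must really be a member of the scoped group ---
$group     = Get-MgGroup -Filter "displayName eq '$ScopeGroupName'" -ErrorAction Stop
$dem       = Get-MgUser  -UserId $DemUpn -ErrorAction Stop
$memberIds = (Get-MgGroupMember -GroupId $group.Id -All).Id
if ($memberIds -notcontains $dem.Id) {
    $findings.Add("DEM account $DemUpn is not a member of '$ScopeGroupName'; OOBE sign-in with it will not auto-enroll.")
}

# --- 3. Enrollment restrictions: Windows (MDM) allowed, personally owned Windows blocked ---
$cfgs = (Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceEnrollmentConfigurations").value
$platformRestrictions = $cfgs | Where-Object {
    $_.'@odata.type' -eq '#microsoft.graph.deviceEnrollmentPlatformRestrictionsConfiguration'
}
foreach ($r in $platformRestrictions) {
    $w = $r.windowsRestriction
    if ($null -eq $w) { continue }
    if ($w.platformBlocked) {
        $findings.Add("'$($r.displayName)': Windows (MDM) platform is blocked; DEM enrollment would fail.")
    }
    if (-not $w.personalDeviceEnrollmentBlocked) {
        $findings.Add("'$($r.displayName)': personally owned Windows devices are NOT blocked.")
    }
}

if ($findings.Count -eq 0) {
    Write-Host "OK: 'Microsoft Intune' scope = Some ($ScopeGroupName), DEM account in scope, personal Windows devices blocked."
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```

Run it with an account that holds the listed read scopes; it changes nothing and only reports. Matching the platform restriction on `@odata.type` rather than a display name means any scoped restriction profiles are checked as well as the default one.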


