svjs-0437 asked LuDaiMSFT-0289 edited

Best practice to create groups for BYOD & corporate iOS/Android

I am setting up Intune for my client and I have a few queries around applying profiles from Intune. Kindly help with the best way I can handle this, based on the below:

1) To date all corporate-owned devices are iOS, and they plan to add the existing devices to the ADE program. In this scenario, if I set the ADE enrollment profile as default:
a) Will all devices from ABM have the corporate identifier applied even before profile assignment?
b) Will it automatically apply the profile to all devices enrolled via ABM only?
c) Will the profile get applied to BYOD iOS as well?
d) What type of profile should be applied for BYOD iOS device enrollment?
e) What about the scenario where a user has a corporate device and wants to use BYOD as well?

2) How do I apply an Android work profile for BYOD devices, and what rule can I use for the dynamic group?

I would appreciate your inputs on these.

Thank you




Tags: mem-intune-device-configurations, mem-intune-enrollment

1 Answer

LuDaiMSFT-0289 answered LuDaiMSFT-0289 edited

@svjs-0437 Thanks for posting in our Q&A.

For issue 1), I will share some information about it.
a) Based on my understanding, corporate or personal is defined in Intune. Before devices are enrolled in Intune successfully, we cannot see the device's identifier. For ADE enrollment, Intune automatically assigns corporate-owned status to iOS devices.

b) Before we assign the default profile, it is necessary to get an ADE token and add devices to the token. So, it will automatically apply the default profile to all devices that are added to the ADE token.
https://docs.microsoft.com/en-us/mem/intune/enrollment/device-enrollment-program-enroll-ios#assign-a-default-profile

c) As I said above, if the BYOD device is added to the ADE token, the default profile will get applied to it.

d) Based on my understanding, if you use ADE enrollment for BYOD devices, Intune will mark the device as corporate, not personal. It means that the device will be owned by the company after enrollment. So, it is not suggested to use ADE enrollment for BYOD devices; it is suggested to use BYOD enrollment.
1. Get an Apple MDM push certificate:
https://docs.microsoft.com/en-us/mem/intune/enrollment/apple-mdm-push-certificate-get
2. Enroll BYOD devices:
https://docs.microsoft.com/en-us/mem/intune/user-help/enroll-your-device-in-intune-ios

e) You can use ADE enrollment to make devices corporate and use BYOD enrollment to make devices personal.

2) What did you mean by Android work profile? Android enrollment profiles or any other profiles?

If there are any updates, feel free to let us know.



@LuDaiMSFT-0289 Thank you for the response! It helps a lot. Please help me check whether I have summed up the below correctly for my infra.

For the iOS scenario, if I understand the shared details above:
a) The ADE enrollment profile should not be the default in my infra, as I also have BYOD iOS devices which I don't want to be converted to corporate devices.
b) For the ADE enrollment profile, how do I define a dynamic group? Will devices imported from ABM be identified as corporate, and can this be utilised here to create dynamic groups?

For Android devices, they are only BYOD devices, so I am assuming creating an Android enrollment with work profile should suffice. But could you guide me on how I should target the deployment? Should this be via dynamic groups, and if so, what rules should be created for this?


@svjs-0437 Thanks for your reply.

For iOS:
a) If you don't add BYOD devices to the token in ABM, the default enrollment profile will not be delivered to BYOD devices.
https://docs.microsoft.com/en-us/mem/intune/enrollment/device-enrollment-program-enroll-ios#assign-devices-to-the-apple-token-mdm-server

b) It is suggested to define the dynamic group with the ADE enrollment profile name. All the devices deployed by this ADE enrollment profile will be enrolled as corporate devices.
https://docs.microsoft.com/en-us/azure/active-directory/enterprise-users/groups-dynamic-membership#rules-for-devices

For Android:
Based on my experience, we usually use "Personally-owned devices with work profile" enrollment for Android BYOD devices. And for Android enrollment, it is not necessary to create groups. Please refer to the following article to enroll Android devices.
https://docs.microsoft.com/en-us/mem/intune/user-help/enroll-device-android-work-profile

Hope it will help.


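As an added example (not code from the thread), the dynamic device groups the reply describes, created with Microsoft Graph PowerShell: the corporate group keys on the ADE enrollment profile name and also requires company ownership, so a personal device can never land in the corporate group even if a profile is renamed. The group names, the profile name "ADE-Corporate-iOS" and the OS-type strings are assumptions to replace with the values shown in your own tenant.

```powershell
# Added example, not from the original thread. Requires the Microsoft.Graph.Groups module.
Connect-MgGraph -Scopes "Group.ReadWrite.All"

# Corporate iOS: devices enrolled through the named ADE enrollment profile.
# The name must match the enrollment profile name in Intune exactly (assumed value here).
# deviceOwnership is checked as well, so the profile name alone cannot admit a personal device.
$corpRule = '(device.enrollmentProfileName -eq "ADE-Corporate-iOS") -and (device.deviceOwnership -eq "Company")'

# BYOD iOS: personal devices of the iOS types; these never come through ABM.
# Verify the deviceOSType strings against a real device in your tenant before relying on them.
$byodRule = '(device.deviceOSType -in ["iPhone","iPad"]) -and (device.deviceOwnership -eq "Personal")'

function New-IntuneDeviceDynamicGroup {
    param([string]$Name, [string]$Rule)
    # Security group with dynamic membership; the rule is evaluated by Azure AD, not by Intune.
    New-MgGroup -DisplayName $Name `
        -MailEnabled:$false `
        -MailNickname ($Name -replace '[^A-Za-z0-9]', '') `
        -SecurityEnabled `
        -GroupTypes @('DynamicMembership') `
        -MembershipRule $Rule `
        -MembershipRuleProcessingState 'On'
}

$corp = New-IntuneDeviceDynamicGroup -Name 'iOS - Corporate (ADE)' -Rule $corpRule
$byod = New-IntuneDeviceDynamicGroup -Name 'iOS - BYOD'            -Rule $byodRule

# Check after dynamic processing has finished: no device should be in both groups,
# since that would mean a corporate profile or policy is reaching a personal device.
$corpIds = (Get-MgGroupMember -GroupId $corp.Id -All).Id
$byodIds = (Get-MgGroupMember -GroupId $byod.Id -All).Id
$overlap = $corpIds | Where-Object { $byodIds -contains $_ }
if ($overlap) { Write-Warning "Devices in both groups: $($overlap -join ', ')" }
```

Membership is populated asynchronously, so run the overlap check some minutes after creating the groups, and again whenever an enrollment profile is renamed.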