Enroll devices for management in Intune

Nathan Barnett
Contributors

Microsoft Intune mobile device management (MDM) uses enrollment to bring devices into management and allow access to resources. The way you'll enroll devices depends on the device type, ownership, and the level of management needed. "Bring your own device" (BYOD) and company-owned device (COD) scenarios require an enrollment process. Organizations using Exchange ActiveSync, either on-premises or hosted in the cloud, can enable lighter management without enrollment requirements. Windows PCs can also be managed using Intune client software.

See "Choose how to enroll devices" for help.

Supported device platforms

Intune can manage the following device platforms:

  • Apple iOS 7.1 and later
  • Google Android 4.0 and later (including Samsung KNOX SDK 4.0 and higher)
  • Windows Phone 8.0 and later
  • Windows RT and Windows 8.1 RT
  • PCs running Windows 8.1
  • PCs running Windows 10 (Home, Pro, Education, and Enterprise versions)
  • Mac OS X 10.9 and later

The Intune software client can manage Windows PCs running the Windows 7 operating system and later. Customers with Enterprise Management Suite (EMS) can also use Azure Active Directory (AAD) to register Windows 10 devices.

Set mobile device management authority

The MDM authority defines the management service that has permission to manage a set of devices. The options for the MDM authority include Intune by itself and Configuration Manager with Intune. If you set Configuration Manager as the management authority, no other service can be used for mobile device management.

Important

Consider carefully whether you want to manage mobile devices by using Intune only (online service) or System Center Configuration Manager with Intune (on-premises software solution in conjunction with the online service). After you set the mobile device management authority, this cannot be changed.

  1. In the Microsoft Intune administration console, choose Admin > Mobile Device Management.

  2. In the Tasks list, click Set Mobile Device Management Authority. The Set MDM Authority dialog box opens.

  3. Intune requests confirmation that you want Intune as your MDM authority. Select the check box, and then choose Yes to use Microsoft Intune to manage mobile devices.

Configure the Intune Company Portal

The Intune Company Portal is where users access company data and can do common tasks like enrolling devices, installing apps, and locating information for assistance from your IT department.

Tip

When you customize the Company Portal, the configurations apply to both the Company Portal website and Company Portal apps.

Customizing the Company Portal helps to provide a familiar and helpful experience for your end users. To do this, just sign in to the Microsoft Intune administration console as a tenant or service administrator, choose Admin > Company Portal, and configure the Company Portal settings.

Overview of device enrollment methods

The following tables show the enrollment methods for corporate-owned devices, with their benefits.

iOS Enrollment Methods

Method      Wipe  Affinity  Locked
BYOD        No    Yes       No
DEM         No    No        No
DEP         Yes   Opt       Opt
USB-SA      Yes   Opt       No
USB-Direct  No    No        No

Windows and Android Enrollment Methods

Method      Wipe  Affinity  Locked
BYOD        No    Yes       No
DEM         No    No        No

Enrollment methods for devices

BYOD

“Bring Your Own Device.” Users install the Company Portal app and enroll their device. Enrolling a device with the Company Portal will Workplace Join the device. Enrolling iOS devices with the Company Portal requires an Apple ID. BYOD does not require additional configuration for corporate-owned devices. See steps to set up device management.

DEM

Device enrollment manager. Admin creates DEM accounts to manage corporate-owned devices. Managers can then install the Company Portal and enroll many user-less devices. Learn more about DEM.

DEP

Apple Device Enrollment Program. Admin creates and deploys policy “over the air” to corporate-owned iOS devices purchased and managed with DEP. The device is enrolled when the user runs the iOS Setup Assistant. This method supports iOS Supervised mode, which in turn enables:

  • Locked enrollment
  • Conditional access
  • Jailbreak detection
  • Mobile application management

Learn more about DEP.

USB-SA

USB-connected, Setup Assistant enrollment. The admin creates an Intune policy and exports it to Apple Configurator. USB-connected, corporate-owned devices are prepared with Intune policy. The admin must enroll each device by hand. Users receive their devices and run Setup Assistant, enrolling their device. This method supports iOS Supervised mode, which in turn enables:

  • Conditional access
  • Jailbreak detection
  • Mobile application management

Learn more about Setup Assistant enrollment with Apple Configurator.

USB-Direct

Direct enrollment. The admin creates an Intune policy and exports it to Apple Configurator. USB-connected, corporate-owned devices are enrolled directly without requiring a factory reset. The admin must enroll each device by hand. Devices are managed as user-less devices. They are not locked or supervised and cannot support conditional access, jailbreak detection, or mobile application management. Learn more about direct enrollment with Apple Configurator.

Behavior for corporate-owned mobile devices

Wipe

Specifies whether enrolling the device requires that the device be factory reset, removing all data from the device and returning it to its original state. See Retire devices.

Affinity

Specifies whether the enrollment method supports “User Affinity” which connects a device with a specific user. “Opt” devices can be enrolled with or without user affinity. User affinity is required to support the following:

  • Mobile application management (MAM) apps
  • Conditional access to email and company data
  • Company Portal app

See User Affinity.

Lock

Specifies whether the device can be locked to prevent the user from removing the Intune policy, effectively removing the device from management. For iOS devices, locking the device requires that it be in Supervised mode.

Enable device enrollment

Enrollment lets users access company resources on their personal devices and lets the admin ensure those devices comply with policies that protect company resources. This is the best way to enable "bring your own device" scenarios with Intune. The admin must enable enrollment in the Intune console, which might require creating a trust relationship with the device and assigning licenses to users. The device is then enrolled, usually by users entering their work or school credentials. The device then receives policy from Intune and gains access to resources.

Get ready to enroll devices in Intune

Enroll corporate-owned devices

Corporate-owned devices (COD) can be managed with the Intune console. iOS devices can be enrolled directly through tools provided by Apple. All device types can be enrolled by an admin or manager using the device enrollment manager. Devices with an IMEI number can also be identified and tagged as company-owned to enable COD scenarios.

Enroll corporate-owned devices

Mobile device management with Exchange ActiveSync and Intune

Mobile devices that aren't enrolled but that connect to Exchange ActiveSync (EAS) can be managed by Intune using EAS MDM policy. Intune uses an Exchange Connector to communicate with EAS, either on-premises or cloud-hosted.

Mobile device management with Exchange ActiveSync and Intune

Manage Windows PCs with Intune

You can also use Microsoft Intune to manage Windows PCs using the Intune Windows PC client software. PCs managed with the Intune client can:

  • Report software and hardware inventories
  • Install desktop applications (for example .exe and .msi files)
  • Manage firewall settings

Computers managed with the Intune client software cannot be selectively wiped or retired, and cannot take advantage of many Intune management features such as conditional access, VPN and Wi-Fi settings, or deployment of certificates and email configurations.

Manage Windows PCs with Intune
