Enroll devices for management in Intune

Nathan Barnett

You can enroll devices, including Windows PCs, to enable mobile device management (MDM) with Microsoft Intune. This topic describes different ways to enroll mobile devices in Intune management. How devices enroll depends on the device type, ownership, and the level of management needed. "Bring your own device" (BYOD) enrollment lets users enroll their personal phones, tablets, or PCs. Corporate-owned device (COD) enrollment enables management scenarios like remote wipe, shared devices, or user affinity for a device.

If you use Exchange ActiveSync, either on-premises or hosted in the cloud, you can enable simple Intune management without enrollment. Windows PCs can also be managed using Intune client software.

Overview of device enrollment methods

The following table shows Intune's enrollment methods with their supported capabilities. These capabilities include:

  • Wipe - Factory reset the device, removing all data. See Retire devices.
  • Affinity - Associates devices with users. Required for mobile application management (MAM) and conditional access to company data. See User Affinity.
  • Lock - Prevents users from removing the device from management. iOS devices require Supervised mode for Lock. See Remote lock.

iOS enrollment methods

Method       Wipe   Affinity   Lock
BYOD         No     Yes        No
DEM          No     No         No
DEP          Yes    Optional   Optional
USB-SA       Yes    Optional   No
USB-Direct   No     No         No

Windows enrollment methods

Method       Wipe   Affinity   Lock
BYOD         Yes    Yes        No
DEM          No     No         No

Android enrollment methods

Method       Wipe   Affinity   Lock
BYOD         No     Yes        No
DEM          No     No         No

For a series of questions that help you find the right method, see Choose how to enroll devices.

BYOD

"Bring your own device" users install the Company Portal app and enroll their device. This can let users connect to the company network, joining the domain or Azure Active Directory. Enabling BYOD enrollment is a prerequisite for many COD scenarios for most platforms. See Prerequisites for device enrollment.

Corporate-owned devices

Corporate-owned devices (COD) can be managed with the Intune console. iOS devices can be enrolled directly through tools provided by Apple. All device types can be enrolled by an admin or manager using the device enrollment manager. Devices with an IMEI number can also be identified and tagged as company-owned to enable COD scenarios.

Enroll corporate-owned devices

DEM

Device enrollment manager is a special Intune account used to enroll and manage multiple corporate-owned devices. Managers can install the Company Portal and enroll many user-less devices. Learn more about DEM.

DEP

Apple Device Enrollment Program (DEP) management lets you create and deploy policy “over the air” to iOS devices purchased and managed with DEP. The device is enrolled when the user turns on the device for the first time and runs the iOS Setup Assistant. This method supports iOS Supervised mode, which in turn enables:

  • Locked enrollment
  • Conditional access
  • Jailbreak detection
  • Mobile application management

Learn more about DEP.

USB-SA

USB-connected, Setup Assistant enrollment. The admin creates an Intune policy and exports it to Apple Configurator. USB-connected, corporate-owned devices are prepared with Intune policy. The admin must enroll each device by hand. Users receive their devices and run Setup Assistant, enrolling their device. This method supports iOS Supervised mode, which in turn enables:

  • Conditional access
  • Jailbreak detection
  • Mobile application management

Learn more about Setup Assistant enrollment with Apple Configurator.

USB-Direct

Direct enrollment. The admin creates an Intune policy and exports it to Apple Configurator. USB-connected, corporate-owned devices are enrolled directly without requiring a factory reset. The admin must enroll each device by hand. Devices are managed as user-less devices. They are not locked or supervised and cannot support conditional access, jailbreak detection, or mobile application management. Learn more about direct enrollment with Apple Configurator.

Mobile device management with Exchange ActiveSync and Intune

Mobile devices that aren't enrolled but that connect to Exchange ActiveSync (EAS) can be managed by Intune using EAS MDM policy. Intune uses an Exchange Connector to communicate with EAS, either on-premises or cloud-hosted.

Manage Windows PCs with Intune

You can also use Microsoft Intune to manage Windows PCs using the Intune client software. PCs managed with the Intune client can:

  • Report software and hardware inventories
  • Install desktop applications (for example .exe and .msi files)
  • Manage firewall settings

PCs managed with the Intune client software cannot be wiped, and cannot take advantage of many Intune management features such as conditional access, VPN and Wi-Fi settings, or deployment of certificates and email configurations.

Supported device platforms

Intune can manage the following device platforms:

  • Apple iOS 8.0 and later
  • Google Android 4.0 and later (including Samsung KNOX SDK 4.0 and higher)
  • Windows Phone 8.0 and later
  • Windows RT and Windows 8.1 RT
  • PCs running Windows 8.1
  • PCs running Windows 10 (Home, Pro, Education, and Enterprise versions)
  • Mac OS X 10.9 and later

The Intune software client can manage Windows PCs running the Windows Vista operating system and later, excluding all Home editions of Windows, which are not supported. Customers with Enterprise Management + Security (EMS) can also use Azure Active Directory (AAD) to register Windows 10 devices.
