What is device enrollment?

Applies to: Intune in the Azure portal
Looking for documentation about Intune in the classic portal? Go here.

This topic describes enrollment and lists the different ways to enroll mobile devices in Intune management.

You enroll devices in Intune so that you can manage those devices. We refer to this capability in the Intune documentation as mobile device management (MDM). When devices are enrolled in Intune, they are issued an MDM certificate, which the devices then use to communicate with the Intune service.

The way you enroll your devices depends on the device type, ownership, and the level of management you needed. "Bring your own device" (BYOD) enrollment lets users enroll their personal phones, tablets, or PCs. Corporate-owned device (COD) enrollment enables management scenarios like automatic enrollment, shared devices, or pre-authorized enrollment requirements.

If you use Exchange ActiveSync, either on-premises or hosted in the cloud, you can enable simple Intune management without enrollment (more information is coming soon). You can manage Windows PCs as mobile devices, which is the recommended method described below.

Overview of device enrollment methods

The following table offers an overview of Intune enrollment methods with their capabilities and requirements described below.


  • Reset required - Device are factory reset during enrollment.
  • User Affinity - Associates devices with users. For more information, see User affinity.
  • Locked - Prevents users from unenrolling devices.

iOS enrollment methods

Method Reset Required User Affinity Locked Details
BYOD No Yes No More information
DEM No No No More information
DEP Yes Optional Optional More information
USB-SA Yes Optional No More information
USB-Direct No No No More information

Windows enrollment methods

Method Reset Required User Affinity Locked Details
BYOD No Yes No More information
DEM No No No More information
Auto-enroll No Yes No More information
Bulk enroll No No No More information

Android enrollment methods

Method Reset Required User Affinity Locked Details
BYOD No Yes No More information
DEM No No No More information
Android for Work No Yes No More information


"Bring your own device" users install and run the Company Portal app to enroll their devices. This program lets users access company resources like email.

Corporate-owned devices

The following are corporate-owned devices (COD) enrollment scenarios. iOS devices can be enrolled directly through the tools that are provided by Apple. All device types can be enrolled by an admin or manager using the device enrollment manager. Devices with an IMEI number can also be identified and tagged as company-owned to enable COD scenarios.


Device enrollment manager (DEM) is a special user account that's used to enroll and manage multiple corporate-owned devices. Managers can install the Company Portal and enroll many user-less devices. Learn more about DEM.


Apple Device Enrollment Program (DEP) management lets you create and deploy policy “over the air” to iOS devices that are purchased and managed with DEP. The device is enrolled when users turn on the device for the first time and run iOS Setup Assistant. This method supports iOS supervised mode, which enables a device to be configured with the following functionality:

  • App Lock (Single App Mode)
  • Global HTTP Proxy
  • Activation Lock Bypass
  • Autonomous Single App Mode
  • Web Content Filter
  • Set background and lock screen
  • Silent App Push
  • Always-On VPN
  • Allow managed app installation exclusively
  • iBookstore
  • iMessages
  • Game Center
  • AirDrop
  • AirPlay
  • Host pairing
  • Cloud Sync
  • Spotlight search
  • Handoff
  • Erase device
  • Restrictions UI
  • Installation of configuration profiles by UI
  • News
  • Keyboard shortcuts
  • Passcode modifications
  • Device name changes
  • Wallpaper changes
  • Automatic app downloads
  • Changes to enterprise app trust
  • Apple Music
  • Mail Drop
  • Pair with Apple Watch


Apple confirmed that certain settings will move to supervised-only in 2018. We recommend taking this into consideration when using these settings instead of waiting for Apple to migrate them to supervised-only:

  • App installation
  • App removal
  • FaceTime
  • Safari
  • iTunes
  • Explicit content
  • iCloud documents and data
  • Multiplayer gaming
  • Add Game Center friends

Learn more about iOS DEP enrollment:


IT admins use Apple Configurator, through USB, to prepare each corporate-owned device manually for enrollment using Setup Assistant. The IT admin creates an enrollment profile and exports it to Apple Configurator. When users receive their devices, they are then prompted to run Setup Assistant to enroll their device. This method supports iOS supervised mode, which in turn enables the following features:

  • Locked enrollment
  • Kiosk mode and other advanced configurations and restrictions

Learn more about iOS Apple Configurator enrollment with Setup Assistant:


For direct enrollment, the admin must enroll each device manually by creating an enrollment policy and exporting it to Apple Configurator. USB-connected, corporate-owned devices are enrolled directly and don't require a factory reset. Devices are managed as user-less devices. They are not locked or supervised and cannot support conditional access, jailbreak detection, or mobile application management.

To learn more about iOS enrollment, see:

Mobile device management with Exchange ActiveSync and Intune

Mobile devices that aren't enrolled, but that connect to Exchange ActiveSync (EAS), can be managed by Intune using EAS MDM policy. Intune uses an Exchange Connector to communicate with EAS, either on-premises or cloud-hosted. More information is coming soon.

Mobile device cleanup after MDM certificate expiration

The MDM certificate is renewed automatically when mobile devices are communicating with the Intune service. If mobile devices are wiped, or they fail to communicate with the Intune service for some period of time, the MDM certificate will not get renewed. The device is removed from the Azure portal 180 days after the MDM certificate expires.