Overview of device enrollment methods

Applies to: System Center Configuration Manager (Current Branch)

After you extend Configuration Manager with Intune, you can enroll and manage corporate-owned devices or give users permission to enroll their personal devices. You can also manage company-owned devices with Intune using Configuration Manager.

The following table shows enrollment methods with their supported capabilities. These capabilities include:

  • Wipe - Factory reset the device, removing all data. Retire devices
  • Affinity - Associates devices with users. Required for mobile application management (MAM) and conditional access to company data. User Affinity
  • Lock - Prevents users from removing the device from management. iOS devices require Supervised mode for Lock. Remote lock

iOS enrollment methods

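| Method | Wipe | Affinity | Lock | Details |
|--------|------|----------|------|---------|
| BYOD | No | Yes | No | more |
| DEM | No | No | No | more |
| DEP | Yes | Optional | Optional | more |
| USB-SA | Yes | Optional | No | more |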

Windows and Android enrollment methods

| Method | Wipe | Affinity | Lock | Details |
|--------|------|----------|------|---------|
| BYOD | No | Yes | No | more |
| DEM | No | No | No | more |

For a series of questions that help you find the right method, see Choose how to enroll devices.

BYOD

"Bring your own device" (BYOD) users install the Company Portal app and enroll their device. This can let users connect to the company network, joining the domain or Azure Active Directory. Enabling BYOD enrollment is a prerequisite for many COD scenarios for most platforms. See Setup hybrid MDM. (Back to the table)

Corporate-owned devices

Corporate-owned devices (COD) can be managed with the Configuration Manager console. iOS devices can be enrolled directly through tools provided by Apple. All device types can be enrolled by an admin or manager using the device enrollment manager. Devices with an IMEI number can also be identified and tagged as company-owned to enable COD scenarios.

Enroll corporate-owned devices

DEM

Device enrollment manager is a special user account used to enroll and manage multiple corporate-owned devices. Managers can install the Company Portal and enroll many user-less devices. Learn more about DEM. (Back to the table)

DEP

Apple Device Enrollment Program (DEP) management lets you create and deploy policy “over the air” to iOS devices purchased and managed with DEP. The device is enrolled when the user turns on the device for the first time and runs the iOS Setup Assistant. This method supports iOS Supervised mode, which in turn enables:

  • Locked enrollment
  • Conditional access
  • Jailbreak detection
  • Mobile application management

Learn more about DEP. (Back to the table)

USB-SA

USB-connected, Setup Assistant enrollment. The admin creates a policy and exports it to Apple Configurator. USB-connected, corporate-owned devices are prepared with policy. The admin must enroll each device by hand. Users receive their devices and run Setup Assistant, enrolling their device. This method supports iOS Supervised mode, which in turn enables:

  • Conditional access
  • Jailbreak detection
  • Mobile application management

Learn more about Setup Assistant enrollment with Apple Configurator. (Back to the table)

Mobile device management with Exchange ActiveSync and Configuration Manager

Mobile devices that aren't enrolled but that connect to Exchange ActiveSync (EAS) can be managed by Intune using EAS MDM policy. Intune uses an Exchange Connector to communicate with EAS, either on-premises or cloud-hosted.

Mobile device management with Exchange ActiveSync and Intune