Add device enrollment managers

A device enrollment manager (DEM) is a non-administrator user who can enroll devices in Intune. Device enrollment managers are useful to have when you need to enroll and prepare many devices for distribution. People signed in to a DEM account can enroll and manage up to 1,000 devices, while a standard non-admin account can only enroll 15.

A DEM account requires an Intune user or device license, and an associated Azure AD user. Global Administrators and Intune Service Administrators can add and manage device enrollment managers in the Microsoft Endpoint Manager admin center.

This article describes the limits and specifications of device enrollment manager accounts and how to manage their permissions.

Supported enrollment methods

A device enrollment manager can use the following methods to enroll devices in Intune:

Tip

To compare DEM best practices and capabilities alongside other Windows enrollment methods, see Intune enrollment method capabilities for Windows devices.

Account permissions

These Azure AD roles can manage device enrollment managers:

  • Global Administrator
  • Intune Service Administrator role in Azure AD

They can add and delete device enrollment managers, and view all DEM users in the Microsoft Endpoint Manager admin center.

Limitations

The device enrollment manager account can't be used with all features in Microsoft Intune and has some limitations when used with others. This section describes the limitations you could encounter while setting up devices from a DEM account.

Android Enterprise

You can enroll up to 10 personally owned devices with work profiles.

The following types of Android Enterprise devices can't be set up via DEM:

  • Corporate-owned with a work profile
  • Fully managed

Apple Automated Device Enrollment

DEM isn't compatible with Apple Automated Device Enrollment (ADE).

Apple volume purchased apps

DEM-enrolled devices can install VPP apps if they have Apple VPP device licenses. You can't use apps purchased through Apple VPP with Apple VPP user licenses, because of per-user Apple ID requirements for app management.

Azure AD

Applying an Azure AD device restriction to a DEM account prevents the account from reaching its 1,000-device enrollment limit.

Conditional access

Conditional access is only supported with DEM on devices running:

  • Windows 10, version 1803 and later
  • Windows 11

Device limit restrictions

DEM enrolls Windows 10/11 devices in shared device mode, so device limit restrictions won't work on them. Instead, you can configure a hard limit for these devices in the Azure AD admin center. For more information, see Manage device identities by using the Azure portal.

Intune Company Portal

Only the local device appears in the Company Portal app or Company Portal website. Device users can't wipe DEM-enrolled devices from Company Portal. You have to sign in to the Microsoft Endpoint Manager admin center to wipe these devices.

Number of accounts

There's a limit of 150 DEM accounts in Microsoft Intune.

Add a device enrollment manager

  1. Sign in to the Microsoft Endpoint Manager admin center, and choose Devices > Enroll devices > Device enrollment managers.

  2. Select Add.

  3. On the Add User blade, enter a user principal name for the DEM user, and select Add. The DEM user is added to the list of DEM users.

Remove device enrollment manager permissions

Removing a device enrollment manager doesn't affect enrolled devices.

To remove a device enrollment manager

  1. Sign in to the Microsoft Endpoint Manager admin center, and choose Devices > Enroll devices > Device enrollment managers.
  2. On the Device enrollment managers blade, select the DEM user, and select Delete.