
13 - What Is Device Enrollment

Device enrollment in Microsoft Intune allows devices to be managed through mobile device management. There are several enrollment methods depending on device ownership, type, and management needs. These include BYOD, DEP, DEM, AutoPilot, and others. The document provides tables comparing the enrollment methods for iOS/iPadOS, macOS, Android, and Windows devices.

Uploaded by

Karim Karim

05/09/2023 21:05 IntuneDocs/intune/enrollment/device-enrollment.md at main · MicrosoftDocs/IntuneDocs · GitHub


ErikjeMS 4 years ago


| title | titleSuffix | description | keywords | author | ms.author | m |
|:---:|:---:|:---:|:---:|:---:|:---:|:---:|
| What is Microsoft Intune device enrollment | Microsoft Intune | Learn about enrollment for iOS/iPadOS, Android, and Windows devices. | | ErikjeMS | erikje | d |

What is device enrollment?


[!INCLUDE azure_portal]

Intune lets you manage your workforce’s devices and apps and how they access your
company data. To use this mobile device management (MDM), the devices must first be
enrolled in the Intune service. When a device is enrolled, it's issued an MDM certificate.
This certificate is used to communicate with the Intune service.

As you can see in the following tables, there are several methods to enroll your
workforce’s devices. Each method depends on the device's ownership (personal or
corporate), device type (iOS, Windows, Android), and management requirements
(resets, affinity, locking).

By default, devices for all platforms are allowed to enroll in Intune. However, you can
restrict devices by platform.

https://github.com/MicrosoftDocs/IntuneDocs/blob/main/intune/enrollment/device-enrollment.md 1/5

iOS/iPadOS enrollment methods

| Method | Reset Required | User Affinity | Locked | Details |
|:---:|:---:|:---:|:---:|:---:|
| | Devices are wiped during enrollment. | Associates each device with a user. | If yes, users can’t unenroll devices. | |
| BYOD | No | Yes | No | More information |
| DEM | No | No | No | More information |
| DEP | Yes | Optional | Optional | More information |
| USB-SA | Yes | Optional | No | More information |
| USB-Direct | No | No | No | More information |

macOS enrollment methods

| Method | Reset Required | User Affinity | Locked | Details |
|:---:|:---:|:---:|:---:|:---:|
| BYOD | No | Yes | No | More information |
| DEM | No | No | No | More information |
| DEP | Yes | Optional | Optional | More information |

Windows enrollment methods


| Method | Reset Required | User Affinity | Locked | Details |
|:---:|:---:|:---:|:---:|:---:|
| BYOD | No | Yes | No | More information |
| DEM | No | No | No | More information |
| Auto-enroll | No | Yes | No | More information |
| Autopilot | Yes | Yes | No | More information |
| Bulk enroll | No | No | No | More information |
| Co-management | No | Yes | No | More information |
| GPO | No | Yes | No | More information |


Android enrollment methods

| Personal | Enrollment Methods | Reset Required | User Affinity | Locked | Details |
|:---:|:---:|:---:|:---:|:---:|:---:|
| Android Device Admin | User initiated via Company Portal | No | Yes | No | More information |
| Android Enterprise Work Profile | User initiated via Company Portal | No | Yes | No | More information |

| Corporate | Enrollment Methods | Reset Required | User Affinity | Locked | Details |
|:---:|:---:|:---:|:---:|:---:|:---:|
| Android Device Admin | DEM initiated via Company Portal | No | No | No | More information |
| Android Device Admin | (Pre-declared IMEI or SN) User initiated via Company Portal | No | Yes | No | More information |
| Android Device Admin with Zebra Mobility Extensions | User or DEM initiated via Company Portal | No | Yes if user initiated, No if DEM initiated | No | More information |
| Android Enterprise Dedicated | NFC, Token, QR code, Zero Touch | Yes | No | Configurable via policy | More information |
| Android Enterprise Fully Managed | NFC, Token, QR code, Zero Touch | Yes | Yes | Configurable via policy | More information |

Bring your own device


Bring your own devices (BYOD) include personally-owned phones, tablets, and PCs.
Users install and run the Company Portal app to enroll BYODs. This program lets users
access company resources like email.

Corporate-owned device
Corporate-owned devices (COD) include phones, tablets, and PCs owned by the
organization and distributed to the workforce. COD enrollment supports scenarios like
automatic enrollment, shared devices, or pre-authorized enrollment requirements. A
common way to enroll CODs is for an administrator or manager to use the device
enrollment manager (DEM). iOS/iPadOS devices can be enrolled directly through the
Device Enrollment Program (DEP) tools that are provided by Apple. Devices with an
IMEI number can also be identified and tagged as corporate-owned.

Device enrollment manager


Device enrollment manager (DEM) is a special user account that's used to enroll and
manage multiple corporate-owned devices. Managers can install the Company Portal
and enroll many user-less devices. These types of devices are good for point-of-sale or
utility apps, for example, but not for users who need to access email or company
resources. Learn more about DEM.

Apple Device Enrollment Program


Apple Device Enrollment Program (DEP) management lets you create and deploy policy
“over the air” to iOS/iPadOS and macOS devices that are purchased and managed with
DEP. The device is enrolled when users turn on the device for the first time and run
Setup Assistant. This method supports iOS/iPadOS supervised mode, which enables a
device to be configured with specific functionality.

Learn more about iOS/iPadOS DEP enrollment:

Choose how to enroll iOS/iPadOS devices


Enroll iOS/iPadOS devices using Device Enrollment Program

USB-SA
IT admins use Apple Configurator, through USB, to prepare each corporate-owned
device manually for enrollment using Setup Assistant. The IT admin creates an
enrollment profile and exports it to Apple Configurator. When users receive their
devices, they're then prompted to run Setup Assistant to enroll their device. This
method supports iOS supervised mode, which in turn enables the following features:

Locked enrollment
Kiosk mode and other advanced configurations and restrictions

Learn more about iOS/iPadOS Apple Configurator enrollment with Setup Assistant:

Decide how to enroll iOS/iPadOS devices


Enroll iOS/iPadOS devices with Configurator and Setup Assistant

USB-Direct
For direct enrollment, the admin must enroll each device manually by creating an
enrollment policy and exporting it to Apple Configurator. USB-connected, corporate-
owned devices are enrolled directly and don't require a wipe. Devices are managed as
user-less devices. They're not locked or supervised and can't support Conditional
Access, jailbreak detection, or mobile application management.

To learn more about iOS/iPadOS enrollment, see:

Decide how to enroll iOS/iPadOS devices


Enroll iOS/iPadOS devices with Configurator and direct enrollment

Mobile device cleanup after MDM certificate expiration


The MDM certificate is renewed automatically when mobile devices are communicating
with the Intune service. If mobile devices are wiped, or they fail to communicate with
the Intune service for some period of time, the MDM certificate isn't renewed. The
device is removed from the Azure portal 180 days after the MDM certificate expires.
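
A triage sketch for the cleanup rule above, added here as an example and not part of the Microsoft documentation: it sorts devices by MDM certificate state so that records about to drop out of the portal can be reviewed first. The field name follows the Microsoft Graph managedDevice resource; the device records and function names are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# From the page: a device is removed 180 days after its MDM certificate expires.
REMOVAL_GRACE = timedelta(days=180)

# Constructed sample records. The field name follows the Microsoft Graph
# managedDevice resource; the values are made up for this example.
SAMPLE_DEVICES = [
    {"deviceName": "kiosk-01", "managementCertificateExpirationDate": "2024-09-01T00:00:00Z"},
    {"deviceName": "ipad-17", "managementCertificateExpirationDate": "2024-01-10T00:00:00Z"},
    {"deviceName": "pos-03", "managementCertificateExpirationDate": "2023-05-01T00:00:00Z"},
    {"deviceName": "lab-09", "managementCertificateExpirationDate": None},
]


def parse_utc(value):
    """Parse an ISO 8601 timestamp with a trailing 'Z' into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def classify(device, now):
    """Return (state, days), where days counts down to the next transition."""
    raw = device.get("managementCertificateExpirationDate")
    if not raw:
        return ("unknown", None)  # no certificate data: review by hand
    expires = parse_utc(raw)
    removal = expires + REMOVAL_GRACE
    if now < expires:
        return ("valid", (expires - now).days)
    if now < removal:
        # Certificate lapsed; the record still exists until the removal date.
        return ("expired-pending-removal", (removal - now).days)
    return ("past-removal-date", 0)


def triage(devices, now):
    """Map each device name to its state, for review before records disappear."""
    return {d["deviceName"]: classify(d, now) for d in devices}


if __name__ == "__main__":
    results = triage(SAMPLE_DEVICES, datetime.now(timezone.utc))
    for name, (state, days) in results.items():
        print(f"{name:10} {state:25} {days}")
```
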
