Intune enables mobile device management (MDM) of iPads and iPhones to give users secure access to company email, data, and apps. You can let users enroll personally-owned devices, known as "bring your own device" (BYOD) enrollment. You can also set up enrollment of company-owned devices. You can let users enroll their personal devices for Intune management, known as "bring your own device" or BYOD. There are three options for enrolling users: After you've completed the prerequisites and assigned user licenses, users can download the Intune Company Portal app from the App Store, and follow enrollment instructions in the app.
ADE lets you deploy an enrollment profile "over the air" to bring devices into management. User Enrollment gives admins a subset of management options compared to other enrollment methods. Apple School Manager is a device purchase and enrollment program for schools.
Like ADE, you can deploy a profile to enroll devices in management. Learn more about Apple School Manager. To prepare devices, you USB-connect them and install an enrollment profile. You can enroll devices with Apple Configurator in two ways: Learn more about Apple Configurator enrollment. Devices configured with user affinity can install and run the Company Portal app to download apps and manage devices.
After users receive their devices, they must complete a number of additional steps to complete the Setup Assistant and install the Company Portal app. Devices that are configured with no user affinity do not support the Company Portal and should not have the app installed. The Company Portal is designed for users who have corporate credentials and require access to personalized corporate resources like email. Devices that are enrolled with no user affinity aren't intended to have a dedicated user sign in.
Kiosk, point of sale (POS), or shared-utility devices are typical use cases for devices that are enrolled with no user affinity. If user affinity is required, be sure that the device's enrollment profile has User Affinity selected before enrolling the device. To change the affinity status on a device, you must retire the device and reenroll it. Set up Intune - These steps set up your Intune infrastructure.
In particular, device enrollment requires that you set your MDM authority. There are three options for enrolling users: App Protection Policies give you the lightest BYOD experience, providing management at an app level only.
However, if you want to also secure the device with a 6-digit complex PIN, you can use these policies along with User Enrollment. It provides admins with a wide range of management options. User Enrollment is a more streamlined enrollment process that provides admins with a subset of device management options.
This feature is currently in preview. User Enrollment gives admins a subset of management options compared to other enrollment methods. You can enroll devices with Apple Configurator in two ways: Setup Assistant enrollment - Wipes the device, prepares it to run Setup Assistant, and installs the company's policies for the device's new user.
Direct enrollment - Doesn't wipe the device and enrolls the device with a predefined policy.
Intune lets you manage your workforce's devices and apps and how they access your company data. To use this mobile device management (MDM), the devices must first be enrolled in the Intune service. When a device is enrolled, it's issued an MDM certificate.
This certificate is used to communicate with the Intune service. As you can see in the following tables, there are several methods to enroll your workforce's devices.
Each method depends on the device's ownership (personal or corporate), device type (iOS, Windows, Android), and management requirements (resets, affinity, locking). By default, devices for all platforms are allowed to enroll in Intune. However, you can restrict devices by platform. This program lets users access company resources like email. Corporate-owned devices (COD) include phones, tablets, and PCs owned by the organization and distributed to the workforce.
COD enrollment supports scenarios like automatic enrollment, shared devices, or pre-authorized enrollment requirements. Devices with an IMEI number can also be identified and tagged as corporate-owned. Device enrollment manager (DEM) is a special user account that's used to enroll and manage multiple corporate-owned devices. Managers can install the Company Portal and enroll many user-less devices. These types of devices are good for point-of-sale or utility apps, for example, but not for users who need to access email or company resources.
Learn more about DEM. The device is enrolled when users turn on the device for the first time and run Setup Assistant.
The IT admin creates an enrollment profile and exports it to Apple Configurator. When users receive their devices, they're then prompted to run Setup Assistant to enroll their device. This method supports iOS supervised mode, which in turn enables the following features: For direct enrollment, the admin must enroll each device manually by creating an enrollment policy and exporting it to Apple Configurator.
USB-connected, corporate-owned devices are enrolled directly and don't require a wipe. Devices are managed as user-less devices. They're not locked or supervised and can't support Conditional Access, jailbreak detection, or mobile application management. The MDM certificate is renewed automatically when mobile devices are communicating with the Intune service. If mobile devices are wiped, or they fail to communicate with the Intune service for some period of time, the MDM certificate isn't renewed.
The device is removed from the Azure portal days after the MDM certificate expires. Associates each device with a user. If yes, users can't unenroll devices.
This article helps IT administrators simplify Windows enrollment for their users. Once you've set up Intune, users enroll Windows devices by signing in with their work or school account.
Organizations that can use automatic enrollment can also configure bulk enrollment of devices by using the Windows Configuration Designer app. Before an administrator can enroll devices to Intune for management, licenses should have already been assigned to the administrator's account. Read about assigning licenses for device enrollment. When standard users sign in with their Azure AD credentials, they receive apps and policies assigned to their user name. Only the device's Primary user can use the Company Portal for self-service scenarios like installing apps and performing device actions (Remove, Reset).
For shared Windows 10 devices that do not have a primary user assigned, the Company Portal can still be used to install Available apps. Automatic enrollment lets users enroll their Windows 10 devices in Intune. To enroll, users add their work account to their personally owned devices or join corporate-owned devices to Azure Active Directory.
Intune enrollment methods for Windows devices
In the background, the device registers and joins Azure Active Directory. Once registered, the device is managed with Intune. Sign in to the Azure portal, and select Azure Active Directory. Configure MDM User scope. Specify which users' devices should be managed by Microsoft Intune. These Windows 10 devices can automatically enroll for management with Microsoft Intune. Some - Select the Groups that can automatically enroll their Windows 10 devices.
The device will get automatically enrolled in the configured MDM. By default, two-factor authentication is not enabled for the service.
However, two-factor authentication is recommended when registering a device. To enable two-factor authentication, configure a two-factor authentication provider in Azure AD and configure your user accounts for multi-factor authentication.
Otherwise, users trying to connect to Intune must enter the Intune server name during enrollment. For example, if your company's website is contoso. Changes to DNS records might take up to 72 hours to propagate. There are two other endpoints that have been used by customers in the past and still work, but they are no longer supported. If you point to EnterpriseEnrollment-s. For example, using a proxy server to redirect enterpriseenrollment. Tell your users how to enroll their Windows devices and what to expect after they're brought into management.
End users must access the Company Portal website through Microsoft Edge to view Windows apps that you've assigned for specific versions of Windows. Other browsers, including Google Chrome, Mozilla Firefox, and Internet Explorer do not support this type of filtering. For end-user enrollment instructions, see Enroll your Windows device in Intune. You can also tell users to review What can my IT admin see on my device.
If you do not have Auto-MDM enrollment enabled, but you have Windows 10 devices that have been joined to Azure AD, two records will be visible in the Intune console after enrollment. For more information about end-user tasks, see Resources about the end-user experience with Microsoft Intune. Intune conditional access requires devices to be registered, also called "workplace joined".
For more information about device registration, see Manage device identities using the Azure portal.
This article helps Intune administrators understand and troubleshoot problems when enrolling Windows devices in Intune. Before you start troubleshooting, it's important to collect some basic information. This information can help you better understand the problem and reduce the time to find a resolution. Error 0xc "This user is not authorized to enroll.
You can try to do this again or contact your system administrator with the error code 0xc This user is not authorized to enroll. You can try to do this again or contact your system administrator with error code Sign in to the Microsoft Endpoint Manager admin center with a global administrator account. If the current setting is already Allow, change it to Block, save the setting, and then change it back to Allow and save the setting again. This resets the enrollment setting.
Upgrade Windows 10 Home to Windows 10 Pro or a higher edition. Error 0xc "This user is not allowed to enroll. You can try again or contact your system administrator with the error code c This prevents new users from joining their devices to Azure AD.
Therefore Intune enrollment fails. Error a: "Something went wrong. The device is already enrolled. You can contact your system administrator with the error code a. Error: "This account is not allowed on this phone. Make sure the information you provided is correct, and then try again or request support from your company.
Cause: The user who tried to enroll the device doesn't have a valid Intune license. Go to the Microsoft Admin Center, and then assign either an Intune or an Office license to the user. Error "Something went wrong. Confirm you are using the correct sign-in information and that your organization uses this feature. You can try to do this again or contact your system administrator with the error code Cause: This error can occur when you try to join a Windows 10 computer to Azure AD and both of the following conditions are true:
Error: "There was a problem. Your organization does not support this version of Windows. Sign in to the Azure portal as administrator. Make sure that all Azure AD accounts for the provisioning package are added.
Therefore the device is now marked as non-compliant by the built-in compliancy policy because of the "Enrolled user exists" check.
How can we change the Enrolled User without re-installing the device? Is there another way to achieve this or do we need to re-enroll the device? If the answer is yes, what is the best way? AAD owner doesn't have any impact on the Intune side.
Intune device belongs to the enrollment owner. If you want to change that you must do a factory reset. Fresh start is not necessary as this will try to remove bloatware as well. So for some reason, the user's account was deleted last night. I restored it this morning. But after running a sync in Intune the device is still coming back as Not Compliant even though the user who registered the device is active and the one logged into the device. If it's different, this is probably the cause of the issue.
Thank you for that, I'll check that! That makes perfect sense if that is the case. Just curious, how would I know what the old one was? Is there some type of log file I can pull up? You rock! Again thank you for all of your help. I'm just kicking off a project to get rid of our environment's Physical Domain Controller.
Very exciting stuff, but I'll give the docs a gander and see what happens. I'll update the thread with what I find.
You can enroll up to 1, mobile devices with a single Azure Active Directory account by using a device enrollment manager (DEM) account. A DEM account is useful for scenarios where devices are enrolled and prepared before handing them out to the users of the devices.
DEM user accounts and devices that are enrolled with a DEM user account have the following limitations:
If a user doesn't have the Global Administrator or Intune Service Administrator role assigned to them, but has read permissions enabled for the Device Enrollment Managers role assigned to them, they can see only the DEM users they've created.
Wipe can't be done from the Company Portal. Only the local device appears in the Company Portal app or website. The license could be an Intune user license or an Intune device license.
If you're enrolling Android Enterprise work profile devices by using a DEM account, there is a limit of 10 devices that can be enrolled per account.
Select Add.
Remove device enrollment manager permissions
Removing a device enrollment manager doesn't affect enrolled devices.
Enroll iOS/iPadOS devices in Intune
To manage devices in Intune, devices must first be enrolled in the Intune service. Both personally owned and corporate-owned devices can be enrolled for Intune management.
Windows 10 Intune Enrollment Process BYOD Scenario
There are two ways to get devices enrolled in Intune:
- Users can self-enroll their Windows PCs.
- Admins can configure policies to force automatic enrollment without any user involvement.
User self-enrollment in Intune
Users can self-enroll their Windows device by using any of these methods:
Bring your own device (BYOD): Users enroll their personally owned devices by downloading and installing the Company Portal app. This process registers the device with Azure Active Directory to gain access to corporate resources like email.
If an administrator has configured Auto enrollment (available with Azure AD premium subscriptions), the user only has to enter their credentials once. Otherwise, they'll have to enroll separately through MDM only enrollment and reenter their credentials.
Users enroll from Settings on the existing Windows PC. This method isn't recommended because it doesn't register the device into Azure Active Directory. It also prevents the use of features such as Conditional Access.
If Auto Enrollment is enabled, the device is automatically enrolled in Intune. The benefit of auto enrollment is a single-step process for the user. The device is marked as a corporate owned device in Intune. This method simplifies the out-of-box experience and removes the need to apply custom operating system images onto the devices. When admins use Intune to manage Autopilot devices, they can manage policies, profiles, apps, and more after they're enrolled.
There are four types of Autopilot deployment: Self Deploying Mode (for kiosks, digital signage, or a shared device), User Driven Mode (for traditional users), White Glove, which enables partners or IT staff to pre-provision a Windows 10 PC so that it is fully configured and business-ready, and Autopilot for existing devices, which enables you to easily deploy the latest version of Windows 10 to your existing devices.
Administrator-based enrollment in Intune
Administrators can set up the following methods of enrollment that require no user interaction: Hybrid Azure AD Join lets administrators configure Active Directory group policy to automatically enroll devices that are hybrid Azure AD joined.
Configuration Manager Co-management lets administrators enroll their existing Configuration Manager managed devices into Intune to get the dual benefits of Intune and Configuration Manager. Device enrollment manager (DEM) is a special service account.
DEM accounts have permissions that let authorized users enroll and manage multiple corporate-owned devices. These types of devices are good for point-of-sale or utility apps, for example, but not for users who need to access email or company resources. This method does not allow the use of features such as Conditional Access. Bulk enroll lets an authorized user join large numbers of new corporate-owned devices to Azure Active Directory and Intune.
This method does not allow the use of Conditional Access. Then, using SD Card media during initial boot up, it installs the provisioning package to automatically enroll the devices into Intune.