Enrolling company-owned macOS and Windows devices in Intune after setup

85985803 0 Reputation points
2023-03-05T11:43:23.8966667+00:00

Hey,

I have multiple macOS and Windows devices; they are all company devices.

I want to enroll all the endpoints in Intune, but they are already running, meaning I can't do that in the setup phase.

What is the best scalable way to do that for both macOS and Windows? I tried Company Portal for Windows, but I noticed that the user can delete the connection and unenroll.

Thanks,

Microsoft Security | Intune | Enrollment
Microsoft Security | Microsoft Entra | Microsoft Entra ID
Microsoft Security | Intune | Other

2 answers

  1. Sreeju Nair 12,666 Reputation points
    2023-03-05T14:27:27.98+00:00

    Since your devices are already running, the recommended way is to enroll your macOS devices using the Company Portal app.

    Refer: https://learn.microsoft.com/en-us/mem/intune/user-help/enroll-your-device-in-intune-macos-cp?source=recommendations

    You already mentioned that you used the Company Portal app to register the Windows device; however, users have the option to unenroll. Refer to the following article to understand how to do this:

    https://businesstechplanet.com/how-to-block-users-unenrolling-from-intune-on-company-devices-windows-10/

    For macOS, the user will not have access to company data once they unenroll.

    https://github.com/MicrosoftDocs/IntuneDocs/blob/main/intune-user-help/unenroll-your-device-from-intune-macos.md


  2. Crystal-MSFT 53,991 Reputation points Microsoft External Staff
    2023-03-06T02:20:55.91+00:00

    @85985803, Thanks for posting in Q&A.

    For Windows devices, we can enroll via the following methods. You can choose one according to your situation:

    BYOD: Users enroll their personally owned devices via Company Portal. Ownership: Personal.

    DEM: A special service account with permissions that let authorized users enroll and manage multiple corporate-owned devices. These types of devices are good for point-of-sale or utility apps, for example, but not for users who need to access email or company resources.

    Automatic enrollment via MDM: Joins the device with Azure Active Directory and enables users to sign in to Windows with their Azure AD credentials. If Auto Enrollment is enabled, the device is automatically enrolled in Intune.

    Automatic enrollment via Group Policy: Configure Active Directory group policy to automatically enroll devices that are hybrid Azure AD joined. (Join the on-premises domain, register the device with Azure AD, then enroll it in Intune. Mainly for existing domain-joined devices.)

    Windows Autopilot: Set up and pre-configure new devices, getting them ready for productive use. For existing devices, a Windows reset is needed.

    Bulk enrollment: Lets an authorized user join large numbers of new corporate-owned devices to Azure Active Directory and Intune. No user affinity; can use a device license.

    Co-management: Lets administrators enroll their existing Configuration Manager managed devices in Intune to get the dual benefits of Intune and Configuration Manager.

    https://learn.microsoft.com/en-us/mem/intune/fundamentals/deployment-guide-enrollment-windows

    For macOS devices, we have the following options when enrolling:

    • BYOD: Device enrollment
    • Automated device enrollment (ADE)
    • Direct enrollment

    https://learn.microsoft.com/en-us/mem/intune/fundamentals/deployment-guide-enrollment-macos

    If the Mac was bought through ABM, you can enroll devices that have already gone through Setup Assistant via the steps in the following link to enroll corporate-owned Macs running macOS 10.13 and later.

    https://learn.microsoft.com/en-us/mem/intune/enrollment/device-enrollment-program-enroll-macos#distribute-devices

    Meanwhile, to prevent the user from unenrolling a Windows device, you can try the method which sreejukg provided to block the Accounts option. Or we can configure a Conditional Access policy to only allow compliant devices to access company resources to prevent it. Here is a link with more details:

    https://learn.microsoft.com/en-us/mem/intune/protect/create-conditional-access-intune

    Hope it can help.


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
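The following PowerShell audit is an added example, not part of either answer above. It reports, read-only, the state the second answer describes for a Windows endpoint: whether the device is Azure AD or hybrid joined and MDM-enrolled (parsed from `dsregcmd /status`), whether the Group Policy auto-enrollment value is set, which Intune enrollments are recorded, and whether the Policy CSP setting Experience/AllowManualMDMUnenrollment has been delivered to stop the user removing the work account. The registry paths are taken from the MDM enrollment and Policy CSP documentation as I know them; treat them as assumptions to verify on your Windows build.

```powershell
# Added example: read-only enrollment / unenrollment audit for one Windows endpoint.
# Run in an elevated PowerShell session. Registry paths are assumptions to verify
# against the Policy CSP and MDM enrollment docs for your Windows build.

function Get-DsregValue {
    param([string[]]$Output, [string]$Name)
    # dsregcmd prints "Name : Value" lines; take the first matching one.
    $line = $Output | Where-Object { $_ -match "^\s*$Name\s*:" } | Select-Object -First 1
    if ($line) { return ($line -split ':', 2)[1].Trim() }
    return 'N/A'
}

$dsreg         = dsregcmd /status
$azureAdJoined = Get-DsregValue $dsreg 'AzureAdJoined'
$domainJoined  = Get-DsregValue $dsreg 'DomainJoined'   # both YES => hybrid Azure AD joined
$mdmUrl        = Get-DsregValue $dsreg 'MdmUrl'         # empty => no MDM enrollment

# Group Policy "Enable automatic MDM enrollment using default Azure AD credentials"
# writes AutoEnrollMDM under this key (assumed path).
$gpoPath    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM'
$autoEnroll = (Get-ItemProperty -Path $gpoPath -ErrorAction SilentlyContinue).AutoEnrollMDM
$gpoState   = if ($null -eq $autoEnroll) { 'not configured' } else { "$autoEnroll" }

# Each MDM enrollment is recorded under HKLM\SOFTWARE\Microsoft\Enrollments\<GUID>;
# Intune enrollments carry ProviderID "MS DM Server" (assumed).
$enrollments = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Enrollments' -ErrorAction SilentlyContinue |
    ForEach-Object { Get-ItemProperty $_.PSPath } |
    Where-Object { $_.ProviderID -eq 'MS DM Server' } |
    ForEach-Object { "$($_.UPN) [type $($_.EnrollmentType)]" }

# Policy CSP Experience/AllowManualMDMUnenrollment: 0 = user cannot delete the work
# account from Settings > Accounts; absent or 1 = default, user may unenroll.
$polPath       = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Experience'
$allowUnenroll = (Get-ItemProperty -Path $polPath -ErrorAction SilentlyContinue).AllowManualMDMUnenrollment

[pscustomobject]@{
    AzureAdJoined         = $azureAdJoined
    DomainJoined          = $domainJoined
    MdmEnrolled           = ($mdmUrl -ne '' -and $mdmUrl -ne 'N/A')
    IntuneEnrollments     = ($enrollments -join '; ')
    GpoAutoEnrollMDM      = $gpoState
    ManualUnenrollBlocked = ($allowUnenroll -eq 0)
}
```

A device that shows `MdmEnrolled` true but `ManualUnenrollBlocked` false is in the state the question describes: enrolled, but the signed-in user can still remove the work account. Pairing the policy with a Conditional Access requirement for compliant devices, as the answer suggests, means an unenrolled device loses access even if the block is bypassed.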

