Intune Enrollment

tarou chabi 731 Reputation points
2021-04-05T14:39:30.247+00:00

Currently, our company terminals are managed with another company's MDM.
I'm considering migrating to Intune.
I don't use ABM.
I want to manage the devices in Intune as corporate terminals without wiping them.
I want to use conditional access.
Which features of the admin center can I use to achieve these?

Microsoft Security Intune Enrollment

Accepted answer
  1. Crystal-MSFT 53,981 Reputation points Microsoft External Staff
    2021-04-08T06:07:24.097+00:00

    @tarou chabi, thanks for the reply.

    "Add corporate identifiers by using a .csv file" is a way to import corporate-owned device information in a batch before users enroll their devices into Intune. After that, the devices will automatically be assigned corporate-owned status at the time of enrollment, and extra information will be collected. This can be configured by an Intune administrator in the Intune portal in the location below:
    [Screenshot: 85546-image.png]

    For the question "What is the difference between setting device ownership to Corporate by 1. and manually setting device ownership to Corporate by the administrator?", I would like to say that when we add corporate identifiers in the Intune portal in advance, it will collect more information, like the phone number and app inventory, during the enrollment. In the situation where the device is enrolled as a personal device and the administrator then changes the ownership to corporate, as far as I know, it will not collect this extra information again after we change the ownership.

    Hope it can help.
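
A pre-upload check for the corporate-identifier .csv file discussed in the accepted answer, as an added example that is not part of the thread and is not Microsoft code. It assumes a headerless two-column file (identifier, details), one identifier type per file, a 5,000-row cap and 128-character details; the function names and all sample values are constructed for illustration.

```python
import csv
import io

MAX_ROWS = 5000    # assumed per-file row limit
MAX_DETAILS = 128  # assumed length limit for the details column
# Constructed sample file; identifiers are made up for illustration.
SAMPLE = ("490154203237518,Sales phone\n"
          "F2LXK0ABCDEF,Warehouse tablet\n"
          "490154203237518,Listed twice\n"
          "490154203237519,Wrong check digit\n"
          "missing-details-column\n")

def luhn_ok(digits):
    """True if the digit string passes the Luhn check that IMEIs carry."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def classify(ident):
    """Label an identifier as 'imei', 'serial' or 'invalid'."""
    if ident.isdigit() and len(ident) == 15:
        return "imei" if luhn_ok(ident) else "invalid"
    return "serial" if ident.isascii() and ident.isalnum() else "invalid"

def validate(text):
    """Return the problems found in a corporate-identifier CSV."""
    problems, seen, kinds = [], set(), set()
    rows = list(csv.reader(io.StringIO(text)))
    if len(rows) > MAX_ROWS:
        problems.append(f"{len(rows)} rows exceed the limit of {MAX_ROWS}")
    for n, row in enumerate(rows, start=1):
        if len(row) != 2:
            problems.append(f"row {n}: expected 2 columns, got {len(row)}")
            continue
        ident, details = row[0].strip(), row[1]
        kind = classify(ident)
        if kind == "invalid":
            problems.append(f"row {n}: {ident!r} is not an IMEI or serial")
        else:
            kinds.add(kind)
        if ident.upper() in seen:
            problems.append(f"row {n}: duplicate identifier {ident!r}")
        seen.add(ident.upper())
        if len(details) > MAX_DETAILS:
            problems.append(f"row {n}: details exceed {MAX_DETAILS} chars")
    if len(kinds) > 1:
        problems.append("file mixes IMEIs and serial numbers")
    return problems
```

Calling `validate(SAMPLE)` reports the duplicate, the bad check digit, the one-column row and the mixed identifier types; a device missing from the file enrolls as personal by default, so catching rejected rows before upload matters for ownership status.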


2 additional answers

  1. Crystal-MSFT 53,981 Reputation points Microsoft External Staff
    2021-04-06T06:19:35.01+00:00

    @tarou chabi, thanks for posting in our Q&A. From your description, I know that we are considering migrating MDM to Intune, and we want to know more details about wiping and conditional access. If there's any misunderstanding, feel free to let us know.

    As far as I know, if devices are currently enrolled in another MDM provider, then we need to unenroll the devices from the existing MDM provider and then enroll them into Intune. Depending on the platform, a factory reset may be required before enrolling in Intune. We can check if the platform we choose needs a factory reset.
    [Screenshot: 84716-image.png]
    https://learn.microsoft.com/en-us/mem/intune/fundamentals/deployment-guide-enrollment#unenroll-from-existing-mdm-and-factory-reset

    For conditional access, we can go through the following link to find more details:
    https://learn.microsoft.com/en-us/mem/intune/fundamentals/migration-guide-drive-adoption

    Here is an official article about moving to Intune for reference:
    https://learn.microsoft.com/en-us/mem/intune/fundamentals/migration-guide

    Welcome to Intune, and hope the above information can help.




  2. Crystal-MSFT 53,981 Reputation points Microsoft External Staff
    2021-04-07T03:35:24.02+00:00

    @tarou chabi, from the above article, for iOS devices, the factory reset is needed. So I think we still need to consider a factory reset on these iPhones to avoid any issue in the future.

    For your questions, here are my answers:
    Q1: There are many registration methods for Intune, but which one is feasible? Is the only way I have left to register with the Intune portal app?
    A1: In general, the different enrollment methods are designed for different scenarios.
    [Screenshot: 85115-image.png]
    BYOD: Bring your own devices (BYOD), like personally-owned phones. Users install and run the Company Portal app to enroll BYODs.
    DEM: Device enrollment manager (DEM) is a special user account that's used to enroll and manage multiple corporate-owned devices. Managers can install the Company Portal and enroll many user-less devices. These types of devices are good for point-of-sale or utility apps.
    ADE: Apple Automated Device Enrollment (ADE) management lets you create and deploy policy "over the air" to iOS/iPadOS and macOS devices that are purchased and managed with ADE. The device is enrolled when users turn on the device for the first time and run Setup Assistant.
    USB-SA: IT admins use Apple Configurator, through USB, to prepare each corporate-owned device manually for enrollment using Setup Assistant.
    USB-Direct: For direct enrollment, the admin must enroll each device manually by creating an enrollment policy and exporting it to Apple Configurator. Devices are managed as user-less devices. They're not locked or supervised and can't support Conditional Access, jailbreak detection, or mobile application management.

    From your description, I know we don't have ABM and want to use conditional access. Here, we can choose BYOD or USB-SA to enroll iOS devices.

    Q2: About 1.2.3., is the control content the same no matter which method is used for registration?
    A2: Different MDM solutions handle device types differently. For Microsoft Intune, devices are considered personal by default. But some enrollment methods will make a device become identified as corporate. We can see more details in the following link:
    https://learn.microsoft.com/en-us/mem/intune/enrollment/corporate-identifiers-add

    Intune will collect a little bit more information about corporate devices. Intune will collect the phone number and app inventory of company owned devices for reporting and monitoring purposes, but will not do so for personal devices.

    In addition, all iOS/iPadOS devices with version 13.0 and later are automatically supervised when enrolled with Automated Device Enrollment. An iOS/iPadOS device in supervised mode provides more management control, like blocking of screen captures and blocking of the installation of apps from the App Store. USB-SA supports iOS supervised mode. For BYOD, supervision is generally not carried out.

    Not sure if the above information is what you want. If not, please give a more detailed description of "control content".

    Hope it can help.



