Step 5 – Enroll devices in Microsoft Intune
In the final phase of deployment, devices are registered or joined in Azure Active Directory (Azure AD), enrolled in Microsoft Intune, and checked for compliance.
During enrollment, Microsoft Intune installs a mobile device management (MDM) certificate on the device, which enables Intune to enforce enrollment profiles, enrollment restrictions, and the policies and profiles you created earlier in this guide.
This article describes:
- How-to prepare enrollment in Microsoft Intune for corporate-owned and user-owned devices.
- Enrollment options for each OS platform.
- Post-enrollment monitoring, troubleshooting, and resources.
If this is your first time deploying enrollment profiles with Intune, or you're trying a new configuration, start small and use a staged approach. Assign the enrollment profile to a pilot or test group. After initial testing, add more users to the pilot group. If everything is going well, assign the enrollment profile to more pilot groups. For more information and suggestions, see the Planning guide: Step 5 - Create a rollout plan.
Registration in Azure AD is a required step for Intune management. Before a device can enroll in Intune, the user of the device must authenticate and establish a device identity in your org's Azure AD. This step grants the user single sign-on access to cloud-based work apps and other resources. It's important to know which identity option you're utilizing because it determines the enrollment methods you can use, and also determines the sign-in experience for the device user. Identity options include:
- Azure AD registration is the device identity option available for personal and corporate-owned mobile devices. Users on these devices authenticate by signing in to work resources, like apps and web browsers, using their Azure AD work account.
- Azure AD joined is the device identity option available for corporate-owned Windows 10/11 devices utilizing co-management options. Users on these devices authenticate by signing in to the device using their Azure AD work account.
Prepare devices for enrollment by configuring enrollment features, such as enrollment restrictions, device categorization, and device enrollment managers. These configurations help improve and simplify the enrollment experience for you and device users, and help you stay organized in the admin center. Configure them before you create the enrollment profile.
Setting availability varies by OS platform.
Unenroll and reset existing devices
If devices are currently enrolled in another MDM provider, unenroll the devices from the existing MDM provider before enrolling them in Intune. The following table shows the devices that require a factory reset before enrolling in Intune.
|Platform||Factory reset required?|
|Android Enterprise personally owned devices with a work profile (BYOD)||No|
|Android Enterprise corporate-owned work profile (COPE)||Yes|
|Android Enterprise fully managed (COBO)||Yes|
|Android Enterprise dedicated devices (COSU)||Yes|
|Android device administrator (DA)||No|
Devices that don't require a reset begin installing Intune profiles as soon as they enroll. Previously configured settings may remain on devices if you don't change them in Intune prior to enrollment.
Add device enrollment managers
We recommend utilizing device enrollment managers when you need to enroll and prepare a large number of devices for distribution. A device enrollment manager account can enroll and manage up to 1,000 devices, while a standard non-admin account can only enroll 15 devices. A device enrollment manager is a non-administrator Azure AD user who can:
- Enroll up to 1000 corporate-owned devices in Intune
- Sign in to Intune Company Portal to get company apps
- Configure access to corporate data by deploying role-specific apps to devices
Some enrollment methods, such as Apple automated device enrollment, aren't compatible with the device enrollment manager account, so be sure that the method you choose is supported before you begin setup.
For more information and limitations, see Add device enrollment managers.
Create device enrollment restrictions
Use this feature in the Microsoft Intune admin center to restrict certain devices from enrolling in Intune. There are two types of device enrollment restrictions you can configure in Microsoft Intune:
- Device platform restrictions: Restrict devices based on device platform, version, manufacturer, or ownership type.
- Device limit restrictions: Restrict the number of devices a user can enroll in Intune.
Enrollment restrictions aren't available for Linux and some Windows enrollment scenarios. When you're setting up restrictions for Android Enterprise personal devices, we recommend leveraging our Android security configuration framework. It includes the device restrictions needed for basic security (level 1), which is the minimum security configuration we recommend having on personal devices, and high security (level 3), which is for devices used by specific users or groups who are uniquely high risk.
For more information, see:
Create terms and conditions policy
Use an Intune terms and conditions policy to disclose legal disclaimers and compliance requirements to device users before enrollment. This policy requires the devices user to accept your org's terms and conditions before they enroll their device or access protected resources. The terms and conditions are shown to targeted users in the Intune Company Portal app.
For more information, see Terms and conditions for user access.
Require multifactor authentication
Require users to authenticate via multi-factor authentication (MFA) during enrollment. If you require MFA, people wanting to enroll devices must authenticate with a second device and two forms of credentials before they can enroll their device. This is a one-time conditional step, and ensures that the person on the device is who they say they are. You can enable this behavior for all platforms except Linux by using a conditional access policy with an MFA policy. Azure AD Premium is required.
For more information, see Require multifactor authentication for Intune device enrollments.
Categorize devices into groups
Create a device category in Intune, such as nursing or marketing, and Intune will automatically add all devices that fall within that category to the corresponding device group in Intune.
This feature is available for all platforms except Linux. For more information, see Categorize devices into groups.
Enrollment for Android devices
You can enroll personal or corporate-owned Android devices in Intune. We recommend Android Enterprise enrollment solutions for personal and corporate-owned devices that use Google Mobile Services. For corporate-owned devices that don't have Google Mobile Services and are built from the Android Open Source Project (AOSP), use the AOSP enrollment methods.
Connect Intune to your managed Google Play account. The connection is required for all Android Enterprise management options, including:
- Android Enterprise personally owned work profile
- Android Enterprise corporate-owned work profile
- Android Enterprise fully managed
- Android Enterprise dedicated
Android enrollment methods
The following tabs describe the Intune-supported Android and AOSP enrollment options.
Corporate-owned devices with a work profile: Enroll corporate-owned devices that are also approved for personal use. This method creates a separate work profile on the device so that the user can switch between their personal apps and work apps easily and securely. The device user enrolls the device through the Microsoft Intune app. As an admin, you can manage the apps and data in the work profile. This method aligns with the Android Enterprise corporate-owned work profile management solution.
Fully managed: Enroll corporate-owned devices exclusively for work and not personal use. There's one user associated with the enrolled device. You can manage the entire device and enforce policy controls not available with the Android Enterprise work profile method. This method aligns with the Android Enterprise fully managed management solution.
Dedicated device: Enroll corporate-owned, single use or kiosk devices used for things like digital signage, ticket printing, or inventory management. With this method, you can limit the apps and web links available on the device, and prevent people from using the device outside of the intended scope. This method aligns with the Android Enterprise dedicated devices management solution.
Corporate-owned, userless devices: Enroll devices that are built from the Android Open Source Project (AOSP) and absent of Google Mobile services as corporate-owned, userless devices. These devices don't have a user associated with them and are intended to be shared, like in a library or lab.
Corporate-owned, user associated devices: Enroll devices that are built from AOSP and absent of Google Mobile services as corporate-owned, user-associated devices. These devices are associated with a single user and intended to be exclusively for work use.
Zero-touch enrollment: We recommend using zero-touch enrollment for bulk enrollments and to simplify enrollment for remote workers. This method lets you prepare corporate-owned devices ahead of time so that they automatically provision and enroll as fully manged devices when users turn them on.
Android Enterprise device management capabilities supersede Android device administrator capabilities so we recommend using Android Enterprise management solutions when possible. We still recommend the Android device administrator management solution for these scenarios:
- For Microsoft Teams certified Android devices.
- When the device is in an area where Android Enterprise is unavailable.
- When devices are incapable of integrating with Google Mobile Services, and the AOSP enrollment options won't work with them. For more information about using Android device administrator when Google Mobile Services is unavailable, see How to use Intune in environments without Google Mobile Services.
Enrollment for Apple devices
This section describes the enrollment options available for iOS/iPadOS and Mac devices in Intune.
Complete the following prerequisites before you create the enrollment profile for Apple devices:
- Upload an Apple MDM push certificate to Intune. For more information, see Get MDM push certificate.
- Get an Apple enrollment program token if you plan to enroll devices via Apple automated device enrollment. For more information, see:
Apple enrollment solutions
The following table describes the enrollment solutions for devices running iOS/iPadOS and macOS.
Automated device enrollment for iOS/iPadOS and for Mac devices: Enroll new or wiped devices purchased from Apple Business Manager or Apple School Manager with automated device enrollment. This automated enrollment method for corporate-owned devices applies your organization's settings from Apple Business Manager and Apple School Manager, supports supervision mode, and enrolls devices without you needing to touch them. When people turn on their devices, Apple Setup Assistant guides them through setup and enrollment.
Apple Configurator for iOS/iPadOS and for Mac devices: Manually enroll new or existing corporate-owned devices via Apple Configurator. This option is ideal for bulk enrollments and when you don't have access to Apple School Manager, Apple Business Manager, or when you require a wired network connection. You must have physical access to the devices because you have to connect to and configure devices on a Mac. There are two different paths you can take:
- Setup Assistant enrollment: This method wipes the device and prepares it for enrollment in Apple Configurator. When users turn on their devices, Setup Assistant begins, and then devices enroll in Intune. You must have access to the device serial numbers, because you need to input them into the admin center.
- Direct enrollment: This method lets you enroll the device prior to distribution, and doesn't wipe the device. Devices enrolled this way aren't associated with a user so we recommend this option for shared or kiosk devices. The instructions are different for macOS and iOS devices, so be sure to use the correct how-to documentation for devices.
Enrollment for Linux
Employees and students in BYOD scenarios can enroll personal Linux devices in Microsoft Intune. Enrollment enables them to access work resources in Microsoft Edge.
As an Intune admin, you don't need to do anything to enable Linux enrollment in the admin center. It's automatically enabled. When users enroll their Linux devices, you'll see them in the admin center. For more information, see Enroll Linux desktop devices in Microsoft Intune.
Enrollment for Windows
This section describes the enrollment solutions available for personal and corporate-owned devices running Windows 10 or Windows 11.
Microsoft Intune enrollment is supported on devices in cloud environments. Co-management with Configuration Manager is supported in on-premises environments.
Windows enrollment methods
The following table describes the supported enrollment methods for devices running Windows 10 and Windows 11.
Make enrollment in Intune easier for employees and students by enabling automatic enrollment for Windows. For more information, see Enable automatic enrollment.
Azure Active Directory Join with automatic enrollment: This option is supported on devices that are procured by you or the device user for work use. Enrollment occurs during the out-of-box-experience, after the user signs in with their work account and joins Azure AD. This solution is for when you don't have access to the device, such as in remote work environments. When these devices enroll, their device ownership changes to corporate-owned, and you get access to management features that aren't available on devices marked as personal-owned.
Windows Autopilot out-of-box-experience: Automatic enrollment is supported with the user-driven or self-deploying Windows Autopilot out-of-box-experience (OOBE), and is best for corporate-owned desktops, laptops, and kiosks. Device users get desktop access after required software and policies are installed. An Azure AD Premium license is required.
Windows Autopilot for Hybrid Azure AD join: Automatic enrollment is supported with Windows Autopilot for hybrid Azure AD-joined devices. During the Windows Autopilot out-of-box-experience, the Intune connector for Active Directory enables devices in Active Directory domain services to join to Azure AD, and then automatically enroll in Intune. You have to install the Intune connector for Active Directory on an on-premises server and register devices in Windows Autopilot. We recommend this enrollment solution for on-premises environments that use Active Directory domain services and can't currently move their identities to Azure AD.
Co-management with Configuration Manager: Co-management is best for environments that already manage devices with Configuration Manager, and want to integrate Microsoft Intune workloads. Co-management is the act of moving workloads from Configuration Manager to Intune and telling the Windows client who the management authority is for that particular workload. For example, you can manage devices with compliance policies and device configuration workloads in Intune, and utilize Configuration Manager for all other features, like app deployment and security policies.
More Windows enrollment features
There are other Windows enrollment options in Intune to help improve or simplify the device management experience for you and your employees:
- Co-management settings: Enable co-management settings to integrate Configuration Manager workloads with Intune. Co-management enables you to use both Intune and Configuration Manager features to manage devices.
- CNAME validation: Validate a domain name server (DNS) alias (CNAME record type) you created to redirect enrollment requests to Intune servers. The alias simplifies enrollment for users in the absence of Azure AD Premium and automatic enrollment.
- Enrollment Status Page: Enable the Enrollment Status Page so that people going through device setup can view and track installation progress.
Report and troubleshoot
Track incomplete and abandoned user enrollments. This Microsoft Intune report tells you where in the Company Portal users failed to complete the enrollment process.
For troubleshooting docs, see Troubleshoot device enrollment.
Additional enrollment guides are available throughout the Microsoft Intune documentation. These guides include visual comparisons, how-to steps, tips, and enrollment best practices for each supported platform.
- Android enrollment guide
- iOS/iPadOS enrollment guide
- Linux enrollment guide
- macOS enrollment guide
- Windows enrollment guide
- Set up Microsoft Intune
- Add, configure, and protect apps
- Plan for compliance policies
- Create device configuration profiles
- 🡺 Enroll devices (You are here)
Submit and view feedback for