Enrollment guide: Microsoft Intune enrollment
Microsoft Intune, together with Microsoft Entra ID, facilitates a secure, streamlined process for registering and enrolling devices that want access to your internal resources. Once users and devices are registered within your Microsoft Entra ID (also called a tenant), then you can utilize Intune for its endpoint management capabilities. The process that enables device management for a device is called device enrollment.
During enrollment, Intune installs an MDM certificate on the enrolling device. The MDM certificate communicates with the Intune service, and enables Intune to start enforcing your organization's policies, such as:
- Enrollment policies that limit the number or type of devices someone can enroll.
- Compliance policies that help users and devices meet your rules.
- Configuration profiles that configure work-appropriate features and settings on devices.
Typically, policies are deployed during enrollment. Some groups, depending on their roles in your organization, can require stricter policies than others. Many organizations start by creating a baseline of required policies for users and devices, and build them out as needed for different groups and use cases.
You can enroll devices running on the following platforms. For a list of supported versions, see Supported operating systems.
Enrollment is enabled for all platforms by default, but you can restrict specific platforms from enrolling by using an Intune enrollment restriction policy.
This article describes the supported device scenarios and enrollment prerequisites, has information about using other MDM providers, and includes links to platform-specific enrollment guidance.
This guide is a living thing. So, be sure to add or update existing tips and guidance you've found helpful.
Supported device scenarios
Microsoft Intune enables mobile device management for:
- Personal devices, including personally owned phones, tablets, and PCs.
- Corporate-owned devices, including phones, tablets, and PCs owned by your organization and distributed to employees and students for use at work or school.
Devices in bring-your-own-device (BYOD) scenarios can be enrolled in Intune. The supported enrollment methods enable employees and students to use their personal devices for work or school things. As the admin, you're required to add device users in the Microsoft Intune admin center, configure their enrollment experience, and set up Intune policies. In the Intune Company Portal app, the device user starts and completes the enrollment.
Intune marks devices that are Microsoft Entra registered as personally-owned devices.
Microsoft Intune offers more granular settings and policies for devices classified as corporate-owned. For example, there are more password policies to choose from in Intune for corporate-owned devices, so you can enforce stricter password requirements. Microsoft Intune automatically marks devices that meet certain criteria as corporate-owned. For more information, see Identify devices as corporate-owned.
Intune is set up, and ready to enroll users and devices. Be sure:
- The MDM Authority is set to Intune, even when using co-management with Intune + Configuration Manager.
- Intune licenses are assigned.
For more information, see the Intune setup deployment guide.
Your devices are supported. This requirement includes devices that are co-managed, or Microsoft Entra hybrid joined devices.
Sign in as a member of the Global Administrator or Intune Service Administrator Microsoft Entra roles. Role-based access control (RBAC) with Intune has more information. If you created an Intune trial subscription, then the account that created the subscription is the Global administrator.
Different platforms can have other requirements. For example, iOS/iPadOS and macOS devices require an MDM push certificate from Apple. Any other platform requirements are listed.
Platform Other requirements Android none Android Enterprise none iOS/iPadOS MDM push certificate
Linux none macOS MDM push certificate Windows none
Have your user groups and device groups ready to receive your enrollment policies. If you haven't reviewed or created your group structure, and want some guidance, then see Planning Guide: Step 4 - Review existing policies and infrastructure.
If you're bulk enrolling devices, consider creating the Device enrollment manager (DEM) account. The DEM account can enroll up to 1,000 mobile devices. Use this account to enroll and configure the devices before giving them to users. The DEM account is an Intune permission that's applied to a Microsoft Entra user account. This type of account isn't compatible with all enrollment methods, such as Apple automated device enrollment.
For more information, see Enroll devices using a DEM account.
Unenroll from existing MDM and factory reset
If devices are currently enrolled in another MDM provider, then unenroll the devices from the existing MDM provider. Typically, unenrolling doesn't remove existing features and settings you configured. Most MDM providers have remote actions that remove organization-specific data from devices. Before enrolling in Intune, you can remove organization-specific data from these devices. But, it's not required.
Depending on the platform, a factory reset might be required before enrolling in Intune.
|Factory reset required?
|Android Enterprise personally owned devices with a work profile (BYOD)
|Android Enterprise corporate-owned work profile (COPE)
|Android Enterprise fully managed (COBO)
|Android Enterprise dedicated devices (COSU)
|Android device administrator (DA)
On the platforms that don't require a factory reset, when these devices enroll in Intune, they'll start receiving your Intune policies. If you don't configure a setting in Intune, then Intune doesn't change or update that setting. So, it's possible previously configured settings remain configured on devices.
Choose your platform enrollment guide
There's an enrollment guide for every platform. Choose your scenario, and get started:
Download the visual enrollment guide
There's also a visual guide of the different enrollment options for each platform:
When assigning your profiles, start small, and use a staged approach. Assign the enrollment profile to a pilot or test group. After initial testing, add more users to the pilot group. Then, assign the enrollment profile to more pilot groups.
For more information and suggestions, see the Planning guide: Step 5 - Create a rollout plan.
Mobile device record cleanup
The MDM certificate renews automatically as long as enrolled devices are communicating with the Microsoft Intune service. The MDM certificate doesn't renew for devices that have been wiped, or devices that fail to sync with Microsoft Intune for an extended period of time. Microsoft Intune deletes idle devices from record 180 days after the MDM certificate expires.
Reporting and troubleshooting
- Set up Microsoft Intune
- Add, configure, and protect apps
- Plan for compliance policies
- Configure device features
- 🡺 Enroll devices (You are here)
For platform-specific enrollment guidance, see: