Choose an enrollment strategy
In this section, we explore the foundational pillars of Microsoft Intune: Enrollment Strategies. Choosing between a Bring Your Own Device (BYOD) model and a Corporate-Owned model is more than a budget decision. It defines the boundary between organizational control and user privacy. By understanding the four stages of the Device Management Lifecycle, administrators can ensure that every endpoint remains secure, compliant, and performant from the initial 'Out-of-Box Experience' to final decommissioning.
Bring your own device (BYOD)
In a Bring Your Own Device (BYOD) model, employees use their personal smartphones, tablets, or laptops to access work resources like corporate email, files, and internal applications.
The guiding philosophy of BYOD is to protect the organization's data while strictly respecting the user's personal privacy. IT administrators manage and secure the corporate apps and data, but they don't manage the device's underlying operating system or personal contents.
Corporate device
In a corporate-owned model, the organization purchases, provisions, and legally owns the hardware. Because the company owns the asset, IT administrators have full authority to manage the entire device lifecycle, from the initial out-of-the-box setup to final retirement and hardware wiping.
Device management lifecycle
Like most IT management activities, managing mobile devices follows a lifecycle. The mobile device management lifecycle contains four phases:
- Enroll: In the Enroll phase, devices register with the mobile device management solution. With Intune, you can enroll both mobile devices, such as phones, and Windows devices.
- Configure: In the Configure phase, you help to ensure that the enrolled devices are secure and that they comply with any configuration or security policies. You can also automate common administrative tasks, such as configuring Wi-Fi.
- Protect: In the Protect phase, the mobile device management solution provides ongoing monitoring of the settings established in the Configure phase. During this phase, you also use the mobile device management solution to help keep devices compliant through the monitoring and deployment of software updates.
- Retire: When a device is no longer needed, lost, or stolen, you should help to protect the data on the device. You can remove data by resetting the device, performing a full wipe, or performing a selective wipe that removes only corporate-owned data from the device.
In the table below, we compare the different types of enrollment architectures and illustrate how they dictate the ongoing management and offboarding capabilities for both personally owned and corporate-owned devices across all major operating systems.
Scenario-driven device lifecycle matrix
| Business scenario | Platform & enrollment method | Configuration capabilities | Retire / wipe action |
|---|---|---|---|
| Bring your own device (BYOD) (user-owned, requires access to work data) | Android: Personally owned with a work profile; iOS: Apple User Enrollment; Win/Mac: Company Portal | Provisions network access, basic security, and app protection. Isolates work data from personal data. | Retire: Deletes only the isolated corporate data/work profile. Personal apps and photos remain untouched. |
| Corporate-owned, single user (fully managed, strict business use) | Android: Fully managed; iOS/Mac: Automated Device Enrollment (ADE); Win: Windows Autopilot | Full device control. Enforces strict security baselines, disables hardware features (e.g., cameras), and blocks unapproved apps. | Wipe: Full factory reset. Erases all data and prepares the physical hardware for the next user. |
| Corporate-owned, personally enabled (COPE) (business-owned, personal use allowed) | Android: Corporate-owned work profile; iOS/Mac/Win: Standard corporate enrollment | Balances full device management (IT can enforce device-wide Wi-Fi/VPN) with a separated secure profile to protect user privacy. | Wipe / Retire: IT can choose to factory reset the entire device or selectively retire just the corporate data. |
| Dedicated, kiosk, or shared (user-less, task-specific devices) | Android: Dedicated devices; iOS: ADE (supervised); Win: Autopilot self-deploying mode | Locks down the interface. Enforces single-app/kiosk mode, deploys Managed Home Screen, and restricts standard OS features. | Wipe: Factory reset to clear shared caches and securely repurpose the hardware. |
| Specialized frontline devices (devices lacking Google Mobile Services) | Android: Android Open Source Project (AOSP) | Applies custom settings and basic network profiles without relying on the Google Play Store or Google services. | Wipe / Retire: Factory reset or removal of the management profile. |
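The matrix above is, in practice, the decision table an offboarding runbook has to encode: a personally owned device must only ever be retired (selective wipe), a corporate single-user or dedicated device is factory reset, and COPE or AOSP devices leave the choice to IT. The following Python script is an added example, not code from the module or from Microsoft; it models that table, refuses to issue a full wipe against a personally owned device even if an operator asks for one, and builds (but does not send) the corresponding Microsoft Graph `retire` and `wipe` device-action requests. The scenario labels, the sample fleet and the `hardware_leaving_fleet` flag are constructed for illustration; the Graph URL shape and the `keepEnrollmentData`/`keepUserData` wipe parameters are the documented v1.0 device actions, but authentication and the HTTP call itself are left out so the script runs offline.

```python
"""Offboarding decision helper modelled on the Intune lifecycle matrix (added example)."""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Ownership(Enum):
    PERSONAL = "personal"   # user owns the hardware (BYOD)
    COMPANY = "company"     # organization owns the hardware


class Scenario(Enum):
    # Constructed labels for the five rows of the lifecycle matrix.
    BYOD = "byod"
    CORPORATE_SINGLE_USER = "corporate_single_user"
    COPE = "cope"
    DEDICATED = "dedicated"
    AOSP = "aosp"


class Action(Enum):
    RETIRE = "retire"   # selective wipe: removes only corporate data / work profile
    WIPE = "wipe"       # factory reset: erases everything on the device


@dataclass(frozen=True)
class ManagedDevice:
    device_id: str
    name: str
    ownership: Ownership
    scenario: Scenario


# "Retire / wipe action" column of the matrix: which actions each scenario permits.
ALLOWED_ACTIONS = {
    Scenario.BYOD: {Action.RETIRE},
    Scenario.CORPORATE_SINGLE_USER: {Action.WIPE},
    Scenario.COPE: {Action.WIPE, Action.RETIRE},
    Scenario.DEDICATED: {Action.WIPE},
    Scenario.AOSP: {Action.WIPE, Action.RETIRE},
}


class OffboardingPolicyError(ValueError):
    """Raised when an action would violate the ownership/enrollment policy."""


def choose_action(device: ManagedDevice, requested: Optional[Action] = None,
                  hardware_leaving_fleet: bool = False) -> Action:
    """Pick the offboarding action for a device, or reject an unsafe request.

    When the matrix allows both actions (COPE, AOSP) and nothing was requested,
    default to the least destructive one unless the hardware is leaving the fleet.
    """
    allowed = ALLOWED_ACTIONS[device.scenario]
    if requested is None:
        if len(allowed) == 1:
            candidate = next(iter(allowed))
        else:
            candidate = Action.WIPE if hardware_leaving_fleet else Action.RETIRE
    else:
        candidate = requested
    if candidate not in allowed:
        raise OffboardingPolicyError(
            f"{candidate.value} is not permitted for scenario {device.scenario.value}")
    # Hard guard independent of the matrix: never factory-reset a personal device.
    if candidate is Action.WIPE and device.ownership is Ownership.PERSONAL:
        raise OffboardingPolicyError(
            f"refusing to wipe personally owned device {device.name}")
    return candidate


def is_permitted(device: ManagedDevice, action: Action) -> bool:
    """True if the policy would let an operator run `action` on `device`."""
    try:
        choose_action(device, requested=action)
        return True
    except OffboardingPolicyError:
        return False


GRAPH_BASE = "https://graph.microsoft.com/v1.0"


def build_graph_request(device: ManagedDevice, action: Action) -> dict:
    """Describe the Graph device action without sending it (no auth, offline)."""
    url = f"{GRAPH_BASE}/deviceManagement/managedDevices/{device.device_id}/{action.value}"
    # A full wipe discards enrollment state and user data; retire takes no body.
    body = {"keepEnrollmentData": False, "keepUserData": False} if action is Action.WIPE else {}
    return {"method": "POST", "url": url, "body": body}


def plan_offboarding(devices, hardware_leaving_fleet: bool = False):
    """Return (device name, action, request URL) for every device in the batch."""
    plan = []
    for device in devices:
        action = choose_action(device, hardware_leaving_fleet=hardware_leaving_fleet)
        plan.append((device.name, action.value, build_graph_request(device, action)["url"]))
    return plan


# Constructed sample fleet, one device per matrix row that matters for the guard.
SAMPLE_FLEET = [
    ManagedDevice("dev-0001", "alice-pixel", Ownership.PERSONAL, Scenario.BYOD),
    ManagedDevice("dev-0002", "wh-scanner-12", Ownership.COMPANY, Scenario.DEDICATED),
    ManagedDevice("dev-0003", "bob-laptop", Ownership.COMPANY, Scenario.CORPORATE_SINGLE_USER),
    ManagedDevice("dev-0004", "carol-iphone", Ownership.COMPANY, Scenario.COPE),
]

if __name__ == "__main__":
    for name, action, url in plan_offboarding(SAMPLE_FLEET):
        print(f"{name:15} -> {action:6} {url}")
```

The point of the `is_permitted` guard is that the ownership check is evaluated separately from the matrix lookup: even if inventory data mislabels a personal device under a corporate scenario, the script still refuses the factory reset rather than trusting the enrollment record alone.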
Ultimately, selecting the right device enrollment strategy is rarely a one-size-fits-all decision. Most modern organizations operate in a hybrid environment, requiring a tailored mix of both bring your own device and corporate-owned architectures to meet the diverse technical and cultural needs of their workforce.
By aligning your enrollment methods with device ownership, using automated out-of-the-box experiences like Windows Autopilot or Apple ADE for corporate devices, and combining them with secure, containerized work profiles for personal devices, you create a strong foundation of trust and control. This strategic approach ensures that corporate data remains protected and that regulatory compliance standards are met, while end users get a privacy-respecting, frictionless experience from their very first login to the day the device is finally retired.