Редагувати

Поділитися через


Identify devices as corporate-owned

Applies to: Android, iOS/iPadOS, Windows 10, Windows 11

Ensure that corporate devices are marked as corporate-owned as soon as they enroll by adding their corporate identifiers ahead of time in the Microsoft Intune admin center. The benefit of managing corporate devices is that they enable more device management capabilities than personal devices. For example, Microsoft Intune can collect full phone number and app inventory from a corporate device, but can only collect partial phone number and app inventory for personal devices. To add corporate identifiers to Microsoft Intune, you can upload a file of corporate identifiers in the admin center or enter each identifier separately.

It isn't necessary to add corporate identifiers for all deployments. During enrollment, Intune automatically assigns corporate-owned status to devices that join to Microsoft Entra via:

Microsoft Intune marks devices that register with Microsoft Entra as personal.

Role-based access control

To add corporate identifiers in Microsoft Intune, you must be assigned one of these roles:

  • Policy and Profile Manager, a Microsoft Intune built-in role
  • Intune Administrator, a Microsoft Entra built-in role

These roles can read, delete, create, and update corporate device identifiers.

Permission Description
Read View the IMEI or serial numbers used as corporate device identifiers.
Delete Delete IMEI or serial numbers used as corporate device identifiers.
Create Create new corporate device identifiers or import a CSV file containing a list of corporate device identifiers.
Update Change IMEI or serial numbers used as corporate device identifiers.

You can also create a custom Intune role for people managing corporate identifiers and assign corporate device identifier permissions. For more information about built-in roles and custom roles, see RBAC with Microsoft Intune.

Supported corporate identifiers

Before you begin, determine the type of corporate identifiers you want to add. You can add one type of corporate identifier per CSV file. Devices that enroll without corporate identifiers are marked as personal. Intune supports the following identifiers:

  • IMEI
  • Serial number
  • Serial number, manufacturer, and model (Windows only)

Support by platform

The following table shows the identifiers supported for each platform. When a device with a matching identifier enrolls, Intune marks it as corporate.

Platform IMEI number Serial number Serial number, model, manufacturer
Windows 11 Not supported Not supported ✔️

Supported with Windows 11, version 22H2 and later with KB5035942 (OS Builds 22621.3374 and 22631.3374).
Windows 10 Not supported Not supported ✔️

Supported with Windows 10, version 22H2 and later with KB5039299 (OS Build 19045.4598).
iOS/iPadOS ✔️

Supported in some cases. For more information, see Add Android, iOS corporate identifiers.
✔️

We recommend using a serial number for iOS/iPadOS identification when possible.
Not supported
macOS Not supported ✔️ Not supported
Android device administrator ✔️

Supported with Android 9 and earlier.
✔️

Supported with Android 9 and earlier.
Not supported
Android Enterprise, personally owned work profile ✔️

Supported with Android 11 and earlier.
✔️

Supported with Android 11 and earlier.
Not supported

Step 1: Create CSV file

Create a list of corporate identifiers and save it as a CSV file. You can add up to 5,000 rows or 5 MB of data per file, whichever comes first. Don't add headers.

Important

Remember, only add one type of corporate identifier per CSV file.

Add Android, iOS corporate identifiers

To add corporate identifiers for Android and iOS/iPadOS platforms, list one IMEI or serial number per line as shown in the following example.

01234567890123,device details  
02234567890123,device details  

Remove all periods, if applicable, from the serial number before you add it to the file. You can add device details after each corporate identifier. Details are limited to 128 characters and are for administrative use only. They don't appear on the device.

Android and iOS/iPadOS devices can have multiple IMEI numbers. Intune reads and records one IMEI per enrolled device. If you import an IMEI that's different from the one already in Intune, Intune will mark the device as personal. If you import multiple IMEI numbers for the same device, the identifiers that haven't been inventoried appear with an unknown enrollment status.

Android serial numbers aren't guaranteed to be unique or present. Check with your device supplier to find out if the serial number is a reliable device ID. Serial numbers reported by the device to Intune might not match the ID shown on the device in Android settings or Android device information. Verify the type of serial number reported by the device manufacturer.

Add Windows corporate identifiers

Important

Corporate identifiers are supported for devices running Windows 10 KB5039299 (with OS Build 19045.4598) and later. If you're enrolling Windows 10 devices with an earlier build, do not use the corporate identifier feature.

To add corporate identifiers for corporate devices running Windows 11, list the manufacturer, model, and serial number for each device as shown in the following example.

Microsoft,surface 5,01234567890123   
Lenovo,thinkpad t14,02234567890123  

Remove all periods, if applicable, from the serial number before you add it to the file.

After you add Windows corporate identifiers, Intune marks devices that match all three identifiers as corporate-owned, and marks all other enrolling devices in your tenant as personal. This means that anything you exclude from the Windows corporate identifiers is marked personal. To change the ownership type after enrollment, you have to manually adjust it in the admin center.

Screenshot of selecting and adding corporate identifiers.

The following table lists the type of ownership given to devices when they enroll without corporate identifiers and when they enroll with corporate identifiers.

Windows enrollment types Without corporate identifiers With corporate identifiers
The device enrolls through Windows Autopilot Corporate Corporate
The device enrolls through GPO, or automatic enrollment from Configuration Manager for co-management Corporate Corporate
The device enrolls through a bulk provisioning package Corporate Corporate
The enrolling user is using a device enrollment manager account Corporate Corporate
The device enrolls through Azure Virtual desktop (non-hybrid) Corporate Corporate
Automatic MDM enrollment with Microsoft Entra join during Windows setup Corporate, but will be blocked by personal enrollment restriction Personal, unless defined by corporate identifiers
Automatic MDM enrollment with Microsoft Entra join from Windows Settings Corporate, but will be blocked by personal enrollment restriction Personal, unless defined by corporate identifiers
Automatic MDM enrollment with Microsoft Entra join or hybrid Entra join via Windows Autopilot for existing devices Corporate, but will be blocked by personal enrollment restriction Personal, unless defined by corporate identifiers
Autopilot device preparation profile Corporate, but will be blocked by personal enrollment restriction Personal, unless defined by corporate identifiers
Automatic MDM enrollment with Add Work Account from Windows Settings Personal Personal, unless defined by corporate identifiers
MDM enrollment only option from Windows Settings Personal Personal, unless defined by corporate identifiers
Enrollment using the Intune Company Portal app Personal Personal, unless defined by corporate identifiers
Enrollment via a Microsoft 365 app, which occurs when users select the Allow my organization to manage my device option during app sign-in Personal Personal, unless defined by corporate identifiers

Windows corporate identifiers can only change ownership type if someone adds them to Microsoft Intune. If you don't have corporate identifiers for Windows in Intune, or if you remove them, devices that are Microsoft Entra domain joined are marked as corporate-owned. This includes devices enrolled via automatic MDM enrollment with:

Step 2: Add corporate identifiers in admin center

You can upload a CSV file of corporate identifiers, or manually enter the corporate identifiers in the Microsoft Intune admin center. Manual entry isn't available for Windows corporate identifiers.

Upload CSV file

Upload the CSV file you created in Step 1: Create CSV file to add corporate identifiers.

  1. Sign in to the Microsoft Intune admin center.

  2. Go to Devices > Enrollment.

  3. Select the Corporate device identifiers tab.

  4. Choose Add > Upload CSV file.

  5. Select the identifier type. Your options:

    • IMEI
    • Serial
    • Manufacturer, model, and serial number (Windows only)
  6. Under Import identifiers, find and select the CSV file.

  7. Wait while Intune validates the CSV file. When the total device identifiers count appears onscreen, validation is complete.

    Tip

    If your import fails, check that the CSV file meets formatting requirements.

  8. Select Add, and then look for the success notification at the top of the admin center to confirm that the file is imported.

    Note

    A pop-up window prompting you to review duplicate identifiers appears if the CSV file contains corporate identifiers that are already in Intune but have different device details. To resolve the duplicates, select the identifiers that you want to overwrite in Intune. Then select Ok to add the identifiers. Intune only compares the first duplicate of each identifier.

Manually enter corporate identifiers

Applies to Android and iOS/iPadOS

Manually add corporate identifiers in the Microsoft Intune admin center.

  1. In the admin center, go to Devices > Enrollment.

  2. Select the Corporate device identifiers tab.

  3. Choose Add > Enter manually.

  4. Select the identifier type. Your options:

    • IMEI
    • Serial
  5. Enter the corporate identifier and details. When you're done entering identifiers, select Add.

  6. Select Refresh to reload your list. The corporate identifiers you added should now be visible.

    Note

    A pop-up window prompting you to review duplicate identifiers appears if your entries contain corporate identifiers that are already in Intune but have different device details. To resolve the duplicates, select the identifiers that you want to overwrite. Then select Ok to add the identifiers. Intune only compares the first duplicate of each identifier.

Check enrollment status

Follow up on imported devices to ensure that they enroll in Intune. After you add corporate identifiers, you can see the status of the devices in the admin center:

  • Enrolled: The device completed enrollment.
  • Not contacted: The device hasn't made contact with the Microsoft Intune service.
  • Not applicable
  • Failed: The device didn't complete enrollment.

Delete corporate identifiers

  1. In the admin center, go to Devices > Enrollment.
  2. Select the Corporate device identifiers tab.
  3. Select the device identifiers you want to delete, and choose Delete.
  4. Confirm the deletion.

Deleting a corporate identifier for an enrolled device does not change the device's ownership.

Change device ownership

To edit a device's identification after enrollment, change its ownership setting in the admin center. An ownership property appears for each device record in Microsoft Intune.

  1. Go to Devices > All devices.

  2. Select a device.

  3. Choose Properties.

  4. For Device ownership, select Personal or Corporate.

    Screenshot of the Managed device properties showing Device category and Device ownership options.

When you change a device's ownership type from corporate to personal, Intune deletes all app information previously collected from that device within seven days. If applicable, Intune also deletes the phone number on record. Intune still collects the inventory of apps installed by the IT admin on the device, and a partial phone number.

When you change the ownership of an iOS/iPad or Android device from personal to corporate, a push notification is sent through the Company Portal app to inform the device user of the change. To configure push notifications, go to Tenant administration > Customization. For more information, see Company Portal - Configuration.

Block personal devices

To prevent all personal devices from enrolling, configure an enrollment platform restriction for personal devices.

To confirm the reason for an enrollment failure, go to Devices > Enrollment failures and look in the table under Failure reason. In this case, the reason is Enrollment restriction not met. Select the reason to open failure details.

Known issues and limitations

  • Windows corporate device identifiers are only supported for devices running:

    • Windows 10 version 22H2 (OS build 19045.4598) or later.

    • Windows 11 version 22H2 (OS build 22621.3374) or later.

    • Windows 11 version 23H2 (OS build 22631.3374) or later.

    Earlier versions can't render the model and manufacturer property. As a result, the property appears in the admin center as Unknown.

  • You can upload up to 10 CSV files for Windows corporate identifiers in the admin center. If you need to upload more data, we recommend using PowerShell or the Microsoft Intune Graph API to add corporate identifiers.

  • Windows currently doesn't support device details in CSV files.

Resources

For details about International Mobile Equipment Identifiers, see 3GGPP TS 23.003.

You can use the following script to get the device details required for Windows corporate identifiers:

(Get-WmiObject -Class Win32_ComputerSystem | ForEach-Object {$_.Manufacturer, $_.Model, (Get-WmiObject -Class Win32_BIOS).SerialNumber -join ',' })

To request the device details remotely, use the following script:

Get-CimInstance -ClassName Win32_ComputerSystem | ForEach-Object {$_.Manufacturer, $_.Model, (Get-CimInstance -ClassName Win32_BIOS).SerialNumber -join ','}

For more information about locating a serial number, see Find Surface serial number.