Device Enrollment with Microsoft Endpoint Manager (MEM)


As the global workforce changed its working habits, meaning where people worked and what they worked from (such as corporate owned devices or personally owned devices), organizations have had to adapt and possibly even encourage the flexibility which comes with a remote or hybrid workforce. With it came the many risks of a remote workforce. For example, it was challenging to manage devices without GPOs and organizations commonly faced difficulty accessing on-premises resources like file servers and local application servers unless there was an established VPN in place. Most organizations have internal patching systems, so devices weren’t receiving security updates because they weren’t connecting to their update services. The risk is a byproduct of having unmanaged devices accessing your data, which was required to keep business processes operational.

The changes we all experienced in 2020 lead many organizations to jump into the deep end of Intune so they could rapidly secure users’ access to company data, such as email and files. Typically, the first of the Microsoft 365 journey is by migrating to Exchange Online. Those organizations soon realized they had not fully integrated other M365 services on a scale to support a fully remote workforce.


The concept of device enrollment has come to include not only corporate-owned mobile devices and workstations but also personally owned/bring your own devices (BYOD). With this comes the need to ensure full protection of corporate data. Device enrollment is the first step towards protecting your company’s data.

Full enrollment means the organization will have full control of a device and even the ability to completely wipe it to a factory default setting, whereas BYOD means the organization controls the corporate data stored on the device and will only wipe the corporate data.

Intune supports both full enrollment and BYOD and a hybrid of both models based on business requirements.

Quite simply, device enrollment means your device needs to be “registered” while meeting certain criteria and requirements before you can access your company data from the device.

With enrollment we have two basic types of devices, your mobile devices, Android and Apple and your desktop and laptop platform devices (Windows and Apple).

In the Microsoft Device Manager (MDM) world, there are two basic terms you should become familiar with:

  • Personally owned – also known as Bring Your Own Device (BYOD), these are devices not owned by the company, corporate data is protected, but personal data is not controlled
  • Corporate owned – devices which are owned by the company and provided to the users, the entire device is protected and controlled by the organization

In order to get started with Intune, you need to have the following in place

  • Intune is setup in your M365 portal
  • Intune licenses are ready to be assigned
  • A user with Global Administrator or Intune Service Administrator rights
  • An understanding of the device platform requirements for device enrollment, and ensuring those devices are supported by Microsoft Endpoint Manager (MEM)

Now let’s dive into the different mobile enrollment options for Android and iOS/iPadOS.


In this section we will be covering off some of the basics of device enrollment in MEM as it pertains to mobile devices.

When a device is enrolled with Intune, your organization will have the ability to control access to applications and company data, while also ensuring security requirements are maintained, such as password/PIN requirements and device encryption.

Intune provides both MDM and mobile application management (MAM) capabilities. MAM allows secure access to corporate data and enterprise applications on the mobile device, while separating the data from the user’s personal data via work profiles, and you can even use MAM with enrolled devices.

Intune also allows you to enable MAM with enrolled devices, since many organizations allow their users to use corporate owned devices for personal use as well.

Android Enrollment

Intune currently has the following methods of enrolling Android devices:

  • BYOD – Android Enterprise personally owned devices with a work profile

With a work profile, the company cannot see or manage your personal data and cannot wipe your device but manages company data and can wipe this data at any point.

Devices are personally owned and can be given access to your organizational data. This option can be used for small and large numbers of devices (bulk enrollment) and can be setup to use device enrollment manager (DEM). DEM is an Intune permission in Azure Active Directory (AAD). DEM accounts can enroll up to 1000 devices and Intune allows up to 150 DEM accounts within a single tenant.

When a user enrolls their device with BYOD – Android Enterprise, they go to the Google Play store and install the Company Portal app from Microsoft Intune. Once they sign into the Company Portal app with their work username and password, their device is enrolled.

  • Android Enterprise – Corporate owned dedicated devices

The only reason for this type of enrollment is for devices used for kiosk-type activities. These devices are owned by the organization but are user-less, rather than assigned to a user. Android Enterprise – corporate owned dedicated devices can be enrolled individually or through bulk enrollment. DEM is not supported in this instance.

  • Android Enterprise – Corporate owned fully managed

These are devices which are owned by the organization and assigned to one user. This type of enrollment is used only for organizational work and not for personal usage. Devices can be individually and bulk enrolled. DEM is not supported in this instance.

  • Android Enterprise – Corporate owned work profile

Devices are owned by the organization and assigned to one user. Unlike Android Enterprise – Corporate owned dedicated devices, these devices can also be used for personal usage. Individual and bulk enrollment is supported. DEM is not supported.

  • Android Device Administrator (ADA)

Let’s go ahead and eliminate the fifth option. Android Device Administrator (ADA). It’s not advised to use this option as Google will soon be taking away support for ADA, and instead, use Android Enterprise personally owned with a work profile. However, if you have Android 5.0, you can’t use Android Enterprise and must use Android Device Administrator for enrollment. Hopefully you won’t see too many of those older Androids.

There you have it. Four main options for Android enrollment (unless you have some older Android devices to manage).

Apple iOS/iPadOS Enrollment

Intune currently offers three enrollment options for iOS/iPadOS:

  • Automated Device Enrollment (ADE)

ADE was previously known as Apple Device Enrollment Program (DEP). ADE is used for corporate owned devices. After purchasing the devices from Apple, an enrollment profile is pushed to the devices. With this option, you as the administrator have no need to touch the device, since the settings are preconfigured via Apple Business Manager (ABM). These devices are assigned to one user or can be assigned to a user-less device, such as kiosks.

  • Apple Configurator

Requires a macOS device to enroll devices using this option. You connect the device to the Mac via USB and then perform the enrollment by following the instructions in this link. This type of enrollment can be used for individual and bulk enrollment and can be used for devices assigned to users or to user-less devices, such as kiosks.

  • BYOD: User and Device Enrollment

This type of enrollment is used for personally owned iOS and iPadOS devices that are allowed to access organizational data, such as email, OneDrive, etc. In this case, devices are assigned to a single user. Individual and bulk enrollment is supported. When the administrator first creates the enrollment profile, they are prompted to select either “Device enrollment, “Determine based on user choice”, or “Device enrollment.” 

To further break down those three options available within BYOD: User and Device Enrollment:

  • Device enrollment – Commonly used for personal devices. The device is fully managed in this instance
  • Determine based on user choice – Users have a choice when enrolling, User enrollment or Device enrollment
  • User enrollment – Requires iOS 13 or later. This instance will enable feature sets, such as company apps, password requirements, etc. Microsoft recommends using app protection policies if using User enrollment to help secure your organizational apps and data

Next up we will be reviewing enrollment options for both Windows and MacOS devices.


Windows Information Protection (WIP) can be used to protect information and sensitive data on Windows devices, like MAM. WIP provides a wall of separation between corporate and personal data. WIP can be used with Intune, Microsoft Endpoint Configuration Manager, or supported 3rd party MDM solutions.

To review, Bring Your Own Device (BYOD) means a user owns the device but wants to gain access to company data and apps. The user will download the Company Portal App, and once installed, is registered within Azure Active Directory.

MacOS Enrollment

To enroll a MacOS device in Intune, the Intune Company Portal app is installed first. The user then signs into the Company Portal app using their work credentials, which enrolls the Mac into Intune. Once enrolled, the user is granted access to email, company files and the corporate network. The administrator then has the ability to reset the Mac to factory default settings, remove all managed data and company apps, enable security features such as passwords or PINs, as well as many other security features and settings.

Intune has two options for enrolling Mac devices:

  • BYOD: Device enrollment

Uses an app configuration profile to manage apps on the device, devices aren’t technically enrolled, instead devices are managed via app configuration profiles. Used for devices which are personally owned. Devices are assigned to a single user. DEM is used for enrollment.

  • Automated Device enrollment (ADE)

This had previously been called Apple Device Enrollment Program (DEP). This is used for devices owned by the company and like ADE for iOS/iPadOS, you never have to directly touch the device. The devices are purchased from Apple and preconfigured with settings to help automate enrollment.

For more information about enrolling your Mac devices, click here.

Windows Enrollment

When a Windows device is enrolled, users are granted the ability to access emails, company files and the corporate network. Windows enrollment allows administrators to deploy software to their managed Windows devices, centralized virus and malware protection via Intune Endpoint Protection, as well as software and OS updates, to ensure all managed Windows devices are current with patches.

At a high level, you are offered the following options for enrolling Windows

  • Windows 10 Automatic Enrollment

Used for BYOD and corporate owned devices for enrollment. Requires Windows 10 version 1803 and requires Azure AD Premium. You can individually and bulk enroll devices with this option. Devices can be associated with users and with user-less devices, such as kiosks or shared devices.

  • Windows Autopilot

Used for devices which are owned by the organization. With Windows Autopilot, the OEM version of Windows 10 preinstalled on the device is used there is no need to wipe and reimage. It does require Automatic Enrollment to work and Automatic Enrollment means once your user signs in, the device is enrolled. Any applications and settings are automatically deployed to the device without any manual administrator actions.

  • Group Policy

This enrollment option can be used for domain-joined machines which are also Hybrid Azure AD joined. Hybrid Azure AD joined devices are Windows devices joined to an on-premises Active Directory domain, synced to and registered in Azure Active Directory. Using a group policy object to begin the process of enrollment, and once the device is registered in Azure AD it is considered enrolled. For more information about enrolling a Windows 10 device automatically using group policy, see this link.

Group Policy can be used to auto-enroll these AD joined domain machines so that once the device is registered, enrollment is automatically initiated in the background.

  • Co-management

If you are using Configuration Manager, you may want to consider co-management enrollment in your organization. This will enable you to use both Configuration Manager and Intune to manage your devices. Devices are hybrid AAD joined and you have AAD Premium. For more information about Co-management enrollment of Windows 10, click here.


So, we have reviewed the various enrollment options currently available in Microsoft Intune/Endpoint Management. If you are interested in learning more about MEM enrollment and how Insentra can help your organization plan out your device enrollment strategy, please feel free reach out.

Want more acronyms? Try this blog from my colleague and Head of Advisory, Lee Foster.

Join the Insentra Community with the Insentragram Newsletter

Hungry for more?

Secure Jump Box in Azure

The announcement, Login to Windows virtual machine in Azure using Azure Active Directory authentication, has opened up some very interesting use cases for secure management

Read More »