Intune Enrollment Methods
In this post we will look at all the ways a Windows device can be enrolled in Intune. Each method will be covered in its own post, so that once we know how all of them work we can decide which one is appropriate for our environment.
Intune (Overview)
Microsoft Intune is part of Microsoft Endpoint Manager. It is a cloud-based service for managing mobile devices and apps, providing unified endpoint management of both corporate-owned and BYOD devices in a way that protects corporate data.
Intune lets us manage devices, apps and policies and protect company resources. To use mobile device management (MDM), a device must first be enrolled in the Intune service.
When a device is enrolled, Intune issues it an MDM certificate, and the device uses that certificate to authenticate its communication with the Intune service. If you are completely new to Intune and want to start from scratch, please refer to this URL and this link.
Windows enrollment methods
There are several methods to enroll Windows 10 or Windows 11 devices:
Method | Owner | UI required? | URL |
---|---|---|---|
Company Portal | Personal | Yes | Reference1 |
Automatic enrollment | Any | Yes | Reference2 |
Manual | Personal | Yes | Reference3 |
Deep link | Personal | Yes | Reference4 |
Group Policy (GPO) | Corporate | No | Reference5 |
Device Enrollment Manager (DEM) | Corporate | No | Reference6 |
Windows Autopilot | Corporate | Yes | Reference7 |
Bulk enrollment | Corporate | No | Reference8 |
Co-management | Corporate | No | Reference9 |
In addition, let's understand the hot 🔥 topic, Bring Your Own Device (BYOD).
What is BYOD?
It is an Intune enrollment scenario in which users self-enroll their own Windows or mobile devices. Users enroll their personally owned devices by downloading and installing the Company Portal app from the app store and signing in with their work account.
Why is it needed?
BYOD has become far more popular and in demand in recent years, especially with work-from-home during the pandemic. Every company, IT or not, wants its corporate data secured and protected from attackers, but companies do not want to invest large sums in providing a smartphone to every employee, and employees do not want to carry two phones in their pocket. BYOD lets the company protect its data on devices it does not own.
What happens in the background?
For your device to be registered automatically when you sign in to the Company Portal with your corporate (Azure AD) credentials, the Intune admin must first configure automatic enrollment (the MDM user scope) in the Intune portal. After you sign in to the Company Portal, two things happen in the backend:
- The device is registered with Azure Active Directory so that it can access corporate resources such as email.
- The device is enrolled in Intune as a personally owned device.
Note: If automatic enrollment is not configured, the user has to enroll the Windows device separately through Settings > Accounts > Access work or school > Enroll only in device management and enter their credentials.
BYOD VS COD
Bring your own devices (BYOD) are mainly personally owned Windows PCs, laptops and tablets. BYOD enrollment registers the device with Azure AD (Azure AD registered) but does not join it, so the user cannot sign in to Windows with an Azure AD account. The device is signed in with the user's personal account only, and it is partially managed by Intune: only some Intune features can be enforced on it, for example Conditional Access policies, and apps can be made available through the Company Portal.
Corporate-owned devices (COD) are mainly corporate-owned phones, tablets and PCs. COD enrollment joins the device to Azure AD (Azure AD joined), so the user can sign in to the device with an Azure AD account. The device is fully managed by Intune: all Intune features can be enforced on it, for example apps can be pushed without any user interaction.
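The registered-versus-joined distinction above, and the registration-then-enrollment sequence described under "What happens in the background?", can be checked on a device. The following PowerShell script is an added example, not code from the original post or from Microsoft. It parses the `Key : Value` lines that `dsregcmd /status` prints (`AzureAdJoined` for a joined COD, `WorkplaceJoined` for a registered BYOD) and, on a real Windows machine, looks for the enrollment artifacts: entries under `HKLM:\SOFTWARE\Microsoft\Enrollments` whose `ProviderID` is `MS DM Server`, and the MDM certificate issued by `Microsoft Intune MDM Device CA`. The function names are mine; the registry path, provider ID and CA name are assumptions based on what Intune-enrolled devices normally show, and the sample `dsregcmd` output is constructed so the parser can be exercised anywhere.

```powershell
# Added example (not from the original post): classify a Windows device's
# Azure AD relationship and look for Intune enrollment artifacts.
# Assumptions: dsregcmd.exe is present (Windows 10/11); Intune enrollments sit
# under HKLM:\SOFTWARE\Microsoft\Enrollments\<GUID> with ProviderID 'MS DM Server';
# the MDM device certificate is issued by 'Microsoft Intune MDM Device CA'.

function ConvertFrom-DsregStatus {
    # Turn the "Key : Value" lines of `dsregcmd /status` into a hashtable.
    # Box-drawing and section-title lines contain no colon and are skipped.
    param([string[]]$Lines)
    $map = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*(\S[^:]*?)\s*:\s*(.*?)\s*$') {
            $map[$matches[1]] = $matches[2]
        }
    }
    return $map
}

function Get-DeviceOwnershipModel {
    # COD enrollment joins the device (AzureAdJoined); BYOD enrollment only
    # registers it under the signed-in user (WorkplaceJoined).
    param([hashtable]$Status)
    if ($Status['AzureAdJoined'] -eq 'YES')   { return 'COD (Azure AD joined)' }
    if ($Status['WorkplaceJoined'] -eq 'YES') { return 'BYOD (Azure AD registered)' }
    return 'Not registered with Azure AD'
}

function Get-IntuneEnrollmentEvidence {
    # Live check on the local machine: MDM enrollment entries and the MDM cert.
    $result = [ordered]@{ Enrollments = @(); MdmCertificate = $null }
    $base = 'HKLM:\SOFTWARE\Microsoft\Enrollments'
    if (Test-Path $base) {
        foreach ($key in Get-ChildItem $base) {
            $p = Get-ItemProperty $key.PSPath
            if ($p.ProviderID -eq 'MS DM Server') {        # assumed Intune provider ID
                $result.Enrollments += [pscustomobject]@{
                    Id              = $key.PSChildName
                    UPN             = $p.UPN
                    EnrollmentState = $p.EnrollmentState
                    DiscoveryUrl    = $p.DiscoveryServiceFullURL
                }
            }
        }
    }
    $result.MdmCertificate = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Issuer -like '*Microsoft Intune MDM Device CA*' } |   # assumed issuer
        Select-Object Subject, NotAfter
    return [pscustomobject]$result
}

# Constructed, abridged sample of dsregcmd output (not captured from a real device).
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : NO
          EnterpriseJoined : NO
              DomainJoined : NO
+----------------------------------------------------------------------+
| User State                                                           |
+----------------------------------------------------------------------+
           WorkplaceJoined : YES
'@ -split "`r?`n"

$status = ConvertFrom-DsregStatus $sample
"Sample device: $(Get-DeviceOwnershipModel $status)"   # BYOD (Azure AD registered)

# Only query the real device when dsregcmd.exe exists (i.e. on Windows).
if (Get-Command dsregcmd.exe -ErrorAction SilentlyContinue) {
    $live = ConvertFrom-DsregStatus (dsregcmd.exe /status)
    "This device: $(Get-DeviceOwnershipModel $live)"
    Get-IntuneEnrollmentEvidence | Format-List
}
```

The parser is exercised against the constructed sample so the script runs on any PowerShell, and the registry and certificate checks only run when `dsregcmd.exe` is found. A device that reports `WorkplaceJoined : YES` but has no `MS DM Server` enrollment entry is registered with Azure AD without being enrolled in Intune, which is exactly the state the note above describes when automatic enrollment has not been configured.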
References
- What is device enrollment by Microsoft
- Different enrollment methods by Microsoft
- How to set up enrollment by Microsoft
- Intune enrollment method capabilities by Microsoft
- Comparison of Intune enrollment methods by Microsoft