Aakash Rahsi

Chapter 3: Enrolling Devices in Intune – A Complete Guide for IT Administrators

What’s Device Enrollment in Microsoft Intune?

Simply put, device enrollment in Intune means registering your devices so IT can manage them remotely. This helps companies enforce security, distribute apps, and ensure devices comply with corporate policies. It’s a vital part of keeping both company and personal data safe, while still allowing secure access to the tools and resources employees need for work.

Which Devices Are Supported?

Microsoft Intune works with a wide range of devices across different platforms, giving you flexibility no matter what tech your business relies on:

  • Windows Devices: Compatible with Windows 10 and 11, whether they’re corporate-owned or personal devices. You can use Windows Autopilot for a hands-free, automatic setup.

  • macOS Devices: Supports macOS 10.12 (Sierra) and later. Devices can be enrolled through Apple’s Automated Device Enrollment (ADE) or manually.

  • iOS/iPadOS Devices: Works with iPhones and iPads running iOS 10 or later. Options for enrollment include Apple Configurator, ADE, or BYOD setups.

  • Android Devices: Supports Android 5.0 (Lollipop) or newer, offering options like Android Enterprise Work Profile, Fully Managed, Dedicated, or COPE (Corporate-Owned Personally Enabled).

Key Enrollment Options for Microsoft Intune

Intune offers several ways to enroll devices, depending on what works best for your business:

Automatic Enrollment

If you’re managing corporate devices, automatic enrollment is a hassle-free way to get devices into Intune without needing any action from the user. This works especially well for new or existing devices that are already connected to Azure Active Directory (Azure AD) or Hybrid Azure AD.



Why Use It:

  • It’s hands-free—no manual setup needed.

  • Saves time by automating the process.

  • Ensures consistent security policies across all devices.

Steps to Set Up:

  1. Open Microsoft Endpoint Manager Admin Center.

  2. Go to Devices > Enroll devices > Automatic enrollment.

  3. Enable MDM user scope for the users who need automatic enrollment.

  4. Assign users or groups to the MDM user scope.

Here’s a handy PowerShell command to enable automatic enrollment:

```powershell
Set-MsolDeviceManagementSettings -EnableAutomaticMDMEnrollment $true
```
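As an added example (not from the original post), the following Microsoft Graph PowerShell check reads back the MDM user scope that steps 3 and 4 configure, so you can confirm the setting rather than trust the portal click. It assumes the Microsoft.Graph module is installed, that the signed-in admin can consent to Policy.Read.All, and that the beta mobileDeviceManagementPolicies endpoint exposes appliesTo (none / all / selected) and includedGroups as assumed here.

```powershell
# Added example: read the Intune MDM user scope via Microsoft Graph.
# Assumptions: Microsoft.Graph module present; beta endpoint
# /policies/mobileDeviceManagementPolicies with appliesTo and includedGroups.
function Get-IntuneMdmUserScope {
    Connect-MgGraph -Scopes "Policy.Read.All" -NoWelcome | Out-Null

    $uri = "https://graph.microsoft.com/beta/policies/mobileDeviceManagementPolicies?`$expand=includedGroups"
    $resp = Invoke-MgGraphRequest -Method GET -Uri $uri

    foreach ($policy in $resp.value) {
        # Tenants commonly list more than one MDM policy (for example
        # "Microsoft Intune" and "Microsoft Intune Enrollment"); report all.
        $groups = @()
        if ($policy.appliesTo -eq "selected") {
            $groups = @($policy.includedGroups | ForEach-Object { $_.displayName })
        }

        [pscustomobject]@{
            DisplayName    = $policy.displayName
            MdmUserScope   = $policy.appliesTo      # none | all | selected
            IncludedGroups = ($groups -join ", ")
            DiscoveryUrl   = $policy.discoveryUrl
            IsValid        = $policy.isValid
        }
    }
}

# A scope of "none" means automatic enrollment is effectively off: Azure AD
# join succeeds but no MDM enrollment follows. "selected" with an empty group
# list has the same effect for every user, which is a common misconfiguration.
Get-IntuneMdmUserScope | Format-List
```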

BYOD Enrollment

BYOD enrollment lets employees use their personal devices while still protecting company data. Intune manages the work-related data and apps, but personal information stays private.

Why Use It:

  • Gives employees flexibility by letting them use their personal devices.

  • Keeps company data secure without interfering with personal content.

  • Cuts down costs on corporate-issued devices.

Steps to Set Up:

  1. In the Endpoint Manager Admin Center, go to Devices > Enroll devices > Enrollment restrictions.

  2. Set up restrictions for which devices and OS versions are allowed.

  3. Apply Mobile Application Management (MAM) policies to protect company data on personal devices.

Apple Automated Device Enrollment (ADE)

For large-scale Apple device deployments, Apple ADE offers a simple, zero-touch enrollment experience. It connects with Apple Business Manager or Apple School Manager, making it easy to manage multiple devices without manual setup.



Why Use It:

  • Streamlines device setup for new Apple devices.

  • Lets you pre-configure devices before handing them over to employees.

  • Saves time and reduces manual work.

Steps to Set Up:

  1. In Endpoint Manager Admin Center, go to Devices > iOS/iPadOS > iOS/iPadOS enrollment > Enrollment program tokens.

  2. Upload an Apple MDM Push Certificate.

  3. Create ADE profiles and set preferences like supervision mode and user settings.

You can also bulk import devices with this PowerShell command:

```powershell
Import-Csv "DeviceList.csv" | ForEach-Object { Add-DeviceEnrollmentProgramToken -SerialNumber $_.SerialNumber -TokenId "Token123" }
```

Setting Up Enrollment Profiles

Enrollment profiles determine how devices are set up during enrollment. They ensure that every device meets your organization’s security standards and configurations.

How to Set Up:

  1. In Endpoint Manager Admin Center, go to Devices > Enroll devices > Enrollment Profiles.

  2. Select the platform (Windows, iOS, macOS) and click Create Profile.

  3. Configure profile settings such as device naming, management server URLs, and any specific deployment configurations.

Troubleshooting Enrollment Issues

Even with a smooth process, issues can pop up. Here are a few common problems and tips to fix them:

  • MDM Authority Not Set: Make sure the MDM authority is configured correctly in the Endpoint Manager Admin Center.

  • Invalid Profiles or Tokens: Double-check that your enrollment profiles or tokens (like Apple ADE tokens) are set up correctly.

  • Device Not Joined to Azure AD: Make sure the device is properly connected to Azure AD.

To gather device logs for troubleshooting, use this PowerShell command:

```powershell
Get-WinEvent -LogName "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin"
```
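As an added example (not from the original post), this device-side health check ties the three troubleshooting points above together: it parses `dsregcmd /status` for the Azure AD join state and MDM URL, then pulls recent errors from the enrollment diagnostics log. Run it in an elevated PowerShell session on the Windows device; the dsregcmd field names (AzureAdJoined, MdmUrl, TenantName) are assumed from typical output.

```powershell
# Added example: Windows-side Intune enrollment health check.
# Assumes dsregcmd prints "Key : Value" lines with AzureAdJoined, MdmUrl, TenantName.
function Get-DsregStatus {
    $status = @{}
    foreach ($line in (dsregcmd /status)) {
        if ($line -match '^\s*(\S+)\s*:\s*(.*?)\s*$') {
            $status[$Matches[1]] = $Matches[2]
        }
    }
    return $status
}

function Get-EnrollmentErrors {
    param([int]$Hours = 24)
    $filter = @{
        LogName   = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
        Level     = 2                               # 2 = Error
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    # SilentlyContinue: Get-WinEvent reports "No events were found" as an error.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id,
            @{ n = 'Message'; e = { ($_.Message -split "`r?`n")[0] } }
}

function Test-IntuneEnrollmentHealth {
    $s = Get-DsregStatus
    # Not Azure AD joined: automatic enrollment cannot start (third bullet above).
    # Joined but no MdmUrl: user is usually outside the MDM user scope, or the
    # MDM authority is not set (first bullet above).
    [pscustomobject]@{
        AzureAdJoined = ($s['AzureAdJoined'] -eq 'YES')
        TenantName    = $s['TenantName']
        MdmUrlPresent = -not [string]::IsNullOrWhiteSpace($s['MdmUrl'])
        MdmUrl        = $s['MdmUrl']
        RecentErrors  = @(Get-EnrollmentErrors).Count
    }
}

Test-IntuneEnrollmentHealth | Format-List
Get-EnrollmentErrors | Format-Table -AutoSize
```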
