Key Takeaways
- Users and devices must be registered in Entra ID before accessing internal resources.
- Enrolled devices get a Mobile Device Management (MDM) certificate, allowing Intune to communicate with the device.
- Enrollment policies: Control the number or type of devices a user can enroll.
- Compliance policies: Ensure devices meet company security and usage rules.
- Configuration profiles: Apply work-appropriate settings and features to devices.
Microsoft Intune enables organizations to manage both personal and corporate-owned devices for work or school purposes. Personal devices can be enrolled in BYOD scenarios using the Intune Company Portal. Corporate-owned devices benefit from stricter security and configuration policies. Admins set up device enrollment, configure policies, and assign licenses, ensuring that devices meet organizational standards. Prerequisites include supported devices, proper MDM authority, assigned licenses, and appropriate admin roles, with some platforms requiring additional steps such as Apple MDM certificates.
What are the Different Enrollment Options?

Different enrollment options include Autopilot, Zero Touch, Company portal, Hybrid Azure AD/Azure AD join, ABM, and co-management. The most popular Intune enrollment option is Autopilot because most corporate devices are Windows devices, and most are moving into modern management.
What is Device Enrollment in Intune?

Device Enrollment is the process of getting the devices into Intune management.
In this post, you will see personal vs. corporate devices, as well as user-driven vs. IT-driven scenarios.
Intune Supported Enrollment Methods Windows iOS Android MacOS Linux ChromeOS – Video
The Intune Design Decision video explains the important choices you need to make when planning and configuring Intune. It focuses on key Intune settings and parameters that affect how devices are enrolled, managed, and secured. By watching the video, you will understand the different options available and how to choose the best configuration for effective device management and security in your organization.
Intune Supported Enrollment Methods for Windows iOS Android MacOS Linux ChromeOS
Intune offers a variety of enrollment options for managing devices across multiple platforms, including Windows, iOS, iPadOS, macOS, Linux, ChromeOS, and Android. Understanding these options is a key part of the Intune Design Decisions process, specifically as the third part of the design decisions.
The Intune Design Decisions training comprises 13 informative videos, all conveniently bundled in the Intune Design Decisions Free Training Version 1 Starter Kit Basic post. You can explore the full training package via the provided hyperlink to gain deeper insights into the topic.

Prerequisites for Intune Device Enrollment
Before enrolling devices in Microsoft Intune, ensure your environment and accounts are properly prepared. This includes setting up Intune, assigning licenses, confirming device compatibility, and ensuring the right admin roles and groups are in place.
- Prerequisites
  - Intune Setup
    - MDM Authority must be set to Intune.
    - Intune licenses must be assigned.
    - Devices must be supported.
  - Admin Roles
    - Sign in as a member of the Policy and Profile Manager built-in Intune role.
    - Some platforms may require higher privileges, such as the Intune Administrator built-in role.
- Group Preparation
  - Have user groups and device groups ready to receive enrollment policies.
  - Review or create your group structure if needed.
- Bulk Enrollment
  - Use a Device Enrollment Manager (DEM) account to enroll up to 1,000 devices.
  - DEM accounts are Intune permissions linked to Microsoft Entra user accounts.
  - Not compatible with all enrollment methods (e.g., Apple automated device enrollment).
| Platform | Requirements |
|---|---|
| Android | None |
| Android Enterprise | None |
| iOS/iPadOS | MDM push certificate, Apple ID |
| macOS | MDM push certificate |
| Linux | None |
| Windows | None |
Windows Enrollment
Microsoft Intune provides multiple configuration options to control and simplify Windows device enrollment, provisioning, and post-enrollment experiences. These settings help administrators automate onboarding, enforce security controls, integrate with on-premises environments, and improve user experience during device setup.
| Enrollment options | Details |
|---|---|
| Automatic Enrollment | Configure Windows devices to enroll when they join or register with Azure Active Directory |
| CNAME Validation | Test company domain CNAME registration for Windows enrollment |
| Co-management Settings | Configure co-management settings for Configuration Manager integration |
| Device platform restriction | Configure which platform versions can enroll |
| Device limit restriction | Define how many devices each user can enroll |
| Enrollment notifications | Send email or push notifications to devices after they enroll |
| Windows Hello for Business | Replace passwords with strong two-factor authentication |
| Windows Backup and Restore | Configure whether a user sees a page where they can choose to restore from a backup the first time they start their device |
Windows Autopilot device preparation
Windows Autopilot device preparation helps simplify the initial setup of new devices by streamlining configuration, improving reporting visibility, and enhancing troubleshooting capabilities. It ensures that devices are properly configured and ready for users from the first boot experience.
| Windows Autopilot device preparation | Details |
|---|---|
| Device preparation policies | Configure devices for initial provisioning |
Windows Autopilot
Windows Autopilot is a tool in Intune that helps IT teams set up new Windows laptops or desktops automatically. When a user turns on a new device for the first time, everything (apps, settings, policies) gets installed automatically without IT touching the device.
| Windows Autopilot | Details |
|---|---|
| Devices | Manage Windows Autopilot devices |
| Deployment profiles | Customize the Windows Autopilot provisioning experience |
| Enrollment Status Page | Show app and profile installation statuses to users during device setup |
| Intune Connector for Active Directory | Configure hybrid Azure AD joined devices |

iOS/iPadOS Enrollment
To manage Apple devices such as iPhone, iPad, and Mac using Intune, you must first configure the Apple MDM Push Certificate. This certificate establishes a secure communication channel between Microsoft Intune and Apple’s Push Notification service (APNs).
Bulk Enrollment Methods
For organizations that need to enroll multiple Apple devices at once, Intune provides bulk enrollment options to simplify large-scale deployments. These methods help IT administrators pre-configure devices before they are handed over to users, ensuring they are automatically enrolled and managed from the first startup.
| Bulk Enrollment Methods | Details |
|---|---|
| Apple Configurator | Manage Apple Configurator enrollment |
| Enrollment program tokens | Manage Automated Device Enrollment with Apple Business Manager and Apple School Manager |
Enrollment Options
Enrollment options in Intune help administrators control how devices are enrolled and managed within the organization. Enrollment types allow administrators to manage both user enrollment and device enrollment options based on organizational needs.
| Enrollment Options | Details |
|---|---|
| Enrollment types | Manage User Enrollment and Device Enrollment options |
| Device platform restrictions | Configure which platform versions and management types can enroll |
| Device limit restrictions | Define how many devices each user can enroll |
| Enrollment notifications | Send email or push notifications to devices after they enroll |

Android Enrollment
To manage Android devices using Android Enterprise in Microsoft Intune, certain prerequisites must be completed. The most important requirement is setting up and linking a Managed Google Play account with Intune. Managed Google Play acts as the official app store for Android Enterprise devices, allowing organizations to approve, manage, and deploy applications securely.
Bulk Enrollment Methods
Bulk enrollment methods allow organizations to deploy multiple devices efficiently without manual setup for each one. One of the most effective approaches for Android corporate-owned devices is Zero-touch enrollment.
| Bulk Enrollment Methods | Details |
|---|---|
| Zero-touch enrollment | Link your zero-touch account to Intune and manage zero-touch enrollment |
Enrollment Profiles
Enrollment profiles in Android Enterprise define how devices are enrolled and managed in Microsoft Intune based on ownership type and usage scenario. These profiles help organizations apply the correct management model for personal devices, corporate-owned devices, kiosk devices, or fully managed user devices.
| Enrollment Profiles | Details |
|---|---|
| Personally owned devices with work profile | Manage personal enrollments with work profiles |
| Corporate-owned dedicated devices | Manage device owner enrollments for kiosk and task devices |
| Corporate-owned, fully managed user devices | Manage device owner enrollments for user devices |
| Corporate-owned devices with work profile | Manage enrollments for corporate devices with work profiles |
Android Open Source Project (AOSP)
The Android Open Source Project (AOSP) enrollment option in Microsoft Intune is designed for managing Android devices that are built using the open-source Android code but do not include Google Mobile Services (GMS).
| Android Open Source Project (AOSP) | Details |
|---|---|
| Corporate-owned, user-associated devices | Manage corporate-owned user devices that were built from the Android open source code (AOSP) without Managed Google Services (GMS) |
| Corporate-owned, userless devices | Manage corporate-owned userless devices that were built from the Android open source code (AOSP) without Managed Google Services (GMS) |
Android Device Administrator
Android Device Administrator is a legacy management method in Microsoft Intune used to manage Android devices with device administrator privileges. This method supports both personally owned and corporate-owned devices, allowing IT administrators to apply basic management policies such as password requirements, device restrictions, and remote actions.
| Android Device Administrator | Details |
|---|---|
| Device platform restriction | Configure which platform versions and management types can enroll |
| Device limit restriction | Define how many devices each user can enroll |
| Enrollment notifications | Send email or push notifications to devices after they enroll |

macOS Enrollment
To manage macOS devices in Microsoft Intune, an Apple MDM Push Certificate is required. Without this certificate, Intune cannot send management commands, policies, or app installations to enrolled Apple devices. The certificate must be created in the Apple portal and uploaded to Intune before enrolling any iOS, iPadOS, or macOS devices.
Bulk Enrollment Methods
Apple Configurator is used to manually prepare and enroll Apple devices, usually through a USB connection, making it suitable for smaller deployments or adding devices to management after purchase. In contrast, enrollment program tokens enable Automated Device Enrollment (ADE) by integrating Intune with Apple Business Manager or Apple School Manager, allowing corporate-owned devices to enroll automatically during initial setup.
| Bulk Enrollment Methods | Details |
|---|---|
| Apple Configurator | Manage Apple Configurator enrollment |
| Enrollment program tokens | Manage Automated Device Enrollment with Apple Business Manager and Apple School Manager |
Enrollment Options
To maintain control and security, Intune also allows configuration of device platform restrictions, where administrators can define which operating system versions and management types are permitted to enroll. Additionally, device limit restrictions can be set to control how many devices each user is allowed to enroll, preventing misuse or over-enrollment.
| Enrollment Options | Details |
|---|---|
| Enrollment types | Manage User Enrollment and Device Enrollment options |
| Device platform restrictions | Configure which platform versions and management types can enroll |
| Device limit restrictions | Define how many devices each user can enroll |
| Enrollment notifications | Send email or push notifications to devices after they enroll |
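The device limit and platform restrictions described above can be reviewed in bulk from an export of the tenant's enrollment configurations. The following is an added example, not code from the original post: it goes beyond macOS and checks every platform in the export. It assumes the JSON shape of Microsoft Graph's `deviceEnrollmentConfigurations` collection, uses constructed sample data, and the ceiling of 5 devices per user is an assumed organizational value.

```python
import json

# Constructed sample shaped like a Microsoft Graph response for
# GET /deviceManagement/deviceEnrollmentConfigurations (not real tenant data).
SAMPLE_EXPORT = json.loads("""
{"value": [
  {"@odata.type": "#microsoft.graph.deviceEnrollmentLimitConfiguration",
   "displayName": "All users and all devices", "priority": 0, "limit": 15},
  {"@odata.type": "#microsoft.graph.deviceEnrollmentLimitConfiguration",
   "displayName": "Field staff limit", "priority": 1, "limit": 3},
  {"@odata.type": "#microsoft.graph.deviceEnrollmentPlatformRestrictionsConfiguration",
   "displayName": "All users and all devices", "priority": 0,
   "windowsRestriction": {"platformBlocked": false,
                          "personalDeviceEnrollmentBlocked": false,
                          "osMinimumVersion": null, "osMaximumVersion": null},
   "macOSRestriction": {"platformBlocked": false,
                        "personalDeviceEnrollmentBlocked": true,
                        "osMinimumVersion": "13.0", "osMaximumVersion": null},
   "androidRestriction": {"platformBlocked": true,
                          "personalDeviceEnrollmentBlocked": false,
                          "osMinimumVersion": null, "osMaximumVersion": null}}
]}
""")

MAX_DEVICE_LIMIT = 5  # assumed organizational ceiling; adjust to your policy
RESTRICTION_KEYS = ("windowsRestriction", "iosRestriction",
                    "macOSRestriction", "androidRestriction")


def audit_enrollment_configs(export, max_limit=MAX_DEVICE_LIMIT):
    """Return (policy name, scope, issue) tuples that deserve a review.

    These are review items, not violations: a tenant that intends to
    support BYOD will expect the personal-enrollment entries.
    """
    findings = []
    for cfg in export.get("value", []):
        kind = cfg.get("@odata.type", "").rsplit(".", 1)[-1]
        name = cfg.get("displayName", "<unnamed>")

        if kind == "deviceEnrollmentLimitConfiguration":
            limit = cfg.get("limit")
            if isinstance(limit, int) and limit > max_limit:
                findings.append(
                    (name, "device-limit", f"limit {limit} exceeds {max_limit}"))

        elif kind == "deviceEnrollmentPlatformRestrictionsConfiguration":
            for key in RESTRICTION_KEYS:
                restriction = cfg.get(key)
                if not restriction:
                    continue  # platform absent from this export
                if restriction.get("platformBlocked"):
                    continue  # nothing can enroll, so nothing to review
                platform = key[:-len("Restriction")]
                if not restriction.get("personalDeviceEnrollmentBlocked"):
                    findings.append(
                        (name, platform, "personal devices may enroll"))
                if not restriction.get("osMinimumVersion"):
                    findings.append(
                        (name, platform, "no minimum OS version"))
    return findings


if __name__ == "__main__":
    for policy, scope, issue in audit_enrollment_configs(SAMPLE_EXPORT):
        print(f"{policy:28} {scope:14} {issue}")
```
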

Linux devices
Microsoft Intune supports management of Linux devices to help organizations secure and monitor endpoints outside of Windows and macOS environments. Linux device management in Intune is focused mainly on compliance, security monitoring, and integration with Microsoft security solutions.

Windows Automatic Enrollment
Windows Automatic Enrollment allows both personal and corporate-owned Windows devices to automatically enroll into Intune. Some automatic enrollment options require Microsoft Entra ID P1 or P2 licenses.
| Feature | Use this enrollment option when |
|---|---|
| You use Windows client. | Configuration Manager supports Windows Server. |
| You have Microsoft Entra ID P1 or P2 | |
| You’ll use Conditional Access (CA) on devices enrolled using bulk enrollment with a provisioning package. | On Windows, CA is available for Windows devices enrolled using bulk enrollment. |
| You have remote workers. | |
| Devices are personal or BYOD. | If you use Group Policy, then bulk enrollment and automatic enrollment are for corporate-owned devices, not personal or BYOD. |
| Devices are owned by the organization or school. | |
| You have new or existing devices. | |
| Need to enroll a few devices, or a large number of devices (bulk enrollment). | Bulk enrollment is for organization-owned devices, not personal or BYOD. |
| Devices are associated with a single user. | |
| Devices are user-less, like kiosk, dedicated, or shared device. | These devices are organization-owned. This enrollment method requires users to sign in with their organization account. An organization admin can sign in, and automatically enroll. When the device is enrolled, create a kiosk profile, and assign this profile to this device. You can also create a profile for devices shared with many users. |
| You use the optional device enrollment manager (DEM) account. | DEM accounts don’t work with Group Policy |
| Devices are managed by another MDM provider. | To be fully managed by Intune, users need to unenroll from the current MDM provider, and then enroll in Intune. |
Enroll macOS devices in Microsoft Intune
When enrolling macOS devices in Microsoft Intune, there are 3 main ways, depending on whether the device is personal or company-owned. The list below shows them.
- BYOD: Device enrollment
- Automated device enrollment (ADE)
- Direct enrollment
Linux Enrollment in Intune
Linux enrollment in Microsoft Intune supports both personal (BYOD) and organization-owned devices running supported Linux distributions. Users enroll their Linux devices through the Microsoft Intune app and authenticate using their organizational credentials managed by Microsoft Entra ID.
| Feature | Use this enrollment option when |
|---|---|
| You use Ubuntu Desktop (24.04 LTS or 22.04 LTS on x86/64). | Yes |
| You use Ubuntu Server. | No |
| You use RedHat Enterprise Linux 8 or 9. | Yes |
| Devices are owned by the organization or school. | Yes |
| Devices are personal or BYOD. | Yes |
| You have new or existing devices. | Yes |
| Need to enroll a few devices, or a large number of devices (bulk enrollment). | No. Bulk enrollment isn’t supported. Each device needs to be enrolled using the Microsoft Intune App. |
| Devices are associated with a single user. | Yes |
| Devices are user-less, such as kiosk or dedicated device. | No. The enrollment requires a user to sign in with an organization account. |
| Devices are managed by another MDM provider. | No. It might be possible to enroll Linux devices in Intune that are already enrolled in another MDM provider. This scenario hasn’t been tested by Microsoft. |
| You use the device enrollment manager (DEM) account. | No. DEM accounts don’t apply to Linux. |
Android Enterprise Personally Owned Devices with Work Profile
In Microsoft Intune, Android Enterprise personally owned devices with a work profile are designed for BYOD (Bring Your Own Device) scenarios. These are personal Android devices that employees use to access organization email, apps, and corporate data.
| Feature | Use this enrollment option when |
|---|---|
| Use Google Mobile Services (GMS). | Yes |
| Devices are personal or BYOD. | Yes. You can mark these devices as corporate or personal. |
| You have new or existing devices. | Yes |
| Need to enroll a few devices, or a large number of devices (bulk enrollment). | Yes |
| Devices are associated with a single user. | Yes |
| You use the optional device enrollment manager (DEM) account. | Yes |
| Devices are managed by another MDM provider. | No. When a device enrolls, MDM providers install certificates and other files. These files must be removed. The quickest way might be to unenroll, or factory reset the devices. If you don’t want to factory reset, then contact the other MDM provider for guidance. |
| Devices are owned by the organization or school. | No. Not recommended for organization-owned devices. Organization-owned devices should be enrolled using Android Enterprise fully managed (in this article), or using Android Enterprise corporate owned work profile (in this article). |
| Devices are user-less, such as kiosk, dedicated, or shared. | No. User-less or shared devices should be organization-owned. These devices should be enrolled using Android Enterprise dedicated devices. |
Windows User-Driven Enrollment Options
This section covers the Windows platform. The Windows user-driven enrollment options are Autopilot, Install company portal, MDM-only enrollment, and Azure AD join, as shown in the table below. If your organization is comfortable with user-driven or self-service enrollment to empower users, look into these 4 enrollment options in Intune.
- Windows Autopilot & Enrollment – Recent Updates
  - Autopilot Self-Deploying Mode (GA)
    - Fully automated Autopilot mode with little to no user interaction. Device joins Azure AD and enrolls into Intune automatically, displaying ESP until completion.
  - Enterprise App Catalog Integration During Enrollment
    - Enterprise App Catalog apps can now be included as required apps in the Enrollment Status Page (ESP).
  - Intune Connector for Active Directory Updates
    - Connector now supports low-privileged account configuration for hybrid join flows.
  - Windows Updates During OOBE
    - MDM-enrolled devices (including Autopilot) can automatically apply quality updates during Out-of-Box Experience before reaching the desktop.
  - OOBE Improvements (Rollout Update)
    - Microsoft delayed the update rollout to gather feedback and refine the experience.
  - Blocking Personal Windows Home Device Enrollment
    - New preview setting prevents accidental enrollment of personal Windows Home devices through add-account flows. Not a complete block: Company Portal enrollment is still allowed.
| Device Platform | Enrollment Options | User Driven | User Interaction | IT Driven |
|---|---|---|---|---|
| Windows | Autopilot | Yes | Yes | No |
| Windows | Install company portal | Yes | Yes | No |
| Windows | MDM-only enrollment | Yes | Yes | No |
| Windows | Azure AD join | Yes | Yes | No |

Windows IT Admin-Driven Enrollment Options
The Windows IT admin-driven enrollment options are Hybrid Azure AD Join – GPO Settings, SCCM Co-Management Options, Device Enrollment Manager (DEM), Bulk Enroll using WCD, and Enrolling Windows IoT Core devices with WCD and USB. The table below shows these options.
| Device Platform | Enrollment Options | User-Driven | User Interaction | IT Driven |
|---|---|---|---|---|
| Windows | Hybrid Azure AD Join – GPO Settings | No | No | Yes |
| Windows | SCCM Co-Management Options | No | No | Yes |
| Windows | Device Enrollment Manager (DEM) | No | No | Yes |
| Windows | Bulk Enroll using WCD | No | No | Yes |
| Windows | Enrolling Windows IoT Core devices with WCD and USB | No | No | Yes |

Supported Windows Intune Enrollment Methods
Let’s look at user-driven and IT-driven enrollment methods. The list below shows all the supported enrollment methods for the Windows platform. The table then shows, for each Windows enrollment method, whether a reset of the Windows device is required, whether the device has user affinity, and whether the MDM profile is removable.
The Windows Intune Enrollment method includes the following.
- Bring-your-own-device (BYOD)
- Device enrollment manager
- Automatic enrollment via MDM
- Automatic enrollment via Group Policy
- Windows Autopilot
- Bulk enrollment
- Co-management with Microsoft Intune and Configuration Manager
| Method | Reset Required | User Affinity | MDM Profile Removable |
|---|---|---|---|
| Bring-your-own-device (BYOD) | No | Yes | Yes |
| Device enrollment manager | No | No | Yes |
| Automatic enrollment via MDM | No | Yes | Yes |
| Automatic enrollment via Group Policy | No | Yes | Yes |
| Windows Autopilot | Yes | Yes | Yes |
| Bulk enrollment | No | No | Yes |
| Co-management with Microsoft Intune and Configuration Manager | No | Yes | Yes |

Supported iOS/iPadOS Intune Enrollment Methods
Let’s check the Supported iOS/iPadOS Intune Enrollment Methods. Bring-your-own-device (BYOD) is a very popular option in iOS. Setup Assistant enrollment via USB is another important method.
- Bring-your-own-device (BYOD)
- Device enrollment manager
- Apple Automated Device Enrollment
- Setup Assistant enrollment via USB
- Direct enrollment via USB
| Method | Reset Required | User Affinity | MDM Profile Removable |
|---|---|---|---|
| Bring-your-own-device (BYOD) | No | Yes | Yes |
| Device enrollment manager | No | No | Yes |
| Apple Automated Device Enrollment | Yes | Optional | Optional |
| Setup Assistant enrollment via USB | Yes | Optional | Yes |
| Direct enrollment via USB | No | No | Yes |

Advantages of using iOS/iPadOS – Automatic Enrollment using ABM and ASM
Let’s discuss the Advantages of using iOS/iPadOS – Automatic Enrollment using Apple Business Manager (ABM) Enrollment and Apple School Manager (ASM) Enrollment. Before deciding on personal and corporate types of devices, you want to know the differences between personally managed devices and corporate devices or supervised mode vs. personal mode.
The window below will help you with this and provide the correct details.

Shared iPadOS/iOS device Intune Enrollment Methods
Another important design decision concerns shared iOS and iPadOS devices and their enrollment. The screenshot below gives many details about Shared iPad, shared device mode, and the different scenarios for shared iPadOS/iOS device enrollment in Intune, such as supported device types and minimum device requirements.

Temporary sessions without signing in are not applicable in Shared Device Mode. For Shared iPad, “Temporary sessions that do not require a managed Apple ID or password are allowed by default. Temporary sessions can be allowed or blocked by Intune policy.”

Intune Supported macOS Intune Enrollment Methods
Let’s get into the macOS enrollment methods that Intune supports: Bring-your-own-device (BYOD), Device enrollment manager, and Apple Automated Device Enrollment. The enrollment methods follow the same pattern as iOS and iPadOS. Personal enrollment is supported.
| Method | Reset required | User Affinity | MDM Profile Removable |
|---|---|---|---|
| Bring-your-own-device (BYOD) | No | Yes | Yes |
| Device enrollment manager | No | No | Yes |
| Apple Automated Device Enrollment | Yes | Optional | Optional |

Intune Enrollment Android Devices with Different Management Options
Intune enrollment options for Android devices are a bit more complex because they cover different scenarios. The management of Android devices is also more complex, and the enrollment options are wider.
Android Enterprise includes options such as Android Enterprise personally owned with a work profile, Android Enterprise dedicated CYO, Android Enterprise fully managed CYO, and Android Enterprise corporate-owned with a work profile BYO/CYO.
Android device administrator is for cases where Android Enterprise or Google Mobile Services (GMS) is unavailable. Android device administrator includes Samsung Knox Standard devices and Zebra devices.

Android Intune Enrollment
These are the actual Intune enrollment options for Android devices. For example, you can use a QR code to enroll Android devices in Intune. Android Intune enrollment includes the following.
- QR code
- Device enrollment manager (DEM) with Company Portal
- User-initiated with Company Portal
- Near-field communication (NFC)
- Token entry
- Google zero-touch enrollment

Linux Intune Enrollment
Linux enrollment in Intune is a manual, user-driven process, and it is the only supported method: the user installs the Intune app, which is similar to the Intune Company Portal app. Installing the Intune app brings supported Linux devices into Intune enrollment. The table below shows the options, such as the feature and the use of this enrollment option.

ChromeOS Intune Enrollment Options
ChromeOS device management is done from the Google Workspace admin console. The devices are managed from there, but the Intune portal can retrieve the details of those devices and initiate remote actions on them.

Author
About the Author: Vidya is a computer enthusiast. She is here to share quick tips and tricks with Windows 11 or Windows 10 users. She loves writing about Windows 11 and related technologies. She is also keen to find solutions and write about day-to-day tech problems.

