Corporate & BYOD Device Enrollment in Microsoft Intune

ℹ️

Corporate Device Enrollment gives IT full management control over company-owned devices. Devices are enrolled via Autopilot (Windows), Apple Business Manager / DEP (iOS/macOS), or Android Enterprise (Android) — all without requiring end-user involvement in the IT setup process.

Before You Start

Prerequisites — Corporate

📋

Required Before Enrolling Corporate Devices

→ Microsoft Intune license assigned to each user
→ Azure Active Directory configured
→ Devices should be factory reset (required for Autopilot / DEP)
→ Admin permissions to configure Intune (Intune Administrator or Global Administrator role)

Windows 10 / 11

Autopilot + Azure AD Join

Zero-touch provisioning for corporate Windows devices — devices set themselves up on first boot.

Enable Auto Enrollment in Azure AD

In the Azure Portal → Azure Active Directory → Mobility (MDM and MAM) → Microsoft Intune.
Set MDM user scope to All (or a specific group). This allows devices that join Azure AD to auto-enroll into Intune.

Import Device Hardware Hash into Intune

Obtain the hardware hash from each device (either via OEM export or by running the script below on the device before setup). Upload the generated CSV to Intune → Devices → Windows → Windows Enrollment → Autopilot → Devices → Import.

Install-Script -Name Get-WindowsAutopilotInfo Get-WindowsAutopilotInfo -OutputFile C:\HWID\DeviceID.csv

Create and Assign a Windows Autopilot Deployment Profile

Intune → Devices → Windows → Windows Enrollment → Deployment Profiles → Create Profile.

→ Platform: Windows PC · Type: User-Driven
→ Convert all targeted devices to Autopilot: Yes
→ Optionally skip privacy settings, EULA, and rename device on OOBE

Assign the profile to your Autopilot device group.

Device Auto-Enrolls on First Boot

Ship the device to the end user. On first power-on with internet access, the device detects the Autopilot profile, joins Azure AD, auto-enrolls into Intune, and applies all assigned apps and policies — with no IT involvement needed on-site.

iOS & macOS

Apple Business Manager / DEP

Automated Device Enrollment via Apple Business Manager — devices enroll silently on first setup.

Set Up Apple MDM Push Certificate in Intune

Intune → Devices → iOS/iPadOS → iOS/iPadOS enrollment → Apple MDM Push certificate.
Download the CSR, upload to Apple Push Certificates Portal, download the resulting .pem, then upload back to Intune. This certificate is required for all Apple device management and must be renewed annually.

Connect Apple Business Manager to Intune

In Apple Business Manager (business.apple.com) → Settings → MDM Servers → Add MDM Server → enter your Intune MDM server URL.
In Intune → Devices → iOS/iPadOS → Enrollment program tokens → Add token → download and upload the Apple token file.

Assign Devices to the MDM Server in ABM

In Apple Business Manager → Devices → select target devices → Assign to MDM → choose your Intune MDM server. Devices purchased through Apple or authorised resellers can be auto-assigned using your ABM organisation ID.

Create iOS/macOS Enrollment Profile in Intune

Intune → Devices → iOS/iPadOS → Enrollment program tokens → select your token → Profiles → Create profile.

Configure: department name, support phone, supervision mode (Supervised recommended for corporate), lock enrollment to prevent removal, and set the setup assistant steps to skip.

Device Auto-Enrolls on Setup

Factory-reset the device (or unbox a new one). During the iOS/macOS Setup Assistant, the device checks in with Apple, receives the DEP profile from Intune, and silently enrolls — applying all assigned configuration profiles, restrictions, and apps.

Android

Android Enterprise — Corporate

Fully managed or dedicated device enrollment using Android Enterprise and Managed Google Play.

Connect Managed Google Play to Intune

Intune → Devices → Android → Android enrollment → Managed Google Play → Connect.
Sign in with a corporate Google account and approve the connection. This links your Intune tenant to Google's enterprise management infrastructure.

Choose Enrollment Type

Select the appropriate management mode for your use case:

→ Fully Managed — Single-user corporate device. IT has full control. Best for office or field workers with dedicated company phones.
→ Dedicated Device — Single-purpose kiosk device (e.g. warehouse scanner, digital signage). No user account required.

Create an Enrollment Profile with Security Settings

Intune → Devices → Android → Android enrollment → Corporate-owned, fully managed user devices → Create profile.
Configure token name, device name template, Wi-Fi settings, and security requirements. Intune generates a QR code and an enrollment token.

Factory Reset Device and Scan QR Code

Factory reset the Android device. On the Welcome screen, tap 6 times to enter provisioning mode, connect to Wi-Fi, then scan the QR code generated by Intune.
The device downloads the management agent, enrolls into Intune, and applies all assigned apps and policies automatically.

💡

Best Practices — Corporate Enrollment:
→ Use Dynamic Groups in Azure AD for automatic policy assignment (e.g. all Autopilot devices, all iOS supervised)
→ Combine Compliance Policies with Conditional Access — non-compliant devices lose access to corporate resources automatically
→ Configure Company Branding in Azure AD for a professional OOBE experience that shows your company logo and name during enrollment

ℹ️

BYOD (Bring Your Own Device) Enrollment allows employees to enroll their personal devices to access corporate resources while keeping personal data completely separate. IT applies policies only to the work profile or managed apps — personal data is never touched.

Before You Start

Prerequisites — BYOD

📋

Required Before Enrolling Personal Devices

→ Microsoft Intune license assigned to the user
→ Azure Active Directory configured with MDM auto-enrollment enabled
→ User must install the Company Portal app on their personal device
→ Clear communication sent to end users explaining what IT can and cannot see on their personal device (privacy and data separation)

Windows 10 / 11

Windows BYOD Enrollment

User-initiated enrollment via Windows Settings — registers the device without full MDM control.

Open Work or School Account Settings

On the personal Windows device: Settings → Accounts → Access work or school → Connect.
Enter the work email address when prompted.

Sign in with the user's corporate credentials (Azure AD account). Windows will Azure AD Register the device (not fully Azure AD Joined — personal ownership is preserved). Complete any MFA prompts.

Install Company Portal and Complete Enrollment

Download and install the Microsoft Company Portal app from the Microsoft Store. Open it, sign in with work credentials, and follow the prompts to complete enrollment. The device will appear in Intune for app and policy management.

Device Appears in Intune

The device shows up in Intune → Devices. IT can now deploy corporate apps (e.g. Microsoft 365), apply conditional access policies, and enforce compliance — without affecting personal files, apps, or settings.

iOS / iPhone

iOS BYOD Enrollment

MDM profile installed on personal iPhone — corporate apps and policies applied without accessing personal data.

Install Microsoft Company Portal from the App Store

Open the App Store on the personal iPhone. Search for Microsoft Company Portal and install it. This is the enrollment agent for iOS BYOD.

Open Company Portal → Sign in → enter the corporate email and password (Azure AD credentials). Complete any MFA challenge if required.

Grant Required Permissions

Follow the prompts to grant device management permissions. iOS will ask to install an MDM profile — go to Settings → General → VPN & Device Management and trust the profile. Also grant any app install permissions when prompted.

Corporate Apps and Policies Applied

The device enrolls with limited management — only the MDM profile and App Protection Policies are applied. Corporate apps (Outlook, Teams, etc.) are pushed via Company Portal. IT cannot access personal photos, messages, or apps.

Android

Android BYOD — Work Profile

Android Enterprise Work Profile creates a secure, isolated container for corporate apps on a personal device.

Install Microsoft Company Portal from Google Play

Open Google Play Store on the personal Android device. Search for Microsoft Company Portal and install it.

Open Company Portal → Sign in with the corporate Azure AD account. Complete any MFA prompt.

Set Up the Android Work Profile

Follow the on-screen prompts to create an Android Work Profile. This creates a completely separate, encrypted container on the device that is isolated from personal apps and data.

Work apps appear with a briefcase badge icon to visually distinguish them from personal apps. The user can toggle between personal and work contexts at any time.

Work Apps and Policies Applied — Personal Data Untouched

IT can deploy corporate apps, enforce password policies, and remotely wipe only the Work Profile if needed — the personal side of the device is never accessible to IT. Personal photos, messages, contacts, and apps remain completely private.

💡

Best Practices — BYOD Enrollment:
→ Configure App Protection Policies (MAM) to control copy/paste, screenshots, and data sharing between corporate and personal apps — even on unenrolled devices
→ Enable Conditional Access to restrict non-compliant devices from accessing Exchange Online, SharePoint, and Teams
→ Send users a clear privacy notice explaining exactly what IT can and cannot see (device name, OS version, compliance status — not personal apps, messages, or location)
→ Scope compliance checks only to the Work Profile or managed apps — not the full device — to respect user privacy