Intune Device Enrollment Guide
Intune lets you manage your workforce's devices and apps and how they access your company data. To use this
mobile device management (MDM), the devices must first be enrolled in the Intune service. When a device is
enrolled, it's issued an MDM certificate, which the device uses to authenticate its communication with the Intune service.
As you can see in the following tables, there are several methods to enroll your workforce's devices. Each method
depends on the device's ownership (personal or corporate), device type (iOS, Windows, Android), and management
requirements (resets, affinity, locking).
By default, devices for all platforms are allowed to enroll in Intune. However, you can restrict devices by platform.
[Table: corporate enrollment methods. Columns: Enrollment method, Reset required, User affinity, Locked, Details.]
Corporate-owned device
Corporate-owned devices (COD) include phones, tablets, and PCs owned by the organization and distributed to the
workforce. COD enrollment supports scenarios like automatic enrollment, shared devices, or pre-authorized
enrollment requirements. A common way to enroll CODs is for an administrator or manager to use the device
enrollment manager (DEM). iOS/iPadOS devices can be enrolled directly through the ADE tools that are provided
by Apple. Devices with an IMEI number can also be identified and tagged as corporate-owned.
Device enrollment manager
Device enrollment manager (DEM) is a special user account that's used to enroll and manage multiple corporate-
owned devices. Managers can install the Company Portal and enroll many user-less devices. These types of devices
are good for point-of-sale or utility apps, for example, but not for users who need to access email or company
resources. Learn more about DEM.
Apple Automated Device Enrollment
Apple Automated Device Enrollment (ADE) management lets you create and deploy policy "over the air" to
iOS/iPadOS and macOS devices that are purchased and managed with ADE. The device is enrolled when users turn
on the device for the first time and run Setup Assistant. This method supports iOS/iPadOS supervised mode, which
enables a device to be configured with specific functionality.
Learn more about iOS/iPadOS ADE enrollment:
Choose how to enroll iOS/iPadOS devices
Enroll iOS/iPadOS devices using Device Enrollment Program
USB-SA
IT admins use Apple Configurator, through USB, to prepare each corporate-owned device manually for enrollment
using Setup Assistant. The IT admin creates an enrollment profile and exports it to Apple Configurator. When users
receive their devices, they're then prompted to run Setup Assistant to enroll their device. This method supports iOS
supervised mode, which in turn enables the following features:
Locked enrollment
Kiosk mode and other advanced configurations and restrictions
Learn more about iOS/iPadOS Apple Configurator enrollment with Setup Assistant:
Decide how to enroll iOS/iPadOS devices
Enroll iOS/iPadOS devices with Configurator and Setup Assistant
USB-Direct
For direct enrollment, the admin must enroll each device manually by creating an enrollment policy and exporting
it to Apple Configurator. USB-connected, corporate-owned devices are enrolled directly and don't require a wipe.
Devices are managed as user-less devices. They're not locked or supervised and can't support Conditional Access,
jailbreak detection, or mobile application management.
To learn more about iOS/iPadOS enrollment, see:
Decide how to enroll iOS/iPadOS devices
Enroll iOS/iPadOS devices with Configurator and direct enrollment
Microsoft Intune lets you manage a range of devices by enrolling them into the service. You can enroll some device
types yourself, or users can enroll using the company portal app. Enrolling lets them browse and install apps, make
sure that their devices are compliant with company policies, and contact their IT support.
This article gives a full list of the capabilities that you get after devices are enrolled.
Management, inventory, app deployment, provisioning, and retirement are all handled through Intune in the Azure
portal.
Users gain access to the company portal, which enables them to install apps, enroll and remove devices, and
contact their IT department or helpdesk.
Capability: Configuration policies; Custom policies
Details: Lets you manage many settings and features on mobile devices in your organization. For example, you can require a password, limit the number of failed attempts, limit the amount of time before the screen locks, set password expiration, and prevent previously used passwords. You can also control the use of hardware and software features such as the device camera or the web browser.
More information: Manage settings and features on your devices with Microsoft Intune policies

Capability: Remote Wipe, Remote Lock, and Passcode Reset
Details: Erases sensitive data when a device is lost or stolen. For example, you can remotely lock the device, restore it to factory settings, or wipe only corporate data.
More information: Help protect your devices with remote lock and passcode reset

Capability: Kiosk mode
Details: Lets you lock down certain features of mobile devices such as screen captures and power switches. Also lets you restrict devices to run a single app that you specify.
More information: iOS configuration policy settings in Microsoft Intune

Capability: Autopilot Reset
Details: Sends a task to the device to start the reset process remotely, avoiding the need for IT staff or other administrators to visit each machine to start the process. When Autopilot Reset is used on a device, the device's primary user will be removed. The next user who signs in after the reset will be set as the primary user.
More information: Remote Windows Autopilot Reset
App management
Capability: App deployment and management
Details: Provides a range of tools to help you manage mobile apps through their lifecycle, including app deployment from installation files and app stores, detailed monitoring of app status, and app removal.
More information: Deploy apps in Microsoft Intune

Capability: Compliant and noncompliant apps
Details: Lets you specify lists of compliant apps (that users are allowed to install) and noncompliant apps (that users aren't allowed to install).
More information: iOS policy settings in Microsoft Intune

Capability: Mobile application management
Details: Configures restrictions for apps by using mobile application management, both on devices that are managed with Intune and on devices that are not. You can increase the security of your company data by restricting operations such as copy and paste, external backup of data, and the transfer of data between apps.
More information: Configure and deploy mobile application management policies in the Microsoft Intune console

Capability: iOS mobile app configuration
Details: Uses mobile app configuration policies to supply settings for iOS/iPadOS apps that might be required when the user runs the app. For example, an app might require the user to specify a port number or logon information. You can streamline app configuration and reduce the number of support calls.
More information: Configure iOS/iPadOS apps with mobile app configuration policies in Microsoft Intune

Capability: iOS/iPadOS mobile app provisioning profiles
Details: Helps you deploy provisioning profiles to iOS/iPadOS apps that are nearing expiration.
More information: Use iOS/iPadOS mobile provisioning profile policies to prevent your apps from expiring

Capability: Managed browser
Details: Configures managed browser policies to control the websites that device users can visit. In addition, you can also apply mobile application management policies to the managed browser.
More information: Manage Internet access using managed browser policies with Microsoft Intune

Capability: Windows Hello for Business
Details: Lets you integrate with Windows Hello for Business, which is an alternative sign-in method for Windows 10 that uses on-premises Active Directory or Azure Active Directory to replace passwords, smart cards, or virtual smart cards.
More information: Control Windows Hello for Business settings on devices with Microsoft Intune

Capability: Volume purchased apps
Details: Helps you manage apps that you purchased through a volume-purchase program by importing the license information from the app store, tracking how many of the licenses you have used, and preventing you from installing more copies of the app than you own.
More information: Manage volume-purchased apps using Microsoft Intune

Capability: Certificate profiles
Details: Creates and deploys trusted certificate profiles and Simple Certificate Enrollment Protocol (SCEP) certificates, which can be used to secure and authenticate Wi-Fi, VPN, and email profiles.
More information: Secure resource access with certificate profiles in Microsoft Intune

Capability: Wi-Fi profiles
Details: Deploys wireless network settings to your users. By deploying these settings, you minimize the user effort that's required to connect to the corporate network.
More information: Wi-Fi connections in Microsoft Intune

Capability: Email profiles
Details: Creates and deploys email settings to devices so that users can access corporate email on their personal devices without any required setup on their part.
More information: Configure access to corporate email using email profiles with Microsoft Intune

Capability: VPN profiles
Details: Deploys VPN settings to users and devices in your organization. By deploying these settings, you minimize the user effort that's required to connect to resources on the company network.
More information: VPN connections in Microsoft Intune

Capability: Conditional Access policies
Details: Manages access to Microsoft Exchange email and SharePoint Online from devices that are not managed by Intune.
More information: Restrict access to email and SharePoint with Microsoft Intune
Next steps
See a list of devices that you can manage.
Enrollment options for devices managed by Intune
9/4/2020 • 2 minutes to read
As an Intune admin, you can configure device enrollment to help users and enable Intune capabilities. Intune
includes the following enrollment options:
Enrollment restrictions
You can choose to restrict device enrollment by:
Device platform
Number of devices per user
Block personal devices
Learn more about enrollment restrictions.
Corporate identifiers
You can list international mobile equipment identifier (IMEI) numbers and serial numbers to identify corporate-
owned devices. Learn more about corporate identifiers.
Multi-factor authentication
You can require users to use an additional verification method, such as a phone, PIN or biometric data, when they
enroll a device. Learn more about multi-factor authentication.
Device categories
You can use device categories to automatically add devices to groups based on categories that you define.
Organizing devices into groups makes it easier for you to manage those devices. Learn more about device
categories.
Quickstart: Set up automatic enrollment for Windows 10 devices
9/4/2020 • 2 minutes to read
In this quickstart, you'll set up Microsoft Intune to automatically enroll devices when specific users sign in to
Windows 10 devices.
If you don't have an Intune subscription, sign up for a free trial account.
Prerequisites
Microsoft Intune subscription - sign up for a free trial account.
To complete this quickstart, you must first create a user and create a group.
NOTE
It may take a minute to activate.
6. Select Some from the MDM user scope to use MDM auto-enrollment to manage enterprise data on your
employees' Windows devices. MDM auto-enrollment will be configured for AAD joined devices and bring
your own device scenarios.
7. Click Select groups > Contoso Testers > Select as the assigned group.
8. Select Some from the MAM Users scope to manage data on your workforce's devices.
9. Choose Select groups > Contoso Testers > Select as the assigned group.
10. Use the default values for the remaining configuration values.
11. Choose Save .
Clean up resources
To reconfigure Intune automatic enrollment, check out Set up enrollment for Windows devices.
Next steps
In this quickstart, you learned how to set up auto-enrollment for Windows 10 devices. For more information about
device enrollment, see What is device enrollment?
To follow this series of Intune quickstarts, continue to the next quickstart.
Quickstart: Enroll your Windows 10 device
Quickstart: Enroll your Windows 10 device
3/26/2020 • 2 minutes to read
In this quickstart, you'll first take the role of an Intune user and enroll your Windows 10 device into Microsoft
Intune. Then, you'll return to Intune and confirm the device enrolled.
Enrolling your devices into Microsoft Intune allows your Windows 10 devices to get access to your organization's
secure data, including email, files, and other resources. This is true for both Windows 10 desktop and Windows 10
Mobile devices. Enrolling your devices helps secure this access for both you and your organization, and helps keep
your work data separate from your personal data.
TIP
Find out what happens when you enroll your device in Intune and what that means for the information on your device.
If you don't have an Intune subscription, sign up for a free trial account.
Prerequisites
Microsoft Intune subscription - sign up for a free trial account
To complete this quickstart, you must first complete the steps to set up automatic enrollment in Intune.
3. In the Settings window you will see a list of Windows specifications for your PC. Within this list, locate
the Version .
4. Confirm that the Windows 10 Version is 1607 or higher .
IMPORTANT
The steps presented in this quickstart are for Windows 10 version 1607 or higher. If your version is 1511 or lower,
continue with these steps.
NOTE
If you're setting up an ".onmicrosoft.com" tenant, the user account will have .onmicrosoft.com as part of the account
address.
You'll see a message indicating that your company or school is registering your device.
4. When you see the You're all set! screen, select Done.
5. You will now see the added account as part of the Access work or school settings on your Windows
Desktop.
If you followed the previous steps, but still can't access your work or school email account and files, follow
the steps in Troubleshooting steps to follow if you see Access work or school.
Clean up resources
To unenroll your Windows device, see Remove your Windows device from management.
Next steps
In this quickstart, you learned how to enroll a Windows 10 device into Intune. You can learn about other ways to
enroll devices across all platforms. For more information about using devices with Intune, see Use managed
devices to get work done.
To follow this series of Intune quickstarts, continue to the next quickstart.
Quickstart: Set a required password length for Android devices
Tutorial: Use Autopilot to enroll Windows devices in Intune
9/4/2020 • 3 minutes to read
Windows Autopilot simplifies enrolling devices. With Microsoft Intune and Autopilot, you can give new devices to
your end users without the need to build, maintain, and apply custom operating system images.
In this tutorial, you'll learn how to:
Add devices to Intune
Create an Autopilot device group
Create an Autopilot deployment profile
Assign the Autopilot deployment profile to the device group
Distribute Windows devices to users
If you don't have an Intune subscription, sign up for a free trial account.
For an overview of Autopilot benefits, scenarios, and prerequisites, see Overview of Windows Autopilot.
Prerequisites
Set up Windows automatic enrollment
Azure Active Directory Premium subscription
Add devices
The first step in setting up Windows Autopilot is to add the Windows devices to Intune. All you have to do is create
a CSV file and import it into Intune.
1. In any text editor, create a list of comma-separated values (CSV) that identify the Windows devices. Use the
following format:
serial-number, windows-product-id, hardware-hash, optional-Group-Tag
The first three items are required, but the Group Tag (previously known as "order ID") is optional.
2. Save the CSV file.
3. In the Microsoft Endpoint Manager admin center, choose Devices > Windows > Windows enrollment > Devices
(under Windows Autopilot Deployment Program) > Import.
4. Under Add Windows Autopilot devices, browse to the CSV file you saved.
5. Choose Import to start importing the device information. Importing can take several minutes.
6. After import is complete, choose Devices > Windows > Windows enrollment > Devices (under
Windows Autopilot Deployment Program) > Sync. A message displays that the synchronization is in
progress. The process might take a few minutes to complete, depending on how many devices you're
synchronizing.
7. Refresh the view to see the new devices.
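Before uploading, it is worth checking the CSV for the mistakes that make an import fail or silently register the wrong device: a missing field, a hardware hash that is not valid base64, or the same serial number imported twice. The following script is an added example (not Microsoft's tooling and not part of the original tutorial) that writes the file in the format described above and validates it. The column names are the ones the commonly used Get-WindowsAutoPilotInfo.ps1 script writes, which is an assumption to check against a real export; the sample serials, product IDs and hashes are constructed, with random bytes standing in for the real hardware hash.

```python
"""Build and validate a Windows Autopilot device-import CSV (added example)."""
import base64
import binascii
import csv
import io
import os

# Column names as written by Microsoft's Get-WindowsAutoPilotInfo.ps1 script.
# Assumption: check them against a file produced by that script before relying on this.
HEADER = ["Device Serial Number", "Windows Product ID", "Hardware Hash", "Group Tag"]


def build_autopilot_csv(devices):
    """Serialize (serial, product_id, hardware_hash, group_tag) tuples to CSV text.

    group_tag may be empty; the column is still written so every row has the same width.
    """
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(HEADER)
    for serial, product_id, hw_hash, group_tag in devices:
        writer.writerow([serial, product_id, hw_hash, group_tag or ""])
    return buf.getvalue()


def validate_autopilot_csv(text):
    """Return (row_number, problem) pairs; an empty list means the file passed every check."""
    problems = []
    seen_serials = set()
    rows = list(csv.reader(io.StringIO(text)))
    if not rows or rows[0][:3] != HEADER[:3]:
        return [(1, "missing or unexpected header row")]
    for n, row in enumerate(rows[1:], start=2):
        if not row:  # blank trailing line
            continue
        if len(row) < 3:
            problems.append((n, "fewer than three fields"))
            continue
        serial, product_id, hw_hash = (f.strip() for f in row[:3])
        if not serial:
            problems.append((n, "empty serial number"))
        elif serial in seen_serials:
            problems.append((n, f"duplicate serial {serial}"))
        seen_serials.add(serial)
        if not product_id:
            problems.append((n, "empty Windows product ID"))
        try:
            decoded = base64.b64decode(hw_hash, validate=True)
        except (binascii.Error, ValueError):
            decoded = b""
        if not decoded:
            problems.append((n, "hardware hash is not valid base64"))
    return problems


def _fake_hash(nbytes=64):
    # Constructed stand-in: random bytes instead of a real ~4 KB hardware hash.
    return base64.b64encode(os.urandom(nbytes)).decode("ascii")


# Constructed sample devices; the product IDs are made-up placeholders.
SAMPLE_DEVICES = [
    ("SN0001", "00329-00000-00003-AA001", _fake_hash(), "Sales"),
    ("SN0002", "00329-00000-00003-AA002", _fake_hash(), ""),
]
# A bad fourth row: reuses SN0001 and carries a hash that is not base64.
BAD_CSV = build_autopilot_csv(SAMPLE_DEVICES) + "SN0001,00329-00000-00003-AA003,not*base64,\n"

if __name__ == "__main__":
    print(build_autopilot_csv(SAMPLE_DEVICES))
    for row, problem in validate_autopilot_csv(BAD_CSV):
        print(f"row {row}: {problem}")
```

Run the validator on the file you are about to import and fix every reported row; a duplicate serial in particular is worth catching here, because the import will not create two devices, and the second row's group tag is the one that silently goes missing.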
Clean up resources
If you don't want to use Autopilot devices anymore, you can delete them.
1. If the devices are enrolled in Intune, you must first delete them from the Azure Active Directory portal.
2. In the Microsoft Endpoint Manager admin center, choose Devices > Windows > Windows enrollment >
Devices (under Windows Autopilot Deployment Program ).
3. Choose the devices you want to delete, and then choose Delete .
4. Confirm the deletion by choosing Yes . It can take a few minutes to delete.
Next steps
You can find more information about other options available for Windows Autopilot.
In-depth Autopilot enrollment article
Tutorial: Use Apple's Corporate Device Enrollment features in Apple Business Manager (ABM) to enroll iOS/iPadOS devices in Intune
9/4/2020 • 7 minutes to read
The Device Enrollment features in Apple Business Manager simplify enrolling devices. Intune also supports
Apple's older Device Enrollment Program (DEP) portal, but we encourage you to start fresh with Apple Business
Manager. With Microsoft Intune and Apple Corporate Device Enrollment, devices are automatically and securely
enrolled the first time the user turns on the device. You can therefore ship devices to many users without having to
set up each device individually.
In this tutorial, you'll learn how to:
Get an Apple Device Enrollment token
Sync managed devices to Intune
Create an Enrollment profile
Assign the Enrollment profile to devices
If you don't have an Intune subscription, sign up for a free trial account.
Prerequisites
Devices purchased in Apple Business Manager or Apple's Device Enrollment Program
Set the mobile device management authority
Get an Apple MDM Push certificate
13. In the Apple token box, browse to the certificate (.pem) file, choose Open , and then choose Create .
14. If you want to apply Scope Tags to limit which admins have access to this token, select scopes.
Next steps
You can find more information about other options available for enrolling iOS/iPadOS devices.
In-depth iOS/iPadOS ADE enrollment article
Terms and conditions for user access
9/4/2020 • 3 minutes to read
As an Intune admin, you can require that users accept your company's terms and conditions before using the
Company Portal to:
enroll devices
access resources like company apps and email.
Configuration of terms and conditions is optional.
You can create multiple sets of terms and assign them to different groups, such as to support different languages.
There are two ways to create your company terms and conditions:
by using Intune, as described in this article.
by using the Azure Active Directory terms of use feature.
To learn which method is best for you, check out the Choosing the right Terms solution for your organization blog
post.
4. Choose Next to go to the Terms page and provide the following information:
Title: The name for your terms that users see in the Company Portal above the Summary.
Terms and Conditions: The terms and conditions that users see and must either accept or reject.
Summary of Terms: Text that explains what it means when users accept the terms. For example, "By
enrolling your device, you're agreeing to the terms of use set out by Contoso. Read the terms carefully
before proceeding."
5. Choose Next to go to the Scope tags page.
6. Choose Select scope tags , select the scope tags that you want to assign to these terms and conditions, and
then choose Select .
7. Choose Next to go to the Assignments page and choose one of the following options for Assign to :
All users : Choose this option to assign these terms and conditions to all users.
Select groups : Choose this option to assign these terms and conditions to everyone in the groups that
you identify by choosing Select groups to include .
8. Choose Next > Create .
The following example shows the terms and conditions in the admin console and the Company Portal.
Monitor terms and conditions
1. Sign in to the Microsoft Endpoint Manager admin center, choose Tenant administration > Terms and
Conditions .
2. In the list of terms and conditions, choose the terms you want to view acceptance for > Acceptance
Reporting.
As an Intune administrator, you can create and manage enrollment restrictions that define what devices can enroll
into management with Intune, including the:
Number of devices.
Operating systems and versions.
You can create multiple restrictions and apply them to different user groups. You can set the priority order for your
different restrictions.
NOTE
Enrollment restrictions are not security features. A compromised or modified device can misrepresent the attributes it reports at
enrollment (platform, OS version, ownership, manufacturer). These restrictions are a best-effort barrier for non-malicious users.
Default restrictions
Default restrictions are automatically provided for both device type and device limit enrollment restrictions. You
can change the options for the defaults. Default restrictions apply to all user and userless enrollments. You can
override these defaults by creating new restrictions with higher priorities.
IMPORTANT
Android Enterprise (work profile) and Android device administrator platforms have the following behavior:
If both platforms are allowed for the same group, then users will be enrolled with a work profile if their device
supports it; otherwise they will enroll as device administrator (DA).
If both platforms are allowed for the group and refined for specific and non-overlapping versions, then users will
receive the enrollment flow defined for their OS version.
If both platforms are allowed, but blocked for the same versions, then users on devices with the blocked versions
will be taken down the Android device administrator enrollment flow and then get blocked from enrollment and
prompted to sign out.
Neither work profile nor device administrator enrollment will work unless the appropriate prerequisites have been
completed in Android Enrollment.
NOTE
Windows 10 does not report the revision number during enrollment, so a minimum version that includes a revision can
never be satisfied. For instance, if you enter 10.0.17134.100 and the device is running 10.0.17134.174, the device reports
10.0.17134, which is evaluated as lower than the minimum, and it will be blocked during enrollment. Set the minimum as a
build-level version (for example, 10.0.17134) instead.
6. Under Personally owned , choose Allow for the platforms that you want to permit as personally owned
devices.
7. Under Device manufacturer , enter a comma-separated list of the manufacturers that you want to block.
8. Choose Next to go to the Scope tags page.
9. On the Scope tags page, optionally add the scope tags you want to apply to this restriction. For more
information about scope tags, see Use role-based access control and scope tags for distributed IT. When
using scope tags with enrollment restrictions, users can only re-order policies for which they have scope.
Also, they can only reorder for the policy positions for which they have scope. Users see the true policy
priority number on each policy. A scoped user can tell the relative priority of their policies even if they can't
see all the other policies.
10. Choose Next to go to the Assignments page.
11. Choose Select groups to include and then use the search box to find groups that you want to include in
this restriction. The restriction applies only to groups to which it's assigned. If you don't assign a restriction
to at least one group, it won't have any effect. Then choose Select .
NOTE
Enrollment restrictions are applied to users. In enrollment scenarios that are not user-driven (e.g. Windows Autopilot self-
deploying mode or white glove provisioning), only the Default priority restrictions (targeted to "All Users") will be enforced.
You can change the priority of any non-default restriction.
1. Sign in to the Azure portal.
2. Select More Services, search for Intune, and then choose Intune.
3. Select Device enrollment > Enrollment restrictions .
4. Hover over the restriction in the priority list.
5. Using the three vertical dots, drag the priority to the desired position in the list.
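The interaction between priority, group assignment and the per-platform settings is easier to reason about as code than as a list of rules. The following is an added example (not Intune's implementation and not from the original article) that models restriction selection and evaluation the way the text above describes it: the highest-priority restriction assigned to one of the user's groups wins, the default applies to All Users, and each platform is checked for allowed/blocked, version range, personal ownership and blocked manufacturers. It also reproduces the Windows revision-number caveat from the note above by padding a reported version with zeros. All names, the sample groups, versions and the manufacturer are assumptions made for the example.

```python
"""Resolve and evaluate Intune-style enrollment restrictions (added example)."""
from dataclasses import dataclass
from typing import Optional


def parse_version(text):
    """Split '10.0.17134.100' into four ints, padding missing parts with 0.

    The padding is what makes the revision-number caveat bite: a Windows device
    that reports 10.0.17134 compares as (10, 0, 17134, 0), which is below a
    minimum of 10.0.17134.100 even though the device really runs .174.
    """
    parts = [int(p) for p in text.split(".")] if text else []
    return tuple(parts + [0] * (4 - len(parts)))


@dataclass
class PlatformRule:
    allowed: bool = True               # platform may enroll at all
    min_version: Optional[str] = None  # inclusive lower bound, e.g. "10.0.17134"
    max_version: Optional[str] = None  # inclusive upper bound
    personal_allowed: bool = True      # personally owned devices may enroll
    blocked_manufacturers: tuple = ()  # Android only in the admin center


@dataclass
class Restriction:
    name: str
    priority: int      # lower number wins; the default restriction is evaluated last
    groups: frozenset  # assigned groups; {"All Users"} for the default
    rules: dict        # platform name -> PlatformRule


def select_restriction(restrictions, user_groups):
    """Highest-priority restriction assigned to a group the enrolling user belongs to."""
    candidates = [r for r in restrictions
                  if "All Users" in r.groups or r.groups & user_groups]
    return min(candidates, key=lambda r: r.priority)


def evaluate(restrictions, user_groups, platform, version, personal, manufacturer=""):
    """Return (allowed, reason) for one enrollment attempt.

    The inputs are whatever the device claims about itself; as the note above says,
    a compromised device can lie, so this is policy enforcement, not attestation.
    """
    r = select_restriction(restrictions, user_groups)
    rule = r.rules.get(platform, PlatformRule())  # platforms are allowed by default
    if not rule.allowed:
        return False, f"{r.name}: platform {platform} is blocked"
    v = parse_version(version)
    if rule.min_version and v < parse_version(rule.min_version):
        return False, f"{r.name}: version {version} is below minimum {rule.min_version}"
    if rule.max_version and v > parse_version(rule.max_version):
        return False, f"{r.name}: version {version} is above maximum {rule.max_version}"
    if personal and not rule.personal_allowed:
        return False, f"{r.name}: personally owned {platform} devices are blocked"
    if manufacturer and manufacturer.lower() in (m.lower() for m in rule.blocked_manufacturers):
        return False, f"{r.name}: manufacturer {manufacturer} is blocked"
    return True, f"{r.name}: allowed"


# Constructed sample policy set: the default plus one higher-priority restriction.
DEFAULT = Restriction("Default", priority=99, groups=frozenset({"All Users"}), rules={})
ENGINEERING = Restriction(
    "Engineering", priority=1, groups=frozenset({"Engineering"}),
    rules={
        # Includes a revision number, which a Windows 10 device never reports.
        "windows": PlatformRule(min_version="10.0.17134.100"),
        "android": PlatformRule(personal_allowed=False, blocked_manufacturers=("Acme",)),
    },
)
RESTRICTIONS = [DEFAULT, ENGINEERING]

if __name__ == "__main__":
    # The device runs 10.0.17134.174 but, as the note says, reports only 10.0.17134.
    print(evaluate(RESTRICTIONS, {"Engineering"}, "windows", "10.0.17134", personal=False))
    print(evaluate(RESTRICTIONS, {"Sales"}, "windows", "10.0.17134", personal=False))
```

The first call is blocked by the Engineering restriction's revision-level minimum while the second, for a user outside that group, falls through to the default and is allowed; that difference is exactly what the priority order and group assignment control.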
Understand Intune and Azure AD's device limit restrictions
9/4/2020 • 3 minutes to read
Windows devices
Intune device limit restrictions don't apply for the following Windows enrollment types:
Co-managed enrollments
Group policy object (GPO) enrollments
Azure AD joined enrollments
Bulk Azure AD joined enrollments
Autopilot enrollments
Device enrollment manager enrollments
You can't enforce device limit restrictions for these enrollment types because they're considered shared device
scenarios. You can set hard limits for these enrollment types in Azure Active Directory.
For the device limit restriction in Azure, the Maximum number of devices per user setting applies to devices
that are either Azure AD joined or Azure AD registered. This setting doesn't apply to hybrid Azure AD joined
devices.
Windows 10 example 1
The Azure Maximum number of devices per user setting is set to 5.
The Intune Device limit setting is set to 3.
The devices are hybrid Azure AD joined and enrolled automatically (GPO configured).
Outcome: Because the enrollment is pushed through GPO, the Azure device registration limit doesn't apply. The
Intune device limit restriction also doesn't apply.
Windows 10 example 2
The Azure Maximum number of devices per user setting is set to 5.
The Intune Device limit setting is set to 2.
The devices are local domain joined and enrolled by using Settings > Access Work or School > Connect .
Outcome: You can only enroll two devices before they're blocked. You can register up to five devices.
Next steps
Create a device limit restriction in Azure.
Configure device settings in Azure.
Learn more about registration and domain joined.
Get an Apple MDM push certificate
9/4/2020 • 3 minutes to read
An Apple MDM Push certificate is required for Intune to manage iOS/iPadOS and macOS devices. After you add
the certificate to Intune, your users can enroll their devices using:
The Company Portal app.
Apple's bulk enrollment methods like the Device Enrollment Program, Apple School Manager, or Apple
Configurator.
For more information about enrollment options, see Choose how to enroll iOS/iPadOS devices.
When a push certificate expires, you must renew it. When renewing, make sure to use the same Apple ID that you
used when you first created the push certificate.
NOTE
The certificate is associated with the Apple ID used to create it. As a best practice, use a company Apple ID for
management tasks and make sure the mailbox is monitored by more than one person like a distribution list. Never use a
personal Apple ID.
Step 4. Enter the Apple ID used to create your Apple MDM push certificate
Record this ID as a reminder for when you need to renew this certificate.
Step 5. Browse to your Apple MDM push certificate to upload
Go to the certificate (.pem) file, choose Open , and then choose Upload . With the push certificate, Intune can
enroll and manage Apple devices.
TIP
A certificate can be identified by its UID. Examine the Subject ID in the certificate details to find the GUID portion
of the UID. Or, on an enrolled iOS/iPadOS device, go to Settings > General > Device Management >
Management Profile > More Details > Management Profile . The second line item, Topic, contains the
unique GUID that you can match up to the certificate in the Apple Push Certificates portal.
5. On the Confirmation screen, select Download and save the .pem file locally.
6. In Intune, select the Apple MDM push certificate browse icon, select the .pem file downloaded from
Apple, and choose Upload .
Your Apple MDM push certificate appears Active and has 365 days until expiration.
Identify devices as corporate-owned
9/4/2020 • 5 minutes to read
As an Intune admin, you can identify devices as corporate-owned to refine management and identification. Intune
can perform additional management tasks and collect additional information such as the full phone number and
an inventory of apps from corporate-owned devices. You can also set device restrictions to block enrollment by
devices that aren't corporate-owned.
At the time of enrollment, Intune automatically assigns corporate-owned status to devices that are:
Enrolled with a device enrollment manager account (all platforms)
Enrolled with the Apple Device Enrollment Program, Apple School Manager, or Apple Configurator (iOS only)
Identified as corporate-owned before enrollment with an international mobile equipment identifier (IMEI)
numbers (all platforms with IMEI numbers) or serial number (iOS and Android)
Joined to Azure Active Directory with work or school credentials. Devices that are Azure Active Directory
registered will be marked as personal.
Set as corporate in the device's properties list
After enrollment, you can change the ownership setting between Personal and Corporate .
01234567890123,device details
02234567890123,device details
IMPORTANT
Some Android and iOS/iPadOS devices have multiple IMEI numbers. Intune only reads one IMEI number per enrolled device.
If you import an IMEI number but it is not the IMEI inventoried by Intune, the device is classified as a personal device
instead of a corporate-owned device. If you import multiple IMEI numbers for a device, uninventoried numbers display
Unknown for enrollment status.
Also note: serial numbers are the recommended form of identification for iOS/iPadOS devices. Android serial numbers
are not guaranteed to be unique or present. Check with your device supplier to understand if the serial number is a reliable
device ID. Serial numbers reported by the device to Intune might not match the displayed ID in the Android Settings/About
menus on the device. Verify the type of serial number reported by the device manufacturer. Attempting to upload a file with
serial numbers containing dots (.) will cause the upload to fail. Serial numbers with dots are not supported.
IMEI specifications
For detailed specifications about International Mobile Equipment Identifiers, see 3GPP TS 23.003.
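An IMEI carries a Luhn check digit as its 15th digit (3GPP TS 23.003), so a mistyped identifier can be caught before it is uploaded and quietly leaves a device classified as personal. The following added example (not Intune's code and not part of the original article) computes and verifies that check digit, refuses serial numbers containing dots as the note above says Intune does, and writes one CSV per identifier type in the two-column "identifier,details" layout shown earlier. The sample IMEIs are the page's 14-digit placeholders with their computed check digit appended; the serial numbers are constructed.

```python
"""Validate IMEIs and serial numbers before uploading corporate identifiers (added example)."""
import csv
import io


def luhn_check_digit(body):
    """Check digit for a 14-digit IMEI body (TAC + serial number).

    3GPP TS 23.003 defines the 15th digit with the Luhn formula: walking from
    the right, double every second digit (starting with the rightmost body
    digit), subtract 9 from any result above 9, and pick the digit that makes
    the total a multiple of 10.
    """
    if len(body) != 14 or not body.isdigit():
        raise ValueError("IMEI body must be exactly 14 digits")
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def is_valid_imei(imei):
    """True for a 15-digit IMEI whose check digit matches its first 14 digits."""
    return len(imei) == 15 and imei.isdigit() and luhn_check_digit(imei[:14]) == imei[14]


def build_identifier_files(identifiers):
    """Split (kind, value, details) entries into one CSV per identifier type.

    Returns ({"imei": csv_text, "serial": csv_text}, rejected), where rejected
    lists (value, reason) for entries Intune would misclassify or refuse:
    IMEIs that fail the check digit and serial numbers containing dots.
    """
    buffers = {kind: io.StringIO() for kind in ("imei", "serial")}
    writers = {kind: csv.writer(buf, lineterminator="\n") for kind, buf in buffers.items()}
    rejected = []
    for kind, value, details in identifiers:
        value = value.strip()
        if kind == "imei" and not is_valid_imei(value):
            rejected.append((value, "not a 15-digit IMEI with a valid check digit"))
            continue
        if kind == "serial" and "." in value:
            rejected.append((value, "serial numbers containing dots are not supported"))
            continue
        writers[kind].writerow([value, details])
    return {kind: buf.getvalue() for kind, buf in buffers.items()}, rejected


# Constructed sample: the page's 14-digit placeholders plus their check digit,
# one IMEI with a wrong check digit, and two made-up serial numbers.
SAMPLE = [
    ("imei", "01234567890123" + luhn_check_digit("01234567890123"), "device details"),
    ("imei", "02234567890123" + luhn_check_digit("02234567890123"), "device details"),
    ("imei", "012345678901230", "wrong check digit"),
    ("serial", "C02ABCDEF123", "finance MacBook"),
    ("serial", "DMPX1.2345", "serial with a dot"),
]

if __name__ == "__main__":
    files, rejected = build_identifier_files(SAMPLE)
    print(files["imei"], files["serial"], rejected, sep="\n")
```

The check digit only detects entry errors; it says nothing about whether the IMEI is the one Intune will inventory on a dual-SIM device, so the caveat about multiple IMEIs above still applies.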
You can configure a push notification to send to both your Android and iOS Company Portal users when their
device ownership type has been changed from Personal to Corporate as a privacy courtesy.
When a device's ownership type is changed from Corporate to Personal, Intune deletes all app information
previously collected from that device within 7 days. If applicable, Intune will also delete the phone number on
record. Intune will still collect an inventory of apps installed by the IT admin on the device and will still collect a
partial phone number for the device after it is marked as personal.
This setting can be found in the Microsoft Endpoint Manager by selecting Tenant administration >
Customization . For more information, see Company Portal - Configuration.
Require multi-factor authentication for Intune device enrollments
9/4/2020 • 2 minutes to read
Intune can use Azure Active Directory (AD) multi-factor authentication (MFA) for device enrollment to help you
secure your corporate resources.
MFA works by requiring any two or more of the following verification methods:
Something you know (typically a password or PIN).
Something you have (a trusted device that is not easily duplicated, like a phone).
Something you are (biometrics, like a fingerprint).
MFA is supported for iOS/iPadOS, Android, and Windows 8.1 or later devices.
When you enable MFA, end users must supply two forms of credentials to enroll a device.
IMPORTANT
You must have an Azure Active Directory Premium P1 or higher license assigned to your users to implement this policy.
IMPORTANT
Do not configure device-based access rules for Microsoft Intune enrollment.
1. Sign in to the Microsoft Endpoint Manager admin center, choose Devices > Conditional Access. The
Conditional Access node accessed from Intune is the same node as accessed from Azure AD.
2. Choose New policy.
3. In New policy, type a descriptive name for the policy.
4. In the Assignments section, choose Users and groups.
5. In Users and groups, choose Select users or groups, and check Users and groups. Then select the users
and/or groups that will receive this policy, then choose Done.
6. In the Assignments section, choose Cloud apps.
7. On the Include tab of Cloud apps, choose Select apps, then choose Select > Microsoft Intune
Enrollment, and then choose Done. By choosing Microsoft Intune Enrollment, conditional access MFA is
applied only to the enrollment of the device (one-time MFA prompt).
8. In the Assignments section, for Conditions you do not need to configure any settings for MFA.
9. In the Access controls section, choose Grant.
10. In Grant, choose Grant access, and then select Require multi-factor authentication. Do not select Require
device to be marked as compliant because a device cannot be evaluated for compliance until it is enrolled.
Then choose Select.
11. In New policy, choose Enable policy > On, and then choose Create.
Next steps
When end users enroll their device, they now must authenticate with a second form of identification, like a PIN, a
phone, or biometrics.
Enroll devices in Intune by using a device
enrollment manager account
9/4/2020
You can enroll up to 1,000 mobile devices with a single Azure Active Directory account by using a device
enrollment manager (DEM) account. DEM is an Intune permission that can be applied to an AAD user account
and lets the user enroll up to 1,000 devices. A DEM account is useful for scenarios where devices are enrolled
and prepared before handing them out to the users of the devices. By design, there's a limit of 150 Device
Enrollment Manager (DEM) accounts in Microsoft Intune.
To make managing devices easier, you can use Microsoft Intune device categories to automatically add devices to
groups based on categories that you define.
Device categories use the following workflow:
1. Create categories that users can choose from when they enroll their device.
2. When users of iOS/iPadOS and Android devices enroll a device, they must choose a category from the list of
categories you configured. To assign a category to a Windows device, users must use the Company Portal
website.
3. You can then deploy policies and apps to these groups.
You can create any device categories you want. For example:
Point-of-sale device
Demonstration device
Sales
Accounting
Manager
Further information
You can edit a device category in the Azure portal, but you must manually update any Azure AD security
groups that reference this category.
If you delete a category, devices assigned to it display the category name Unassigned.
Intune enrollment methods for Windows devices
9/4/2020
To manage devices in Intune, devices must first be enrolled in the Intune service. Both personally owned and
corporate-owned devices can be enrolled for Intune management.
There are two ways to get devices enrolled in Intune:
Users can self-enroll their Windows PCs
Admins can configure policies to force automatic enrollment without any user involvement
Next steps
Learn the capabilities of the Windows enrollment methods
Intune enrollment method capabilities for Windows
devices
9/4/2020
There are several methods to enroll your workforce's devices in Intune. Each method has different best practices
and capabilities, as shown in the tables below.
Best practices table (per-method values not preserved in this extraction)
Rows: Commonly used in EDU; Devices can be used as shared devices; Personal devices must access company resources; Self-servicing of apps; Conditional Access **
Capabilities table (per-method values not preserved in this extraction)
Columns: Azure AD joined; Azure AD joined with Autopilot (user driven mode); Azure AD joined with Autopilot (self deploying mode); Bulk; DEM; BYOD; GPO; Co-management
Rows: User gets associated with the device; Requires Azure AD Premium; Device can access resources protected by CA; Users must not be admins on their devices; Ability to configure the device setup experience; Ability to enroll devices without user interaction; Ability to run PowerShell scripts *; Supports automatic enrollment after AD domain join; Supports automatic enrollment after Hybrid Azure AD join; Supports automatic enrollment after Azure AD join
* Client apps workloads in Configuration Manager must be moved to Intune Pilot or Intune.
** Devices are blocked for Conditional Access with the exception of Windows 10 1803+.
Next steps
Set up enrollment for Windows
Set up enrollment for Windows devices
9/4/2020
This article helps IT administrators simplify Windows enrollment for their users. Once you've set up Intune, users
enroll Windows devices by signing in with their work or school account.
As an Intune admin, you can simplify enrollment in the following ways:
Enable automatic enrollment (Azure AD Premium required)
CNAME registration
Enable bulk enrollment (Azure AD Premium and Windows Configuration Designer required)
Two factors determine how you can simplify Windows device enrollment:
Do you use Azure Active Directory Premium?
Azure AD Premium is included with Enterprise Mobility + Security and other licensing plans.
What versions of Windows clients will users enroll?
Windows 10 devices can automatically enroll by adding a work or school account. Earlier versions must enroll
using the Company Portal app.
Organizations that can use automatic enrollment can also configure bulk enrollment of devices by using the
Windows Configuration Designer app.
Multi-user support
Intune supports multiple users on devices that both:
run the Windows 10 Creator's update
are Azure Active Directory domain-joined.
When standard users sign in with their Azure AD credentials, they receive apps and policies assigned to their user
name. Only the device's Primary user can use the Company Portal for self-service scenarios like installing apps and
performing device actions (Remove, Reset). For shared Windows 10 devices that do not have a primary user
assigned, the Company Portal can still be used to install Available apps.
IMPORTANT
For Windows BYOD devices, the MAM user scope takes precedence if both the MAM user scope and the
MDM user scope (automatic MDM enrollment) are enabled for all users (or the same groups of users). The
device will not be MDM enrolled, and Windows Information Protection (WIP) Policies will be applied if you
have configured them.
If your intent is to enable automatic enrollment for Windows BYOD devices to an MDM: configure the MDM
user scope to All (or Some , and specify a group) and configure the MAM user scope to None (or Some ,
and specify a group – ensuring that users are not members of a group targeted by both MDM and MAM
user scopes).
For corporate devices, the MDM user scope takes precedence if both MDM and MAM user scopes are
enabled. The device will get automatically enrolled in the configured MDM.
NOTE
MDM user scope must be set to an Azure AD group that contains user objects.
5. Use the default values for the following URLs:
MDM Terms of use URL
MDM Discovery URL
MDM Compliance URL
6. Select Save .
By default, two-factor authentication is not enabled for the service. However, two-factor authentication is
recommended when registering a device. To enable two-factor authentication, configure a two-factor
authentication provider in Azure AD and configure your user accounts for multi-factor authentication. See Getting
started with the Azure Multi-Factor Authentication Server.
[CNAME table: Type, Host name, Points to, TTL; rows not preserved in this extraction]
If the company uses more than one UPN suffix, you need to create one CNAME for each domain name and point
each one to EnterpriseEnrollment-s.manage.microsoft.com. For example, users at Contoso use the following
formats as their email/UPN:
name@contoso.com
name@us.contoso.com
name@eu.contoso.com
The Contoso DNS admin should create the following CNAMEs:
[CNAME table: Type, Host name, Points to, TTL; rows not preserved in this extraction]
NOTE
End users must access the Company Portal website through Microsoft Edge to view Windows apps that you've assigned for
specific versions of Windows. Other browsers, including Google Chrome, Mozilla Firefox, and Internet Explorer do not
support this type of filtering.
For end-user enrollment instructions, see Enroll your Windows device in Intune. You can also tell users to review
What can my IT admin see on my device.
IMPORTANT
If you do not have Auto-MDM enrollment enabled, but you have Windows 10 devices that have been joined to Azure AD,
two records will be visible in the Intune console after enrollment. You can stop this by making sure that users with Azure AD
joined devices go to Accounts > Access work or school and Connect using the same account.
For more information about end-user tasks, see Resources about the end-user experience with Microsoft Intune.
For more information about device registration, see Manage device identities using the Azure portal
As an administrator, you can join large numbers of new Windows devices to Azure Active Directory and Intune. To
bulk enroll devices for your Azure AD tenant, you create a provisioning package with the Windows Configuration
Designer (WCD) app. Applying the provisioning package to corporate-owned devices joins the devices to your
Azure AD tenant and enrolls them for Intune management. Once the package is applied, it's ready for your Azure
AD users to sign in.
Azure AD users are standard users on these devices and receive assigned Intune policies and required apps.
Windows devices that are enrolled into Intune using Windows bulk enrollment can use the Company Portal app
to install available apps.
2. Open the Windows Configuration Designer app and select Provision desktop devices .
3. A New project window opens where you specify the following information:
Name - A name for your project
Project folder - Save location for the project
Description - An optional description of the project
4. Enter a unique name for your devices. Names can include a serial number (%SERIAL%) or a random set of
characters. Optionally, you can also enter a product key if you are upgrading the edition of Windows,
configure the device for shared use, and remove pre-installed software.
5. Optionally, you can configure the Wi-Fi network devices connect to when they first start. If the network
devices aren't configured, a wired network connection is required when the device is first started.
6. Select Enroll in Azure AD, enter a Bulk Token Expiry date, and then select Get Bulk Token.
Provision devices
1. Access the provisioning package in the Project folder location specified in the app.
2. Choose how you're going to apply the provisioning package to the device. A provisioning package can be
applied to a device one of the following ways:
Place the provisioning package on a USB drive, insert the USB drive into the device you'd like to bulk
enroll, and apply it during initial setup
Place the provisioning package on a network folder, and apply it after initial setup
For step-by-step instruction on applying a provisioning package, see Apply a provisioning package.
3. After you apply the package, the device will automatically restart in one minute.
4. When the device restarts, it connects to the Azure Active Directory and enrolls in Microsoft Intune.
The Enrollment Status Page (ESP) displays provisioning progress after a new device is enrolled, as well as when new
users sign into the device. This enables IT administrators to optionally prevent (block) access to the device until it
has been fully provisioned, while at the same time giving users information about the tasks remaining in the
provisioning process.
The ESP can be used as part of any Windows Autopilot provisioning scenario, and can also be used separately from
Windows Autopilot as part of the default out-of-box experience (OOBE) for Azure AD Join, as well as for any new
users signing into the device for the first time.
You can create multiple Enrollment Status Page profiles with different configurations that specify:
Showing installation progress
Blocking access until the provisioning process is completed
Time limits
Allowed troubleshooting operations
These profiles are specified in a priority order; the highest priority that is applicable will be used. Each ESP profile
can be targeted to groups containing devices or users. When determining which profile to use, the following criteria
will be followed:
The highest-priority profile targeted to the device will be used first.
If there are no profiles targeted to the device, the highest priority profile targeted to the current user will be
used. (This only applies in scenarios where there is a user. In white glove and self-deploying scenarios, only
device targeting can be used.)
If there are no profiles targeted to specific groups, then the default ESP profile will be used.
Available settings
The following settings can be configured to customize behavior of the Enrollment Status page:
Setting: Show app and profile installation progress
  Yes: The enrollment status page is displayed.
  No: The enrollment status page isn't displayed.
Setting: Block device use until all apps and profiles are installed
  Yes: The settings in this table are made available to customize behavior of the enrollment status page, so that the user can address potential installation issues.
  No: The enrollment status page is displayed with no additional options to address installation failures.
Setting: Allow users to reset device if installation error occurs
  Yes: A Reset device button is displayed if there's an installation failure.
  No: The Reset device button isn't displayed if there's an installation failure.
Setting: Allow users to use device if installation error occurs
  Yes: A Continue anyway button is displayed if there's an installation failure.
  No: The Continue anyway button isn't displayed if there's an installation failure.
Setting: Show timeout error when installation takes longer than specified number of minutes
  Specify the number of minutes to wait for installation to complete. A default value of 60 minutes is entered.
Setting: Show custom message when an error occurs
  Yes: A text box is provided where you can specify a custom message to display if an installation error occurs.
  No: The default message is displayed: Installation exceeded the time limit set by your organization. Try again or contact your IT support person for help.
Setting: Allow users to collect logs about installation errors
  Yes: If there's an installation error, a Collect logs button is displayed. If the user clicks this button, they're asked to choose a location to save the log file MDMDiagReport.cab.
  No: The Collect logs button isn't displayed if there's an installation error.
Known issues
The following are known issues related to the Enrollment Status Page.
Disabling the ESP profile doesn't remove ESP policy from devices and users still get ESP when they log in to
device for first time. The policy isn't removed when the ESP profile is disabled. You must deploy OMA-URI to
disable the ESP. See above for instructions on how to disable ESP using OMA-URI.
A reboot during Device setup will force the user to enter their credentials before transitioning to Account setup
phase. User credentials aren't preserved during reboot. Have the user enter their credentials then the Enrollment
Status Page can continue.
Enrollment Status Page will always time out during an Add work and school account enrollment on Windows 10
versions less than 1903. The Enrollment Status Page waits for Azure AD registration to complete. The issue is
fixed in Windows 10 version 1903 and newer.
Hybrid Azure AD Autopilot deployment with ESP takes longer than the timeout duration defined in the ESP
profile. On Hybrid Azure AD Autopilot deployments, the ESP will take 40 minutes longer than the value set in the
ESP profile. This delay gives time for the on-prem AD connector to create the new device record to Azure AD.
Windows logon page isn't pre-populated with the username in Autopilot User Driven Mode. If there's a reboot
during the Device Setup phase of ESP:
the user credentials aren't preserved
the user must enter the credentials again before proceeding from Device Setup phase to the Account
setup phase
ESP is stuck for a long time or never completes the "Identifying" phase. Intune computes the ESP policies during
the identifying phase. A device may never complete computing ESP policies if the current user doesn't have an
Intune license assigned.
Configuring Microsoft Defender Application Control causes a prompt to reboot during Autopilot. Configuring
Microsoft Defender Application Control (AppLocker CSP) requires a reboot. When this policy is configured, it may cause
a device to reboot during Autopilot. Currently, there's no way to suppress or postpone the reboot.
When the DeviceLock policy (https://docs.microsoft.com/windows/client-management/mdm/policy-csp-devicelock)
is enabled as part of an ESP profile, the OOBE or user desktop autologon could fail unexpectedly for
two reasons.
If the device didn't reboot before exiting the ESP Device setup phase, the user may be prompted to enter
their Azure AD credentials. This prompt occurs instead of a successful autologon where the user sees the
Windows first login animation.
The autologon will fail if the device rebooted after the user entered their Azure AD credentials but before
exiting the ESP Device setup phase. This failure occurs because the ESP Device setup phase never
completed. The workaround is to reset the device.
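The profile selection rules above (device targeting first, then user targeting, then the default) and the Hybrid Azure AD join timeout from the known issues, as an added example that is not Intune's own code; the EspProfile fields, the group names, and the "lower number = higher priority" ordering are assumptions made for illustration.

```python
"""ESP profile selection and effective timeout, modelled on the rules in this guide.

Added example; not Intune's own code. The EspProfile fields, the constructed
group names and the "lower number = higher priority" ordering are assumptions.
"""
from dataclasses import dataclass
from typing import Iterable, Sequence

# Scenarios in which no user is present during provisioning, so only
# device targeting can select a profile (white glove and self-deploying).
DEVICE_ONLY_SCENARIOS = frozenset({"self-deploying", "white-glove"})

# Extra wait the guide documents for Hybrid Azure AD Autopilot deployments:
# the ESP runs 40 minutes past the profile value while the on-prem AD
# connector creates the device record in Azure AD.
HYBRID_JOIN_EXTRA_MINUTES = 40


@dataclass(frozen=True)
class EspProfile:
    """One Enrollment Status Page profile as assigned in the admin center (constructed model)."""
    name: str
    priority: int = 0                        # assumption: lower value = higher priority
    device_groups: frozenset = frozenset()   # device groups the profile is assigned to
    user_groups: frozenset = frozenset()     # user groups the profile is assigned to
    timeout_minutes: int = 60                # "Show timeout error" default from the settings table
    is_default: bool = False


def select_esp_profile(profiles: Sequence[EspProfile],
                       device_groups: Iterable[str],
                       user_groups: Iterable[str] = (),
                       scenario: str = "user-driven") -> EspProfile:
    """Return the ESP profile that applies, following the guide's three rules:
    1. the highest-priority profile targeted to the device,
    2. else the highest-priority profile targeted to the current user (user scenarios only),
    3. else the default profile.
    """
    device_groups = set(device_groups)
    user_groups = set(user_groups)
    targeted = [p for p in profiles if not p.is_default]

    device_hits = [p for p in targeted if p.device_groups & device_groups]
    if device_hits:
        return min(device_hits, key=lambda p: p.priority)

    if scenario not in DEVICE_ONLY_SCENARIOS:
        user_hits = [p for p in targeted if p.user_groups & user_groups]
        if user_hits:
            return min(user_hits, key=lambda p: p.priority)

    defaults = [p for p in profiles if p.is_default]
    if len(defaults) != 1:
        raise ValueError("expected exactly one default ESP profile")
    return defaults[0]


def effective_timeout_minutes(profile: EspProfile, hybrid_azure_ad_join: bool = False) -> int:
    """Minutes a deployment actually waits before the ESP timeout error is shown."""
    return profile.timeout_minutes + (HYBRID_JOIN_EXTRA_MINUTES if hybrid_azure_ad_join else 0)


# Constructed sample tenant: three targeted profiles plus the default.
SAMPLE_PROFILES = (
    EspProfile("Kiosk devices", priority=1, device_groups=frozenset({"Kiosk devices"}), timeout_minutes=30),
    EspProfile("Sales users", priority=2, user_groups=frozenset({"Sales"})),
    EspProfile("All corporate devices", priority=3,
               device_groups=frozenset({"All corporate devices"}), timeout_minutes=90),
    EspProfile("Default", is_default=True),
)


def demo() -> dict:
    """Run the guide's cases against SAMPLE_PROFILES and return which profile each selects."""
    return {
        # device matches two device-targeted profiles: the higher priority wins
        "kiosk": select_esp_profile(SAMPLE_PROFILES, {"Kiosk devices", "All corporate devices"}, {"Sales"}).name,
        # device targeting beats user targeting even when the user profile has a better priority
        "corporate": select_esp_profile(SAMPLE_PROFILES, {"All corporate devices"}, {"Sales"}).name,
        # no device-targeted match: fall back to the user's profile
        "sales": select_esp_profile(SAMPLE_PROFILES, set(), {"Sales"}).name,
        # self-deploying has no user, so user targeting is skipped and the default applies
        "self_deploying": select_esp_profile(SAMPLE_PROFILES, set(), {"Sales"}, scenario="self-deploying").name,
    }


if __name__ == "__main__":
    for case, chosen in demo().items():
        print(f"{case}: {chosen}")
```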
Next steps
After you set up Windows enrollment pages, learn how to manage Windows devices. For more information, see
What is Microsoft Intune device management?
Work with existing on-premises proxy servers
9/4/2020
This article explains how to configure the Intune Connector for Active Directory to work with outbound proxy
servers. It is intended for customers with network environments that have existing proxies.
By default, the Intune Connector for Active Directory will attempt to automatically locate a proxy server on the
network using Web Proxy Auto-Discovery (WPAD). If this has been configured on your network, additional
configuration may not be required. If changes are needed, the following sections describe how to override the
default settings, leveraging the standard .NET Framework capabilities for configuring proxy settings. Additional
options are described in that documentation.
For more information about how connectors work, see Understand Azure AD Application Proxy connectors.
To ensure that the Connector Updater service also bypasses the proxy, make a similar change to C:\Program
Files\Microsoft Intune\ODJConnector\ODJConnectorSvc\ODJConnectorSvc.exe.config.
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <system.net>
    <!-- Disable the .NET default proxy so the connector connects directly instead of using WPAD -->
    <defaultProxy enabled="false" />
  </system.net>
  <startup>
    <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.6" />
  </startup>
  <appSettings>
    <add key="BaseServiceAddress" value="https://manage.microsoft.com/" />
  </appSettings>
</configuration>
Be sure to make copies of the original files, in case you need to revert to the default .config files.
Once the configuration files have been modified, you will need to restart the Intune Connector service.
1. Open services.msc.
2. Find and select the Intune ODJConnector Service.
3. Select Restart.
Next steps
Manage your devices
Enroll Android devices
9/4/2020
As an Intune administrator, you can enroll Android devices in the following ways:
Android Enterprise (offering a set of enrollment options that provide users with the most up-to-date and secure
features):
Android Enterprise work profile : For personal devices granted permission to access corporate data.
Admins can manage work accounts, apps, and data. Personal data on the device is kept separate from
work data and admins don't control personal settings or data.
Android Enterprise dedicated : For corporate-owned, single use devices, such as digital signage, ticket
printing, or inventory management. Admins lock down the usage of a device for a limited set of apps and
web links. It also prevents users from adding other apps or taking other actions on the device.
Android Enterprise fully managed : For corporate-owned, single user devices used exclusively for
work and not personal use. Admins can manage the entire device and enforce policy controls unavailable
to work profiles.
Android Enterprise corporate-owned with work profile : For corporate-owned, single user devices
intended for corporate and personal use.
Android device administrator, including Samsung Knox Standard devices and Zebra devices.
Prerequisites
To prepare to manage mobile devices, you must set the mobile device management (MDM) authority to Microsoft
Intune. See Set the MDM authority for instructions. You set this item only once, when you are first setting up
Intune for mobile device management.
For Android Enterprise, refer to the following support article from Google to ensure that Android Enterprise is
available in your country or region: https://support.google.com/work/android/answer/6270910
For devices manufactured by Zebra Technologies, you may need to grant the Company Portal additional
permissions depending on the capabilities of the specific device. Mobility Extensions on Zebra devices has more
details.
For Samsung Knox Standard devices, there are more prerequisites.
Next steps
Set up Android Enterprise work profile enrollments
Set up Android Enterprise dedicated device enrollments
Set up Android Enterprise fully managed enrollments
Set up Android device administrator enrollment
Connect your Intune account to your Managed
Google Play account
9/4/2020
To support Android Enterprise work profile, Android Enterprise fully managed, and Android Enterprise dedicated
devices, you must connect your Intune tenant account to your Managed Google Play account.
Refer to the following support article from Google to ensure that Android Enterprise is available in your country or
region: https://support.google.com/work/android/answer/6270910
To make it easier for you to configure and use Android Enterprise management, upon connecting to Google Play,
Intune will automatically add four common Android Enterprise related apps to the Intune admin console. The four
Android Enterprise apps are the following:
Microsoft Intune - Used for Android Enterprise fully managed scenarios.
Microsoft Authenticator - Helps you sign in to your accounts if you use two-factor verification.
Intune Company Portal - Used for App Protection Policies (APP) and Android Enterprise work profile
scenarios.
Managed Home Screen - Used for Android Enterprise dedicated/kiosk scenarios.
NOTE
Due to interaction between Google and Microsoft domains, this step may require that you adjust your browser settings.
Make sure that "portal.azure.com" and "play.google.com" are in the same security zone in your browser.
1. If you haven't already, prepare for mobile device management by setting the mobile device management
authority as Microsoft Intune.
2. Sign in to the Microsoft Endpoint Manager admin center, choose Devices > Android > Android
enrollment > Managed Google Play. If you are using a custom Intune admin role, access to this requires
Organization Read and Update permissions.
3. Choose I agree to grant Microsoft permission to send user and device information to Google.
4. Choose Launch Google to connect now to open the Managed Google Play website. The website opens
on a new tab in your browser.
5. On Google's sign in page, enter the Google account that will be associated with all Android Enterprise
management tasks for this tenant. This is the Google account that your company's IT admins share to
manage and publish apps in the Google Play console. You can use an existing Google account or create a
new one. The account you choose must not be associated with a G-Suite domain.
NOTE
If you are using the Microsoft Edge browser, click Sign-In in the upper right corner to sign in to your Google
account.
6. Provide your company's name for Organization name. For Enterprise mobility management (EMM)
provider, Microsoft Intune should be displayed.
7. Agree to the Android agreement, and then choose Confirm. Your request will be processed.
Next steps
After connecting to the Managed Google Play account, you can set up Android Enterprise work profile devices, set
up Android Enterprise dedicated devices and set up Android Enterprise fully managed devices
Set up enrollment of Android Enterprise work profile
devices
9/4/2020
Intune helps you deploy apps and settings to Android Enterprise work profile devices to make sure work and
personal information are separate. For specific details about Android Enterprise, see Android Enterprise
requirements.
To set up Android Enterprise work profile management, follow these steps:
1. Connect your Intune tenant account to your Android Enterprise account.
2. Specify Android Enterprise work profile enrollment settings. Android Enterprise work profiles are supported
on only certain Android devices. Any device that supports Android Enterprise work profiles also supports
Android device administrator management. Intune lets you specify how devices that support Android
Enterprise work profiles should be managed from within Enrollment Restrictions.
Block: All Android devices, including devices that support Android Enterprise work profiles, will be
enrolled as Android device administrator devices, unless Android device administrator enrollment is
also blocked.
Allow (set by default): All devices that support Android Enterprise work profiles are enrolled as
Android Enterprise work profile devices. Any Android device that does not support Android Enterprise
work profiles is enrolled as an Android device administrator device, unless Android device
administrator enrollment is blocked.
NOTE
The default set to Allow is true for new tenants as of July 2019. All previous tenants will experience no change to their
Enrollment Restrictions, and will see whatever policies they have set in Enrollment Restrictions. For previous tenants that
never had Enrollment Restrictions changes, Block will still be the default for Android Enterprise work profiles.
NOTE
As an administrator, you can accomplish this remotely using the Retire function. This function can be found in the actions
menu after selecting the device from the All Devices blade.
If you're enrolling Android Enterprise work profile devices by using a Device Enrollment Manager account, there
is a limit of 10 devices that can be enrolled per account.
For more information, see Data Intune sends to Google.
Android Enterprise supports corporate-owned, single-use, kiosk-style devices with its dedicated devices solution
set. Such devices are used for a single purpose, such as digital signage, ticket printing, or inventory management,
to name just a few. Admins lock down the usage of a device for a limited set of apps and web links. It also
prevents users from adding other apps or taking other actions on the device.
Intune helps you deploy apps and settings to Android Enterprise dedicated devices. For specific details about
Android Enterprise, see Android enterprise requirements.
Devices that you manage in this way are enrolled in Intune without a user account and aren't associated with any
end user. They're not intended for personal use applications or apps that have a strong requirement for user-
specific account data such as Outlook or Gmail.
Device requirements
Devices must meet these requirements to be managed as an Android Enterprise dedicated device:
Android OS version 6.0 and above.
Devices must run a distribution of Android that has Google Mobile Services (GMS) connectivity. Devices must
have GMS available and must be able to connect to GMS.
NOTE
If a token has expired, the profile associated with it will not be displayed in Device enrollment > Android enrollment >
Corporate-owned dedicated devices. To see all profiles associated with both active and inactive tokens, click on Filter
and check the boxes for both "Active" and "Inactive" policy states.
You must create an enrollment profile so that you can enroll your dedicated devices. When the profile is created, it
provides you with an enrollment token (random string) and a QR code. Depending on the Android OS and
version of the device, you can use either the token or QR code to enroll the dedicated device.
1. Sign in to the Microsoft Endpoint Manager admin center and choose Devices > Android > Android
enrollment > Corporate-owned dedicated devices.
2. Choose Create and fill out the required fields.
Name: Type a name that you'll use when assigning the profile to the dynamic device group.
Token expiration date: The date when the token expires. Google enforces a maximum of 90 days.
3. Choose Create to save the profile.
Create a device group
You can target apps and policies to either assigned or dynamic device groups. You can configure dynamic AAD
device groups to automatically populate devices that are enrolled with a particular enrollment profile by following
these steps:
1. Sign in to the Microsoft Endpoint Manager admin center and choose Groups > All groups > New group.
2. In the Group blade, fill out the required fields as follows:
Group type: Security
Group name: Type an intuitive name (like Factory 1 devices)
Membership type: Dynamic device
3. Choose Add dynamic query.
4. In the Dynamic membership rules blade, fill out the fields as follows:
Add dynamic membership rule: Simple rule
Add devices where: enrollmentProfileName
In the middle box, choose Equals.
In the last field, enter the enrollment profile name that you created earlier. For more information about
dynamic membership rules, see Dynamic membership rules for groups in AAD.
5. Choose Add query > Create.
Replace or remove tokens
Replace token: You can generate a new token/QR code when one nears expiration by using Replace Token.
Revoke token: You can immediately expire the token/QR code. From this point on, the token/QR code is no
longer usable. You might use this option if you:
accidentally share the token/QR code with an unauthorized party
complete all enrollments and no longer need the token/QR code
Replacing or revoking a token/QR code won't have any effect on devices that are already enrolled.
1. Sign in to the Microsoft Endpoint Manager admin center and choose Devices > Android > Android
enrollment > Corporate-owned dedicated devices.
2. Choose the profile that you want to work with.
3. Choose Token.
4. To replace the token, choose Replace token.
5. To revoke the token, choose Revoke token.
NOTE
The Microsoft Intune app will be automatically installed during enrollment of a dedicated device. This app is required for
enrollment and cannot be uninstalled.
Next steps
Deploy Android apps
Add Android configuration policies
Set up Intune enrollment of Android Enterprise fully managed devices
9/4/2020 • 2 minutes to read
Android Enterprise fully managed devices are corporate-owned devices associated with a single user and used
exclusively for work and not personal use. Admins can manage the entire device and enforce policy controls
unavailable to work profiles, such as:
Allow app installation only from Managed Google Play.
Block uninstallation of managed apps.
Prevent users from factory resetting devices, and so on.
Intune helps you deploy apps and settings to Android Enterprise devices, including Android Enterprise fully
managed devices. For specific details about Android Enterprise, see Android Enterprise requirements.
Technical requirements
You must have an Intune standalone tenant to manage Android Enterprise fully managed devices. Fully managed
device management isn't available in the legacy Silverlight management console.
Devices must meet these requirements to be managed as an Android Enterprise fully managed device:
Android OS version 6.0 and above.
Devices must run a build of Android that has Google Mobile Services (GMS) connectivity. Devices must have
GMS available and must be able to connect to GMS.
There is no restriction on device manufacturer/OEM if the above requirements are met.
When this setting is set to Yes, it provides you with an enrollment token (a random string) and a QR code for your
Intune tenant. This single enrollment token is valid for all your users and won't expire. Depending on the Android
OS and version of the device, you can use either the token or QR code to enroll the device.
Next steps
Add Android Enterprise fully managed device configuration policies
Configure app configuration policies for Android Enterprise fully managed devices
Enroll your Android Enterprise dedicated, fully managed, or corporate-owned with work profile devices
9/4/2020 • 2 minutes to read
After you've set up your Android Enterprise dedicated devices, fully managed devices, or corporate-owned work
profile devices in Intune, you can enroll the devices. Intune enrollment for both dedicated devices and fully
managed devices starts with a factory reset. How you enroll your Android Enterprise devices depends on the
operating system.
QR code (Android 7.0 and later): On participating manufacturers.
NOTE
Browser zoom can prevent devices from scanning the QR code. Increasing the browser zoom resolves the issue.
1. To launch a QR reader on the Android device, tap multiple times on the first screen you see after a wipe.
2. For Android 7 and 8 devices, you'll be prompted to install a QR reader. Android 9 and later devices already have
a QR reader installed.
3. Use the QR reader to scan the enrollment profile QR code and then follow the on-screen prompts to enroll.
{
"android.app.extra.PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME":
"com.google.android.apps.work.clouddpc/.receivers.CloudDeviceAdminReceiver",
"android.app.extra.PROVISIONING_DEVICE_ADMIN_SIGNATURE_CHECKSUM":
"I5YvS0O5hXY46mb01BlRjq4oJJGs2kuUcHvVkAPEXlg",
"android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION":
"https://play.google.com/managed/downloadManagingApp?identifier=setup",
"android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE": {
"com.google.android.apps.work.clouddpc.EXTRA_ENROLLMENT_TOKEN": "YourEnrollmentToken"
}
}
4. Choose Apply.
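An added example (not Microsoft's or Google's code) that sanity-checks a provisioning payload like the one above before it is turned into a QR code: the required extras are present, the device admin component and download host match the sample, the signature checksum has the shape of an unpadded URL-safe base64 SHA-256 digest, and the enrollment token is not still the placeholder. The expected component, host and placeholder values are taken from the sample payload; the list of checks is this example's own.

```python
"""Sanity-check an Android Enterprise provisioning payload (the JSON encoded in
an enrollment QR code) before it is turned into a QR code.

Added example, not Microsoft's or Google's code. The expected DPC component,
download host and placeholder token come from the sample payload on this page;
the checksum shape (unpadded URL-safe base64 of a SHA-256 digest, 43 chars)
follows the Android provisioning-extras contract.
"""
import json
import re
from urllib.parse import urlparse

PREFIX = "android.app.extra."
COMPONENT_KEY = PREFIX + "PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME"
CHECKSUM_KEY = PREFIX + "PROVISIONING_DEVICE_ADMIN_SIGNATURE_CHECKSUM"
DOWNLOAD_KEY = PREFIX + "PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION"
BUNDLE_KEY = PREFIX + "PROVISIONING_ADMIN_EXTRAS_BUNDLE"
TOKEN_KEY = "com.google.android.apps.work.clouddpc.EXTRA_ENROLLMENT_TOKEN"

EXPECTED_COMPONENT = ("com.google.android.apps.work.clouddpc/"
                      ".receivers.CloudDeviceAdminReceiver")
EXPECTED_DOWNLOAD_HOST = "play.google.com"
PLACEHOLDER_TOKEN = "YourEnrollmentToken"
# 32 bytes -> 43 URL-safe base64 characters when padding is omitted.
SHA256_B64URL = re.compile(r"[A-Za-z0-9_-]{43}")

# The sample payload from this page, embedded so the example runs offline.
SAMPLE_PAYLOAD = """{
  "android.app.extra.PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME":
    "com.google.android.apps.work.clouddpc/.receivers.CloudDeviceAdminReceiver",
  "android.app.extra.PROVISIONING_DEVICE_ADMIN_SIGNATURE_CHECKSUM":
    "I5YvS0O5hXY46mb01BlRjq4oJJGs2kuUcHvVkAPEXlg",
  "android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION":
    "https://play.google.com/managed/downloadManagingApp?identifier=setup",
  "android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE": {
    "com.google.android.apps.work.clouddpc.EXTRA_ENROLLMENT_TOKEN": "YourEnrollmentToken"
  }
}"""


def validate_payload(text: str) -> list[str]:
    """Return the problems found; an empty list means the payload looks usable."""
    try:
        payload = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg}"]
    if not isinstance(payload, dict):
        return ["payload must be a JSON object"]

    missing = [k for k in (COMPONENT_KEY, CHECKSUM_KEY, DOWNLOAD_KEY, BUNDLE_KEY)
               if k not in payload]
    if missing:
        return [f"missing required extra {k}" for k in missing]

    problems = []
    if payload[COMPONENT_KEY] != EXPECTED_COMPONENT:
        problems.append("device admin component is not the Android Device Policy receiver")

    checksum = payload[CHECKSUM_KEY]
    if not (isinstance(checksum, str) and SHA256_B64URL.fullmatch(checksum)):
        problems.append("signature checksum is not unpadded URL-safe base64 of a SHA-256 digest")

    # The DPC must be fetched over TLS from Google Play, never from an arbitrary host.
    url = urlparse(str(payload[DOWNLOAD_KEY]))
    if url.scheme != "https" or url.hostname != EXPECTED_DOWNLOAD_HOST:
        problems.append(f"DPC download location must be https://{EXPECTED_DOWNLOAD_HOST}/...")

    bundle = payload[BUNDLE_KEY]
    token = bundle.get(TOKEN_KEY) if isinstance(bundle, dict) else None
    if not token:
        problems.append("enrollment token missing from the admin extras bundle")
    elif token == PLACEHOLDER_TOKEN:
        problems.append("enrollment token is still the placeholder; paste the tenant token")
    return problems


if __name__ == "__main__":
    for problem in validate_payload(SAMPLE_PAYLOAD) or ["payload OK"]:
        print(problem)
```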
Next steps
Deploy Android apps
Add Android configuration policies
Android device administrator enrollment
9/4/2020 • 2 minutes to read
Android device administrator (sometimes referred to as "legacy" Android management, released with Android
2.2) is a way to manage Android devices. However, improved management functionality is now available with
Android Enterprise (released with Android 5.0). In an effort to move to modern, richer, and more secure device
management, Google is decreasing device administrator support in new Android releases.
Therefore, to avoid such reduced functionality, we advise against enrolling new devices using the device
administrator process described below.
For the same reasons, we also recommend that you migrate devices off of device administrator management if the
devices are going to update to Android 10.
If you still decide to have users enroll their Android devices with device administrator management, continue to
the next section.
For more information about Google's Android Enterprise features, see these articles:
Google's guidance for migration from device administrator to Android Enterprise
Google's documentation on the plan to deprecate the device administrator API
Next steps
Assign compliance policies
Managing apps
Manage Android work profile devices with Intune
9/4/2020 • 5 minutes to read
Android Enterprise offers a set of enrollment options that provide users with the most up-to-date and secure
features. Enrolling with Android Enterprise work profile allows a set of features and services that separate personal
apps and data from work apps and data. It also provides additional management capabilities and privacy when
people use their personal Android devices for work.
Supported devices
Android Enterprise management capabilities rely upon features that are part of more recent Android operating
systems. For devices that do not support Android Enterprise, conventional Android management remains available.
For more information, see Android Enterprise requirements.
Onboarding
Before enrolling Android Enterprise work profile devices, you must complete some onboarding steps. These steps
establish a connection between your Intune tenant and Managed Google Play. For more information, see Enable
enrollment of Android Enterprise work profile devices.
App configuration
Android Enterprise provides infrastructure for deploying app configuration values to apps that support them. By
specifying configuration values for work apps, you ensure they are properly set when users launch the app for the
first time. Support for app configuration requires that app developers create their Android apps specifically to
support managed configuration values. If they do, then you can use Intune to specify and apply these configuration
settings. For more information, see Add app configuration policies for managed Android devices.
Email configuration
Android Enterprise doesn't provide a default email app or native email profile object like those provided by
iOS/iPadOS. Instead, email configurations can be set by applying app configuration settings to email apps that
support them. Gmail and Nine Work are two Exchange ActiveSync (EAS) client apps in the Play Store that support
configuration with Android Enterprise app configuration.
Intune provides configuration templates for Gmail and Nine Work apps when managed as work apps. Other email
apps that support app configuration profiles can be configured with mobile app configuration policies.
If you are using Exchange ActiveSync Conditional Access for an Android Enterprise work profile device, consider
using either the Gmail or Nine Work email app. The Microsoft Outlook for Android app, or any other email app that
uses modern authentication via ADAL, is also supported. For more information, see How to configure email
settings in Microsoft Intune.
VPN profiles
VPN support is similar to Android VPN profiles. The same VPN providers and basic configuration options are
available for Android Enterprise management with two differences:
Work profile-scoped VPN – VPN connections are limited to just the apps deployed to the work profile.
Only Android Enterprise-managed apps can use the VPN connection. Personal apps on the device cannot use
a managed VPN connection. For more information, see Android Enterprise VPN settings.
App-specific VPN – App-specific VPN can be configured in Intune if the VPN provider supports:
configuration for app-specific VPN
the capability to configure per-app VPN via the Android Enterprise app configuration profile. For more
information, see Use a Microsoft Intune custom profile to create a per-app VPN profile for Android
devices.
Certificate profiles
The same certificate profile configuration options that are available to Android management are available on
Android Enterprise work profile devices. Android Enterprise provides enhanced certificate management APIs.
Enhanced certificate management provides the following functionality:
Ensures that cert deployment is silent and seamless for the user.
Ensures that deployed certs are removed when a device is retired from Intune and the work profile is removed.
Provides improved messaging that informs users that the certificate was deployed and configured by their IT
department via their management service.
For more information, see Configure a certificate profile for your devices in Microsoft Intune.
Wi-Fi profiles
Wi-Fi profiles managed by Android Enterprise are removed when the device is retired from Intune and the work
profile is deleted. For more information, see How to configure Wi-Fi settings in Microsoft Intune.
Next steps
Enroll Android devices
Assign apps to Android Enterprise work profile devices with Intune
Set up Intune enrollment of Android Enterprise corporate-owned devices with work profile
9/4/2020 • 4 minutes to read
Android Enterprise corporate-owned devices with a work profile are single user devices intended for corporate
and personal use.
End users can keep their work and personal data separate and are guaranteed that their personal data and
applications will remain private. Admins can control some settings and features for the entire device, including:
Setting requirements for the device password
Controlling Bluetooth and data roaming
Configuring factory reset protection
Intune helps you deploy apps and settings to Android Enterprise corporate-owned devices with work profile. For
specific details about Android Enterprise, see Android enterprise requirements.
Device requirements
Devices must meet these requirements to be managed as Android Enterprise corporate-owned work profile
devices:
Android OS version 8.0 and above.
Devices must run a distribution of Android that has Google Mobile Services (GMS) connectivity. Devices must
have GMS available and must be able to connect to GMS.
NOTE
Tokens for corporate-owned devices with a work profile will not expire automatically. If an admin decides to revoke a token,
the profile associated with it will not be displayed in Devices > Android > Android enrollment > Corporate-owned
devices with work profile (Preview). To see all profiles associated with both active and inactive tokens, click on Filter
and check the boxes for both "Active" and "Inactive" policy states.
You must create an enrollment profile so that users can enroll corporate-owned work profile devices. When the
profile is created, it provides you with an enrollment token (random string) and a QR code. Depending on the
Android OS and version of the device, you can use either the token or QR code to enroll the dedicated device.
1. Sign in to the Microsoft Endpoint Manager admin center and choose Devices > Android > Android
enrollment > Corporate-owned devices with work profile (Preview).
2. Choose Create profile and fill out the fields.
Name: Type a name that you'll use when assigning the profile to the dynamic device group.
Description: Add a profile description (optional).
3. Choose Next.
4. On the Review + create page, choose Create to create the policy.
Create a device group
You can target apps and policies to either assigned or dynamic device groups. You can configure dynamic Azure
AD device groups to automatically populate devices that are enrolled with a particular enrollment profile by
following these steps:
1. Sign in to the Microsoft Endpoint Manager admin center and choose Groups > All groups > New group.
2. In the Group blade, fill out the required fields as follows:
Group type: Security
Group name: Type an intuitive name (like Factory 1 devices)
Membership type: Dynamic device
3. Choose Add dynamic query.
4. In the Dynamic membership rules blade, fill out the fields as follows:
Add dynamic membership rule: Simple rule
Add devices where: enrollmentProfileName
In the middle box, choose Equals.
In the last field, enter the enrollment profile name that you created earlier. For more information about
dynamic membership rules, see Dynamic membership rules for groups in AAD.
5. Choose Add query > Create.
Revoke tokens
You can immediately expire the token/QR code. From this point on, the token/QR code is no longer usable. You
might use this option if you:
accidentally share the token/QR code with an unauthorized party
complete all enrollments and no longer need the token/QR code
Revoking a token/QR code won't have any effect on devices that are already enrolled.
1. Sign in to the Microsoft Endpoint Manager admin center and choose Devices > Android > Android
enrollment > Corporate-owned devices with work profile (Preview).
2. Choose the profile that you want to work with.
3. Choose Token.
4. To revoke the token, choose Revoke token > Yes.
NOTE
The Microsoft Intune app will be automatically installed during enrollment of a corporate-owned work profile device. This
app is required for enrollment and cannot be uninstalled.
Managing apps on Android Enterprise corporate-owned work profile
devices
Only apps that have Assignment type set to Required can be installed on Android Enterprise corporate-owned
work profile devices. Apps are installed from the Managed Google Play store in the same manner as Android
Enterprise work profile devices.
Apps are automatically updated on managed devices when the app developer publishes an update to Google Play.
To remove an app from Android Enterprise corporate-owned work profile devices, you can do either of the
following:
Delete the Required app deployment.
Create an uninstall deployment for the app.
Next steps
Deploy Android apps
Add Android configuration policies
Move Android devices from device administrator to work profile management
9/4/2020 • 4 minutes to read
You can help users move their Android devices from device administrator to work profile management by using the
compliance setting Block devices managed with device administrator. This setting lets you make devices
non-compliant if they're managed with device administrator.
When users see that they're out of compliance for this reason, they can tap Resolve. They'll be taken to a checklist
that will guide them through:
1. Unenrolling from device administrator management
2. Enrolling into work profile management
3. Resolving any compliance issues.
Prerequisites
Users must have Android device administrator enrolled devices with Android Company Portal version
5.0.4720.0 or later.
Set up Android work profile management by connecting your Intune tenant account to your Android Enterprise
account.
Set Android Enterprise work profile enrollment for the group of users who are moving to Android work profile.
Consider increasing your user device limits. When unenrolling devices from device administrator management,
device records might not be immediately removed. To provide cushion during this period, you might need to
increase device limit capacity so that the users can enroll into work profile management.
Configure Azure Active Directory device settings for Maximum number of devices per user.
Adjust the Intune device limit restrictions by setting the Device limit.
4. On the Compliance settings page, in the Device Health section, set Block devices managed with
device administrator to Yes > Next.
5. On the Locations page, you can add locations if you want > Next.
6. On the Actions for noncompliance tab, you can configure the available actions for noncompliance to
customize the end user experience for this flow.
These are some actions to consider:
Mark device noncompliant: By default, this action is set to zero (0) days, marking devices as
noncompliant immediately. Changing this to a greater number of days provides users with a grace
period in which they can see the flow to move to work profile management without yet being marked
noncompliant. For example, setting this to 14 days would give users two weeks to move from device
administrator to work profile management without the risk of losing access to resources.
Send push notification to end user: Configure this to send push notifications to the device
administrator devices. When a user selects the notification, it will launch the Android Company Portal
to the Update device settings page where they can start the flow to move to work profile
management.
Send email to end user: Configure this to send emails to users about the move from device
administrator to work profile management. In the email, you can include the URL below, which when
selected, will launch the Android Company Portal to the Update device settings page where they can
start the flow to move to work profile management.
https://portal.manage.microsoft.com/UpdateSettings.aspx
For US government, you can use this link instead:
https://portal.manage.microsoft.us/UpdateSettings.aspx
NOTE
Of course, you can use user-friendly hyper-text for the links in your communication with users. However,
don't use URL-shorteners because the links may not work if changed that way.
If the Android Company Portal is open and in the background, when a user taps the link they might go to
the last page they had open instead.
Users must tap the link on an Android device. If they instead paste it into a browser, it will not launch the
Android Company Portal.
Choose Next.
7. On the Scope tags page, select any scope tags you want to include.
8. On the Assignments page, assign the policy to a group that has devices enrolled with device administrator
management > Next.
9. On the Review + create page, confirm all your settings and then select Create.
Troubleshooting
The end user flow to move to new device management setup guides users through unenrolling from device
administrator management and getting set up with work profile management. Users must have Android device
administrator enrolled devices with Android Company Portal version 5.0.4720.0 or later.
User sees an error after tapping Resolve
If users see an error after tapping the Resolve button, it's likely because of one of these reasons:
Work profile enrollment isn't set up correctly (either an Android Enterprise account isn't connected or
enrollment restrictions are set to block work profile enrollment).
The device is running Android 4.4 or earlier, which doesn't support work profile enrollment.
The device manufacturer doesn't support work profile enrollment on the device model.
Resolve button doesn't appear on the user's device
The Resolve button won't appear on the user's device if the user enrolls into device administrator management
after they've been targeted with the device compliance policy explained above.
To get the Resolve button to appear, the user must postpone setup and restart the process from the notification.
To avoid this condition, use enrollment restrictions to block enrollment into device administrator management.
User sees an error after tapping URL to Update device settings page
Users might see an error page in the browser when they tap the URL to the Update device settings page of the
Android Company Portal. This error can be caused by one of the following:
The device isn't an Android device.
The Android device doesn't have the Company Portal app.
The Android Company Portal version is earlier than 5.0.4720.0.
The Android device uses Android 6 or earlier.
Next steps
See the end user flow Manage Android work profile devices with Intune
Automatically enroll Android devices by using Samsung's Knox Mobile Enrollment
9/4/2020 • 6 minutes to read
This topic helps you set up Intune for enrolling supported Android devices using Samsung Knox Mobile
Enrollment (KME). Using Intune with Samsung KME, you can enroll large numbers of company-owned Android
devices when end users turn on their devices for the first time and connect to a WiFi or cellular network. Also,
devices can be enrolled using Bluetooth or NFC when using the Knox Deployment App.
To enable Intune enrollment using Samsung KME, you use both the Intune and Samsung Knox portals in this
order:
1. In the Knox portal:
a. Create an MDM profile
b. Add devices
c. Assign an MDM profile to the devices
2. In the Knox portal, configure end user sign in.
3. Distribute the devices.
A list of device identifiers (serial numbers and IMEIs) is automatically added to the Knox Portal when purchasing
devices from authorized resellers participating in the Knox Deployment Program.
Prerequisites
To enroll into Intune using KME, you must first register your company on the Samsung Knox portal by following
these steps:
1. Make sure KME is available in your country/region: KME is available in over 55 countries/regions. Ensure
that your country/region of deployment is supported.
2. Supported devices: KME is available on all Samsung devices with a minimum of Knox 2.4 for Android
enrollment and a minimum of Knox 2.8 for Android enterprise enrollment.
3. Network requirements: Make sure that the necessary firewall and network access rules are permitted on
your network.
4. Register for a Samsung account: A Samsung account is needed to register and enable KME and manage all
Knox Enterprise entitlements in a single place.
5. Registration Review: After your profile is completed and submitted, Samsung reviews your application and
either approves it immediately or puts it in a pending review status for further follow-up. After your
account is approved, you can continue to further steps.
MDM Information (required: Yes): Choose Server URI not required for my MDM.
Allow End User to Cancel Enrollment (required: No): Choose this option to allow users to cancel KME.
Associate a Knox license with this profile (required: No): Leave this option unselected. Enrolling to Intune using KME doesn't require a Knox license.
* This field is not required to complete profile creation in the Knox portal. However, Intune does require this field to
be filled in so that the profile can successfully enroll the device in Intune.
For Android device administrator
For step-by-step guidance, see the Samsung's Create Profile instructions.
Add devices
To assign MDM Profiles to devices, supported Samsung Knox devices must be added to the Knox Portal using one
of the following methods:
Using Samsung-Approved Reseller(s): Use this method if you're purchasing devices from one of the
Samsung-approved resellers. Resellers can auto-upload devices for you when approved. Visit the Samsung
Knox Enrollment User Guide to learn how to add resellers.
Using the Knox Deployment App (KDA): Use this method if you have existing devices that need to be
enrolled using KME. You can either use Bluetooth or NFC to add devices to the Knox Portal using this
method. Visit the Samsung Knox Enrollment User Guide to learn about using the KDA.
Distribute devices
After creating and assigning an MDM profile, associating a user name, and identifying the devices as corporate-
owned in Intune, you can distribute devices to users.
Still need help? Check out the complete KME User Guide.
Getting support
Learn more about how to get support for Samsung KME.
Android Enterprise security configuration framework
9/4/2020 • 2 minutes to read
The Android Enterprise security configuration framework is a series of recommendations for device compliance
and configuration policy settings. These recommendations help you tailor your organization's mobile device
security protection to your specific needs.
Security-conscious organizations look at ways to ensure corporate data on mobile devices is protected. One
method used to protect that data is device enrollment. Device enrollment helps organizations:
deploy compliance policies (like PIN strength, jailbreak/root validation, and so on).
deploy configuration policies (like WIFI, certificates, VPN).
manage the app lifecycle.
To help you set up a complete security scenario, Microsoft introduced a new taxonomy for security configurations
in Windows 10. Intune is using a similar taxonomy for its Android Enterprise security configuration framework.
They include recommended device compliance and device restriction settings for basic, enhanced, and high
security. This taxonomy is explained in the following articles:
1. Android Enterprise framework deployment methodology: A recommended methodology for deploying the
security configuration framework.
2. Android device enrollment restrictions: Pre-enrollment device restrictions for Android Enterprise devices.
3. Set app configuration policies for Android Enterprise devices: Configure apps on the devices to disallow
personal accounts.
4. Android Enterprise work profile security settings: Specific configuration settings for basic and high security on
work profile devices.
5. Android Enterprise fully managed security settings: Specific configuration settings for basic, enhanced, and high
security on fully managed devices.
Next steps
Android Enterprise framework deployment methodology
Android Enterprise framework deployment methodology
9/4/2020 • 2 minutes to read
Before deploying the framework, Microsoft recommends using a ring methodology for testing validation. Defining
deployment rings is generally a one-time event (or at least infrequent). However, IT should revisit these groups to
ensure that the sequencing is still correct.
Microsoft recommends the following deployment ring approach for the framework:
Preview ring: production tenant; assessment by mobile capability owners and UX; output: end-user scenario validation, user-facing documentation; timeline: 7-14 days, post Quality Assurance.
All changes to the App Protection Policies should first be applied in a pre-production environment to understand
the policy setting implications. After testing is complete, move the changes into production and apply them to a
subset of production users, the IT department, and other applicable groups. Finally, complete the rollout to the
rest of the mobile user community. Rollout to production may take longer depending on the scale of the changes'
impact. If there's no user impact, the change should roll out quickly. If there is user impact, rollout may need to go
slower because of the need to communicate changes to the user population.
When testing changes to Android Enterprise devices, be aware of the delivery timing. The status of compliance
policies for devices can be monitored. For more information, see Monitor Intune device compliance policies and
Monitor device profiles in Microsoft Intune.
Next steps
Android Enterprise device enrollment restrictions
Android Enterprise device enrollment restrictions
9/4/2020 • 2 minutes to read
Before enrolling devices for the Android Enterprise security configuration framework, organizations must
configure the appropriate restrictions. These restrictions ensure that users can only enroll
approved devices.
a specified number of devices.
devices with specified platforms.
devices with specified operating systems.
devices from specified manufacturers.
For more information on device enrollment restrictions, see Set enrollment restrictions.
Next steps
Set app configuration policies
Android Enterprise security configuration framework app configuration policies
9/4/2020 • 2 minutes to read
As part of the Android Enterprise security configuration framework, you must properly set app configuration
policies for Android Enterprise devices.
Android Enterprise work profile devices are designed to isolate work and personal data from one another. Android
Enterprise fully managed devices are designed for work or school data only. So, Microsoft apps deployed on these
devices must be configured to disallow personal accounts.
Next steps
Apply Android Enterprise work profile security settings or Android Enterprise fully managed security settings.
Android Enterprise work profile security configurations
9/4/2020 • 9 minutes to read
As part of the Android Enterprise security configuration framework, apply the following settings for Android
Enterprise work profile mobile users. For more information on each policy setting, see Android Enterprise settings
to mark devices as compliant or not compliant using Intune and Android Enterprise device settings to allow or
restrict features using Intune.
When choosing your settings, be sure to review and categorize usage scenarios. Then, configure users following
the guidance for the chosen security level. You can adjust the suggested settings based on the needs of your
organization. Make sure to have your security team evaluate the threat environment, risk appetite, and impact to
usability.
For personally-owned work profile devices, there are two recommended security configuration frameworks:
Work profile basic security (level 1)
Work profile high security (level 3)
NOTE
Because of the settings available for Android Enterprise work profile devices, there is no enhanced security (level 2) offering.
The available settings don't justify a difference between level 1 and level 2.
SECTION | SETTING | VALUE | NOTES
Device Health | SafetyNet device attestation | Check basic integrity & certified devices | This setting configures Google's SafetyNet Attestation on end-user devices. Basic integrity validates the integrity of the device. Rooted devices, emulators, virtual devices, and devices with signs of tampering fail basic integrity. Basic integrity and certified devices validates the compatibility of the device with Google's services. Only unmodified devices that have been certified by Google can pass this check.
System Security | Required password type | Numeric Complex | Organizations may need to update this setting to match their password policy.
System Security | Number of days until password expires | Not configured | Organizations may need to update this setting to match their password policy.
System Security | Block USB debugging on device | Block | While this setting blocks debugging using a USB device, it also disables the ability to gather logs, which may be useful for troubleshooting.
System Security | Minimum security patch level | Not configured | Android devices can receive monthly security patches, but the release is dependent on OEMs and/or carriers. Organizations should ensure that deployed Android devices do receive security updates before implementing this setting. For the latest patch releases, see Android Security Bulletins.
Actions for noncompliance | Mark device noncompliant | Immediately | By default, the policy is configured to mark the device as noncompliant. Additional actions are available. For more information, see Configure actions for noncompliant devices in Intune.
Device restrictions
SECTION | SETTING | VALUE | NOTES
Work profile settings | Work profile notifications while device locked | Not configured | Blocking this setting ensures sensitive data is not exposed in work profile notifications, which may impact usability.
Work profile settings | Search work contacts from personal profile | Not configured | Blocking users from accessing work contacts from the personal profile may impact certain usability scenarios like text messaging and dialer experiences within the personal profile. Organizations should consider balancing the usability scenarios with data protection concerns when implementing this setting.
Microsoft Defender ATP | Require the device to be at or under the machine risk score | Clear | This setting requires Microsoft Defender ATP. For more information, see Enforce compliance for Microsoft Defender ATP with Conditional Access in Intune. Customers should consider implementing Microsoft Defender ATP or a mobile threat defense solution. It is not necessary to deploy both.
Device restrictions
SECTION | SETTING | VALUE | NOTES
Work profile settings | Work profile notifications while device locked | Block | Blocking this setting ensures sensitive data is not exposed in work profile notifications, which may impact usability.
Work profile settings | Contact sharing via Bluetooth | Not configured | By default, access to work contacts is not available on other devices, like automobiles via Bluetooth integration. Enabling this setting improves hands-free user experiences. However, the Bluetooth device may cache the contacts upon first connection. Organizations should consider balancing the usability scenarios with data protection concerns when implementing this setting.
Work profile settings | Search work contacts from personal profile | Block | Blocking users from accessing work contacts from the personal profile may impact certain usability scenarios like text messaging and dialer experiences within the personal profile. Organizations should consider balancing the usability scenarios with data protection concerns when implementing this setting.
Work profile settings | Password expiration (days) | 365 | Organizations may need to update this setting to match their password policy.
Next steps
Administrators can incorporate the above configuration levels within their ring deployment methodology for
testing and production use by importing the sample Android Enterprise Security Configuration Framework JSON
templates with Intune's PowerShell scripts.
Android Enterprise fully managed security configurations
9/4/2020 • 8 minutes to read
As part of the Android Enterprise security configuration framework, apply the following settings for Android
Enterprise fully managed mobile users. For more information on each policy setting, see Android Enterprise device
owner settings to mark devices as compliant or not compliant using Intune and Android Enterprise device settings
to allow or restrict features using Intune.
When choosing your settings, be sure to review and categorize usage scenarios. Then, configure users following
the guidance for the chosen security level. You can adjust the suggested settings based on the needs of your
organization. Make sure to have your security team evaluate the threat environment, risk appetite, and impact to
usability.
For corporate-owned fully managed devices, there are three recommended security configuration frameworks:
Fully managed basic security (level 1)
Fully managed enhanced security (level 2)
Fully managed high security (level 3)
Section | Setting | Value | Notes
Device Health | SafetyNet device attestation | Check basic integrity & certified devices | This setting configures Google's SafetyNet Attestation on end-user devices. Basic integrity validates the integrity of the device. Rooted devices, emulators, virtual devices, and devices with signs of tampering fail basic integrity. Basic integrity and certified devices validates the compatibility of the device with Google's services. Only unmodified devices that have been certified by Google can pass this check.
Device Properties | Minimum security patch level | Not configured | Android devices can receive monthly security patches, but the release is dependent on OEMs and/or carriers. Organizations should ensure that deployed Android devices do receive security updates before implementing this setting. For the latest patch releases, see Android Security Bulletins.
System Security | Required password type | Numeric Complex | Organizations may need to update this setting to match their password policy.
Actions for noncompliance | Mark device noncompliant | Immediately | By default, the policy is configured to mark the device as noncompliant. Additional actions are available. For more information, see Configure actions for noncompliant devices in Intune.
Device restrictions
Section | Setting | Value | Notes
Device experience | Make Microsoft Launcher the default launcher | Not configured | Organizations may choose to implement Microsoft Launcher to ensure a consistent home screen experience on fully managed devices. For more information, see How to Setup Microsoft Launcher on Android Enterprise Fully Managed Devices with Intune.
Applications | Allow access to all apps in Google Play store | Not configured | By default, users cannot install personal apps from the Google Play Store on fully managed devices. If organizations would like to allow fully managed devices to be utilized for personal use, consider changing this setting.
Device restrictions
Section | Setting | Value | Notes
Microsoft Defender ATP | Require the device to be at or under the machine risk score | Clear | This setting requires Microsoft Defender ATP. For more information, see Enforce compliance for Microsoft Defender ATP with Conditional Access in Intune. Customers should consider implementing Microsoft Defender ATP or a mobile threat defense solution. It is not necessary to deploy both.
Device restrictions
Section | Setting | Value | Notes
Next steps
Administrators can incorporate the above configuration levels within their ring deployment methodology for
testing and production use by importing the sample Android Enterprise Security Configuration Framework JSON
templates with Intune's PowerShell scripts.
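Both "Next steps" sections above describe importing the framework's JSON templates with Intune's PowerShell scripts. As an added example (not code from Intune or from these docs), the following Python checker audits an exported Android Enterprise fully managed compliance policy against the "Fully managed basic security (level 1)" compliance table above: SafetyNet attestation, required password type, minimum security patch level, and the action for noncompliance. The JSON property names are assumed to follow the Microsoft Graph androidDeviceOwnerCompliancePolicy resource, and the scheduledActionsForRule shape for the "mark device noncompliant" action is likewise an assumption; verify both against the Graph reference before using this in a tenant. The sample policy is constructed and deliberately drifts from the baseline.

```python
"""Added example: audit an exported Android Enterprise fully managed compliance
policy against the level-1 compliance table. Not Intune's own tooling; the JSON
property names are assumed to follow the Microsoft Graph
androidDeviceOwnerCompliancePolicy resource (verify before relying on them)."""
import json
from datetime import date

# Level-1 compliance values taken from the table in this section.
LEVEL1_EXPECTED = {
    # "Check basic integrity & certified devices" maps to both attestation flags
    "securityRequireSafetyNetAttestationBasicIntegrity": True,
    "securityRequireSafetyNetAttestationCertifiedDevice": True,
    # "Numeric Complex"
    "passwordRequiredType": "numericComplex",
}


def check_compliance_policy(policy, expected=LEVEL1_EXPECTED):
    """Return a list of human-readable findings; an empty list means the
    policy matches the level-1 baseline."""
    findings = []
    for key, want in expected.items():
        got = policy.get(key)
        if got != want:
            findings.append(f"{key}: expected {want!r}, found {got!r}")

    # Minimum security patch level is "Not configured" at level 1. If it is set,
    # it must be a YYYY-MM-DD date, and the table warns to confirm OEM/carrier
    # patch delivery first, so report it as informational rather than a failure.
    patch = policy.get("minAndroidSecurityPatchLevel")
    if patch:
        try:
            date.fromisoformat(patch)
            findings.append(
                f"minAndroidSecurityPatchLevel={patch}: confirm deployed devices "
                "receive OEM patches before enforcing this")
        except ValueError:
            findings.append(
                f"minAndroidSecurityPatchLevel={patch!r} is not a YYYY-MM-DD date")

    # Actions for noncompliance: the baseline marks the device noncompliant
    # "Immediately", i.e. a "block" action with a zero-hour grace period.
    # (Assumed Graph shape: scheduledActionsForRule[].scheduledActionConfigurations[])
    block_actions = [
        cfg
        for rule in policy.get("scheduledActionsForRule", [])
        for cfg in rule.get("scheduledActionConfigurations", [])
        if cfg.get("actionType") == "block"
    ]
    if not block_actions:
        findings.append("no 'block' (mark device noncompliant) action configured")
    elif any(cfg.get("gracePeriodHours", 0) != 0 for cfg in block_actions):
        findings.append(
            "mark-noncompliant action has a grace period; level 1 expects 'Immediately'")
    return findings


def check_compliance_json(text):
    """Convenience wrapper for a policy exported as JSON text."""
    return check_compliance_policy(json.loads(text))


# Constructed sample export (not a real tenant's policy) that has drifted from level 1.
SAMPLE_POLICY_JSON = """
{
  "@odata.type": "#microsoft.graph.androidDeviceOwnerCompliancePolicy",
  "displayName": "Android FM - level 1 (drifted)",
  "securityRequireSafetyNetAttestationBasicIntegrity": true,
  "securityRequireSafetyNetAttestationCertifiedDevice": false,
  "minAndroidSecurityPatchLevel": "2020-08-01",
  "passwordRequiredType": "numeric",
  "scheduledActionsForRule": [
    {"ruleName": "PasswordRequired",
     "scheduledActionConfigurations": [
       {"actionType": "block", "gracePeriodHours": 24}
     ]}
  ]
}
"""

if __name__ == "__main__":
    for finding in check_compliance_json(SAMPLE_POLICY_JSON):
        print("-", finding)
```

Run it against each policy exported from a ring before promoting that ring to production; a non-empty result means the policy no longer matches the level the table describes.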
Enroll iOS/iPadOS devices in Intune
9/4/2020 • 4 minutes to read
Intune enables mobile device management (MDM) of iPads and iPhones to give users secure access to company
email, data, and apps.
As an Intune admin, you can set up enrollment for iOS/iPadOS devices to access company resources.
You can let users enroll personally-owned devices, known as "bring your own device" (BYOD) enrollment. You can
also set up enrollment of company-owned devices.
User enrollment
User Enrollment gives admins a subset of management options compared to other enrollment methods. For
more information, see User Enrollment supported actions, passwords, and other options and Set up iOS/iPadOS
and iPadOS User Enrollment.
Apple Configurator
You can enroll iOS/iPadOS devices with Apple Configurator running on a Mac computer. To prepare devices, you
USB-connect them and install an enrollment profile. You can enroll devices with Apple Configurator in two ways:
Setup Assistant enrollment - Wipes the device, prepares it to run Setup Assistant, and installs the company's
policies for the device's new user.
Direct enrollment - Doesn't wipe the device and enrolls the device with a predefined policy. This method is for
devices with no user affinity.
Learn more about Apple Configurator enrollment.
See also
Troubleshooting iOS/iPadOS device enrollment problems in Microsoft Intune
Automatically enroll iOS/iPadOS devices with Apple's Automated Device Enrollment
9/4/2020 • 21 minutes to read
IMPORTANT
Apple recently changed from using the Apple Device Enrollment Program (DEP) to Apple Automated Device Enrollment
(ADE). Intune is in the process of updating the Intune user interface to reflect that. Until such changes are complete, you'll
continue to see Device Enrollment Program in the Intune portal. Wherever that is shown, it now uses Automated Device
Enrollment.
You can set up Intune to enroll iOS/iPadOS devices purchased through Apple's Automated Device Enrollment
(ADE). Automated Device Enrollment lets you enroll large numbers of devices without ever touching them.
Devices like iPhones, iPads, and MacBooks can be shipped directly to users. When the user turns on the device,
Setup Assistant, which includes the typical out-of-box-experience for Apple products, runs with preconfigured
settings and the device enrolls into management.
To enable ADE, you use both the Intune and Apple Business Manager (ABM) or Apple School Manager (ASM)
portals. A list of serial numbers or a purchase order number is required so you can assign devices to Intune for
management in either Apple portal. You create ADE enrollment profiles in Intune containing settings that are
applied to devices during enrollment. ADE can't be used with a device enrollment manager account.
NOTE
ADE sets device configurations that can't necessarily be removed by the end user. Therefore, before migrating to ADE, the
device must be wiped to return it to an out-of-box (new) state.
Prerequisites
Devices purchased in Apple's ADE
Mobile Device Management (MDM) Authority
Apple MDM Push certificate
Supported volume
Maximum enrollment profiles per token: 1,000
Maximum Automated Device Enrollment devices per profile: no limit (within maximum number of devices per
token)
Maximum Automated Device Enrollment tokens per Intune account: 2,000
Maximum Automated Device Enrollment devices per token: The limit on the first sync is 75,000-80,000
devices. Intune will continue to sync with ABM or ASM with every 12 hour check-in to add more devices every
time. A manual sync (which can be triggered once every 15 minutes) will also add another device batch over to
Intune. Syncs will continue to occur and devices will keep getting synced from ABM/ASM over to Intune in
large quantities.
NOTE
If you delete the token from the Intune classic portal before migrating to Azure, Intune might restore a deleted Apple ADE
token. You can delete the ADE token again from the Azure portal.
Step 1. Download the Intune public key certificate required to create the token.
1. In the Microsoft Endpoint Manager admin center, choose Devices > iOS/iPadOS > iOS/iPadOS enrollment.
2. Choose Enrollment Program Tokens > Add.
3. Grant permission to Microsoft to send user and device information to Apple by selecting I agree.
NOTE
Once you progress beyond step 2 to download the Intune public key certificate, do not close the wizard or navigate away from this page. Doing so will invalidate the certificate you have downloaded, and you'll need to repeat this process. If you encounter this situation, you'll typically note that the Create button on the Review + create tab is greyed out, and you can't complete the process.
4. Choose Download your public key to download and save the encryption key (.pem) file locally. The .pem file is used to request a trust-relationship certificate from the Apple portal.
Step 2. Use your key to download a token from Apple.
1. Choose Create a token via Apple Business Manager to open Apple's Business portal, and sign in with your company Apple ID. You can use this Apple ID to renew your ADE token.
2. In Apple's Business portal, choose Get Started for Device Enrollment Program.
3. On the Manage Servers page, choose Add MDM Server.
4. Enter the MDM Server Name, and then choose Next. The server name is for your reference to identify the mobile device management (MDM) server. It isn't the name or URL of the Microsoft Intune server.
5. The Add <ServerName> dialog box opens, stating Upload Your Public Key. Select Choose File… to upload the .pem file, and then choose Next.
6. Go to Deployment Programs > Device Enrollment Program > Manage Devices.
7. Under Choose Devices By, specify how devices are identified:
Serial Number
Order Number
Upload CSV File.
8. For Choose Action, choose Assign to Server, choose the <ServerName> specified for Microsoft Intune, and then choose OK. The Apple portal assigns the specified devices to the Intune server for management and then displays Assignment Complete.
In the Apple portal, go to Deployment Programs > Device Enrollment Program > View Assignment History to see a list of devices and their MDM server assignment.
Step 3. Save the Apple ID used to create this token.
In the Microsoft Endpoint Manager admin center, provide the Apple ID for future reference.
Step 4. Upload your token and choose scope tags.
1. In the Apple token box, browse to the certificate (.p7m) file, and choose Open.
2. If you want to apply scope tags to this DEP token, choose Scope (tags), and select the scope tags that you want. Scope tags applied to a token will be inherited by profiles and devices added to this token.
3. Choose Create.
With the push certificate, Intune can enroll and manage iOS/iPadOS devices by pushing policy to enrolled mobile
devices. Intune automatically synchronizes with Apple to see your enrollment program account.
NOTE
Devices will be blocked if there aren't enough Company Portal licenses for a VPP token, or if the token has expired. Intune
will display an alert when a token is about to expire or licenses are running low.
1. In the Microsoft Endpoint Manager admin center, choose Devices > iOS/iPadOS > iOS/iPadOS enrollment > Enrollment Program Tokens.
2. Select a token, choose Profiles > Create profile > iOS/iPadOS.
3. On the Basics page, enter a Name and Description for the profile for administrative purposes. Users don't see these details.
7. If you chose Company Portal for Select where users must authenticate, you can use a VPP token to automatically install the Company Portal on the device. In this case, the user doesn't have to supply an Apple ID. To install the Company Portal with a VPP token, choose a token under Install Company Portal with VPP. This requires that the Company Portal has already been added to the VPP token. To ensure that the Company Portal app continues to be updated after enrollment, make sure that you have configured an app deployment in Intune (Intune > Client Apps). So that user interaction isn't required, you'll most likely want to have the Company Portal as an iOS/iPadOS VPP app, make it a required app, and use device licensing for the assignment. Make sure that the token doesn't expire and that you have enough device licenses for the Company Portal app. If the token expires or runs out of licenses, Intune installs the App Store Company Portal instead and prompts for an Apple ID.
NOTE
When Select where users must authenticate is set to Company Portal, make sure that the device enrollment process is performed within the first 24 hours of the Company Portal being downloaded to the ADE device. Otherwise enrollment might fail, and a factory reset will be needed to enroll the device.
8. If you chose Setup Assistant for Select where users must authenticate, but you also want to use Conditional Access or deploy company apps on the devices, you must install the Company Portal on the devices. To do so, choose Yes for Install Company Portal. If you would like users to receive the Company Portal without having to authenticate into the App Store, choose Install Company Portal with VPP and select a VPP token. Make sure that the token doesn't expire and that you have enough device licenses for the Company Portal app to deploy correctly.
9. If you chose a token for Install Company Portal with VPP, you can lock the device in Single App Mode (specifically, the Company Portal app) right after the Setup Assistant completes. Choose Yes for Run Company Portal in Single App Mode until authentication to set this option. To use the device, the user must first authenticate by signing in using the Company Portal.
Multi-factor authentication isn't supported on a single device locked in Single App Mode. This limitation
exists because the device can't switch to a different app to complete the second factor of authentication.
Therefore, if you want multifactor authentication on a Single App Mode device, the second factor must be
on a different device.
This feature is only supported for iOS/iPadOS 11.3.1 and later.
10. If you want devices using this profile to be supervised, choose Yes for Supervised.
Supervised devices give you more management options and disable Activation Lock by default.
Microsoft recommends using ADE as the mechanism for enabling supervised mode, especially if you're
deploying large numbers of iOS/iPadOS devices. Apple Shared iPad for Business devices must be
supervised.
Users are notified that their devices are supervised in two ways:
The lock screen says: "This iPhone is managed by Contoso."
The Settings > General > About screen says: "This iPhone is supervised. Contoso can monitor your
Internet traffic and locate this device."
NOTE
A device enrolled without supervision can only be reset to supervised by using the Apple Configurator. Resetting the
device in this manner requires connecting an iOS/iPadOS device to a Mac with a USB cable. Learn more about this
on Apple Configurator docs.
11. Choose if you want locked enrollment for devices using this profile. Locked enrollment disables
iOS/iPadOS settings that allow the management profile to be removed from the Settings menu. After
device enrollment, you can't change this setting without wiping the device. Such devices must have the
Supervised Management Mode set to Yes.
NOTE
After the device is enrolled with Locked enrollment, users will not be able to use Remove Device or Factory Reset in the Company Portal app. The options will be unavailable to the user. The user also won't be able to remove the device in the Company Portal website (https://portal.manage.microsoft.com). Also, if a BYOD device is converted to an Apple Automated Device Enrollment device and enrolled with a Locked enrollment enabled profile, the user will be allowed to use Remove Device and Factory Reset for 30 days, and then the options will be disabled or unavailable. Reference: https://help.apple.com/configurator/mac/2.8/#/cad99bc2a859.
12. If you chose Enroll without User Affinity and Supervised above, you must decide whether or not to
configure the devices to be Apple Shared iPad for Business devices. By choosing Yes for Shared iPad ,
multiple users will be able to sign into the same device. The users will authenticate with their Managed
Apple ID and federated authentication accounts or through a temporary session (i.e. Guest account). This
option requires iOS/iPadOS 13.4 or later.
If you chose to configure your devices to be Apple Shared iPad for Business devices, you must set
Maximum cached users . Set this value to the number of users that you expect to use the Shared iPad.
You can cache up to 24 users on a 32 GB or 64 GB device. If you choose a very low number, it may take a
while for your user’s data to come down to the device after sign-in. If you choose a very high number, your
users may not have enough disk space.
NOTE
If you want to set up Apple Shared iPad for Business, set the following:
User affinity = Enroll without User Affinity .
Supervised = Yes.
Shared iPad = Yes. Temporary sessions are enabled by default and allow your users to log into a Shared
iPad without a Managed Apple ID account. You can disable temporary sessions on Shared iPad by configuring
iOS/iPadOS Shared iPad device restriction settings.
13. Choose if you want the devices using this profile to be able to Sync with computers. If you choose Allow Apple Configurator by certificate, you must choose a certificate under Apple Configurator Certificates.
NOTE
If Sync with computers is set to Deny all, the port will be limited on iOS and iPadOS devices. The port can only
be used for charging and nothing else. The port will be blocked from using iTunes or Apple Configurator 2. If Sync
with computers is set to Allow Apple Configurator by certificate, make sure you have a local copy of the
certificate that you can access later. You won't be able to make changes to the uploaded copy and it is important to
retain this certificate to be accessible in the future. To connect to the iOS/iPadOS device from a macOS device or PC,
the same certificate must be installed on the device making the connection to the iOS/iPadOS device that was
enrolled with the Automated Device Enrollment profile with this configuration and certificate.
14. If you chose Allow Apple Configurator by certificate in the previous step, choose an Apple Configurator Certificate to import.
15. You can specify a naming format for devices that is automatically applied when they enroll and upon each
successive check-in. To create a naming template, select Yes under Apply device name template. Then, in
the Device Name Template box, enter the template to use for the names using this profile. You can
specify a template format that includes the device type and serial number.
16. Choose Next: Setup Assistant Customization .
17. On the Setup Assistant customization page, configure the following profile settings:
Department settings | Description
Department Name | Appears when users tap About Configuration during activation.
Department Phone | Appears when the user clicks the Need Help button during activation.
You can choose to hide Setup Assistant screens on the device during user setup.
If you choose Hide , the screen won't be displayed during setup. After setting up the device, the user can
still go in to the Settings menu to set up the feature.
If you choose Show , the screen will be displayed during setup. The user can sometimes skip the screen
without taking action. But they can then later go into the device's Settings menu to set up the feature.
Setup Assistant screen | If you choose Show, during setup the device will...
Location Services | Prompt the user for their location. For macOS 10.11 and later and iOS/iPadOS 7.0 and later.
Restore | Display the Apps & Data screen. This screen gives the user the option to restore or transfer data from iCloud Backup when they set up the device. For macOS 10.9 and later, and iOS/iPadOS 7.0 and later.
iCloud and Apple ID | Give the user the options to sign in with their Apple ID and use iCloud. For macOS 10.9 and later, and iOS/iPadOS 7.0 and later.
Terms and Conditions | Require the user to accept Apple's terms and conditions. For macOS 10.9 and later, and iOS/iPadOS 7.0 and later.
Apple Pay | Give the user the option to set up Apple Pay on the device. For macOS 10.12.4 and later, and iOS/iPadOS 7.0 and later.
Zoom | Give the user the option to zoom the display when they set up the device. For iOS/iPadOS 8.3 and later.
Siri | Give the user the option to set up Siri. For macOS 10.12 and later, and iOS/iPadOS 7.0 and later.
Diagnostic Data | Display the Diagnostics screen to the user. This screen gives the user the option to send diagnostic data to Apple. For macOS 10.9 and later, and iOS/iPadOS 7.0 and later.
Display Tone | Give the user the option to turn on Display Tone. For macOS 10.13.6 and later, and iOS/iPadOS 9.3.2 and later.
Privacy | Display the Privacy screen to the user. For macOS 10.13.4 and later, and iOS/iPadOS 11.3 and later.
Android Migration | Give the user the option to migrate data from an Android device. For iOS/iPadOS 9.0 and later.
iMessage and FaceTime | Give the user the option to set up iMessage and FaceTime. For iOS/iPadOS 9.0 and later.
Watch Migration | Give the user the option to migrate data from a watch device. For iOS/iPadOS 11.0 and later.
Screen Time | Display the Screen Time screen. For macOS 10.15 and later, and iOS/iPadOS 12.0 and later.
SIM Setup | Give the user the option to add a cellular plan. For iOS/iPadOS 12.0 and later.
Preferred Language | Give the user the option to choose their Preferred Language.
Device to Device Migration | Give the user the option to migrate data from their old device to this device. For iOS/iPadOS 13.0 and later.
iCloud diagnostics | Display the iCloud Analytics screen to the user. For macOS 10.12.4 and later.
iCloud Storage | Display the iCloud Documents and Desktop screen to the user. For macOS 10.13.4 and later.
To follow Apple's terms for acceptable enrollment program traffic, Intune imposes the following
restrictions:
A full sync can run no more than once every seven days. During a full sync, Intune fetches the complete
updated list of serial numbers assigned to the Apple MDM server connected to Intune. If an ADE device
is deleted from the Intune portal, it should be unassigned from the Apple MDM server in the ADE
portal. If it's not unassigned, it won't be reimported to Intune until the full sync is run.
A sync is run automatically every 12 hours. You can also sync by clicking the Sync button (no more than
once every 15 minutes). All sync requests are given 15 minutes to finish. The Sync button is disabled
until a sync is completed. This sync will refresh existing device status and import new devices assigned
to the Apple MDM server.
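The sync cadence described above (automatic sync every 12 hours, manual sync at most every 15 minutes) and the earlier note that devices are blocked when a VPP token expires or runs out of Company Portal licenses both come down to the same operational question: are the tokens still valid and still syncing? As an added example (not code from Intune or from these docs), the following Python script answers that from an exported token inventory. The field names are assumptions: they follow the Microsoft Graph depOnboardingSetting (tokenExpirationDateTime, lastSuccessfulSyncDateTime, tokenName) and vppToken (expirationDateTime, state, organizationName) resources as the author understands them, so verify them against the Graph reference before wiring this to a real tenant. The inventory and the fixed evaluation time are constructed.

```python
"""Added example (not Intune's own code): flag ADE (enrollment program) tokens
that are near expiry or have stopped syncing, and VPP tokens that are no longer
valid. Field names assume the Microsoft Graph depOnboardingSetting and vppToken
resources; verify them before relying on this."""
from datetime import datetime, timedelta, timezone


def parse_graph_time(ts):
    """Graph returns ISO 8601 UTC timestamps with a trailing 'Z'."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def audit_tokens(dep_tokens, vpp_tokens, now, expiry_warn_days=30, sync_stale_hours=24):
    """Return a list of alert strings. An empty list means every ADE token is
    valid, syncing and not close to expiry, and every VPP token is valid."""
    alerts = []
    warn_window = timedelta(days=expiry_warn_days)
    stale_window = timedelta(hours=sync_stale_hours)

    for t in dep_tokens:
        name = t.get("tokenName") or t.get("appleIdentifier") or "<unnamed>"
        expires = parse_graph_time(t["tokenExpirationDateTime"])
        if expires <= now:
            alerts.append(f"ADE token {name}: expired on {expires.date()}; "
                          "renew it from the Apple portal")
        elif expires - now <= warn_window:
            alerts.append(f"ADE token {name}: expires in {(expires - now).days} days")
        # Intune syncs with ABM/ASM every 12 hours, so two missed check-ins
        # (24 hours by default) is the threshold used here.
        last = t.get("lastSuccessfulSyncDateTime")
        if last is None or now - parse_graph_time(last) > stale_window:
            alerts.append(f"ADE token {name}: no successful sync in the last "
                          f"{sync_stale_hours} hours")

    for v in vpp_tokens:
        name = v.get("organizationName") or v.get("appleId") or "<unnamed>"
        state = v.get("state", "unknown")
        if state != "valid":
            # An expired or invalid VPP token means Company Portal installs fall
            # back to the App Store and prompt the user for an Apple ID.
            alerts.append(f"VPP token {name}: state is {state}")
            continue
        expires = parse_graph_time(v["expirationDateTime"])
        if expires - now <= warn_window:
            alerts.append(f"VPP token {name}: expires in {(expires - now).days} days")
    return alerts


# Constructed sample inventory (not from a real tenant), evaluated at a fixed time.
NOW = datetime(2020, 9, 4, 12, 0, tzinfo=timezone.utc)
SAMPLE_DEP_TOKENS = [
    {"tokenName": "Corp iPads", "tokenExpirationDateTime": "2021-06-01T00:00:00Z",
     "lastSuccessfulSyncDateTime": "2020-09-04T06:00:00Z"},
    {"tokenName": "Retail kiosks", "tokenExpirationDateTime": "2020-09-14T00:00:00Z",
     "lastSuccessfulSyncDateTime": "2020-09-04T00:00:00Z"},
    {"tokenName": "Field laptops", "tokenExpirationDateTime": "2021-01-15T00:00:00Z",
     "lastSuccessfulSyncDateTime": "2020-09-01T18:00:00Z"},
]
SAMPLE_VPP_TOKENS = [
    {"organizationName": "Contoso", "state": "valid",
     "expirationDateTime": "2021-03-01T00:00:00Z"},
    {"organizationName": "Contoso Retail", "state": "expired",
     "expirationDateTime": "2020-08-30T00:00:00Z"},
]

if __name__ == "__main__":
    for alert in audit_tokens(SAMPLE_DEP_TOKENS, SAMPLE_VPP_TOKENS, NOW):
        print("-", alert)
```

Run it on a schedule shorter than the 12-hour sync interval so that a stalled sync is noticed before the next batch of devices is expected to appear in Intune.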
NOTE
You can also assign serial numbers to profiles from the Apple Serial Numbers blade.
1. In the Microsoft Endpoint Manager admin center, choose Devices > iOS/iPadOS > iOS/iPadOS enrollment > Enrollment Program Tokens > choose a token in the list.
2. Choose Devices > choose devices in the list > Assign profile.
3. Under Assign profile, choose a profile for the devices > Assign.
Assign a default profile
You can pick a default profile to be applied to all devices enrolling with a specific token.
1. In the Microsoft Endpoint Manager admin center, choose Devices > iOS/iPadOS > iOS/iPadOS enrollment > Enrollment Program Tokens > choose a token in the list.
2. Choose Set Default Profile, choose a profile in the drop-down list, and then choose Save. This profile will be applied to all devices that enroll with the token.
Distribute devices
You have enabled management and syncing between Apple and Intune, and assigned a profile to let your ADE
devices enroll. You can now distribute devices to users. Devices with user affinity require each user be assigned an
Intune license. Devices without user affinity require a device license. An activated device can't apply an enrollment
profile until the device is wiped.
See Enroll your iOS/iPadOS device in Intune with the Device Enrollment Program.
1. Go to business.apple.com.
2. Click on Settings (bottom left).
3. Under MDM Servers, choose the MDM server associated with the ADE/DEP token that you want to renew.
4. Click on Download token.
NOTE
Do not click "Download server token" if you do not intend to renew the token. As mentioned in the prompt, doing so will invalidate the token currently being used by Intune (or any other MDM solution for that matter). If you already downloaded the token, make sure you continue with the next steps until the token is renewed.
6. After downloading the token, in the Microsoft Endpoint Manager admin center, choose Devices > iOS/iPadOS > iOS/iPadOS enrollment > Enrollment Program Tokens > choose the token.
7. Choose Renew token and enter the Apple ID used to create the original token (if not automatically populated).
You can set up Intune to enroll iOS/iPadOS devices using Apple's User Enrollment process. User
Enrollment gives admins a streamlined subset of management options compared to other enrollment methods.
For more information about the options available with User Enrollment, see User Enrollment supported actions,
passwords, and other options.
NOTE
Support for Apple's User Enrollment in Intune is currently in preview.
Prerequisites
Mobile Device Management (MDM) Authority
Apple MDM Push certificate
2. On the Basics page, enter a Name and Description for the profile for administrative purposes. Users don't
see these details. You can use this Name field to create a dynamic group in Azure Active Directory. Use the
profile name to define the enrollmentProfileName parameter to assign devices with this enrollment profile.
Learn more about Azure Active Directory dynamic groups.
3. Select Next .
4. On the Settings page, select one of the following options for Enrollment type :
Device enrollment : All the users in this profile will use Device Enrollment.
User enrollment : All the users in this profile will use User Enrollment.
Determine based on user choice : All users in this group will be given the choice of which enrollment
type to use. When users enroll their devices, they'll see an option to choose between I own this device
and (Company) owns this device . If they choose the latter, the device will be enrolled by using Device
Enrollment. If the user chooses I own this device , they'll get another option to secure the entire device
or only secure work-related apps and data. The end user's selection of whether they own the device
determines which enrollment type is implemented on their device. This user choice is also reflected in the
Device Ownership attribute in Intune. To learn more about the user experience, see Set up iOS/iPadOS
device access to your company resources.
5. Select Next .
6. On the Assignments page, choose the user groups containing the users to which you want this profile assigned. You can choose to assign the profile to all users or specific groups. All users in the selected groups will use the enrollment type chosen above. Device groups aren't supported for User Enrollment scenarios because the feature is based on user identities, rather than devices.
7. Select Next .
8. On the Review and Create page, review your choices, and then select Create to assign the profile to the
users.
Profile priority
After you've created more than one enrollment type profile, you can change the priority order in which they're
applied.
1. In the Microsoft Endpoint Manager admin center, choose Devices > iOS/iPadOS > iOS enrollment >
Enrollment types (preview) .
2. Drag and drop the profiles in the list in the order you want them applied.
In case of conflicts between profiles for any user, the higher priority profile is applied for the user.
Intune actions and options supported with Apple User Enrollment
3/9/2020 • 3 minutes to read
User Enrollment supports a subset of device management options. If a pre-existing configuration profile is applied
to a User Enrollment device, only settings supported by User Enrollment will be applied to that device.
NOTE
Support for Apple's User Enrollment in Intune is currently in preview for iOS and iPadOS.
Password settings
On User Enrollment devices, if you configure any password setting, then the Simple passwords setting is
automatically set to Block, and a 6-digit PIN is enforced.
For example, you configure the Password expiration setting, and push this policy to user-enrolled devices. On
the devices, the following happens:
The Password expiration setting is ignored.
Simple passwords, such as 111111 or 123456 , aren't allowed.
A 6 digit pin is enforced.
End-user actions
On User Enrollment devices, end users can perform these actions on their devices from the Company Portal
application and website:
Rename. This action applies only to the user-facing name within the Company Portal. It won't fully rename the
device outside of that context.
Remove
Remote Lock
Check Status
Next steps
Set up iOS/iPadOS and iPadOS User Enrollment
Set up iOS/iPadOS device enrollment with Apple School Manager
9/4/2020 • 9 minutes to read
You can set up Intune to enroll iOS/iPadOS devices purchased through the Apple School Manager program. Using
Intune with Apple School Manager, you can enroll large numbers of iOS/iPadOS devices without ever touching
them. When a student or teacher turns on the device, Setup Assistant runs with preconfigured settings and the
device enrolls into management.
To enable Apple School Manager enrollment, you use both the Intune and Apple School Manager portals. A list of
serial numbers or a purchase order number is required so you can assign devices to Intune for management. You
create Automated Device Enrollment (ADE) enrollment profiles containing settings that are applied to devices during
enrollment.
Apple School Manager enrollment can't be used with Apple's Automated Device Enrollment or the device
enrollment manager.
Prerequisites
Apple Mobile Device Management (MDM) Push certificate
MDM Authority
If using ADFS, user affinity requires WS-Trust 1.3 Username/Mixed endpoint. Learn more.
Devices purchased from the Apple School Management program
4. Choose Upload File... in the Apple portal, browse to the .pem file, and choose Save MDM Server (lower right).
5. Choose Get Token and then download the server token (.p7m) file to your computer.
6. Go to Device Assignments, and choose devices by manual entry of Serial Numbers, Order Number, or Upload CSV File.
7. Choose the action Assign to Server, and choose the MDM Server you created.
8. Specify how to Choose Devices, then provide device information and details.
9. Choose Assign to Server and choose the <ServerName> specified for Microsoft Intune, and then choose OK.
Step 3. Save the Apple ID used to create this token
In the Microsoft Endpoint Manager admin center, provide the Apple ID for future reference.
NOTE
If you want to do any of the following, set Authenticate with Company Portal instead of Apple Setup Assistant to Yes.
use multifactor authentication
prompt users who need to change their password when they first sign in
prompt users to reset their expired passwords during enrollment
These aren't supported when authenticating with Apple Setup Assistant.
6. Choose Device Management Settings and choose if you want devices using this profile to be supervised.
Supervised devices give you more management options and disable Activation Lock by default. Microsoft
recommends using ADE as the mechanism for enabling Intune's supervised mode, especially for
organizations that are deploying large numbers of iOS/iPadOS devices.
Users are notified that their devices are supervised in two ways:
The lock screen says: "This iPhone is managed by Contoso."
The Settings > General > About screen says: "This iPhone is supervised. Contoso can monitor your
Internet traffic and locate this device."
NOTE
A device enrolled without supervision can only be reset to supervised by using the Apple Configurator.
Resetting the device in this manner requires connecting an iOS/iPadOS device to a Mac with a USB cable.
Learn more about this on Apple Configurator docs.
7. Choose if you want locked enrollment for devices using this profile. Locked enrollment disables
iOS/iPadOS settings that allow the management profile to be removed from the Settings menu. After
device enrollment, you can't change this setting without wiping the device. Such devices must have the
Supervised Management Mode set to Yes.
8. You can let multiple users sign on to enrolled iPads by using a managed Apple ID. To do so, choose Yes
under Shared iPad (this option requires Enroll without User Affinity and Supervised mode set to Yes).
Managed Apple IDs are created in the Apple School Manager portal. Learn more about shared iPad and
Apple's shared iPad requirements.
9. Choose if you want the devices using this profile to be able to Sync with computers. Deny All means that
all devices using this profile won't be able to sync with any data on any computer. If you choose Allow
Apple Configurator by certificate, you must choose a certificate under Apple Configurator Certificates.
10. If you chose Allow Apple Configurator by certificate in the previous step, choose an Apple
Configurator Certificate to import.
11. You can specify a naming format for devices that is automatically applied when they enroll. To do so, select
Yes under Apply device name template . Then, in the Device Name Template box, enter the template to
use for the names using this profile. You can specify a template format that includes the device type and
serial number.
12. Choose OK .
13. Choose Setup Assistant Settings to configure the following profile settings:
Department Name: Appears when users tap About Configuration during activation.
Department Phone: Appears when the user clicks the Need Help button during activation.
Setup Assistant Options: The following optional settings can be set up later in the iOS/iPadOS Settings menu.
    Location Services: If enabled, Setup Assistant prompts for the service during activation.
    iCloud and Apple ID: If enabled, Setup Assistant prompts the user to sign in with an Apple ID, and the Apps & Data screen allows the device to be restored from an iCloud backup.
    Apple Pay: If enabled, Setup Assistant prompts for this service during activation.
    Diagnostic Data: If enabled, Setup Assistant prompts for this service during activation.
14. Choose OK .
15. To save the profile, choose Create .
To follow Apple's terms for acceptable enrollment program traffic, Intune imposes the following restrictions:
A full sync can run no more than once every seven days. During a full sync, Intune refreshes every Apple serial
number assigned to Intune. If a full sync is attempted within seven days of the previous full sync, Intune only
refreshes serial numbers that aren't already listed in Intune.
Any sync request is given 15 minutes to finish. During this time or until the request succeeds, the Sync button
is disabled.
Intune syncs new and removed devices with Apple every 24 hours.
NOTE
You can also assign Apple School Manager serial numbers to profiles from the Enrollment Program Devices blade.
Intune supports the enrollment of iOS/iPadOS devices using Apple Configurator running on a Mac computer.
Enrolling with Apple Configurator requires that you USB-connect each iOS/iPadOS device to a Mac computer to
set up corporate enrollment. You can enroll devices into Intune with Apple Configurator in two ways:
Setup Assistant enrollment - Wipes the device and prepares it to enroll during Setup Assistant.
Direct enrollment - Does not wipe the device and enrolls the device through iOS/iPadOS settings. This
method only supports devices with no user affinity.
Apple Configurator enrollment methods can't be used with the device enrollment manager.
Prerequisites
Physical access to iOS/iPadOS devices
Set MDM authority
An Apple MDM push certificate
Device serial numbers (Setup Assistant enrollment only)
USB connection cables
macOS computer running Apple Configurator 2.0
4. For User Affinity , choose whether devices with this profile must enroll with or without an assigned user.
Enroll with user affinity - Choose this option for devices that belong to users who want to
use the Company Portal for services like installing apps. The device must be affiliated with a user
with Setup Assistant and can then access company data and email. Only supported for Setup
Assistant enrollment. User affinity requires the WS-Trust 1.3 Username/Mixed endpoint. Learn more.
Enroll without User Affinity - Choose this option for devices unaffiliated with a single user. Use
this for devices that perform tasks without accessing local user data. Apps requiring user affiliation
(including the Company Portal app used for installing line-of-business apps) won't work. Required
for direct enrollment.
NOTE
When Enroll with user affinity is selected, make sure that the device is affiliated with a user with Setup Assistant
within the first 24 hours of the device being enrolled. Otherwise enrollment might fail, and a factory reset will be
needed to enroll the device.
5. If you chose Enroll with User Affinity , you have the option to let users authenticate with Company
Portal instead of the Apple Setup Assistant.
NOTE
If you want to do any of the following, set Authenticate with Company Portal instead of Apple Setup Assistant to Yes.
use multifactor authentication
prompt users who need to change their password when they first sign in
prompt users to reset their expired passwords during enrollment
These are not supported when authenticating with Apple Setup Assistant.
WARNING
Devices are reset to factory configurations during the enrollment process. As a best practice, reset the device and
turn it on. Devices should be at the Hello screen when you connect the device. If the device was already registered
with the Apple ID account, the device must be deleted from the Apple iCloud before starting the enrollment
process. The error appears as "Unable to activate [Device name]".
2. In the preferences pane, select Servers and choose the plus symbol (+) to launch the MDM Server
wizard. Choose Next.
3. Enter the Host name or URL and enrollment URL for the MDM server under Setup Assistant
enrollment for iOS/iPadOS devices with Microsoft Intune. For the Enrollment URL, enter the enrollment
profile URL exported from Intune. Choose Next .
You can safely disregard a warning stating "server URL is not verified." To continue, choose Next until the
wizard is finished.
4. Connect the iOS/iPadOS mobile devices to the Mac computer with a USB adapter.
5. Select the iOS/iPadOS devices you want to manage, and then choose Prepare . On the Prepare
iOS/iPadOS Device pane, select Manual , and then choose Next .
6. On the Enroll in MDM Server pane, select the server name you created, and then choose Next.
7. On the Supervise Devices pane, select the level of supervision, and then choose Next.
8. On the Create an Organization pane, choose the Organization or create a new organization, and then
choose Next .
9. On the Configure iOS/iPadOS Setup Assistant pane, choose the steps to be presented to the user, and
then choose Prepare . If prompted, authenticate to update trust settings.
10. When the iOS/iPadOS device finishes preparing, disconnect the USB cable.
Distribute devices
The devices are now ready for corporate enrollment. Turn off the devices and distribute them to users. When
users turn on their devices, Setup Assistant starts.
After users receive their devices, they must complete Setup Assistant. Devices configured with user affinity can
install and run the Company Portal app to download apps and manage devices.
Direct enrollment
When you directly enroll iOS/iPadOS devices with Apple Configurator, you can enroll a device without acquiring
the device's serial number. You can also name the device for identification purposes before Intune captures the
device name during enrollment. The Company Portal app is not supported for directly enrolled devices. This
method does not wipe the device.
Apps requiring user affiliation, including the Company Portal app used for installing line-of-business apps, cannot
be installed.
Export the profile as .mobileconfig to iOS/iPadOS devices
1. In the Microsoft Endpoint Manager admin center, choose Devices > iOS/iPadOS > iOS/iPadOS
enrollment > Apple Configurator > Profiles > choose the profile to export > Export Profile.
2. Under Direct enrollment, choose Download profile, and save the file. An enrollment profile file is only
valid for two weeks, after which you must re-create it.
3. Transfer the file to a Mac computer running Apple Configurator to push directly as a management profile
to iOS/iPadOS devices.
4. Prepare the device with Apple Configurator by using the following steps:
a. On a Mac computer, open Apple Configurator 2.0.
b. Connect the iOS/iPadOS device to the Mac computer with a USB cord. Close Photos, iTunes, and
other apps that open for the device when the device is detected.
c. In Apple Configurator, choose the connected iOS/iPadOS device, and then choose the Add button.
Options that can be added to the device appear in the drop-down list. Choose Profiles .
d. Use the file picker to select the .mobileconfig file that you exported from Intune, and then choose
Add . The profile is added to the device. If the device is Unsupervised, the installation requires
acceptance on the device.
5. Use the following steps to install the profile on the iOS/iPadOS device. The device must have already
completed the Setup Assistant and be ready to use. If enrollment entails app deployments, the device
should have an Apple ID set up because the app deployment requires that you have an Apple ID signed in
for the App Store.
a. Unlock the iOS/iPadOS device.
b. In the Install profile dialog box for Management profile , choose Install .
c. Provide the Device Passcode or Apple ID, if necessary.
d. Accept the Warning , and choose Install .
e. Accept the Remote Warning , and choose Trust .
f. When the Profile Installed box confirms the profile as Installed, choose Done .
6. On the iOS/iPadOS device, open Settings and go to General > Device Management > Management
Profile . Confirm that the profile installation is listed, and check the iOS/iPadOS policy restrictions and
installed apps. Policy restrictions and apps might take up to 10 minutes to appear on the device.
7. Distribute devices. The iOS/iPadOS device is now enrolled in Intune and managed.
Set up enrollment for macOS devices in Intune
9/4/2020 • 3 minutes to read
Intune lets you manage macOS devices to give users access to company email and apps.
As an Intune admin, you can set up enrollment for company-owned macOS devices and personally owned macOS
devices ("bring your own device" or BYOD).
Prerequisites
Complete the following prerequisites before setting up macOS device enrollment:
Make sure your device is eligible for Apple device enrollment.
Configure domains
Set the MDM Authority
Create groups
Configure the Company Portal
Assign user licenses in the Microsoft 365 admin center
Get an Apple MDM push certificate
You can enroll macOS virtual machines for testing using either Parallels Desktop or VMware Fusion.
For Parallels Desktop, you need to set the hardware type and the serial number for the virtual machines so that
Intune can recognize them. Follow Parallels' instructions for setting hardware type and serial number to set up the
necessary settings for testing. We recommend that you match the hardware type of the device running the virtual
machines to the hardware type of the virtual machines that you're creating. You can find this hardware type in
Apple menu > About this Mac > System Report > Model Identifier.
For VMware Fusion, you need to edit the .vmx file to set the virtual machine's hardware model and serial number.
We recommend that you match the hardware type of the device running the virtual machines to the hardware type
of the virtual machines that you're creating. You can find this hardware type in Apple menu > About this Mac >
System Report > Model Identifier.
Next steps
After macOS devices are enrolled, you can create custom settings for macOS devices.
Automatically enroll macOS devices with the Apple Business Manager or Apple School Manager
9/4/2020 • 10 minutes to read
IMPORTANT
Apple recently changed from using the Apple Device Enrollment Program (DEP) to Apple Automated Device Enrollment
(ADE). Intune is in the process of updating the Intune user interface to reflect that. Until such changes are complete, you'll
continue to see Device Enrollment Program in the Intune portal. Wherever that is shown, it now uses Automated Device
Enrollment.
You can set up Intune enrollment for macOS devices purchased through Apple's Apple Business Manager or Apple
School Manager. You can use either of these enrollments for large numbers of devices without ever touching them.
You can ship macOS devices directly to users. When the user turns on the device, Setup Assistant runs with
preconfigured settings and the device enrolls into Intune management.
To set up enrollment, you use both the Intune and Apple portals. You create enrollment profiles containing settings
that are applied to devices during enrollment.
Neither Apple Business Manager enrollment nor Apple School Manager enrollment works with the device enrollment manager.
Prerequisites
Devices purchased in Apple School Manager or Apple's Automated Device Enrollment
A list of serial numbers or a purchase order number.
MDM Authority
Apple MDM Push certificate
NOTE
If you delete the token from the Intune classic portal before migrating to Azure, Intune might restore a deleted Apple token.
You can delete the token again from the Azure portal.
Step 1. Download the Intune public key certificate required to create the token
1. In the Microsoft Endpoint Manager admin center, choose Devices > macOS > macOS enrollment >
Enrollment Program Tokens > Add .
2. Grant permission to Microsoft to send user and device information to Apple by selecting I agree .
3. Choose Download your public key to download and save the encryption key (.pem) file locally. The .pem
file is used to request a trust-relationship certificate from the Apple portal.
Step 2. Use your key to download a token from Apple
1. Choose Create a token via Apple Business Manager or Create a token via Apple School
Manager to open the appropriate Apple portal, and sign in with your company Apple ID. You can use this
Apple ID to renew your token.
2. For DEP, in the Apple portal, choose Get Started for Device Enrollment Program > Manage Servers >
Add MDM Server.
3. For Apple School Manager, in the Apple portal, choose MDM Servers > Add MDM Server.
4. Enter the MDM Server Name, and then choose Next. The server name is for your reference to identify the
mobile device management (MDM) server. It is not the name or URL of the Microsoft Intune server.
5. The Add <ServerName> dialog box opens, stating Upload Your Public Key. Select Choose File… to
upload the .pem file, and then choose Next.
6. Go to Deployment Programs > Device Enrollment Program > Manage Devices .
7. Under Choose Devices By , specify how devices are identified:
Serial Number
Order Number
Upload CSV File .
8. For Choose Action, choose Assign to Server, choose the <ServerName> specified for Microsoft Intune,
and then choose OK . The Apple portal assigns the specified devices to the Intune server for management
and then displays Assignment Complete .
Step 3. Save the Apple ID used to create this token
In the Microsoft Endpoint Manager admin center, provide the Apple ID for future reference.
Step 4. Upload your token
In the Apple token box, browse to the certificate (.pem) file, choose Open , and then choose Create . With the
push certificate, Intune can enroll and manage macOS devices by pushing policy to enrolled devices. Intune
automatically synchronizes with Apple to see your enrollment program account.
Department Name: Appears when users tap About Configuration during activation.
Department Phone: Appears when the user clicks the Need Help button during activation.
You can choose to show or hide a variety of Setup Assistant screens on the device when the user sets it up.
If you choose Hide, the screen won't be displayed during setup. After setting up the device, the user can
still go in to the Settings menu to set up the feature.
If you choose Show, the screen will be displayed during setup. The user can sometimes skip the screen
without taking action. But they can then later go into the device's Settings menu to set up the feature.
Setup Assistant screen: If you choose Show, during setup the device will...
Location Services: Prompt the user for their location. For macOS 10.11 and later and iOS/iPadOS 7.0 and later.
Restore: Display the Apps & Data screen. This screen gives the user the option to restore or transfer data from iCloud Backup when they set up the device. For macOS 10.9 and later, and iOS/iPadOS 7.0 and later.
Apple ID: Give the user the option to sign in with their Apple ID and use iCloud. For macOS 10.9 and later, and iOS/iPadOS 7.0 and later.
Terms and Conditions: Require the user to accept Apple's terms and conditions. For macOS 10.9 and later, and iOS/iPadOS 7.0 and later.
Apple Pay: Give the user the option to set up Apple Pay on the device. For macOS 10.12.4 and later, and iOS/iPadOS 7.0 and later.
Zoom: Give the user the option to zoom the display when they set up the device. For iOS/iPadOS 8.3 and later.
Siri: Give the user the option to set up Siri. For macOS 10.12 and later, and iOS/iPadOS 7.0 and later.
Diagnostic Data: Display the Diagnostics screen to the user. This screen gives the user the option to send diagnostic data to Apple. For macOS 10.9 and later, and iOS/iPadOS 7.0 and later.
iCloud diagnostics: Display the iCloud Analytics screen to the user. For macOS 10.12.4 and later.
iCloud Storage: Display the iCloud Documents and Desktop screen to the user. For macOS 10.13.4 and later.
Display Tone: Give the user the option to turn on Display Tone. For macOS 10.13.6 and later, and iOS/iPadOS 9.3.2 and later.
Screen Time: Display the Screen Time screen. For macOS 10.15 and later, and iOS/iPadOS 12.0 and later.
Privacy: Display the Privacy screen to the user. For macOS 10.13.4 and later, and iOS/iPadOS 11.3 and later.
To comply with Apple's terms for acceptable enrollment program traffic, Intune imposes the following
restrictions:
A full sync can run no more than once every seven days. During a full sync, Intune fetches the complete
updated list of serial numbers assigned to the Apple MDM server connected to Intune. After an
Enrollment Program device is deleted from the Intune portal without being unassigned from the Apple
MDM server in the Apple portal, it won't be re-imported to Intune until the full sync is run.
A sync is run automatically every 24 hours. You can also sync by clicking the Sync button (no more than
once every 15 minutes). All sync requests are given 15 minutes to finish. The Sync button is disabled
until a sync is completed. This sync will refresh existing device status and import new devices assigned to
the Apple MDM server.
Distribute devices
You have enabled management and syncing between Apple and Intune, and assigned a profile to let your devices
enroll. You can now distribute devices to users. Devices with user affinity require that each user is assigned an
Intune license. Devices without user affinity require a device license. An activated device cannot apply an
enrollment profile until the device is wiped.
6. Choose Renew token and enter the Apple ID used to create the original token.
Next steps
After enrolling macOS devices, you can start managing them.
Use Direct Enrollment for macOS devices
9/4/2020 • 2 minutes to read
Intune supports the enrollment of macOS devices using Direct Enrollment (DE) for corporate devices. Direct
Enrollment does not wipe the device. It enrolls the device through macOS settings. This method only supports
devices with no user affinity.
Prerequisites
Physical access to macOS devices
Set MDM authority
An Apple MDM push certificate
Administrator rights on the macOS devices you are enrolling
NOTE
Enroll with user affinity is not supported on macOS when using Direct Enrollment. For devices that need user
affinity, use Automated Device Enrollment.
Direct Enrollment
Because Direct Enrollment only supports enrollment without user affinity, the company portal cannot be used to
install available applications.
Export the profile and install on macOS devices
1. In the Microsoft Endpoint Manager admin center, choose Devices > Enroll devices > Apple enrollment
> Apple Configurator > Profiles > choose the profile to export > Export Profile.
2. Under Direct enrollment , choose Download profile , and save the file.
NOTE
A downloaded enrollment profile is valid for two weeks after download. You can download as many enrollment
profiles using this link as you need. Downloading a new profile does not invalidate the previous one; however, it
also doesn't extend the expiry time of the previously downloaded file.
Next steps
After enrolling macOS devices, you can start managing them.
Incomplete user enrollments report
4/22/2020 • 3 minutes to read
This report shows where in the Company Portal enrollment process users stop without completing enrollment.
To see the report, choose Intune > Device enrollment > Incomplete user enrollments .
Using this information, you can update your onboarding documents to help users complete enrollment. For
example, if many users are quitting at the Terms of Use, you might investigate that area and make it more intuitive
for users.
Report columns: Action name, Screen or flow, Platform, Action.
Compliance/Activation section
Next steps
After checking on your incomplete enrollment rates, you can review the enrollment options to see if you can make
any changes to improve enrollment.
Troubleshoot device enrollment in Microsoft Intune
9/4/2020 • 21 minutes to read
This article provides suggestions for troubleshooting device enrollment issues. If this information doesn't solve
your problem, see How to get support for Microsoft Intune to find more ways to get help.
Android issues
Android enrollment errors
The following table lists errors that end users might see while enrolling Android devices in Intune.
Error message: IT admin needs to assign license for access. Your IT admin hasn't given you access to use this app. Get help from your IT admin or try again later.
Issue: The device can't be enrolled because the user's account doesn't have the necessary license.
Resolution: Before users can enroll their devices, they must have been assigned the necessary license. This message means that they have the wrong license type for the mobile device management authority. For example, they'll see this error if both of the following are true:
1. Intune has been set as the mobile device management authority
2. They're using a System Center 2012 R2 Configuration Manager license.
For more information, see Assign Intune licenses to your user accounts.
Error message: IT admin needs to set MDM authority. Looks like your IT admin hasn't set an MDM authority. Get help from your IT admin or try again later.
Issue: The mobile device management authority hasn't been defined.
Resolution: The mobile device management authority hasn't been set in Intune. See information about how to set the mobile device management authority.
Devices fail to check in with the Intune service and display as "Unhealthy" in the Intune admin console
Issue: Some Samsung devices that are running Android versions 4.4.x and 5.x might stop checking in with the
Intune service. If devices don't check in:
They can't receive policy, apps, and remote commands from the Intune service.
They show a Management State of Unhealthy in the administrator console.
Users who are protected by Conditional Access policies might lose access to corporate resources.
Samsung Smart Manager software, which ships on certain Samsung devices, can deactivate the Intune Company
Portal and its components. When the Company Portal is in a deactivated state, it can't run in the background and
can't contact the Intune service.
Resolution #1:
Tell your users to start the Company Portal app manually. Once the app restarts, the device checks in with the
Intune service.
IMPORTANT
Opening the Company Portal app manually is a temporary solution, because Samsung Smart Manager may deactivate the
Company Portal app again.
Resolution #2:
Tell your users to try upgrading to Android 6.0. The deactivation issue doesn't occur on Android 6.0 devices. To
check if an update is available, go to Settings > About device > Download updates manually > follow the
prompts.
Resolution #3:
If Resolution #2 doesn't work, have your users follow these steps to make Smart Manager exclude the Company
Portal app:
1. Launch the Smart Manager app on the device.
6. Under App power saving or App optimization , confirm that Company Portal is turned off.
Profile installation failed
Issue: A user receives a Profile installation failed error on an Android device.
Resolution:
1. Confirm that the user is assigned an appropriate license for the version of the Intune service that you're
using.
2. Confirm that the device isn't already enrolled with another MDM provider.
3. Confirm that the device doesn't already have a management profile installed.
4. Confirm that Chrome for Android is the default browser and that cookies are enabled.
Android certificate issues
Issue: Users receive the following message on their device: You can't sign in because your device is missing a
required certificate.
Resolution 1:
The user might be able to retrieve the missing certificate by following the instructions in Your device is missing a
required certificate. If the error persists, try Resolution 2.
Resolution 2:
After entering their corporate credentials and getting redirected for federated login, users might still see the
missing certificate error. In this case, the error may mean that an intermediate certificate is missing from your
Active Directory Federation Services (AD FS) server.
The certificate error occurs because Android devices require intermediate certificates to be included in an SSL
Server hello. Currently, a default AD FS server or WAP - AD FS Proxy server installation sends only the AD FS
service SSL certificate in the SSL server hello response to an SSL Client hello.
To fix the issue, import the certificates into the computer's Personal certificate store on the AD FS server or proxies as
follows:
1. On the AD FS and proxy servers, right-click Start > Run > certlm.msc to launch the Local Machine Certificate
Management Console.
2. Expand Personal and choose Certificates.
3. Find the certificate for your AD FS service communication (a publicly signed certificate), and double-click to
view its properties.
4. Choose the Certification Path tab to see the certificate's parent certificate(s).
5. On each parent certificate, choose View Certificate.
6. Choose Details > Copy to file….
7. Follow the wizard prompts to export or save the public key of the parent certificate to the file location of your
choice.
8. Right-click Certificates > All Tasks > Import.
9. Follow the wizard prompts to import the parent certificate(s) to Local Computer\Personal\Certificates.
10. Restart the AD FS servers.
11. Repeat the above steps on all of your AD FS and proxy servers.
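The same import can be scripted. The following PowerShell is an added example and is not part of the Intune article or of Microsoft's tooling: it builds the certification path of the AD FS service communication certificate and copies each intermediate CA certificate it finds into Local Computer\Personal\Certificates, which is what steps 3 to 9 do by hand in certlm.msc. The thumbprint is a placeholder you replace with your own; the script assumes an elevated session on the AD FS server and uses only the built-in PKI cmdlets (Export-Certificate, Import-Certificate).

```powershell
# Added example (not from the Intune article). Scripts the manual certlm.msc steps:
# export each parent (intermediate CA) certificate of the AD FS service communication
# certificate and import it into Local Computer\Personal\Certificates.
# Run in an elevated PowerShell session on each AD FS server and each WAP proxy.

# Placeholder: replace with the thumbprint of your own AD FS service communication certificate.
$serviceCertThumbprint = '0000000000000000000000000000000000000000'

$serviceCert = Get-Item -Path "Cert:\LocalMachine\My\$serviceCertThumbprint"

# Build the certification path (the same chain the "Certification Path" tab shows).
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
if (-not $chain.Build($serviceCert)) {
    $status = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
    Write-Warning "Chain did not build cleanly: $status"
}

$elements = $chain.ChainElements
# Element 0 is the service certificate itself; the last element is the root CA, which belongs in
# Trusted Root Certification Authorities, not Personal. Everything in between is an intermediate CA.
for ($i = 1; $i -lt ($elements.Count - 1); $i++) {
    $parent = $elements[$i].Certificate
    if (Test-Path -Path "Cert:\LocalMachine\My\$($parent.Thumbprint)") {
        Write-Host "Already present in Personal: $($parent.Subject)"
        continue
    }
    # Export only the public certificate (DER .cer, no private key), then import it (steps 6 to 9).
    $cerPath = Join-Path -Path $env:TEMP -ChildPath "adfs-intermediate-$i.cer"
    Export-Certificate -Cert $parent -FilePath $cerPath -Type CERT | Out-Null
    Import-Certificate -FilePath $cerPath -CertStoreLocation 'Cert:\LocalMachine\My' | Out-Null
    Remove-Item -Path $cerPath
    Write-Host "Imported intermediate: $($parent.Subject)"
}

# Step 10: restart AD FS so the service sends the full chain in the TLS server hello.
# On a WAP proxy, restart the Web Application Proxy service instead.
Restart-Service -Name adfssrv
```

Build() follows the issuer chain through the machine's certificate stores and the AIA URLs in the certificates, so on an isolated server without internet access the intermediates may not be found; in that case import the .cer files obtained from your CA directly. After the restart, run the DigiCert check described below against the public FQDN to confirm that the intermediate is now served.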
To verify a proper certificate installation, you can use the diagnostics tool available on
https://www.digicert.com/help/. In the Server Address box, enter your AD FS server's FQDN (for example, sts.contoso.com)
and click Check Server.
To validate that the certificate installed correctly:
The following steps describe just one of many methods and tools that you can use to validate that the certificate
installed correctly.
1. Go to the free Digicert tool.
2. Enter your AD FS server's fully qualified domain name (for example, sts.contoso.com) and select CHECK
SERVER .
If the Server certificate is installed correctly, you see all check marks in the results. If the problem above exists, you
see a red X in the "Certificate Name Matches" and the "SSL Certificate is correctly Installed" sections of the report.
iOS/iPadOS issues
iOS/iPadOS enrollment errors
The following table lists errors that end users might see while enrolling iOS/iPadOS devices in Intune.
Error message: DeviceCapReached
Issue: Too many mobile devices are enrolled already.
Resolution: The user must remove one of their currently enrolled mobile devices from the Company Portal before enrolling another. See the instructions for the type of device you're using: Android, iOS/iPadOS, Windows.
Error message: APNSCertificateNotValid
Issue: There's a problem with the certificate that lets the mobile device communicate with your company's network.
Resolution: The Apple Push Notification Service (APNs) provides a channel to contact enrolled iOS/iPadOS devices. Enrollment will fail and this message will appear if:
The steps to get an APNs certificate weren't completed, or
The APNs certificate has expired.
Review the information about how to set up users in Sync Active Directory and add users to Intune and organizing users and devices.
Error message: AccountNotOnboarded
Issue: There's a problem with the certificate that lets the mobile device communicate with your company's network.
Resolution: The Apple Push Notification Service (APNs) provides a channel to contact enrolled iOS/iPadOS devices. Enrollment will fail and this message will appear if:
The steps to get an APNs certificate weren't completed, or
The APNs certificate has expired.
For more information, review Set up iOS/iPadOS and Mac management with Microsoft Intune.
Error message: DeviceTypeNotSupported
Issue: The user might have tried to enroll using a non-iOS device. The mobile device type that you're trying to enroll isn't supported.
Resolution: Make sure that your user's device is running iOS/iPadOS version 8.0 or later.
Error message: UserLicenseTypeInvalid
Issue: The device can't be enrolled because the user's account isn't yet a member of a required user group.
Resolution: Before users can enroll their devices, they must be members of the right user group. This message means that they have the wrong license type for the mobile device management authority. For example, they'll see this error if both of the following are true:
1. Intune has been set as the mobile device management authority
2. They're using a System Center 2012 R2 Configuration Manager license.
Review the following articles for more information:
Devices are inactive or the admin console can't communicate with them
Issue: iOS/iPadOS devices aren't checking in with the Intune service. Devices must check in periodically with the
service to maintain access to protected corporate resources. If devices don't check in:
They can't receive policy, apps, and remote commands from the Intune service.
They show a Management State of Unhealthy in the administrator console.
Users who are protected by Conditional Access policies might lose access to corporate resources.
Resolution: Share the following resolutions with your end users to help them regain access to corporate
resources.
When users start the iOS/iPadOS Company Portal app, it can tell if their device has lost contact with Intune. If it
detects that there's no contact, it automatically tries to sync with Intune to reconnect (users will see the Trying to
sync… message).
If the sync is successful, users see a Sync successful inline notification in the iOS/iPadOS Company Portal app,
indicating that the device is in a healthy state.
If the sync is unsuccessful, users see an Unable to sync inline notification in the iOS/iPadOS Company Portal app.
To fix the issue, users must select the Set up button, which is to the right of the Unable to sync notification. The
Set up button takes users to the Company Access Setup flow screen, where they can follow the prompts to enroll
their device.
Once enrolled, the devices return to a healthy state and regain access to company resources.
Verify WS-Trust 1.3 is enabled
Issue: Automated Device Enrollment (ADE) iOS/iPadOS devices can't be enrolled.
Enrolling ADE devices with user affinity requires the WS-Trust 1.3 Username/Mixed endpoint to be enabled to request
user tokens. Active Directory enables this endpoint by default. To get a list of enabled endpoints, use the
Get-AdfsEndpoint PowerShell cmdlet and look for the trust/13/UsernameMixed endpoint. For example:
Enrollment settings: Platform = iOS/iPadOS
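The endpoint check described above, as an added PowerShell example that is not part of the original guide: it looks up the WS-Trust 1.3 Username/Mixed endpoint with Get-AdfsEndpoint, reports whether it is enabled on the farm and published through the proxy, and enables it with Enable-AdfsEndpoint only when the -Fix switch is given. It assumes it runs on an AD FS server under an AD FS administrator account; the function name Test-WsTrust13UsernameMixed and the -Fix switch are this example's own, not part of the AD FS module.

```powershell
# Added example, not from the Intune guide: verify (and optionally enable) the
# WS-Trust 1.3 Username/Mixed endpoint that ADE user-affinity enrollment uses.
# Run on an AD FS server as an AD FS administrator; the ADFS module ships with the role.
Import-Module ADFS

function Test-WsTrust13UsernameMixed {
    [CmdletBinding()]
    param(
        # AddressPath identifies the endpoint independently of the federation
        # service name, whereas FullUrl differs from farm to farm.
        [string]$AddressPath = '/adfs/services/trust/13/usernamemixed',
        # Change configuration only when explicitly asked to (example's own switch).
        [switch]$Fix
    )

    $endpoint = Get-AdfsEndpoint | Where-Object { $_.AddressPath -eq $AddressPath }
    if (-not $endpoint) {
        Write-Warning "Get-AdfsEndpoint returned no endpoint with address path $AddressPath."
        return $false
    }

    # Enabled = served by the farm; Proxy = published through the Web Application Proxy.
    # A device enrolling from outside the corporate network reaches the endpoint via the proxy.
    Write-Verbose ('{0}: Enabled={1} Proxy={2}' -f $endpoint.AddressPath, $endpoint.Enabled, $endpoint.Proxy)

    if ($endpoint.Enabled) { return $true }

    if ($Fix) {
        Enable-AdfsEndpoint -TargetAddressPath $AddressPath
        # Endpoint configuration is read at service start; this restarts only the
        # local node, so repeat the restart on every other node in the farm.
        Restart-Service -Name adfssrv
        return $true
    }

    Write-Warning "Endpoint is disabled. Re-run with -Fix, or run: Enable-AdfsEndpoint -TargetAddressPath $AddressPath"
    return $false
}

# Report only; add -Fix to enable a disabled endpoint.
Test-WsTrust13UsernameMixed -Verbose
```

Run it first without -Fix so that a disabled endpoint is reported rather than silently changed; a disabled Username/Mixed endpoint is sometimes a deliberate hardening choice, and re-enabling it should be a recorded decision.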
macOS issues
macOS enrollment errors
Error message 1: It looks like you're using a virtual machine. Make sure you've fully configured your virtual
machine, including serial number and hardware model. If this isn't a virtual machine, please contact support.
Error message 2: We're having trouble getting your device managed. This problem could be caused if you're
using a virtual machine, have a restricted serial number, or if this device is already assigned to someone else. Learn
how to resolve these problems or contact your company support.
Issue: This message could be a result of any of the following reasons:
A macOS virtual machine (VM) isn't configured correctly
You've enabled device restrictions that require the device to be corporate-owned or have a registered device
serial number in Intune
The device has already been enrolled and is still assigned to someone else in Intune
Resolution: First, check with your user to determine which of the issues affects their device. Then complete the
most relevant of the following solutions:
If the user is enrolling a VM for testing, make sure it's been fully configured so that Intune can recognize its
serial number and hardware model. Learn more about how to set up VMs in Intune.
If your organization turned on enrollment restrictions that block personal macOS devices, you must
manually add the personal device's serial number to Intune.
If the device is still assigned to another user in Intune, its former owner did not use the Company Portal app
to remove or reset it. To clean up the stale device record from Intune:
1. In the Microsoft Endpoint Manager admin center, sign in with your administrative credentials.
2. Choose Devices > All devices.
3. Find the device with the enrollment problem. Search by device name or MAC/HW Address to narrow
your results.
4. Select the device > Delete. Delete all other entries associated with the device.
PC Issues
Error message: IT admin needs to assign license for access. Your IT admin hasn't given you access to use this app. Get help from your IT admin or try again later.
Issue: The device can't be enrolled because the user's account doesn't have the necessary license.
Resolution: Before users can enroll their devices, they must have been assigned the necessary license. This message means that they have the wrong license type for the mobile device management authority. For example, they'll see this error if both of the following are true:
1. Intune has been set as the mobile device management authority
2. They're using a System Center 2012 R2 Configuration Manager license.
See information about how to assign Intune licenses to your user accounts.
IMPORTANT
This section, method, or task contains steps that tell you how to modify the registry. However, serious problems
might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For
added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs.
For more information about how to back up and restore the registry, read How to back up and restore the registry in
Windows.
General enrollment Error codes
Error code: 0x80CF0437
Possible problem: The clock on the client computer isn't set to the correct time.
Suggested resolution: Make sure that the clock and the time zone on the client computer are set to the correct time and time zone.
Error code: 0x80240438, 0x80CF0438, 0x80CF402C
Possible problem: Can't connect to the Intune service. Check the client proxy settings.
Suggested resolution: Verify that Intune supports the proxy configuration on the client computer. Verify that the client computer has Internet access.
Error code: 0x80240438, 0x80CF0438
Possible problem: Proxy settings in Internet Explorer and Local System aren't configured.
Suggested resolution: Can't connect to the Intune service. Check the client proxy settings. Verify that Intune supports the proxy configuration on the client computer. Verify that the client computer has Internet access.
Error code: 0x80043001, 0x80CF3001, 0x80043004, 0x80CF3004
Possible problem: Enrollment package is out of date.
Suggested resolution: Download and install the current client software package from the Administration workspace.
Error code: 0x80043002, 0x80CF3002
Possible problem: Account is in maintenance mode.
Suggested resolution: You can't enroll new client computers when the account is in maintenance mode. To view your account settings, sign in to your account.
Error code: 0x80043005, 0x80CF3005
Possible problem: The client computer has been retired.
Suggested resolution: Wait a few hours, remove any older versions of the client software from the computer, and then retry the client software installation.
Error code: 0x80043006, 0x80CF3006
Possible problem: The maximum number of seats allowed for the account has been reached.
Suggested resolution: Your organization must buy additional seats before you can enroll more client computers in the service.
Error code: 0x80043007, 0x80CF3007
Possible problem: Couldn't find the certificate file in the same folder as the installer program.
Suggested resolution: Extract all files before you start the installation. Do not rename or move any of the extracted files: all files must exist in the same folder or the installation will fail.
Error code: 0x8024D015, 0x00240005, 0x80070BC2, 0x80070BC9, 0x80CFD015
Possible problem: The software can't be installed because a restart of the client computer is pending.
Suggested resolution: Restart the computer and then retry the client software installation.
Error code: 0x80070032
Possible problem: One or more prerequisites for installing the client software weren't found on the client computer.
Suggested resolution: Make sure that all required updates are installed on the client computer and then retry the client software installation.
Error code: 0x80043008, 0x80CF3008
Possible problem: Failed to start the Microsoft Online Management Updates service.
Suggested resolution: Contact Microsoft Support as described in How to get support for Microsoft Intune.
Error code: 0x80043009, 0x80CF3009
Possible problem: The client computer is already enrolled into the service.
Suggested resolution: You must retire the client computer before you can re-enroll it in the service.
Error code: 0x8004300B, 0x80CF300B
Possible problem: The client software installation package can't run because the version of Windows that is running on the client isn't supported.
Suggested resolution: Intune doesn't support the version of Windows that is running on the client computer.
Error code: 0xAB2
Possible problem: The Windows Installer couldn't access VBScript run time for a custom action.
Suggested resolution: This error is caused by a custom action that is based on Dynamic-Link Libraries (DLLs). When troubleshooting the DLL, you might have to use the tools that are described in Microsoft Support KB198038: Useful Tools for Package and Deployment Issues.
Error code: 0x80cf0440
Possible problem: The connection to the service endpoint terminated.
Suggested resolution: Trial or paid account is suspended. Create a new trial or paid account and re-enroll.
Next steps
If this troubleshooting information didn't help you, contact Microsoft Support as described in How to get support
for Microsoft Intune.
Troubleshoot iOS/iPadOS device enrollment problems
in Microsoft Intune
9/4/2020 • 7 minutes to read
This article helps Intune administrators understand and troubleshoot problems when enrolling iOS/iPadOS devices
in Intune.
Prerequisites
Before you start troubleshooting, it's important to collect some basic information. This information can help you
better understand the problem and reduce the time to find a resolution.
Collect the following information about the problem:
What is the exact error message?
Where do you see the error message?
When did the problem start? Has enrollment ever worked?
What platform (Android, iOS/iPadOS, Windows) has the problem?
How many users are affected? Are all users affected or just some?
How many devices are affected? Are all devices affected or just some?
What is the MDM authority?
How is enrollment being performed? Is it "Bring your own device" (BYOD) or Apple Automated Device
Enrollment (ADE) with enrollment profiles?
Error messages
Profile Installation Failed. A Network Error Has Occurred.
Cause: There's an unspecified problem with iOS/iPadOS on the device.
Resolution
1. To prevent data loss in the following steps (restoring iOS/iPadOS deletes all data on the device), make sure to
back up your data.
2. Put the device in recovery mode and then restore it. Make sure that you set it up as a new device. For more
information about how to restore iOS/iPadOS devices, see https://support.apple.com/HT201263.
3. Re-enroll the device.
Profile Installation Failed. Connection to the server could not be established.
Cause: Your Intune tenant is configured to only allow corporate-owned devices.
Resolution
1. Sign in to the Azure portal.
2. Select More Services, search for Intune, and then select Intune.
3. Select Device enrollment > Enrollment restrictions.
4. Under Device Type Restrictions, select the restriction that you want to set > Properties > Select platforms
> select Allow for iOS, and then click OK.
5. Select Configure platforms, select Allow for personally owned iOS/iPadOS devices, and then click OK.
6. Re-enroll the device.
Cause: You enroll a device that was previously enrolled with a different user account, and the previous user was
not appropriately removed from Intune.
Resolution
1. Cancel any current profile installation.
2. Open https://portal.manage.microsoft.com in Safari.
3. Re-enroll the device.
NOTE
If enrollment still fails, remove cookies in Safari (don't block cookies), then re-enroll the device.
NOTE
This error can also occur if the user is attempting to enroll more devices than device enrollment is configured to allow. Follow
the resolution steps for Device Cap Reached below if these steps do not resolve the issue.
2. In the Microsoft Endpoint Manager admin center, choose Devices > Enrollment restrictions > check the
device enrollment limit. By default, the limit is set to 15.
3. If the number of devices enrolled has reached the limit, remove unnecessary devices, or increase the device
enrollment limit. Because every enrolled device consumes an Intune license, we recommend that you always
remove unnecessary devices first.
4. Re-enroll the device.
Workplace Join failed
Cause: The Company Portal app is out of date or corrupted.
Resolution
1. Remove the Company Portal app from the device.
2. Download and install the Microsoft Intune Company Portal app from the App Store.
3. Re-enroll the device.
User License Type Invalid
Cause: The user who is trying to enroll the device does not have a valid Intune license.
Resolution
1. Go to the Microsoft 365 admin center, and then choose Users > Active Users.
2. Select the affected user account > Product licenses > Edit.
3. Verify that a valid Intune license is assigned to this user.
4. Re-enroll the device.
User Name Not Recognized. This user account is not authorized to use Microsoft Intune. Contact your system
administrator if you think you have received this message in error.
Cause: The user who is trying to enroll the device does not have a valid Intune license.
1. Go to the Microsoft 365 admin center, and then choose Users > Active Users.
2. Select the affected user account, and then choose Product licenses > Edit.
3. Verify that a valid Intune license is assigned to this user.
4. Re-enroll the device.
Profile Installation Failed. The new MDM payload does not match the old payload.
Cause: A management profile is already installed on the device.
Resolution
1. Open Settings on the iOS/iPadOS device > General > Device Management.
2. Tap the existing management profile, and tap Remove Management.
3. Re-enroll the device.
NoEnrollmentPolicy
Cause: The Apple Push Notification Service (APNs) certificate is missing, invalid, or expired.
Resolution
Verify that a valid APNs certificate is added to Intune. For more information, see Set up iOS/iPadOS enrollment.
AccountNotOnboarded
Cause: There's a problem with the Apple Push Notification service (APNs) certificate configured in Intune.
Resolution
Renew the APNs certificate, and then re-enroll the device.
IMPORTANT
Make sure that you renew the APNs certificate. Don't replace the APNs certificate. If you replace the certificate, you have to
re-enroll all iOS/iPadOS devices in Intune.
To renew the APNs certificate in Intune standalone, see Renew Apple MDM push certificate.
To renew the APNs certificate in Microsoft 365, see Create an APNs Certificate for iOS/iPadOS devices.
XPC_TYPE_ERROR Connection invalid
When you turn on an ADE-managed device that is assigned an enrollment profile, enrollment fails, and you receive
the following error message:
mobileassetd[83] <Notice>: 0x1a49aebc0 Client connection: XPC_TYPE_ERROR Connection invalid <error:
0x1a49aebc0> { count = 1, transaction: 0, voucher = 0x0, contents = "XPCErrorDescription" => <string:
0x1a49aee18> { length = 18, contents = "Connection invalid" } }
iPhone mobileassetd[83] <Notice>: Client connection invalid (Connection invalid); terminating connection
iPhone com.apple.accessibility.AccessibilityUIServer(MobileAsset)[288] <Notice>: [MobileAssetError:29] Unable
to copy asset information from https://mesu.apple.com/assets/ for asset type
com.apple.MobileAsset.VoiceServices.CombinedVocalizerVoices
iPhone mobileassetd[83] <Notice>: 0x1a49aebc0 Client connection: XPC_TYPE_ERROR Connection invalid <error:
0x1a49aebc0> { count = 1, transaction: 0, voucher = 0x0, contents = "XPCErrorDescription" => <string:
0x1a49aee18> { length = 18, contents = "Connection invalid" }
Cause: There's a connection issue between the device and the Apple ADE service.
Resolution
Fix the connection issue, or use a different network connection to enroll the device. You may also have to contact
Apple if the issue persists.
Other issues
ADE enrollment doesn't start
When you turn on an ADE-managed device that is assigned an enrollment profile, the Intune enrollment process isn't
initiated.
Cause: The enrollment profile is created before the ADE token is uploaded to Intune.
Resolution
1. Edit the enrollment profile. You can make any change to the profile. The purpose is to update the modification
time of the profile.
2. Synchronize ADE-managed devices: In the Microsoft Endpoint Manager admin center, choose Devices > iOS >
iOS enrollment > Enrollment program tokens > choose a token > Sync now. A sync request is sent to
Apple.
ADE enrollment stuck at user login
When you turn on an ADE-managed device that is assigned an enrollment profile, the initial setup sticks after you
enter credentials.
Cause: Multi-factor authentication (MFA) is enabled. Currently, MFA doesn't work during enrollment on ADE
devices.
Resolution
Disable MFA, and then re-enroll the device.
Authentication doesn’t redirect to the government cloud
Government users signing in from another device are redirected to the public cloud for authentication rather than
the government cloud.
Cause: Azure AD does not yet support redirecting to the government cloud when signing in from another device.
Resolution
Use the iOS Company Portal Cloud setting in the Settings app to redirect government users’ authentication
towards the government cloud. By default, the Cloud setting is set to Automatic and Company Portal directs
authentication towards the cloud that is automatically detected by the device (such as Public or Government).
Government users who are signing in from another device will need to manually select the government cloud for
authentication.
Open the Settings app and select Company Portal. In the Company Portal settings, select Cloud. Set the Cloud to
Government.
Next steps
Troubleshoot device enrollment in Intune
Ask a question on the Intune forum
Check the Microsoft Intune Support Team Blog
Check the Microsoft Enterprise Mobility and Security Blog
Troubleshoot Windows device enrollment problems in
Microsoft Intune
9/4/2020 • 15 minutes to read
This article helps Intune administrators understand and troubleshoot problems when enrolling Windows devices in
Intune.
Prerequisites
Before you start troubleshooting, it's important to collect some basic information. This information can help you
better understand the problem and reduce the time to find a resolution.
Collect the following information about the problem:
Is a valid Intune license assigned to the user? Before users can enroll their devices, they must have the necessary
license assigned.
Is the latest update installed on the Windows device? Some features in Intune only work with the latest version
of Windows. There are many fixes for known issues available through Windows Update. Applying all the latest
updates often fixes a Windows device enrollment problem.
What is the exact error message?
Where do you see the error message?
When did the problem start? Has enrollment ever worked?
What platform (Android, iOS/iPadOS, Windows) has the problem?
How many users are affected? Are all users affected or just some?
How many devices are affected? Are all devices affected or just some?
What is the MDM authority?
How is enrollment being performed? Is it "Bring your own device" (BYOD) or Apple Automated Device
Enrollment (ADE) with enrollment profiles?
Error messages
This user is not authorized to enroll.
Error 0x801c003: "This user is not authorized to enroll. You can try to do this again or contact your system
administrator with the error code (0x801c0003)." Error 80180003: "Something went wrong. This user is not
authorized to enroll. You can try to do this again or contact your system administrator with error code 80180003."
Cause: Any of the following conditions:
The user has already enrolled the maximum number of devices allowed in Intune.
The device is blocked by the device type restrictions.
The computer is running Windows 10 Home. However, enrolling in Intune or joining Azure AD is only supported
on Windows 10 Pro and higher editions.
Resolution
There are several possible solutions to this issue:
Remove devices that were enrolled
NOTE
This method increases the device enrollment limit for all users, not just the affected user.
1. Sign in to the Microsoft Endpoint Manager admin center with a global administrator account.
2. Go to Devices > Enrollment restrictions, and then select the Default restriction under Device Type
Restrictions.
3. Select Platforms, and then select Allow for Windows (MDM).
IMPORTANT
If the current setting is already Allow, change it to Block, save the setting, and then change it back to Allow and
save the setting again. This resets the enrollment setting.
4. Wait for approximately 15 minutes, and then enroll the affected device again.
Upgrade Windows 10 Home
1. Sign out of Windows, then sign in by using the other account that has enrolled or joined the device.
2. Go to Settings > Accounts > Work Access, then remove the work or school account.
3. Sign out of Windows, then sign in by using your account.
4. Enroll the device in Intune or join the device to Azure AD.
This account is not allowed on this phone.
Error: "This account is not allowed on this phone. Make sure the information you provided is correct, and then try
again or request support from your company."
Cause: The user who tried to enroll the device doesn't have a valid Intune license.
Resolution
Assign a valid Intune license to the user, and then enroll the device.
Looks like the MDM Terms of Use endpoint is not correctly configured.
Cause: One of the following conditions is true:
You use both Mobile Device Management (MDM) for Microsoft 365 and Intune on the tenant, and the user who
tries to enroll the device doesn't have a valid Intune license or an Office 365 license.
The MDM terms and conditions in Azure AD are blank or don't contain the correct URL.
Resolution
To fix this issue, use one of the following methods:
Assign a valid license to the user
Go to the Microsoft 365 Admin Center, and then assign either an Intune or a Microsoft 365 license to the user.
Correct the MDM terms of use URL
1. Sign in to the Azure portal, and then select Azure Active Directory.
2. Select Mobility (MDM and MAM), and then click Microsoft Intune.
3. Select Restore default MDM URLs, and verify that the MDM terms of use URL is set to
https://portal.manage.microsoft.com/TermsofUse.aspx.
4. Choose Save.
Something went wrong.
Error 80180026: "Something went wrong. Confirm you are using the correct sign-in information and that your
organization uses this feature. You can try to do this again or contact your system administrator with the error code
80180026."
Cause: This error can occur when you try to join a Windows 10 computer to Azure AD and both of the following
conditions are true:
MDM automatic enrollment is enabled in Azure.
The Intune PC client (Intune PC agent) is installed on the Windows 10 computer.
Resolution
Use one of the following methods to address this issue:
Disable MDM automatic enrollment in Azure.
Import-Module ADSync
Start-ADSyncSyncCycle -PolicyType Delta
Cause: The targeted Windows device doesn't meet either of the following requirements:
The device must have a physical TPM 2.0 chip. Devices with virtual TPMs (for example, Hyper-V VMs) or TPM 1.2
chips don't work with self-deploying mode.
The device must be running one of the following versions of Windows:
Windows 10 build 1709 or a later version.
If Hybrid Azure AD Join is used, Windows 10 build 1809 or a later version.
Resolution
Make sure that the targeted device meets both requirements that are described in the Cause section.
For more information about how to deploy a Windows device in kiosk mode with Autopilot, see Deploying a kiosk
using Windows Autopilot.
Something went wrong. Error Code 80070774.
Error 0x80070774: Something went wrong. Confirm you are using the correct sign-in information and that your
organization uses this feature. You can try to do this again or contact your system administrator with the error code
80070774.
This issue typically occurs before the device is restarted in a Hybrid Azure AD Autopilot scenario, when the device
times out during the initial Sign in screen. It means that the domain controller can't be found or successfully
reached because of connectivity issues. Or that the device has entered a state which can't join the domain.
Cause: The most common cause is that Hybrid Azure AD Join is being used and the Assign user feature is
configured in the Autopilot profile. Using the Assign user feature performs an Azure AD join on the device during
the initial sign-in screen which puts the device in a state where it can't join your on-premises domain. Therefore,
the Assign user feature should only be used in standard Azure AD Join Autopilot scenarios. The feature should be
not used in Hybrid Azure AD Join scenarios.
Another possible cause for this error is that the Autopilot object's associated AzureAD device has been deleted. To
resolve this, delete the Autopilot object and reimport the hash to generate a new one.
Resolution
1. In the Microsoft Endpoint Manager admin center, choose Devices > Windows > Windows devices.
2. Select the device which is experiencing the issue > click the ellipsis (…) on the rightmost side.
3. Select Unassign user and wait for the process to finish.
4. Verify that the Hybrid Azure AD Autopilot profile is assigned before re-attempting OOBE.
Second resolution
If the issue persists, on the server that hosts the Offline Domain Join Intune Connector, check to see if Event ID
30312 is logged within the ODJ Connector Service log. Event 30312 resembles the following:
This issue is usually caused by incorrectly delegating permissions to the organizational unit where the Windows
Autopilot devices are created. For more information, see Increase the computer account limit in the Organizational
Unit.
1. Open Active Directory Users and Computers (DSA.msc).
2. Right-click the organizational unit that you will use to create hybrid Azure AD-joined computers > Delegate
Control.
3. In the Delegation of Control wizard, select Next > Add > Object Types.
4. In the Object Types pane, select the Computers check box > OK.
5. In the Select Users, Computers, or Groups pane, in the Enter the object names to select box, enter the
name of the computer where the Connector is installed.
6. Select Check Names to validate your entry > OK > Next.
7. Select Create a custom task to delegate > Next.
8. Select the Only the following objects in the folder check box, and then select the Computer objects,
Create selected objects in this folder, and Delete selected objects in this folder check boxes.
9. Select Next.
10. Under Permissions, select the Full Control check box. This action selects all the other options.
11. Select Next > Finish.
The Enrollment Status Page times out before the sign-in screen
Cause: This issue can arise if all the following conditions are true:
You're using the Enrollment Status Page to track Microsoft Store for Business apps.
You have an Azure AD Conditional Access policy that uses the require a device to be marked as compliant control.
The policy applies to All Cloud apps and Windows.
Resolution:
Try either of the following:
Target your Intune compliance policies to devices. Make sure that compliance can be determined before the user
logs on.
Use offline licensing for store apps. This way, the Windows client doesn't have to check with the Microsoft Store
before determining device compliance.
Next steps
Troubleshoot device enrollment in Intune
Ask a question on the Intune forum
Check the Microsoft Intune Support Team Blog
Check the Microsoft Enterprise Mobility and Security Blog
Get support for Microsoft Intune
Find co-management enrollment errors
Troubleshoot Windows 10 group policy-based auto-
enrollment in Intune
9/4/2020 • 3 minutes to read
You can use group policy to trigger auto-enrollment to MDM for Active Directory (AD) domain-joined devices. For
more information on this feature, see Enroll a Windows 10 device automatically using Group Policy.
Verify that auto-enrollment is enabled for all users who will enroll the devices in Intune. For more
information, see Azure AD and Microsoft Intune: Automatic MDM enrollment in the new Portal.
Verify that MDM user scope is set to All to allow all users to enroll a device in Intune.
Verify that MAM User scope is set to None. Otherwise, this setting will have precedence over the MDM
scope and cause issues.
Verify that MDM discovery URL is set to
https://enrollment.manage.microsoft.com/enrollmentserver/discovery.
Verify that the device is running Windows 10, version 1709 or a later version.
Verify that the devices are set to hybrid Azure AD joined. This setting means that the devices are both
domain-joined and Azure AD-joined.
To verify the settings, run dsregcmd /status at the command line. Then, verify the following status values
in the output:
Device State
AzureAdJoined: YES
DomainJoined: YES
SSO State
AzureAdPrt: YES
You can find this same information in the list of Azure AD-joined devices:
Both Microsoft Intune and Microsoft Intune Enrollment might be listed under Mobility (MDM and
MAM) in the Azure AD blade. If both are present, make sure that you configure the auto-enrollment settings
under Microsoft Intune.
Verify that the following Group Policy policy setting is successfully deployed to all devices that should be
enrolled in Intune:
Computer Configuration > Policies > Administrative Templates > Windows Components > MDM
> Enable automatic MDM enrollment using default Azure AD credentials
You can contact your domain administrators to verify that the Group Policy policy setting is deployed
successfully.
Make sure that the device isn't enrolled in Intune by using the classic PC agent.
Verify the following settings in Azure AD and Intune:
In Azure AD Device settings:
The Users may join devices to Azure AD setting is set to All.
The number of devices that a user has in Azure AD doesn't exceed the Maximum number of devices
per user quota.
In Intune enrollment restrictions:
Enrollment of Windows devices is allowed.
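The dsregcmd /status check from the list above, as an added PowerShell example that is not part of the original guide: it parses the "Key : Value" lines that dsregcmd prints and confirms that AzureAdJoined, DomainJoined and AzureAdPrt are all YES. It additionally assumes that dsregcmd prints an MdmUrl line for an Azure AD-joined device and compares that against the MDM discovery URL the guide names; the function names ConvertFrom-DsregStatus and Test-AutoEnrollPrerequisites are this example's own.

```powershell
# Added example, not from the Intune guide: check the hybrid-join state that
# group policy-based auto-enrollment depends on, by parsing dsregcmd /status.

function ConvertFrom-DsregStatus {
    param([string[]]$Lines)
    # dsregcmd prints "      Key : Value" lines under section headers such as
    # "Device State" and "SSO State". Headers have no " : " separator and are
    # skipped; only the first separator is matched, so URL values keep their colons.
    $status = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*([A-Za-z0-9]+(?: [A-Za-z0-9]+)*)\s*:\s*(.*?)\s*$') {
            $status[$Matches[1]] = $Matches[2]
        }
    }
    return $status
}

function Test-AutoEnrollPrerequisites {
    param(
        [hashtable]$Status,
        # Discovery URL from the guide; compared as a prefix because dsregcmd may
        # show it with a trailing path segment (assumption).
        [string]$ExpectedMdmUrlPrefix = 'https://enrollment.manage.microsoft.com/enrollmentserver/discovery'
    )
    $ok = $true
    # The three values the guide asks you to verify in Device State and SSO State.
    foreach ($key in 'AzureAdJoined', 'DomainJoined', 'AzureAdPrt') {
        if ($Status[$key] -ne 'YES') {
            Write-Warning ("{0} = '{1}' (expected YES)" -f $key, $Status[$key])
            $ok = $false
        }
    }
    # Assumption: dsregcmd reports the tenant's MDM discovery URL as MdmUrl.
    if ($Status.ContainsKey('MdmUrl') -and $Status['MdmUrl'] -notlike "$ExpectedMdmUrlPrefix*") {
        Write-Warning ("MdmUrl = '{0}' does not point at the Intune discovery endpoint" -f $Status['MdmUrl'])
        $ok = $false
    }
    return $ok
}

# Run as the signed-in user in a non-elevated session: the SSO State section,
# and with it AzureAdPrt, describes the user account running the command.
$status = ConvertFrom-DsregStatus -Lines (dsregcmd /status)
if (Test-AutoEnrollPrerequisites -Status $status) {
    'Device is domain-joined, Azure AD-joined and holds a PRT; auto-enrollment prerequisites met.'
}
```

A NO for DomainJoined or AzureAdJoined means the device is not hybrid joined and the MDM enrollment task will never obtain a token; a NO for AzureAdPrt alone usually points at a sign-in or connectivity problem for that user rather than at the device registration.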
Troubleshooting
If the issue persists, examine the MDM logs on the device in the following location in Event Viewer:
Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostic-Provider > Admin
Look for Event ID 75 (Event message "Auto MDM Enroll: Succeeded"). This event indicates that the auto-enrollment
succeeded.
Event ID 75 isn't logged in the following situations:
The enrollment fails.
To verify this error, look for Event ID 76 (Event message: Auto MDM Enroll: Failed (Unknown Win32 Error
code: 0x8018002b)). This event indicates a failed auto-enrollment.
For a resolution to this error, see Troubleshooting Windows device enrollment problems in Microsoft Intune.
The enrollment wasn't triggered at all. In this case, event ID 75 and event ID 76 aren't logged.
The auto-enrollment process is triggered by the "Schedule created by enrollment client for
automatically enrolling in MDM from AAD" task that's located under Microsoft > Windows >
EnterpriseMgmt in Task Scheduler.
This task is created when the Enable automatic MDM enrollment using default Azure AD
credentials Group Policy policy setting is successfully deployed to the target device. The task is scheduled
to run every 5 minutes during 1 day.
To verify that the task is started, check the task scheduler event logs under the following location in Event
Viewer:
Applications and Services Logs > Microsoft > Windows > Task Scheduler > Operational
When the task is triggered on the scheduler, Event ID 107 is logged.
When the task is completed, Event ID 102 is logged. The event is logged whether or not auto enrollment
succeeds.
NOTE
You can use the task scheduler log to check whether auto-enrollment is triggered. However, you can't use the log to
determine whether auto-enrollment succeeded.
The following situation may cause the Schedule created by enrollment client for automatically enrolling in
MDM from AAD task not to be started:
The device is already enrolled in another MDM solution. In this case, Event ID 7016 together with
error code 2149056522 is logged in the Applications and Services Logs > Microsoft >
Windows > Task Scheduler > Operational event log.
To fix this issue, unenroll the device from the MDM.
A Group Policy issue exists. In this case, force an update of Group Policy settings by running the
following command:
gpupdate /force
If the issue persists, do additional troubleshooting in Active Directory.
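The event-log triage described in this Troubleshooting section, as an added PowerShell example that is not part of the original guide: it reads the two Event Viewer logs the guide names, checks for the enrollment task in Task Scheduler, and maps what it finds to the guide's three situations (succeeded, failed, or never triggered, including the already-enrolled-elsewhere case). It assumes the channel names given below for those two logs, that the task lives under the \Microsoft\Windows\EnterpriseMgmt\ path, and that the Task Scheduler event text contains the task path and return code; Get-AutoEnrollVerdict and Get-EventsOrEmpty are this example's own names. Run it in an elevated session on the affected device.

```powershell
# Added example, not from the Intune guide: classify a device's auto-enrollment
# state from the event IDs the guide lists. Assumed channel names (as shown in
# Event Viewer for the two logs the guide names):
$MdmLogName  = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
$TaskLogName = 'Microsoft-Windows-TaskScheduler/Operational'

function Get-EventsOrEmpty {
    param([string]$LogName, [int[]]$Id, [int]$MaxEvents = 50)
    # Get-WinEvent throws instead of returning nothing when no event matches,
    # so an empty result is turned into an empty array here.
    try { @(Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = $Id } -MaxEvents $MaxEvents -ErrorAction Stop) }
    catch { @() }
}

function Get-AutoEnrollVerdict {
    param([object[]]$MdmEvents, [object[]]$TaskEvents, [bool]$TaskExists)
    # Decision order follows the guide: 75 = succeeded; 76 = attempted and failed;
    # otherwise decide from the scheduled task whether enrollment was triggered at all.
    if ($MdmEvents | Where-Object Id -eq 75) { return 'Succeeded (Event 75)' }
    if ($MdmEvents | Where-Object Id -eq 76) { return 'Failed (Event 76): see Troubleshoot Windows device enrollment problems' }
    # 7016 with return code 2149056522 = device already enrolled in another MDM.
    if ($TaskEvents | Where-Object { $_.Id -eq 7016 -and $_.Message -like '*2149056522*' }) {
        return 'Blocked: device is enrolled in another MDM; unenroll it first'
    }
    # 107 = task triggered, 102 = task completed (logged whether or not enrollment succeeded).
    $enrollTaskEvents = $TaskEvents | Where-Object { $_.Message -like '*EnterpriseMgmt*' -and $_.Id -in 107, 102 }
    if ($enrollTaskEvents) { return 'Triggered but no Event 75/76 yet; re-check after the next 5-minute run' }
    if (-not $TaskExists) { return 'Not triggered: enrollment task missing; refresh Group Policy (gpupdate /force)' }
    return 'Not triggered: task exists but has not run; check Task Scheduler'
}

# Task Scheduler shows the task under \Microsoft\Windows\EnterpriseMgmt\<GUID>\ (assumed path).
$enrollTask = Get-ScheduledTask | Where-Object {
    $_.TaskPath -like '\Microsoft\Windows\EnterpriseMgmt\*' -and
    $_.TaskName -like 'Schedule created by enrollment client*'
}
$mdmEvents  = @(Get-EventsOrEmpty -LogName $MdmLogName  -Id 75, 76)
$taskEvents = @(Get-EventsOrEmpty -LogName $TaskLogName -Id 102, 107, 7016 -MaxEvents 500)
Get-AutoEnrollVerdict -MdmEvents $mdmEvents -TaskEvents $taskEvents -TaskExists ([bool]$enrollTask)
```

Because the Task Scheduler log records every task on the machine, the 102/107 check filters on the EnterpriseMgmt path in the message text; widen -MaxEvents if the device is busy enough that the enrollment task's entries have scrolled past the first 500.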
Next steps
Troubleshoot Windows device enrollment
Troubleshoot Android Enterprise device problems in Microsoft Intune
9/4/2020
This article helps Intune administrators understand and troubleshoot problems with Android Enterprise devices in
Intune.
Device management
File path Internal storage/Android/Data.com.microsoft.windowsintune.companyportal/files missing on work
profile enrolled devices
Answer: This is expected behavior. This path is only created for the Device Admin (Legacy Android Enrollment)
scenario.
To collect Company Portal logs, follow these steps:
1. In the Company Portal app with the badge, tap Menu > Help > Email Support, and then tap Send Email &
Upload logs.
2. When you're prompted with Send help request with, select one of the email apps.
3. An email is generated to your IT admin with an incident ID that can be provided to Microsoft product support.
Managed Google Play Last Sync time hasn't been updated in days
This is expected behavior. The sync is only triggered when you start it manually.
Encryption is required when a device is enrolled. Can it be turned off?
No, Google requires that the device be encrypted to create a work profile.
Samsung devices are blocking the use of third-party keyboards like SwiftKey
Samsung began enforcing this restriction on Android 8.0+ devices. Microsoft is currently working with Samsung
on this issue and will post new information when it's available.
Remote actions
Wipe (Factory Reset) option isn't available for work profile enrolled device
This is expected behavior. In the work profile scenario, the MDM provider doesn't have full control over the device.
The only option available is Retire (Remove Company Data), which removes the whole work profile and all its
contents.
Wipe is supported for Android Enterprise corporate-owned with work profile devices.
Is device passcode reset supported?
For work profile enrolled devices, you can only reset the work profile passcode on Android 8.0 or later devices
when:
the work profile passcode is managed, and
the end user has allowed you to reset it.
For dedicated devices (COSU) and fully managed devices, device passcode reset is supported.
Next steps
Troubleshoot device enrollment in Intune
Ask a question on the Intune forum
Check the Microsoft Intune Support Team Blog
Check the Microsoft Enterprise Mobility and Security Blog