Enroll Intune
To use Microsoft Intune as your mobile device management (MDM) provider, you must enroll devices in Intune
using a supported enrollment method. Enrollment sets up and secures the device so that it aligns with your
organization's policies and is suitable for use at work or school. Intune deploys and enforces policies through a
management profile, which is installed on the device during enrollment. Enrollment is enabled for all platforms
by default.
Microsoft Intune supports Android, macOS, iOS, and Windows devices. Some enrollment methods require you,
as the IT administrator, to initiate enrollment while other methods require your employees or students to initiate
it. This article provides an overview of the types of devices and enrollment methods that Intune supports.
NOTE
Intune marks devices that are Azure AD-registered as personally-owned devices.
For more information about the iOS/iPadOS enrollment methods supported in Intune, see Enroll iOS/iPadOS
devices.
macOS enrollment methods
You can use the following methods to enroll macOS devices in Intune:
Bring-your-own-device (BYOD)
Device enrollment manager
Apple Automated Device Enrollment
For more information about the macOS enrollment methods supported in Intune, see Set up enrollment for
macOS devices.
Windows enrollment methods
You can use the following methods to enroll Windows devices in Intune:
Bring-your-own-device (BYOD)
Device enrollment manager
Automatic enrollment via MDM
Automatic enrollment via Group Policy
Windows Autopilot
Bulk enrollment
Co-management with Microsoft Intune and Configuration Manager
For more information about the Windows enrollment methods supported in Intune, see Enrollment methods for
Windows devices.
Android enrollment methods
To select the appropriate enrollment method for Android devices, consider the enrollment type you'll use and
the device's ownership status (personal versus corporate-owned). For more information about the Android
enrollment methods supported in Intune, see Enroll Android devices.
Personal Android devices
You can set up user-initiated enrollment for people who want to use their personal devices at work or school.
Employees and students initiate enrollment by signing into the Company Portal app with their work or school
account.
Intune supports the following device management configurations on personal devices:
Android Device Administrator (also referred to as Android Device Admin)
Android Enterprise with work profile
In the table, this data is shown in the Enrollment type column.
Table columns: Enrollment type; Enrollment method; Reset required; User affinity; MDM profile removable. (The table's rows were not preserved in this extraction.)
Next steps
You can adjust the settings in Intune to restrict specific platforms from enrolling. For more information, see
Create a device platform restriction.
Enrolled device management capabilities of
Microsoft Intune
9/23/2022 • 4 minutes to read
Microsoft Intune lets you manage a range of devices by enrolling them into the service. You can enroll some
device types yourself, or users can enroll using the company portal app. Enrolling lets them browse and install
apps, make sure that their devices are compliant with company policies, and contact their IT support.
This article gives a full list of the capabilities that you get after devices are enrolled.
Management, inventory, app deployment, provisioning, and retirement are all handled through Intune in the
Azure portal.
Users gain access to the company portal, which enables them to install apps, enroll and remove devices, and
contact their IT department or helpdesk.
Capability: Configuration policies; Custom policies
Details: Lets you manage many settings and features on mobile devices in your organization. For example, you can require a password, limit the number of failed attempts, limit the amount of time before the screen locks, set password expiration, and prevent previously used passwords. You can also control the use of hardware and software features such as the device camera or the web browser.
More information: Manage settings and features on your devices with Microsoft Intune policies

Capability: Remote Wipe, Remote Lock, and Passcode Reset
Details: Erases sensitive data when a device is lost or stolen. For example, you can remotely lock the device, restore it to factory settings, or wipe only corporate data.
More information: Help protect your devices with remote lock and passcode reset

Capability: Kiosk mode
Details: Lets you lock down certain features of mobile devices such as screen captures and power switches. Also lets you restrict devices to run a single app that you specify.
More information: iOS configuration policy settings in Microsoft Intune

Capability: Autopilot Reset
Details: Sends a task to the device to start the reset process remotely, avoiding the need for IT staff or other administrators to visit each machine to start the process. When Autopilot reset is used on a device, the device's primary user will be removed. The next user who signs in after the reset will be set as the primary user.
More information: Remote Windows Autopilot Reset
App management
Capability: App deployment and management
Details: Provides a range of tools to help you manage mobile apps through their lifecycle, including app deployment from installation files and app stores, detailed monitoring of app status, and app removal.
More information: Deploy apps in Microsoft Intune

Capability: Compliant and noncompliant apps
Details: Lets you specify lists of compliant apps (that users are allowed to install) and noncompliant apps (that users aren't allowed to install).
More information: iOS policy settings in Microsoft Intune

Capability: Mobile application management
Details: Configures restrictions for apps by using mobile application management for all devices that are both managed with Intune and not managed with Intune. You can increase the security of your company data by restricting operations such as copy and paste, external backup of data, and the transfer of data between apps.
More information: Configure and deploy mobile application management policies in the Microsoft Intune console

Capability: iOS mobile app configuration
Details: Uses mobile app configuration policies to supply settings for iOS/iPadOS apps that might be required when the user runs the app. For example, an app might require the user to specify a port number or logon information. You can streamline app configuration and reduce the number of support calls.
More information: Configure iOS/iPadOS apps with mobile app configuration policies in Microsoft Intune

Capability: iOS/iPadOS mobile app provisioning profiles
Details: Helps you deploy provisioning profiles to iOS/iPadOS apps that are nearing expiration.
More information: Use iOS/iPadOS mobile provisioning profile policies to prevent your apps from expiring

Capability: Managed browser
Details: Configures managed browser policies to control the websites that device users can visit. In addition, you can also apply mobile application management policies to the managed browser.
More information: Manage Internet access using managed browser policies with Microsoft Intune

Capability: Windows Hello for Business
Details: Lets you integrate with Windows Hello for Business, which is an alternative sign-in method for Windows 10 that uses on-premises Active Directory or Azure Active Directory to replace passwords, smart cards, or virtual smart cards.
More information: Control Windows Hello for Business settings on devices with Microsoft Intune

Capability: Volume purchased apps
Details: Helps you manage apps that you purchased through a volume-purchase program by importing the license information from the app store, tracking how many of the licenses you have used, and preventing you from installing more copies of the app than you own.
More information: Manage volume-purchased apps using Microsoft Intune

Capability: Certificate profiles
Details: Creates and deploys trusted certificate profiles and Simple Certificate Enrollment Protocol (SCEP) certificates, which can be used to secure and authenticate Wi-Fi, VPN, and email profiles.
More information: Secure resource access with certificate profiles in Microsoft Intune

Capability: Wi-Fi profiles
Details: Deploys wireless network settings to your users. By deploying these settings, you minimize the user effort that's required to connect to the corporate network.
More information: Wi-Fi connections in Microsoft Intune

Capability: Email profiles
Details: Creates and deploys email settings to devices so that users can access corporate email on their personal devices without any required setup on their part.
More information: Configure access to corporate email using email profiles with Microsoft Intune

Capability: VPN profiles
Details: Deploys VPN settings to users and devices in your organization. By deploying these settings, you minimize the user effort that's required to connect to resources on the company network.
More information: VPN connections in Microsoft Intune

Capability: Conditional Access policies
Details: Manages access to Microsoft Exchange email and SharePoint Online from devices that are not managed by Intune.
More information: Restrict access to email and SharePoint with Microsoft Intune
Next steps
See a list of devices that you can manage.
Enrollment options for devices managed by Intune
9/23/2022 • 2 minutes to read
As an Intune admin, you can configure device enrollment to help users and enable Intune capabilities. Intune
includes the following enrollment options:
Enrollment restrictions
You can choose to restrict device enrollment by:
Device platform
Number of devices per user
Block personal devices
Learn more about enrollment restrictions.
Corporate identifiers
You can list international mobile equipment identifier (IMEI) numbers and serial numbers to identify corporate-
owned devices. Learn more about corporate identifiers.
Multi-factor authentication
You can require users to use an additional verification method, such as a phone, PIN or biometric data, when
they enroll a device. Learn more about multi-factor authentication.
Device categories
You can use device categories to automatically add devices to groups based on categories that you define.
Organizing devices into groups makes it easier for you to manage those devices. Learn more about device
categories.
Quickstart: Set up automatic enrollment for
Windows 10/11 devices
9/23/2022 • 2 minutes to read
In this quickstart, you'll set up Microsoft Intune to automatically enroll devices when specific users sign in to
Windows 10/11 devices.
If you don't have an Intune subscription, sign up for a free trial account.
Prerequisites
Microsoft Intune subscription - sign up for a free trial account.
To complete this quickstart, you must first create a user and create a group.
6. Select Some from the MDM user scope to use MDM auto-enrollment to manage enterprise data on
your employees' Windows devices. MDM auto-enrollment will be configured for AAD joined devices and
bring your own device scenarios.
7. Click Select groups > Contoso Testers > Select as the assigned group.
8. Select Some from the MAM Users scope to manage data on your workforce's devices.
9. Choose Select groups > Contoso Testers > Select as the assigned group.
10. Use the default values for the remaining configuration values.
11. Choose Save.
Clean up resources
To reconfigure Intune automatic enrollment, check out Set up enrollment for Windows devices.
Next steps
In this quickstart, you learned how to set up auto-enrollment for devices running Windows 10/11. For more
information about device enrollment, see What is device enrollment?
To follow this series of Intune quickstarts, continue to the next quickstart.
Quickstart: Enroll your Windows 10/11 device
Quickstart: Enroll your Windows device
9/23/2022 • 2 minutes to read
Applies to
Windows 10
Windows 11
In this quickstart, you'll first take the role of an Intune user and enroll a device running Windows 10/11 into
Microsoft Intune. Then you'll return to Intune and confirm that the device enrolled.
Enrolling your devices into Microsoft Intune allows you to access your organization's secure data, including
email, files, and other resources, from your Windows device. This applies both to devices running Windows
10/11 (including desktop) and to Windows 10 Mobile devices. Enrolling your devices helps secure this
access for both you and your organization, and helps keep your work data separate from your personal data.
TIP
Find out what happens when you enroll your device in Intune and what that means for the information on your device.
If you don't have an Intune subscription, sign up for a free trial account.
Prerequisites
Microsoft Intune subscription - sign up for a free trial account
To complete this quickstart, you must complete the steps to set up automatic enrollment in Intune.
3. In the Settings window you will see a list of Windows specifications for your PC. Within this list,
locate the Version.
4. Confirm that the Windows Version is Windows 10 (version 1607 or later) or Windows 11 (version 21H2
or later).
IMPORTANT
The steps presented in this quickstart are for Windows 10 (version 1607 or higher) or Windows 11 (version 21H2
or later). If your version is 1511 or earlier, see Enroll device running Windows 10, version 1511 and earlier.
NOTE
If you're setting up an ".onmicrosoft.com" account, the user account will have .onmicrosoft.com as part of the
account address.
You'll see a message indicating that your company or school is registering your device.
4. When you see the You're all set! screen, select Done. You're done.
5. You will now see the added account as part of the Access work or school settings on your Windows
desktop.
If you followed the previous steps, but still can't access your work or school email account and files,
follow the steps in Troubleshoot Windows 10/11 device access.
Clean up resources
To unenroll your Windows device, see Remove your Windows device from management.
Next steps
In this quickstart, you learned how to enroll a Windows 10/11 device into Intune. You can learn about other
ways to enroll devices across all platforms. For more information about using devices with Intune, see Use
managed devices to get work done.
To follow this series of Intune quickstarts, continue to the next quickstart.
Quickstart: Set a required password length for Android devices
Tutorial: Use Autopilot to enroll Windows devices in
Intune
9/23/2022 • 3 minutes to read
Windows Autopilot simplifies enrolling devices. With Microsoft Intune and Autopilot, you can give new devices
to your end users without the need to build, maintain, and apply custom operating system images.
In this tutorial, you'll learn how to:
Add devices to Intune
Create an Autopilot device group
Create an Autopilot deployment profile
Assign the Autopilot deployment profile to the device group
Distribute Windows devices to users
If you don't have an Intune subscription, sign up for a free trial account.
For an overview of Autopilot benefits, scenarios, and prerequisites, see Overview of Windows Autopilot.
Prerequisites
Set up Windows automatic enrollment
Azure Active Directory Premium subscription
Add devices
The first step in setting up Windows Autopilot is to add the Windows devices to Intune. All you have to do is
create a CSV file and import it into Intune.
1. In any text editor, create a list of comma-separated values (CSV) that identify the Windows devices. Use
the following format:
serial-number, windows-product-id, hardware-hash, optional-Group-Tag
The first three items are required, but the Group Tag (previously known as "order ID") is optional.
2. Save the CSV file.
3. In the Microsoft Endpoint Manager admin center, choose Devices > Windows > Windows
Enrollment > Devices (under Windows Autopilot Deployment Program) > Import.
4. Under Add Windows Autopilot devices, browse to the CSV file you saved.
5. Choose Import to start importing the device information. Importing can take several minutes.
6. After import is complete, choose Devices > Windows > Windows enrollment > Devices (under
Windows Autopilot Deployment Program) > Sync. A message displays that the synchronization is in
progress. The process might take a few minutes to complete, depending on how many devices you're
synchronizing.
7. Refresh the view to see the new devices.
Clean up resources
If you don't want to use Autopilot devices anymore, you can delete them.
1. If the devices are enrolled in Intune, you must first delete them from the Azure Active Directory portal.
2. In the Microsoft Endpoint Manager admin center, choose Devices > Windows > Windows
enrollment > Devices (under Windows Autopilot Deployment Program ).
3. Choose the devices you want to delete, and then choose Delete .
4. Confirm the deletion by choosing Yes . It can take a few minutes to delete.
Next steps
You can find more information about other options available for Windows Autopilot.
In-depth Autopilot enrollment article
Tutorial: Use Apple's Corporate Device Enrollment
features in Apple Business Manager (ABM) to enroll
iOS/iPadOS devices in Intune
9/23/2022 • 7 minutes to read
The Device Enrollment features in Apple Business Manager simplify enrolling devices. Intune also supports
Apple's older Device Enrollment Program (DEP) portal, but we encourage you to start fresh with Apple Business
Manager. With Microsoft Intune and Apple Corporate Device Enrollment, devices are automatically and securely
enrolled the first time the user turns on the device. You can therefore ship devices to many users without having
to set up each device individually.
In this tutorial, you'll learn how to:
Get an Apple Device Enrollment token
Sync managed devices to Intune
Create an Enrollment profile
Assign the Enrollment profile to devices
If you don't have an Intune subscription, sign up for a free trial account.
Prerequisites
Devices purchased in Apple Business Manager or Apple's Device Enrollment Program
Set the mobile device management authority
Get an Apple MDM Push certificate
13. In the Apple token box, browse to the certificate (.pem) file, choose Open, and then choose Create.
14. If you want to apply Scope Tags to limit which admins have access to this token, select scopes.
NOTE
Ensure that Device Type Restrictions under Enrollment Restrictions does not have the default All Users policy set
to block the iOS/iPadOS platform. This setting will cause automated enrollment to fail and your device will show as Invalid
Profile, regardless of user attestation. To permit enrollment only by company-managed devices, block only personally
owned devices, which will permit corporate devices to enroll. Microsoft defines a corporate device as a device that's
enrolled via a Device Enrollment Program or a device that's manually entered under Corporate device identifiers.
Next steps
You can find more information about other options available for enrolling iOS/iPadOS devices.
In-depth iOS/iPadOS ADE enrollment article
Identify devices as corporate-owned
9/23/2022 • 5 minutes to read
As an Intune admin, you can identify devices as corporate-owned to refine management and identification.
Intune can perform additional management tasks and collect additional information such as the full phone
number and an inventory of apps from corporate-owned devices. You can also set device restrictions to block
enrollment by devices that aren't corporate-owned.
At the time of enrollment, Intune automatically assigns corporate-owned status to devices that are:
Enrolled with a device enrollment manager account (all platforms)
Enrolled by using Google Zero Touch
Enrolled by using Knox Mobile Enrollment
Enrolled with the Apple Device Enrollment Program, Apple School Manager, or Apple Configurator
(iOS/iPadOS only)
Identified as corporate-owned before enrollment with an international mobile equipment identifier (IMEI)
number (all platforms with IMEI numbers) or serial number (iOS/iPadOS and Android)
Enrolled as Android Enterprise corporate-owned devices with work profile
Enrolled as Android Enterprise fully managed devices
Enrolled as Android Enterprise dedicated devices
Joined to Azure Active Directory with work or school credentials. Devices that are Azure Active Directory
registered will be marked as personal.
Set as corporate in the device's properties list
After enrollment, you can change the ownership setting between Personal and Corporate.
01234567890123,device details
02234567890123,device details
IMPORTANT
Some Android and iOS/iPadOS devices have multiple IMEI numbers. Intune only reads one IMEI number per enrolled
device. If you import an IMEI number but it is not the IMEI inventoried by Intune, the device is classified as a personal
device instead of a corporate-owned device. If you import multiple IMEI numbers for a device, uninventoried numbers
display Unknown for enrollment status.
Also note: Serial Numbers are the recommended form of identification for iOS/iPadOS devices. Android Serial numbers are
not guaranteed to be unique or present. Check with your device supplier to understand if serial number is a reliable
device ID. Serial numbers reported by the device to Intune might not match the displayed ID in the Android
Settings/About menus on the device. Verify the type of serial number reported by the device manufacturer. Attempting to
upload a file with serial numbers containing dots (.) will cause the upload to fail. Serial numbers with dots are not
supported.
IMEI specifications
For detailed specifications about International Mobile Equipment Identifiers, see 3GPP TS 23.003.
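Both upload formats on this page are plain CSV files that the admin center only rejects, or silently misclassifies, after the upload: the Autopilot device list (serial-number, windows-product-id, hardware-hash, optional-Group-Tag) from the tutorial above, and the corporate identifier list (IMEI or serial number followed by details, as in the two sample rows above). An identifier that fails or does not match what Intune inventories leaves the device classified as personal, which matters when enrollment restrictions block personal devices. The following Python script is an added pre-flight check written for this page; it is not Intune's code and not Microsoft's validation logic. Its assumptions: an Autopilot row has 3 or 4 fields and the hardware hash is base64 text; an IMEI is 14 digits (no check digit) or 15 digits whose last digit is the Luhn check digit defined in 3GPP TS 23.003; a serial number must not contain a dot, as the IMPORTANT note above states; and duplicate identifiers within one file are reported. All sample rows are constructed.

```python
import base64
import binascii
import csv
import io
from dataclasses import dataclass, field

# Constructed sample files (not real devices). The Autopilot list follows the
# "serial-number, windows-product-id, hardware-hash, optional-Group-Tag" layout;
# the identifier list follows the "IMEI,device details" rows shown above.
SAMPLE_AUTOPILOT_CSV = """\
SN0001,00000-00000-00000-AAAAA,{hash},Finance
SN0002,00000-00000-00000-BBBBB,{hash}
SN0002,00000-00000-00000-CCCCC,{hash},Sales
SN0003,00000-00000-00000-DDDDD,not*base64*
""".format(hash=base64.b64encode(b"constructed-hardware-hash").decode())

SAMPLE_IDENTIFIER_CSV = """\
01234567890123,device details
490154203237518,device details
490154203237519,device details
ABC.123,serial with a dot
"""


@dataclass
class Result:
    errors: list = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.errors


def _rows(text: str):
    """Yield (line_number, cells) for every non-blank CSV row, cells stripped."""
    for n, fields in enumerate(csv.reader(io.StringIO(text)), start=1):
        cells = [c.strip() for c in fields]
        if any(cells):
            yield n, cells


def luhn_valid(digits: str) -> bool:
    """Luhn check used for the 15th IMEI digit (3GPP TS 23.003, Annex B)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def validate_autopilot_csv(text: str) -> Result:
    """Check an Autopilot import file before uploading it to the admin center."""
    res = Result()
    seen = set()
    for n, cells in _rows(text):
        if len(cells) not in (3, 4):
            res.errors.append(f"line {n}: expected 3 or 4 fields, got {len(cells)}")
            continue
        serial, product_id, hw_hash = cells[:3]
        if not serial or not product_id or not hw_hash:
            res.errors.append(f"line {n}: serial, product ID and hardware hash are required")
        if serial in seen:
            res.errors.append(f"line {n}: duplicate serial number {serial}")
        seen.add(serial)
        try:
            base64.b64decode(hw_hash, validate=True)   # assumption: hash is base64 text
        except (binascii.Error, ValueError):
            res.errors.append(f"line {n}: hardware hash is not valid base64")
    return res


def validate_identifier_csv(text: str) -> Result:
    """Check a corporate identifier file (IMEI or serial number, then details)."""
    res = Result()
    seen = set()
    for n, cells in _rows(text):
        ident = cells[0]
        if not ident:
            res.errors.append(f"line {n}: empty identifier")
            continue
        if ident in seen:
            res.errors.append(f"line {n}: duplicate identifier {ident}")
        seen.add(ident)
        if ident.isdigit():                       # all-digit values are treated as IMEIs
            if len(ident) not in (14, 15):
                res.errors.append(f"line {n}: IMEI must be 14 or 15 digits")
            elif len(ident) == 15 and not luhn_valid(ident):
                res.errors.append(f"line {n}: IMEI check digit does not verify")
        elif "." in ident:                        # a dot makes the whole upload fail
            res.errors.append(f"line {n}: serial number contains a dot")
    return res


if __name__ == "__main__":
    for name, text, check in (("autopilot", SAMPLE_AUTOPILOT_CSV, validate_autopilot_csv),
                              ("identifiers", SAMPLE_IDENTIFIER_CSV, validate_identifier_csv)):
        r = check(text)
        print(name, "OK" if r.ok else "\n  ".join(["problems:"] + r.errors))
```

Run against the constructed samples, the Autopilot file reports the repeated serial SN0002 and the non-base64 hash on the last row, and the identifier file reports the IMEI with a bad check digit and the serial containing a dot; the 14-digit IMEI and the well-formed 15-digit one pass. Treat a Luhn failure as a typo to recheck, not as proof that the device is not yours.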
This report tells you where in the Company Portal enrollment process users are not completing the enrollment
process.
To see the report, sign in to the Microsoft Endpoint Manager admin center. Then select Devices > Monitor >
Incomplete user enrollments.
Using this information, you can update your onboarding documents to help users complete enrollment. For
example, if many users are quitting at the Terms of Use, you might investigate that area and make it more
intuitive for users.
Table columns: Action name; Screen or flow; Platform; Action. (The table's rows were not preserved in this extraction.)
Compliance/Activation section (same columns; rows not preserved in this extraction)
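The report described above is a funnel: each user who starts enrollment either reaches the next screen or stops there, and the step with the most stopped users is the one to investigate. The following Python script, an added example that is not part of this article or of Intune, computes that drop-off from a constructed event log so the reasoning behind "many users are quitting at the Terms of Use" is visible. The step names, the platforms and the log format are assumptions for this example, not the report's actual action names.

```python
from collections import Counter

# Assumed enrollment steps, in the order the Company Portal flow presents them.
STEPS = ["SignIn", "TermsOfUse", "DevicePermissions", "MdmProfileInstall", "Completed"]

# Constructed event log: one "user,platform,step" record per line.
SAMPLE_EVENTS = """\
u1,iOS,SignIn
u1,iOS,TermsOfUse
u1,iOS,DevicePermissions
u1,iOS,MdmProfileInstall
u1,iOS,Completed
u2,iOS,SignIn
u2,iOS,TermsOfUse
u3,Android,SignIn
u3,Android,TermsOfUse
u4,Android,SignIn
u4,Android,TermsOfUse
u4,Android,DevicePermissions
u5,iOS,SignIn
"""


def parse_events(text):
    """Return {(user, platform): index of the furthest step that user reached}."""
    rank = {name: i for i, name in enumerate(STEPS)}
    furthest = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        user, platform, step = (c.strip() for c in line.split(","))
        if step not in rank:
            raise ValueError(f"unknown step {step!r}")
        key = (user, platform)
        furthest[key] = max(furthest.get(key, -1), rank[step])
    return furthest


def funnel(text, platform=None):
    """Count, per step, the users whose last observed step was that step."""
    stopped = Counter()
    for (_user, plat), idx in parse_events(text).items():
        if platform is None or plat == platform:
            stopped[STEPS[idx]] += 1
    return {step: stopped.get(step, 0) for step in STEPS}


def worst_dropoff(text, platform=None):
    """Name the incomplete step where the most users stopped (None if everyone completed)."""
    counts = funnel(text, platform)
    incomplete = {s: c for s, c in counts.items() if s != "Completed" and c}
    if not incomplete:
        return None
    return max(incomplete, key=incomplete.get)


if __name__ == "__main__":
    for step, count in funnel(SAMPLE_EVENTS).items():
        print(f"{step:<18} stopped here: {count}")
    print("worst drop-off:", worst_dropoff(SAMPLE_EVENTS))
```

The same functions accept a platform filter, which mirrors the report's Platform column: a step that only loses Android users usually points at a platform-specific screen rather than at the wording of the terms.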
Next steps
After checking on your incomplete enrollment rates, you can review the enrollment options to see if you can
make any changes to improve enrollment.
Terms and conditions for user access
9/23/2022 • 4 minutes to read
Use an Intune terms and conditions policy to present relevant disclaimers for legal or compliance requirements
to device users. A terms and conditions policy requires targeted users to accept your terms in Company Portal
before they can enroll devices or access protected resources.
This article describes how to get started with terms and conditions in Intune.
NOTE
Report data is updated every 24 hours and can take up to 12 hours to finish generating. Because of this, data in the
report can have up to a 36 hour latency.
TIP
Do not change the version number for changes like typo and formatting fixes.
Applies to
Android
iOS
macOS
Windows 10
Windows 11
Device limit restrictions can be configured two ways:
Intune enrollment
Azure Active Directory (AD) joined or Azure AD registered
This article clarifies when these limits are applied based on your configuration.
Rows recovered from the device limit restriction table (column headers not preserved in this extraction):
Android Enterprise dedicated device: No; No; No
Android device administrator DEM: No; No
Windows devices
Intune device limit restrictions don't apply for the following Windows enrollment types:
Co-managed enrollments
Group policy object (GPO) enrollments
Azure AD joined enrollments
Bulk Azure AD joined enrollments
Autopilot enrollments
Device enrollment manager enrollments
You can't enforce device limit restrictions for these enrollment types because they're considered shared device
scenarios. You can set hard limits for these enrollment types in Azure Active Directory.
For the device limit restriction in Azure, the Maximum number of devices per user setting applies to devices
that are either Azure AD joined or Azure AD registered. This setting doesn't apply to hybrid Azure AD joined
devices.
Windows 10/11 example 1
The Azure Maximum number of devices per user setting is set to 5.
The Intune Device limit setting is set to 3.
The devices are hybrid Azure AD joined and enrolled automatically (GPO configured).
Outcome: Because the enrollment is pushed through GPO, the Azure device registration limit doesn't apply. The
Intune device limit restriction also doesn't apply.
Windows 10/11 example 2
The Azure Maximum number of devices per user setting is set to 5.
The Intune Device limit setting is set to 2.
The devices are local domain joined and enrolled by using Settings > Access Work or School > Connect .
Outcome: You can only enroll two devices before they're blocked. You can register up to five devices.
Next steps
Create a device limit restriction in Azure.
Learn more about registration and domain joined.
Add device enrollment managers
9/23/2022 • 2 minutes to read
A device enrollment manager (DEM) is a non-administrator user who can enroll devices in Intune. Device
enrollment managers are useful to have when you need to enroll and prepare many devices for distribution.
People signed in to a DEM account can enroll and manage up to 1,000 devices, while a standard non-admin
account can only enroll 15.
A DEM account requires an Intune user or device license, and an associated Azure AD user. Global
Administrators and Intune Service Administrators can add and manage device enrollment managers in the
Microsoft Endpoint Manager admin center.
This article describes the limits and specifications of enrollment manager and how to manage permissions.
TIP
To compare DEM best practices and capabilities alongside other Windows enrollment methods, see Intune enrollment
method capabilities for Windows devices.
Account permissions
These Azure AD roles can manage device enrollment managers:
Global Administrator
Intune Service Administrator role in Azure AD
People assigned these roles can add and delete device enrollment managers, and view all DEM users in the
Microsoft Endpoint Manager admin center.
Device categories allow you to easily manage and group devices in Microsoft Intune. Create a category, such as
sales or accounting, and Intune automatically adds all devices that fall within that category to the corresponding
device group in Intune.
To enable categories in your tenant, you must create a category in the Microsoft Endpoint Manager admin
center and set up dynamic Azure Active Directory (Azure AD) security groups.
This article describes how to configure and edit device categories.
Best practices
Device categories are supported on devices running Android, iOS/iPadOS, or Windows. People with Windows
devices must use the Company Portal website to select their category. Regardless of platform, any device user
can sign in to portal.manage.microsoft.com at any time and go to My devices to select a category.
If an iOS/iPadOS or Android device is already enrolled before you configure categories, the user will receive a
notification about the device on the Company Portal website. The notification informs them that they need to
select a category the next time they're in the Company Portal app.
Get an Apple MDM push certificate
9/23/2022 • 3 minutes to read
Upload and renew your Apple MDM push certificates in Microsoft Intune. An Apple MDM Push certificate is
required to manage iOS/iPadOS and macOS devices in Microsoft Intune, and enables devices to enroll via:
The Intune Company Portal app.
Apple bulk enrollment methods, such as the Device Enrollment Program, Apple School Manager, and Apple
Configurator.
Certificates must be renewed annually.
This article describes how to use Intune to create and renew an Apple MDM push certificate.
NOTE
The certificate is associated with the Apple ID used to create it. As a best practice, use a company email address as your
Apple ID and make sure the mailbox is monitored by more than one person, such as by a distribution list. Avoid using a
personal Apple ID.
Managed Apple ID
If you plan to federate your existing Azure AD accounts with Apple to use Managed Apple ID, contact Apple to
have the existing APNS certificate migrated to your new Managed Apple ID. For more information, see the Apple
Support user guide for Apple School Manager.
Step 4. Enter the Apple ID used to create your Apple MDM push certificate
Return to the admin center and enter your Apple ID as a reminder for when you need to renew the certificate.
Step 5. Browse to your Apple MDM push certificate to upload
1. Select the Folder icon.
2. Select the certificate file (.pem) you downloaded in the Apple portal.
3. Select Upload to finish configuring the MDM push certificate.
TIP
Each certificate has a unique UID. To find it, look for the subject ID, which shows the GUID portion of the UID, in
the certificate details. You can also find this information on the enrolled iOS/iPadOS device. Go to Settings >
General > Device Management > Management Profile > More Details > Management Profile . The
Topic value contains the unique GUID that you can match up to the certificate in the Apple Push Certificates
portal.
8. Select Upload.
9. On the Confirmation screen, select Download.
10. Return to the admin center > Configure MDM Push Certificate page, and upload your certificate file.
Renewal is complete when your Apple MDM push certificate status appears active in both the admin center and
Apple portal.
Next steps
For more information about enrollment options, see Choose how to enroll iOS/iPadOS devices.
Require multifactor authentication for Intune device
enrollments
9/23/2022 • 2 minutes to read
Intune can use Azure Active Directory (Azure AD) Conditional Access policies to require multifactor
authentication (MFA) for device enrollment to help you secure your corporate resources.
MFA works by requiring any two or more of the following verification methods:
Something you know (typically a password or PIN).
Something you have (a trusted device that isn't easily duplicated, like a phone).
Something you are (biometrics, like a fingerprint).
MFA is supported for iOS/iPadOS, macOS, Android, and Windows 8.1 or later devices.
When you enable MFA, end users need a second device, and must supply two forms of credentials to enroll a
device.
IMPORTANT
You must have an Azure Active Directory Premium P1 license or above assigned to your users to implement this policy.
IMPORTANT
Don't configure Device based access rules for Microsoft Intune enrollment.
Automated device enrollment
Cloud app: Microsoft Intune Enrollment
MFA prompt location: Setup Assistant
Notes: With this option, MFA is applied only to the enrollment of the device (one-time MFA prompt). Conditional Access MFA is applied only to the login of the Company Portal on the device.
7. Under Conditions you don't need to configure any settings for MFA.
8. Under Access controls > Grant:
a. Select Require multifactor authentication and Require device to be marked as compliant.
b. Ensure Require all the selected controls is selected under For multiple controls.
c. Choose Select.
9. Under Session:
a. Select Sign-in frequency.
b. Ensure Every time is selected.
c. Select Select.
10. In New policy, choose Enable policy > On, and then choose Create.
NOTE
A second device is required to complete the MFA challenge for corporate devices like the following:
Android Enterprise Fully Managed.
Android Enterprise Corporate Owned Work Profile.
iOS/iPadOS Automated Device Enrollment.
macOS Automated Device Enrollment.
The second device is required because the primary device can't receive calls or text messages during the provisioning
process.
Next steps
When end users enroll their device, they now must authenticate with a second form of identification, like a PIN, a
phone, or biometrics.
Intune enrollment methods for Windows devices
9/23/2022 • 3 minutes to read
Applies to
Windows 10
Windows 11
To manage devices in Intune, devices must first be enrolled in the Intune service. Both personally owned and
corporate-owned devices can be enrolled for Intune management.
There are two ways to get devices enrolled in Intune:
Users can self-enroll their Windows PCs
Admins can configure policies to force automatic enrollment without any user involvement
TIP
For guidance on which enrollment method is right for your organization, see Deployment guide: Enroll Windows devices
in Microsoft Intune.
Next steps
Learn the capabilities of the Windows enrollment methods
Intune enrollment method capabilities for Windows devices
9/23/2022 • 2 minutes to read
There are several methods to enroll your workforce's devices in Intune. Each method has different best practices
and capabilities, as shown in the tables below.
Capabilities compared (columns of the original tables): Azure AD joined | Azure AD joined with Autopilot (user driven mode) | Azure AD joined with Autopilot (self deploying mode) | Bulk | DEM | BYOD | GPO | Co-management
The per-method support marks in the table cells were not preserved in this copy; the capabilities compared are:
Commonly used in EDU
Devices can be used as shared devices
Personal devices must access company resources
Self-servicing of apps
Conditional Access **
User gets associated with the device
Requires Azure AD Premium
Device can access resources protected by CA
Users must not be admins on their devices
Ability to configure the device setup experience
Ability to enroll devices without user interaction
Ability to run PowerShell scripts *
Supports automatic enrollment after AD domain join
Supports automatic enrollment after Hybrid Azure AD join
Supports automatic enrollment after Azure AD join
* Client apps workloads in Configuration Manager must be moved to Intune Pilot or Intune.
** Devices are blocked for Conditional Access with the exception of Windows 10 (version 1803 and later) and
Windows 11.
Next steps
Set up enrollment for Windows
Set up enrollment for Windows devices
9/23/2022 • 7 minutes to read
Applies to
Windows 10
Windows 11
This article helps IT administrators simplify Windows enrollment for their users. Once you've set up Intune,
users enroll Windows devices by signing in with their work or school account.
As an Intune admin, you can simplify enrollment in the following ways:
Enable automatic enrollment (Azure AD Premium required).
CNAME registration.
Enable bulk enrollment (Azure AD Premium and Windows Configuration Designer required).
Two factors determine how you can simplify Windows device enrollment:
Do you use Azure Active Directory Premium? Azure AD Premium is included with Enterprise Mobility +
Security and other licensing plans.
What versions of Windows clients will users enroll? Devices running Windows 11 or Windows 10 can
automatically enroll by adding a work or school account. Devices running earlier versions must enroll using
the Company Portal app.
Organizations that can use automatic enrollment can also configure bulk enrollment of devices by using the
Windows Configuration Designer app.
Multi-user support
Intune supports multiple users on devices that both:
Run Windows 11 or the Windows 10 Creators Update
Are Azure Active Directory domain-joined
When standard users sign in with their Azure AD credentials, they receive apps and policies assigned to their
user name. Only the device's Primary user can use the Company Portal for self-service scenarios like installing
apps and device actions (like Remove or Reset). For shared Windows 10/11 devices that don't have a primary
user assigned, the Company Portal can still be used to install Available apps.
Enable Windows automatic enrollment
Automatic enrollment lets users enroll their Windows devices in Intune. To enroll, users add their work account
to their personally owned devices or join corporate-owned devices to Azure Active Directory. In the background,
the device registers and joins Azure Active Directory. Once registered, the device is managed with Intune.
Prerequisites
Azure Active Directory Premium subscription (trial subscription)
Microsoft Intune subscription
Global Administrator permissions
Configure automatic MDM enrollment
1. Sign in to the Azure portal, and select Azure Active Directory > Mobility (MDM and MAM) >
Microsoft Intune.
2. Configure MDM User scope . Specify which users' devices should be managed by Microsoft Intune.
These Windows 10 devices can automatically enroll for management with Microsoft Intune.
None - MDM automatic enrollment disabled
Some - Select the Groups that can automatically enroll their Windows 10 devices
All - All users can automatically enroll their Windows 10 devices
IMPORTANT
For Windows BYOD devices, the MAM user scope takes precedence if both the MAM user scope and the
MDM user scope (automatic MDM enrollment) are enabled for all users (or the same groups of users). The
device will not be MDM enrolled, and Windows Information Protection (WIP) Policies will be applied if you
have configured them.
If your intent is to enable automatic enrollment for Windows BYOD devices to an MDM: configure the
MDM user scope to All (or Some , and specify a group) and configure the MAM user scope to None (or
Some , and specify a group – ensuring that users are not members of a group targeted by both MDM and
MAM user scopes).
For corporate devices, the MDM user scope takes precedence if both MDM and MAM user scopes are
enabled. The device will get automatically enrolled in the configured MDM.
NOTE
MDM user scope must be set to an Azure AD group that contains user objects.
Type | Host name | Points to | TTL
If the company uses more than one UPN suffix, you need to create one CNAME for each domain name and point
each one to EnterpriseEnrollment-s.manage.microsoft.com. For example, users at Contoso use the following
formats as their email/UPN:
[email protected]
[email protected]
[email protected]
The Contoso DNS admin should create the following CNAMEs:
Type | Host name | Points to | TTL
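A check that the CNAME for each UPN suffix resolves to the host named above, as an added example that is not part of the Microsoft article. It uses the Resolve-DnsName cmdlet from the DnsClient module; the suffix list is a constructed sample, and the function name is this example's own.

```powershell
# Added example, not from the Microsoft doc: verify that every UPN suffix has an
# EnterpriseEnrollment CNAME pointing at EnterpriseEnrollment-s.manage.microsoft.com.
$ExpectedTarget = 'EnterpriseEnrollment-s.manage.microsoft.com'
$SampleSuffixes = @('contoso.com', 'us.contoso.com', 'europe.contoso.com')   # constructed sample

function Test-EnrollmentCname {
    param(
        [Parameter(Mandatory)][string[]]$Suffix,
        [string]$Target = $ExpectedTarget
    )
    foreach ($s in $Suffix) {
        $hostName = "EnterpriseEnrollment.$s"
        $pointsTo = $null
        try {
            # -Type CNAME returns the alias record (and often the target's A records);
            # keep only the CNAME and read its target from NameHost.
            $rec = Resolve-DnsName -Name $hostName -Type CNAME -ErrorAction Stop |
                   Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1
            if ($rec) { $pointsTo = $rec.NameHost }
        } catch {
            # NXDOMAIN or no CNAME record: leave $pointsTo empty so the row reports Ok = False
        }
        [pscustomobject]@{
            Suffix   = $s
            HostName = $hostName
            PointsTo = $pointsTo
            Ok       = [bool]($pointsTo -and ($pointsTo.TrimEnd('.') -ieq $Target))
        }
    }
}

Test-EnrollmentCname -Suffix $SampleSuffixes | Format-Table -AutoSize
```

Run it from a client on the same DNS resolvers your users use; a row with Ok = False means users with that UPN suffix will not be redirected to the enrollment server and should expect enrollment to fail or prompt for a server address.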
NOTE
End users must access the Company Portal website through Microsoft Edge to view Windows apps that you've assigned
for specific versions of Windows. Other browsers, including Google Chrome, Mozilla Firefox, and Internet Explorer do not
support this type of filtering.
IMPORTANT
If you do not have Auto-MDM enrollment enabled, but you have Windows 10/11 devices that have been joined to Azure
AD, two records will be visible in the Intune console after enrollment. You can stop this by making sure that users with
Azure AD joined devices go to Accounts > Access work or school and Connect using the same account.
Next steps
Considerations when managing Windows devices using Intune on Azure.
Bulk enrollment for Windows devices
9/23/2022 • 4 minutes to read
Applies to
Windows 10
Windows 11
As an administrator, you can join large numbers of new Windows devices to Azure Active Directory and Intune.
To bulk enroll devices for your Azure AD tenant, you create a provisioning package with the Windows
Configuration Designer (WCD) app. Applying the provisioning package to corporate-owned devices joins the
devices to your Azure AD tenant and enrolls them for Intune management. Once the package is applied, it's
ready for your Azure AD users to sign in.
NOTE
In the past, any standard user in the tenant could retrieve a bulk enrollment token and create a provisioning package. To
increase security, users must now have a specific Azure AD role assignment to create a bulk enrollment token. You can
assign roles in Intune for Education > Tenant settings or in the Microsoft Endpoint Manager admin center > Tenant
administration . The roles are:
Global Administrator
Cloud Device Administrator
Intune Administrator
Password Administrator
Azure AD users are standard users on these devices and receive assigned Intune policies and required apps.
Windows devices that are enrolled into Intune using Windows bulk enrollment can use the Company Portal app
to install available apps.
3. A New project window opens where you specify the following information:
Name - A name for your project
Project folder - Save location for the project
Description - An optional description of the project
4. Enter a unique name for your devices. Names can include a serial number (%SERIAL%) or a random set
of characters. Optionally, you can also enter a product key if you are upgrading the edition of Windows,
configure the device for shared use, and remove pre-installed software.
5. Optionally, you can configure the Wi-Fi network devices connect to when they first start. If the network
devices aren't configured, a wired network connection is required when the device is first started.
6. Select Enroll in Azure AD, enter a Bulk Token Expiry date, and then select Get Bulk Token. The token
validity period is 180 days.
NOTE
Once a provisioning package is created, it can be revoked before its expiration by removing the associated
package_{GUID} user account from Azure AD.
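An audit of the accounts that back bulk enrollment tokens, and a revocation helper that removes one as the note above describes, as an added example that is not part of the Microsoft article. It assumes Microsoft Graph PowerShell with User.ReadWrite.All, and that the token account's display name begins with package_ as the note names it; the function names are this example's own.

```powershell
# Added example, not from the Microsoft doc: list package_{GUID} token accounts with
# their age so stale bulk tokens can be found and revoked before the 180-day expiry.
Connect-MgGraph -Scopes 'User.ReadWrite.All'

function Get-BulkTokenAccount {
    # Assumption: the account created with the bulk token has a display name starting with package_
    Get-MgUser -Filter "startswith(displayName,'package_')" -All `
               -Property Id, DisplayName, UserPrincipalName, CreatedDateTime |
        Select-Object Id, DisplayName, UserPrincipalName, CreatedDateTime,
            @{ n = 'AgeDays'; e = { [int]((Get-Date) - $_.CreatedDateTime).TotalDays } }
}

function Revoke-BulkToken {
    param([Parameter(Mandatory)][string]$UserId)
    # Removing the package_ account invalidates the token in every provisioning package built from it.
    Remove-MgUser -UserId $UserId -Confirm:$true
}

# Show the oldest token accounts first; pass an Id to Revoke-BulkToken to retire one.
Get-BulkTokenAccount | Sort-Object CreatedDateTime | Format-Table -AutoSize
```

Because a provisioning package on a USB drive carries the token with it, treat these accounts like credentials: review the list on a schedule and revoke any token whose package is no longer in controlled hands.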
Provision devices
1. Access the provisioning package in the Project folder location that you specified in the app.
2. Choose how you're going to apply the provisioning package to the device. A provisioning package can be
applied to a device one of the following ways:
Place the provisioning package on a USB drive, insert the USB drive into the device you'd like to bulk
enroll, and apply it during initial setup
Place the provisioning package on a network folder, and apply it after initial setup
For step-by-step instruction on applying a provisioning package, see Apply a provisioning package.
3. After you apply the package, the device will automatically restart in one minute.
4. When the device restarts, it connects to the Azure Active Directory and enrolls in Microsoft Intune.
NOTE
Bulk enrollment is considered a userless enrollment method, so only the "Default" enrollment restriction in Intune
applies during enrollment. Make sure the Windows platform is allowed in the default restriction; otherwise, the
enrollment will fail. To check the capabilities alongside other Windows enrollment methods, see Intune enrollment method
capabilities for Windows devices.
Applies to
Windows 10
Windows 11
The enrollment status page (ESP) displays the provisioning status to people enrolling Windows devices and
signing in for the first time. You can configure the ESP to block device use until all required policies and
applications are installed. Device users can look at the ESP to track how far along their device is in the setup
process.
The ESP can be deployed during the default out-of-box experience (OOBE) for Azure Active Directory (Azure AD)
Join, and any Windows Autopilot provisioning scenario.
To deploy the ESP to devices, you have to create an ESP profile in Microsoft Intune. Within the profile, you can
configure the ESP settings that control:
Visibility of installation progress indicators
Device access during provisioning
Time limits
Allowed troubleshooting operations
This article describes the information that the enrollment status page tracks and how to create an ESP profile.
Windows CSP
ESP uses the EnrollmentStatusTracking configuration service provider (CSP) and FirstSyncStatus CSP to track
app installation.
TIP
If you only want the ESP to appear on Autopilot devices during initial device setup, select the No option.
Then create a new ESP profile, choose the Yes option, and target the profile to an Autopilot device group.
Block device use until all apps and profiles are installed : Your options:
No : Users can leave the ESP before Intune is finished setting up the device.
Yes : Users can't leave the ESP until Intune is done setting up the device. This option unlocks
additional settings for this scenario.
Allow users to reset device if installation error occurs : Your options:
No : The ESP doesn't give users the option to reset their devices when an installation fails.
Yes : The ESP gives users the option to reset their devices when an installation fails.
Allow users to use device if installation error occurs : Your options:
No : The ESP doesn't give users the option to bypass the ESP when an installation fails.
Yes : The ESP gives users the option to bypass the ESP and use their devices when an
installation fails.
Block device use until these required apps are installed if they are assigned to the
user/device : Your options:
All : All assigned apps must be installed before users can use their devices.
Selected : Selected apps must be installed before users can use their devices. Choose this option
to select from your managed apps.
6. Select Next .
7. In Assignments , select the groups that will receive your profile. Optionally, select Edit filter to restrict
the assignment further.
NOTE
Due to OS restrictions, only a limited selection of filters is available for ESP assignments. The picker only shows filters
that have rules defined for the osVersion , operatingSystemSKU , and enrollmentProfileName properties. Filters
that contain other properties aren't available.
8. Select Next .
9. Optionally, in Scope tags , assign a tag to limit profile management to specific IT groups, such as
US-NC IT Team or JohnGlenn_ITDepartment . Then select Next .
NOTE
Scope tags limit who can see and reprioritize ESP profiles in the admin center. A scoped user can tell the relative
priority of their profile even if they can't see all of the other profiles in Intune. For more information about scope
tags, see Use role-based access control and scope tags for distributed IT.
10. In Review + create , review your settings. After you select Create , your changes are saved, and the
profile is assigned. Once deployed, the profile will be applied the next time the devices check in. You can
access the profile from your profiles list.
Prioritize profiles
If you assign a user or device more than one ESP profile, the profile with the highest priority takes precedence
over the other profiles. The profile set to 1 has the highest priority.
Intune applies profiles in the following order:
1. Intune applies the highest-priority profile assigned to the device.
2. If no profiles are targeted at the device, Intune applies the highest-priority profile assigned to the user. This
only works in scenarios where there is a user. In white glove and self-deploying scenarios, only profiles
targeted at devices can be applied.
3. If no profiles are assigned to the device or user, Intune applies the default ESP profile.
To prioritize your profiles:
1. Hover over the profile in the list with your cursor until you see three vertical dots.
2. Drag the profile to the desired position in the list.
ESP tracking
The enrollment status page tracks these phases of provisioning:
Device preparation
Device setup
Account setup
This section describes the types of information, apps, and policies tracked during each phase.
Device preparation
During device preparation, the enrollment status page tracks these tasks for the device user:
Secure your hardware
Join your organization's network
Register your device for mobile management
Secure your hardware
This task ensures that the device completes the Trusted Platform Module (TPM) key attestation and validates its
identity with Azure AD. Azure AD sends a token to the device, which is used during Azure AD join.
This step is required for self-deploying mode and white glove deployment. It isn't needed for Windows Autopilot
scenarios in user-driven mode.
Join your organization's network
The device uses the token received in the previous step to join Azure AD. This step is required in self-deploying
mode and white glove deployment. Devices in user-driven mode have already completed this task by the time they
open the ESP.
Register your device for mobile management
The device enrolls in Microsoft Intune for mobile device management (MDM).
This step is required in self-deploying mode and white glove deployment. Devices in user-driven mode have
already completed this step by the time they open the ESP.
After enrollment, the device calculates the policies and apps required to track in the next phase. For Windows 10,
version 1903 and later versions, the device also creates the tracking policy for the SideCar agent, and installs the
Intune Management Extension that's used to install Win32 apps.
Device setup
The enrollment status page tracks these items during the device setup phase:
Security policies
Certificate profiles
Network connection
Apps
Security policies
ESP doesn't track security policies, such as device restrictions, but these policies are installed in the background.
The ESP does track Microsoft Edge, Assigned Access, and Kiosk Browser policies.
TIP
When complete, the status for security policies appears on the ESP as (1 of 1) completed .
Certificates
The ESP tracks the installation of SCEP certificate profiles targeted at devices.
Network connections
The ESP tracks VPN and Wi-Fi profiles targeted at devices.
Apps
The ESP tracks the installation of apps deployed in a device context, and includes:
Per machine line-of-business (LoB) MSI apps
LoB store apps where installation context = device
Offline store apps where installation context = device
Win32 applications for Windows 10, version 1903 and later, and Windows 11.
NOTE
It's preferable to deploy the offline-licensed Microsoft Store for Business apps. Don't mix LOB and Win32 apps. Both LOB
(MSI) and Win32 installers use TrustedInstaller, which doesn't allow simultaneous installations. If the OMA DM agent
starts an MSI installation, the Intune Management Extension plugin starts a Win32 app installation by using the same
TrustedInstaller. In this situation, Win32 app installation fails and returns an Another installation is in progress,
please try again later error message, and the ESP fails. Therefore, don't mix LOB and Win32 apps in any type
of Autopilot enrollment.
Account setup
During the account setup phase, the ESP tracks apps and policies targeted at users, including:
Security policies
Certificates
Network connections
Apps
TIP
Before installation begins, the device creates a tracking policy and calculates all apps and policies that need to be
tracked. While that's happening, the ESP shows subtasks in an Identifying state.
Security policies
ESP doesn't track security policies, such as device restrictions, but these policies are installed in the background.
The ESP does track Microsoft Edge, Assigned Access, and Kiosk Browser policies.
Certificates
The ESP tracks the installation of SCEP certificate profiles assigned to users.
Network connections
The ESP tracks Wi-Fi profiles assigned to users.
Apps
During this phase, the ESP tracks the installation of apps assigned to the user. The ESP tracks Win32 apps for
Windows 10, version 1903 and later.
It also tracks the following types of apps when they're assigned to all devices, all users, or a user group that
includes the enrolling device user:
Per user LoB MSI apps
Per machine LoB MSI apps
LoB store apps, online store apps, and offline store apps
Known issues
This section lists the known issues for the enrollment status page.
When creating apps that will be deployed during ESP, any reboots that are packaged within the app may
cause ESP to hang and fail the deployment. We recommend specifying the reboot behavior in Intune instead
of triggering the reboot within the package.
Disabling the ESP profile doesn't remove ESP policy from devices, and users still get the ESP when they log in to
the device for the first time. The policy isn't removed when the ESP profile is disabled.
A reboot during device setup forces the user to enter their credentials before the account setup phase. User
credentials aren't preserved during reboot. Instruct the device users to enter their credentials to continue to
the account setup phase.
The ESP always times out on devices running Windows 10, version 1903 and earlier, and enrolled via the Add
work and school account option. The ESP waits for Azure AD registration to complete. The issue is fixed on
Windows 10 version 1903 and later.
Hybrid Azure AD Autopilot deployment with ESP takes longer than the timeout duration entered in the ESP
profile. On Hybrid Azure AD Autopilot deployments, the ESP takes 40 minutes longer than the value set in
the ESP profile. For example, you set the timeout duration to 30 minutes in the profile. The ESP can take 30
minutes + 40 minutes. This delay gives the on-prem AD connector time to create the new device record to
Azure AD.
Windows logon page isn't pre-populated with the username in Autopilot User Driven Mode. If there's a
reboot during the Device Setup phase of ESP:
the user credentials aren't preserved
the user must enter the credentials again before proceeding from Device Setup phase to the Account
setup phase
ESP is stuck for a long time or never completes the "Identifying" phase. Intune computes the ESP policies
during the identifying phase. A device may never finish computing ESP policies if the current user doesn't
have an Intune license assigned.
Configuring Microsoft Defender Application Control causes a prompt to reboot during Autopilot. Configuring
Microsoft Defender Application Control (AppLocker CSP) requires a reboot. When this policy is configured, it may
cause a device to reboot during Autopilot. Currently, there's no way to suppress or postpone the reboot.
When the DeviceLock policy is enabled as part of an ESP profile, the OOBE or user desktop autologon could
fail unexpectedly for two reasons.
If the device didn't reboot before exiting the ESP Device setup phase, the user may be prompted to
enter their Azure AD credentials. This prompt occurs instead of a successful autologon where the user
sees the Windows first login animation.
The autologon will fail if the device rebooted after the user entered their Azure AD credentials but
before exiting the ESP Device setup phase. This failure occurs because the ESP Device setup phase
never completed. The workaround is to reset the device.
ESP doesn't apply to a Windows device that was enrolled with Group Policy (GPO).
Scripts that run in user context ('Run this script using the logged on credentials' on the script properties is set
to 'yes') may not execute during ESP. As a workaround, execute scripts in System context by changing this
setting to 'no'.
Troubleshooting
For help with errors or messages related to the ESP, including how to disable an already-enabled ESP, see
Troubleshoot the Windows Enrollment Status page.
Work with existing on-premises proxy servers
9/23/2022 • 2 minutes to read
This article explains how to configure the Intune Connector for Active Directory to work with outbound proxy
servers. It's intended for customers with network environments that have existing proxies.
By default, the Intune Connector for Active Directory attempts to automatically locate a proxy server on the
network using Web Proxy Auto-Discovery (WPAD). If WPAD is configured on your network, no further proxy
configuration may be required. When changes are needed, the following sections describe how to override
the default settings using the standard .NET Framework capabilities for configuring proxy settings. More
options are described in that documentation.
For more information about how connectors work, see Understand Azure AD Application Proxy connectors.
To ensure that the Connector Updater service also bypasses the proxy, make a similar change to C:\Program Files\Microsoft Intune\ODJConnector\ODJConnectorSvc\ODJConnectorSvc.exe.config.
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <system.net>
    <!-- Disable the .NET default proxy so the connector connects directly -->
    <defaultProxy enabled="false" />
  </system.net>
  <startup>
    <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.6" />
  </startup>
  <appSettings>
    <add key="BaseServiceAddress" value="https://manage.microsoft.com/" />
  </appSettings>
</configuration>
Be sure to make copies of the original files, in case you need to revert to the default .config files.
Once the configuration files have been modified, you'll need to restart the Intune Connector service.
1. Open services.msc.
2. Find and select the Intune ODJConnector Service.
3. Select Restart.
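A script that applies the proxy-bypass change with the backup step built in, as an added example that is not part of the Microsoft article. It assumes the .config path and the service display name given above, edits the XML in place rather than overwriting the file, and runs in an elevated PowerShell session; the function name is this example's own.

```powershell
# Added example, not from the Microsoft doc: back up the connector .config, set
# <defaultProxy enabled="false"> under <system.net>, and restart the service.
function Disable-ConnectorProxy {
    param(
        [Parameter(Mandatory)][string]$ConfigPath,
        [string]$ServiceDisplayName = 'Intune ODJConnector Service'   # display name from the steps above
    )
    if (-not (Test-Path -LiteralPath $ConfigPath)) { throw "Config not found: $ConfigPath" }

    # 1. Keep an untouched copy so the default .config can be restored later.
    $backup = '{0}.{1}.bak' -f $ConfigPath, (Get-Date -Format 'yyyyMMddHHmmss')
    Copy-Item -LiteralPath $ConfigPath -Destination $backup

    # 2. Edit the XML tree instead of string-replacing, so the other elements
    #    (startup, appSettings) survive unchanged.
    $xml = New-Object System.Xml.XmlDocument
    $xml.PreserveWhitespace = $true
    $xml.Load($ConfigPath)
    $root   = $xml.DocumentElement                       # <configuration>
    $sysNet = $root.SelectSingleNode('system.net')
    if (-not $sysNet) { $sysNet = $root.AppendChild($xml.CreateElement('system.net')) }
    $proxy = $sysNet.SelectSingleNode('defaultProxy')
    if (-not $proxy) { $proxy = $sysNet.AppendChild($xml.CreateElement('defaultProxy')) }
    $proxy.SetAttribute('enabled', 'false')
    $xml.Save($ConfigPath)

    # 3. Restart the connector so it reads the new settings.
    Get-Service -DisplayName $ServiceDisplayName | Restart-Service -Force

    [pscustomobject]@{
        Config       = $ConfigPath
        Backup       = $backup
        ProxyEnabled = $proxy.GetAttribute('enabled')
    }
}

Disable-ConnectorProxy -ConfigPath 'C:\Program Files\Microsoft Intune\ODJConnector\ODJConnectorSvc\ODJConnectorSvc.exe.config'
```

The same function can be pointed at the Connector Updater service's .config when that service also needs to bypass the proxy; restoring the default is a matter of copying the .bak file back over the .config and restarting the service again.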
Next steps
Manage your devices
Enroll Android devices
9/23/2022 • 2 minutes to read
As an Intune administrator, you can enroll Android devices in the following ways:
Android Enterprise (offering a set of enrollment options that provide users with the most up-to-date and
secure features):
Android Enterprise personally owned with a work profile : For personal devices granted
permission to access corporate data. Admins can manage work accounts, apps, and data. Personal
data on the device is kept separate from work data and admins don't control personal settings or data.
Android Enterprise dedicated : For corporate-owned, single use devices, such as digital signage,
ticket printing, or inventory management. Admins lock down the usage of a device to a limited set of
apps and web links. This also prevents users from adding other apps or taking other actions on the
device.
Android Enterprise fully managed : For corporate-owned, single user devices used exclusively for
work and not personal use. Admins can manage the entire device and enforce policy controls
unavailable to personally owned/corporate-owned work profiles.
Android Enterprise corporate-owned with a work profile : For corporate-owned, single user
devices intended for corporate and personal use.
Android device administrator , including Samsung Knox Standard devices and Zebra devices. Device
administrator should be used in areas where Android Enterprise or Google Mobile Services (GMS) is
unavailable. Google has decreased support for device administrator (DA) management in areas where
Android Enterprise is available, and encourages organizations to migrate to Android Enterprise device
management. For a list of countries that support Android Enterprise, see Is Android Enterprise available in
my country?
Android (AOSP) offers a set of enrollment options for devices that aren't integrated with Google Mobile
services.
Corporate-owned, user associated devices: For corporate-owned, single user devices intended
exclusively for work and not personal use. Admins can manage the entire device.
Corporate-owned, userless devices: For corporate-owned, shared devices. Admins can manage the
entire device.
TIP
For guidance on which enrollment method is right for your organization, see Deployment guide: Enroll Android devices in
Microsoft Intune.
Prerequisites
To prepare to manage mobile devices, you must set the mobile device management (MDM) authority to
Microsoft Intune . See Set the MDM authority for instructions. You set this item only once, when you’re first
setting up Intune for mobile device management.
For Android Enterprise, refer to the following support article from Google to ensure that Android Enterprise is
available in your country or region: https://support.google.com/work/android/answer/6270910
For devices manufactured by Zebra Technologies, you may need to grant the Company Portal more permissions
depending on the capabilities of the specific device. Mobility Extensions on Zebra devices has more details.
For Samsung Knox Standard devices, there are more prerequisites.
Next steps
Set up Android Enterprise personally owned work profile enrollment
Set up Android Enterprise dedicated device enrollment
Set up Android Enterprise fully managed enrollment
Set up Android device administrator enrollment
Set up Android Enterprise corporate-owned work profile
Set up Android (AOSP) corporate-owned user-associated enrollment
Set up Android (AOSP) corporate-owned userless enrollment
Connect your Intune account to your Managed Google Play account
9/23/2022 • 3 minutes to read
To support the following Android enrollment types, you must connect your Intune tenant account to your
Managed Google Play account:
Android Enterprise personally-owned work profile
Android Enterprise corporate-owned work profile
Android Enterprise fully managed
Android Enterprise dedicated devices
Refer to the following support article from Google to ensure that Android Enterprise is available in your country
or region: https://support.google.com/work/android/answer/6270910
Intune makes it easier for you to configure and use Android Enterprise management. After connecting to Google
Play, Intune automatically adds these four common Android Enterprise related apps to the Intune admin
console:
Microsoft Intune - Used for Android Enterprise fully managed, dedicated and corporate-owned work
profile scenarios.
Microsoft Authenticator - Helps you sign in to your accounts if you use two-factor verification, and is also
used for Android Enterprise dedicated devices that enroll with Azure AD Shared device mode.
Intune Company Portal - Used for Android Enterprise personally-owned work profile scenarios, as well as
App Protection Policies (APP).
Managed Home Screen - Used for multi-app kiosk mode on Android Enterprise dedicated devices. Learn
more about Managed Home Screen.
NOTE
Due to interaction between Google and Microsoft domains, this step may require that you adjust your browser settings.
Make sure that "portal.azure.com" and "play.google.com" are in the same security zone in your browser.
1. If you haven't already, set the mobile device management authority to Microsoft Intune .
2. Sign in to the Microsoft Endpoint Manager admin center, choose Devices > Android > Android
enrollment > Managed Google Play . If you are using a custom Intune admin role, access to this option
requires Organization Read and Update permissions.
3. Choose I agree to grant Microsoft permission to send user and device information to Google.
4. Choose Launch Google to connect now to open the Managed Google Play website. The website
opens on a new tab in your browser.
5. On Google's sign-in page, enter the Google account that will be associated with all Android Enterprise
management tasks for this tenant. This Google account is the one that your company's IT admins share to
manage and publish apps in the Google Play console. You can use an existing Google account or create a
new one. The account you choose must not be associated with a G-Suite domain.
IMPORTANT
Be sure to use or create an Enterprise account rather than a personal Gmail account. Keep in mind that the
account you use should be one that is easily shared or transferred in case the person setting up the
Managed Google Play connection leaves the company or moves teams.
NOTE
If you are using the Microsoft Edge browser, click Sign-In in the upper right corner to sign in to your Google
account.
6. Provide your company's name for Organization name . For Enterprise mobility management
(EMM) provider , Microsoft Intune should be displayed.
7. Agree to the Android agreement, and then choose Confirm . Your request will be processed.
NOTE
Choose a scope tag for your Managed Google Play apps. Under this section, you can select a scope tag that will
apply to all newly-approved Managed Google Play apps. You must have the following permissions to interact with
this section:
Android Sync - Read
Android Sync – UpdateOnBoarding
Admins without these permissions will not be able to remove the scope tag selected on the pane. Tenant admins,
or admins who are in charge of giving admin permissions to others, can update permissions in Microsoft Endpoint
Manager admin center by selecting Tenant Administration > Roles .
IMPORTANT
Only link 1 Intune account to a managed Google Play account. Linking multiple accounts is unsupported and
prevents basic functionality from working as expected.
Next steps
After connecting to the Managed Google Play account, you can set up Android Enterprise:
Personally-owned work profile devices.
Corporate-owned work profile devices.
Dedicated devices.
Fully managed devices.
Set up enrollment of Android Enterprise personally-owned work profile devices
9/23/2022 • 2 minutes to read
Intune helps you deploy apps and settings to Android Enterprise personally-owned work profile devices to make
sure work and personal information are separate. For specific details about Android Enterprise, see Android
Enterprise requirements.
To set up Android Enterprise personally-owned work profile management, follow these steps:
1. Connect your Intune tenant account to your Android Enterprise account.
2. Specify Android Enterprise work profile enrollment settings. Android Enterprise personally-owned work
profiles are supported on only certain Android devices. Any device that supports Android Enterprise
personally-owned work profiles also supports Android device administrator management. Intune lets you
specify how devices that support work profiles should be managed from within Enrollment Restrictions.
Block : All Android devices will be enrolled as Android device administrator devices, unless device
administrator enrollment is also blocked. This behavior includes devices that support Android
Enterprise personally-owned work profiles.
Allow (set by default) : All devices that support Android Enterprise personally-owned work profiles
are enrolled as personally-owned work profile devices. Any Android device that doesn't support
personally-owned work profiles is enrolled as an Android device administrator device, unless device
administrator enrollment is blocked.
NOTE
The default set to Allow is true for new tenants as of July 2019. All previous tenants will experience no change to their
Enrollment Restrictions, and will see whatever policies they have set in Enrollment Restrictions. For previous tenants that
never had Enrollment Restrictions changes, Block will still be the default for personally-owned work profiles.
3. Tell your users how to enroll their devices. To enroll, users must be using the primary user account on their
device. Enrolling with a secondary user account is not supported.
Devices previously enrolled with Android device administrator can be re-enrolled using personally-owned work
profiles. You'll first need to unenroll the device administrator devices. Then you can re-enroll them with
personally-owned work profiles.
NOTE
As an administrator, you can accomplish this remotely using the Retire function. This function can be found in the actions
menu after selecting the device from the All Devices blade.
If you're enrolling personally-owned work profile devices by using a Device Enrollment Manager account, there's
a limit of 10 devices that can be enrolled per account.
For more information, see Data Intune sends to Google.
Next steps
Deploy Android Enterprise apps
Add Android Enterprise configuration policies
See also
Configuring and troubleshooting Android Enterprise devices in Microsoft Intune
Set up Intune enrollment of Android Enterprise
dedicated devices
9/23/2022 • 5 minutes to read
Android Enterprise supports corporate-owned, single-use, kiosk-style devices with its dedicated devices solution
set. Such devices are used for a single purpose, such as digital signage, ticket printing, or inventory
management, to name just a few. Admins can lock down the usage of a device to a single app, or a limited set of
apps, inclusive of web apps. Users are prevented from adding other apps or taking actions on the device
unless explicitly approved by admins.
Devices that you manage in this way can be enrolled into Intune in two different ways:
1. As a standard Android Enterprise dedicated device. These devices are enrolled into Intune without a user
account and are not associated with any end user. These devices are not intended for personal use
applications or apps that have a strong requirement for user-specific account data such as Outlook or
Gmail.
2. As a standard Android Enterprise dedicated device that is automatically set up with Microsoft's
Authenticator application configured into Azure AD Shared device mode during enrollment. These
devices are enrolled into Intune without a user account and are not associated with any end user. These
devices are intended for use with applications that have integrated with Azure AD's Shared device mode
to allow for single sign-in and single sign-out between users across participating applications.
Intune helps you deploy apps and settings to Android Enterprise dedicated devices. For specific details about
Android Enterprise, see Android enterprise requirements.
Device requirements
Devices must meet these requirements to be managed by Endpoint Manager as an Android Enterprise dedicated
device:
Android OS version 8.0 and above.
Devices must run a distribution of Android that has Google Mobile Services (GMS) connectivity. Devices
must have GMS available and must be able to connect to GMS.
You must create an enrollment profile so that you can enroll your dedicated devices. When the profile is created,
it provides you with an enrollment token (random string) and a QR code. Depending on the Android OS and
version of the device, you can use either the token or QR code to enroll the dedicated device.
1. Sign in to the Microsoft Endpoint Manager admin center and choose Devices > Android > Android
enrollment > Corporate-owned dedicated devices .
2. Choose Create and fill out the required fields.
Name : Type a name that you'll use when assigning the profile to the dynamic device group.
Token type : Choose the type of token you want to use to enroll dedicated devices.
Corporate-owned dedicated device (default) : This token enrolls devices as a standard
Android Enterprise dedicated device. These devices require no user credentials at any point.
This is the default token type that dedicated devices will enroll with unless updated by Admin at
time of token creation.
Corporate-owned dedicated device with Azure AD shared mode : This token enrolls
devices as a standard Android Enterprise dedicated device and, during enrollment, deploys
Microsoft's Authenticator app configured into Azure AD Shared device mode. With this option,
users can achieve single sign-in and single sign-out across apps on the device that are
integrated with the Azure AD Microsoft Authentication Library and global sign-in/sign-out calls.
Token expiration date : The date when the token expires. Google enforces a maximum of 90 days.
3. Choose Create to save the profile.
Create a device group
You can target apps and policies to either assigned or dynamic device groups. You can configure dynamic Azure
AD device groups to automatically populate devices that are enrolled with a particular enrollment profile by
following these steps:
1. Sign in to the Microsoft Endpoint Manager admin center and choose Groups > All groups > New group .
2. In the Group blade, fill out the required fields as follows:
Group type : Security
Group name : Type an intuitive name (like Factory 1 devices)
Membership type : Dynamic device
3. Choose Add dynamic query .
4. In the Dynamic membership rules blade, fill out the fields as follows:
Add dynamic membership rule : Simple rule
Add devices where : enrollmentProfileName
In the middle box, choose Equals .
In the last field, enter the enrollment profile name that you created earlier. For more information about
dynamic membership rules, see Dynamic membership rules for groups in Azure AD.
5. Choose Add query > Create .
Replace or remove tokens
Replace token : You can generate a new token/QR code when one nears expiration by using Replace Token.
Revoke token : You can immediately expire the token/QR code. From this point on, the token/QR code is no
longer usable. You might use this option if you:
accidentally share the token/QR code with an unauthorized party
complete all enrollments and no longer need the token/QR code
Replacing or revoking a token/QR code won't have any effect on devices that are already enrolled.
1. Sign in to the Microsoft Endpoint Manager admin center and choose Devices > Android > Android
enrollment > Corporate-owned dedicated devices .
2. Choose the profile that you want to work with.
3. Choose Token .
4. To replace the token, choose Replace token .
5. To revoke the token, choose Revoke token .
NOTE
The Microsoft Intune app will be automatically installed during enrollment of a dedicated device. This app is required for
enrollment and cannot be uninstalled. The Microsoft Authenticator app will be automatically installed during
enrollment of a dedicated device when using the token type Corporate-owned dedicated device with Azure AD
shared mode . This app is required for this enrollment method and cannot be uninstalled.
Next steps
Deploy Android apps
Add Android configuration policies
Set up Intune enrollment of Android Enterprise fully
managed devices
9/23/2022 • 2 minutes to read
Android Enterprise fully managed devices are corporate-owned devices associated with a single user and used
exclusively for work and not personal use. Admins can manage the entire device and enforce policy controls
unavailable to personally-owned/corporate-owned work profiles, such as:
Allow app installation only from Managed Google Play.
Block uninstallation of managed apps.
Prevent users from factory resetting devices, and so on.
Intune helps you deploy apps and settings to Android Enterprise devices, including Android Enterprise fully
managed devices. For specific details about Android Enterprise, see Android Enterprise requirements.
Technical requirements
You must have an Intune standalone tenant to manage Android Enterprise fully managed devices. Fully
managed device management isn't available in the legacy Silverlight management console.
Devices must meet these requirements to be managed as an Android Enterprise fully managed device:
Android OS version 8.0 and above.
Devices must run a build of Android that has Google Mobile Services (GMS) connectivity. Devices must have
GMS available and must be able to connect to GMS.
There is no restriction on device manufacturer/OEM if the above requirements are met.
When this setting is set to Yes , it provides you with an enrollment token (a random string) and a QR code for
your Intune tenant. This single enrollment token is valid for all your users and won't expire. Depending on the
Android OS and version of the device, you can use either the token or QR code to enroll the device.
Next steps
Add Android Enterprise fully managed device configuration policies
Configure app configuration policies for Android Enterprise fully managed devices
Enroll your Android Enterprise dedicated, fully
managed, or corporate-owned with work profile
devices
9/23/2022 • 6 minutes to read
IMPORTANT
It's important that device users do not restart devices until enrollment is complete. If device users setting up fully
managed devices or corporate-owned devices with a work profile restart their devices in the middle of enrollment, their
devices may not be able to register with Microsoft Intune. Devices that restarted may appear to be enrolled but they
won't be protected by your Intune policies.
After you've set up your Android Enterprise dedicated devices, fully managed devices, or corporate-owned work
profile devices in Intune, you can enroll the devices. Intune enrollment for dedicated devices, fully managed
devices, and corporate-owned with a work profile start with a factory reset. How you enroll your Android
Enterprise devices depends on the operating system.
QR code 8.0
On participating manufacturers.
TIP
Corporate-owned work profile (COPE) device management is available on Android version 8.0 and newer.
NOTE
If you have an Azure AD Conditional Access policy defined that uses the require a device to be marked as compliant Grant
control or a Block policy and applies to All Cloud apps , Android , and Browsers , you must exclude the Microsoft
Intune cloud app from this policy. This is because the Android setup process uses a Chrome tab to authenticate your
users during enrollment. For more information, see Azure AD Conditional Access documentation.
NOTE
Browser zoom can cause devices to not be able to scan QR code. Increasing the browser zoom resolves the issue.
1. After you wipe the device, tap the first screen you see repeatedly to launch the QR reader.
2. On devices running Android 8.0, you'll be prompted to install a QR reader. Devices running Android 9 and
later are pre-installed with a QR reader.
3. Use the QR reader to scan the enrollment profile QR code and then follow the on-screen prompts to enroll.
{
    "android.app.extra.PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME":
        "com.google.android.apps.work.clouddpc/.receivers.CloudDeviceAdminReceiver",
    "android.app.extra.PROVISIONING_DEVICE_ADMIN_SIGNATURE_CHECKSUM":
        "I5YvS0O5hXY46mb01BlRjq4oJJGs2kuUcHvVkAPEXlg",
    "android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION":
        "https://play.google.com/managed/downloadManagingApp?identifier=setup",
    "android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE": {
        "com.google.android.apps.work.clouddpc.EXTRA_ENROLLMENT_TOKEN": "YourEnrollmentToken"
    }
}
6. Enter your organization's name and support information, which is shown on screen while users set up
their devices.
For more information about how to assign a default configuration or apply a configuration in the zero-touch
portal, see Zero-touch enrollment for IT admins (opens Android Enterprise Help docs).
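To check a zero-touch payload like the one above before it is uploaded to the zero-touch portal or turned into a QR code, here is an added Python example; it is not code from the Intune documentation or from Microsoft. It assumes the standard Android provisioning extras named in the JSON plus android.app.extra.PROVISIONING_WIFI_PASSWORD for a Wi-Fi pre-shared key, and treats a live enrollment token as a secret, since the page's own guidance is to revoke a token that reaches an unauthorized party.

```python
"""Lint an Android zero-touch provisioning payload before it is distributed.

Added example, not code from the Intune documentation or from Microsoft. It
checks the DPC extras JSON from the zero-touch step for the provisioning keys
Android requires, verifies the signature checksum is a URL-safe base64 SHA-256
digest, and reports which values the payload carries in plain text (the
enrollment token, and a Wi-Fi password if one is present) so the file or QR
code it becomes is handled as a secret.
"""
import base64
import hashlib
import json
from urllib.parse import urlparse

# Standard Android provisioning extras (DevicePolicyManager EXTRA_PROVISIONING_*).
KEY_COMPONENT = "android.app.extra.PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME"
KEY_CHECKSUM = "android.app.extra.PROVISIONING_DEVICE_ADMIN_SIGNATURE_CHECKSUM"
KEY_DOWNLOAD = "android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION"
KEY_EXTRAS = "android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE"
KEY_WIFI_PASSWORD = "android.app.extra.PROVISIONING_WIFI_PASSWORD"  # assumed key for the Wi-Fi PSK
# Enrollment-token key read by Android Device Policy, the DPC named in the page's JSON.
KEY_TOKEN = "com.google.android.apps.work.clouddpc.EXTRA_ENROLLMENT_TOKEN"
EXPECTED_COMPONENT = "com.google.android.apps.work.clouddpc/.receivers.CloudDeviceAdminReceiver"
PLACEHOLDER_TOKEN = "YourEnrollmentToken"  # the documentation's placeholder value

# Constructed sample: the page's zero-touch JSON with the placeholder token left in.
SAMPLE_PAYLOAD = json.dumps({
    KEY_COMPONENT: EXPECTED_COMPONENT,
    KEY_CHECKSUM: "I5YvS0O5hXY46mb01BlRjq4oJJGs2kuUcHvVkAPEXlg",
    KEY_DOWNLOAD: "https://play.google.com/managed/downloadManagingApp?identifier=setup",
    KEY_EXTRAS: {KEY_TOKEN: PLACEHOLDER_TOKEN},
}, indent=2)


def dpc_signature_checksum(cert_der: bytes) -> str:
    """Encode a DPC signing certificate the way the checksum extra expects:
    SHA-256 of the certificate bytes, URL-safe base64, no '=' padding."""
    digest = hashlib.sha256(cert_der).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def decode_checksum(value: str) -> bytes:
    """Decode a checksum string to raw bytes; ValueError if it is not a 32-byte digest."""
    padded = value + "=" * (-len(value) % 4)
    raw = base64.urlsafe_b64decode(padded)  # binascii.Error is a ValueError subclass
    if len(raw) != hashlib.sha256().digest_size:
        raise ValueError(f"checksum decodes to {len(raw)} bytes, expected 32")
    return raw


def lint_provisioning_payload(text: str) -> dict:
    """Return {'errors': [...], 'secrets': [...]} for a provisioning JSON document.

    errors  - problems that would make enrollment fail or point at the wrong DPC
    secrets - keys whose plain-text values must be protected in the QR code / file
    """
    errors, secrets = [], []
    try:
        payload = json.loads(text)
    except json.JSONDecodeError as exc:
        return {"errors": [f"invalid JSON: {exc}"], "secrets": secrets}
    if not isinstance(payload, dict):
        return {"errors": ["top-level value must be a JSON object"], "secrets": secrets}

    for key in (KEY_COMPONENT, KEY_CHECKSUM, KEY_DOWNLOAD, KEY_EXTRAS):
        if key not in payload:
            errors.append(f"missing {key}")
    if payload.get(KEY_COMPONENT, EXPECTED_COMPONENT) != EXPECTED_COMPONENT:
        errors.append("component name is not the Android Device Policy receiver")
    if KEY_CHECKSUM in payload:
        try:
            decode_checksum(str(payload[KEY_CHECKSUM]))
        except ValueError as exc:
            errors.append(f"bad signature checksum: {exc}")
    if KEY_DOWNLOAD in payload and urlparse(str(payload[KEY_DOWNLOAD])).scheme != "https":
        errors.append("DPC download location must be an https:// URL")

    extras = payload.get(KEY_EXTRAS)
    token = extras.get(KEY_TOKEN) if isinstance(extras, dict) else None
    if not token:
        errors.append("enrollment token missing from admin extras bundle")
    elif token == PLACEHOLDER_TOKEN:
        errors.append("enrollment token is still the documentation placeholder")
    else:
        secrets.append(KEY_TOKEN)  # a live token enrolls devices into the tenant
    if payload.get(KEY_WIFI_PASSWORD):
        secrets.append(KEY_WIFI_PASSWORD)  # a Wi-Fi PSK travels in plain text
    return {"errors": errors, "secrets": secrets}


if __name__ == "__main__":
    print(json.dumps(lint_provisioning_payload(SAMPLE_PAYLOAD), indent=2))
```

Run it against the JSON you intend to upload; an empty errors list and a non-empty secrets list means the payload is complete and should be stored and shared like a credential.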
Android device administrator (sometimes referred to as "legacy" Android management and released with Android
2.2) is a way to manage Android devices. However, improved management functionality is available with
Android Enterprise. In an effort to move to modern, richer, and more secure device management, Google is
decreasing device administrator support in new Android releases.
Therefore, to avoid such reduced functionality, we advise against enrolling new devices using the device
administrator process described below.
For the same reasons, we also recommend that you migrate devices off of device administrator management if
the devices are going to update to Android 10.
IMPORTANT
In areas where Android Enterprise is available (opens Google documentation), Google is encouraging people to move away
from device administrator (DA) management by decreasing its management support in new Android releases.
In areas where Android Enterprise is unavailable, or for devices incapable of integrating with Google Mobile Services, we
still recommend using DA as your management solution in Microsoft Intune. For more information about using DA when
Google Mobile Services are unavailable, see How to use Intune in environments without Google Mobile Services.
DA is currently the recommended management solution for Microsoft Teams certified Android devices.
If you still decide to have users enroll their Android devices with device administrator management, continue to
the next section.
For more information about Google's Android Enterprise features, see these articles:
Google's guidance for migration from device administrator to Android Enterprise
Google's documentation on the plan to deprecate the device administrator API
Next steps
Assign compliance policies
Managing apps
Set up Intune enrollment for Android (AOSP)
corporate-owned userless devices
9/23/2022 • 6 minutes to read
Set up enrollment in Microsoft Intune for corporate-owned, userless devices built on the Android Open Source
Project (AOSP) platform. Intune offers an Android (AOSP) device management solution for corporate-owned
Android devices that are:
Not integrated with Google Mobile Services.
Intended to be shared by more than one user.
Used to accomplish a specific set of tasks at work.
This article describes how to set up Android (AOSP) device management and enroll RealWear devices for use at
work.
Prerequisites
To enroll and manage AOSP devices, you must have:
An active Microsoft Intune tenant.
RealWear devices, updated to Firmware 11.2 or later.
You must also:
Set Microsoft Intune as the mobile device management (MDM) authority in your tenant. You only need to
do this once, when you first set up Intune for mobile device management.
Assign valid licenses to all RealWear device users. For more information, see Microsoft Intune licensing.
TIP
Intune also generates a token in plain text form, but that one can't be used to enroll devices.
1. Sign in to the Microsoft Endpoint Manager admin center and select Devices > Android > Android
enrollment > Corporate-owned, userless devices .
2. Select Create and fill out the required fields.
Name : Type a name to use when assigning the profile to the dynamic device group.
Description : Add a profile description (optional).
Token expiration date : The date when the token expires. Intune enforces a maximum of 90 days.
SSID : Identifies the network that the device will connect to.
NOTE
Wi-Fi details are required because the RealWear device does not have a button or option that lets it
automatically connect to other devices.
Hidden Network : Choose whether this is a hidden network. By default, this setting is disabled.
Wi-Fi Type : Select the type of authentication needed for this network.
If you select WEP Pre-Shared Key or WPA Pre-Shared Key , also enter:
Pre-shared key : The pre-shared key that's used to authenticate with the network.
3. Select Next and optionally, select scope tags.
4. Select Next . Review the details of your profile and then select Create to save the profile.
Access enrollment token
After you create a profile, Intune generates a token that's needed for enrollment. To access the token:
1. Go to Corporate-owned, userless devices .
2. From the list, select your enrollment profile.
3. Select Tokens .
Another way to find the token is:
1. Go to Corporate-owned, userless devices .
2. Locate your profile in the list, and then select the More (...) menu that's next to it.
3. Select View enrollment token .
The token appears as a QR code. During device setup, when prompted to, scan the QR code to enroll the device
in Intune.
IMPORTANT
The QR code will contain any credentials provided in the profile in plain text to allow the device to successfully
authenticate with the network. This is required as the user will not be able to join a network from the device.
Since you're managing the device via Intune, you should skip the RealWear first time setup. The Intune QR code is the
only thing you need to set up the device.
Replace token
Generate a new token to replace one that's nearing its expiration date. Replacing a token does not affect devices
that are already enrolled.
1. Sign in to the Microsoft Endpoint Manager admin center.
2. Select Devices > Android > Android enrollment > Corporate-owned, userless devices .
3. Choose the profile that you want to work with.
4. Select Token > Replace token .
5. Enter the new token expiration date. Tokens must be replaced at least every 90 days.
6. Select OK .
Revoke token
Revoke a token to immediately expire it and make it unusable. For example, it's appropriate to revoke a token
when:
You accidentally share the token/QR code with an unauthorized party.
You complete all enrollments and no longer need the token.
Revoking a token does not affect devices that are already enrolled.
1. Sign in to the Microsoft Endpoint Manager admin center.
2. Select Devices > Android > Android enrollment > Corporate-owned, userless devices .
3. Choose the profile that you want to work with.
4. Select Token > Revoke token > Yes .
Enroll devices
After you set up and assign the Android (AOSP) enrollment profiles, you can enroll devices via QR code.
1. Turn on your new or factory-reset device.
2. When the device prompts you to, scan the token's QR code.
TIP
To access the token in Intune, select Devices > Android > Android enrollment > Corporate-owned, userless
devices . Select your enrollment profile, and then select Tokens .
3. Follow the on-screen prompts to finish enrolling and registering the device. During setup, Intune
automatically installs and opens the apps that are needed for enrollment. Those apps include:
Microsoft Authenticator app
Microsoft Intune app
Intune Company Portal app
After enrollment
App updates
The Microsoft Intune app automatically installs available app updates for itself, Authenticator, and Company
Portal. When an update becomes available, the Intune app closes and installs the update. The app must be
closed completely to install the update.
Manage devices remotely
The following remote actions are available for Android (AOSP) devices:
Wipe
Delete
You can take action on one device at a time. For more information about where to find remote actions in Intune,
see Remove devices by using wipe, retire, or manually unenrolling the device.
NOTE
After you wipe an Android (AOSP) device, the device remains in a Pending state until it's fully restored to its factory
default settings. Then Intune removes it from the device list. When you delete a device, the device is removed from the
device list immediately, with no pending status, and the factory reset happens the next time the device checks in.
Troubleshooting
View version of Microsoft Intune and Microsoft Authenticator apps
To find out which version of the Microsoft Intune app or Microsoft Authenticator app is installed on a device:
1. Go to Devices and select the device name.
2. Select Discovered apps .
3. Find your app and then look in the Application Version column for the version number.
Troubleshooting + Support
Select Troubleshooting + Support from the Microsoft Endpoint Manager navigation menu to:
See a list of Android (AOSP) devices enrolled by a user
Enable troubleshooting of Android (AOSP) devices the same way you can troubleshoot other user devices.
Share app logs with Microsoft
If you experience problems with enrollment or the Microsoft Intune app, you can use the Intune app to upload
and send app logs to Microsoft. After you submit the logs, you'll receive an incident ID to share with your
Microsoft support person.
Known limitations
The following are known limitations when working with AOSP devices in Intune:
You cannot enforce certain password types via device compliance and device restrictions profiles.
Password types include:
Password required, no restriction
Alphabetic
Alphanumeric
Alphanumeric with symbols
Weak biometric
Device compliance reporting is not available for Android (AOSP).
Android (AOSP) management is not supported in these environments:
Intune for Government Community Cloud (GCC) High and Department of Defense (DoD)
Intune operated by 21Vianet
Next steps
Create an Android (AOSP) device configuration policy to restrict settings on devices.
Create an Android (AOSP) device compliance policy.
For more information about how to get started with AOSP, see Android source requirements (opens
Android source documentation).
Set up Intune enrollment for Android (AOSP)
corporate-owned user-associated devices
9/23/2022 • 6 minutes to read
Set up enrollment in Intune for corporate-owned, user-associated devices built on the Android Open Source
Project (AOSP) platform. Intune offers an Android (AOSP) device management solution for corporate-owned
Android devices that are:
Not integrated with Google Mobile Services.
Intended to be used by a single user.
Used exclusively for work.
This article describes how to set up Android (AOSP) device management and enroll RealWear devices for use at
work.
Prerequisites
To enroll and manage AOSP devices, you must have:
An active Microsoft Intune tenant.
RealWear devices, updated to Firmware 11.2 or later.
You must also:
Set Microsoft Intune as the mobile device management (MDM) authority in your tenant. You only need to
do this once, when you first set up Intune for mobile device management.
Assign valid licenses to all RealWear device users. For more information, see Microsoft Intune licensing.
NOTE
Wi-Fi details are required because the RealWear device doesn't have a button or option that lets it
automatically connect to other devices.
Hidden network : Choose whether this is a hidden network. By default, this setting is disabled,
which means the network can broadcast its SSID.
Wi-Fi type : Select the type of authentication needed for this network.
If you select WEP Pre-shared key or WPA Pre-shared key , also enter:
Pre-shared key : The pre-shared key that's used to authenticate with the network.
3. Select Next and optionally, select scope tags.
4. Select Next . Review the details of your profile and then select Create to save the profile.
Access enrollment token
After you create a profile, Intune generates a token that's needed for enrollment. The token appears as a QR
code. During device setup, when prompted to, scan the QR code to enroll the device in Intune.
To view the token as a QR code:
1. Go to Corporate-owned, user-associated devices .
2. From the list, select your enrollment profile.
3. Select Token .
From the Token page, you can also export the enrollment profile JSON file.
IMPORTANT
The QR code will contain any credentials provided in the profile in plain text to allow the device to successfully
authenticate with the network. This is required as the user will not be able to join a network from the device.
Since you're managing the device via Intune, you should skip the RealWear first time setup. The Intune QR code is the
only thing you need to set up the device.
Replace a token
You can generate a new token to replace one that's nearing its expiration date. The replacement token doesn't
affect devices that are already enrolled.
1. Sign in to the Microsoft Endpoint Manager admin center.
2. Select Devices > Android > Android enrollment > Corporate-owned, user-associated devices .
3. Choose the profile that you want to work with.
4. Select Token > Replace token .
5. Enter the new token expiration date. Tokens must be replaced at least every 90 days.
6. Select OK .
Revoke a token
Revoke a token to immediately expire it and make it unusable. For example, it's appropriate to revoke a token
when:
You accidentally share the token/QR code with an unauthorized party.
You complete all enrollments and no longer need the token.
Revoking a token has no effect on devices that are already enrolled.
1. Sign in to the Microsoft Endpoint Manager admin center.
2. Select Devices > Android > Android enrollment > Corporate-owned, user-associated devices .
3. Choose the profile that you want to work with.
4. Select Token > Revoke token > Yes .
Enroll devices
After you set up and assign the Android (AOSP) enrollment profiles, you can enroll devices via QR code.
1. Turn on your new or factory-reset device.
2. When the device prompts you to, scan the token's QR code.
TIP
To access the token in Intune, select Devices > Android > Android enrollment > Corporate-owned, user-associated
devices . Select your enrollment profile, and then select Token .
3. Step through the on-screen prompts to finish enrolling and registering the device. The following apps are
automatically installed during this time and used for enrollment:
Microsoft Intune app
Intune Company Portal app
Microsoft Authenticator app
After enrollment
Update apps
The Microsoft Intune app automatically updates itself. When an app update becomes available, the Intune app
closes and installs the update. The app must remain closed to install the update. The app also installs updates for
Microsoft Authenticator and the Company Portal app.
Manage devices remotely
The following remote actions are available for Android (AOSP) devices:
Wipe
Delete
You can take action on one device at a time. For more information about where to find remote actions in Intune,
see Remove devices by using wipe, retire, or manually unenrolling the device.
NOTE
After you wipe an Android (AOSP) device, the device remains in a Pending state until it's fully restored to its factory
default settings. Then Intune removes it from the device list. When you delete a device, the device is removed from the
device list immediately, with no pending status, and the factory reset happens the next time the device checks in.
Troubleshooting
View app versions
Find out which version of the Intune app or Microsoft Authenticator app is installed on a device.
1. Go to Devices and select the device name.
2. Select Discovered apps .
3. Find your app and then look in the Application Version column for the version number.
Troubleshooting + Support
Select Troubleshooting + Support from the Microsoft Endpoint Manager navigation menu to:
See a list of Android (AOSP) devices enrolled by a user
Enable troubleshooting of Android (AOSP) devices the same way you can troubleshoot other user devices.
Share app logs with Microsoft
If you experience problems with enrollment or access to work resources, you can share diagnostic logs with
Microsoft in the Intune app or Company Portal app. After you submit the logs, you'll receive an incident ID to
share with your Microsoft support person.
Known limitations
The following are known limitations when working with AOSP devices in Intune:
You cannot enforce certain password types via device compliance and device restrictions profiles. Password
types include:
Password required, no restriction
Alphabetic
Alphanumeric
Alphanumeric with symbols
Weak biometric
Device compliance reporting is not available for Android (AOSP).
Android (AOSP) management is not supported in these environments:
Intune for Government Community Cloud (GCC) High and Department of Defense (DoD)
Intune operated by 21Vianet
Next steps
Create an Android (AOSP) device configuration policy to restrict settings on devices.
Create an Android (AOSP) device compliance policy.
Create a policy that requires users to accept your terms and conditions before enrollment.
For more information about how to get started with AOSP, see Android source requirements (opens
Android source documentation).
Manage Android personally-owned/corporate-owned work profile devices with Intune
9/23/2022 • 6 minutes to read
Android Enterprise offers a set of enrollment options that provide users with the most up-to-date and secure
features. Enrolling with an Android Enterprise personally-owned/corporate-owned work profile allows a set of
features and services that separate personal apps and data from work apps and data. It also provides additional
management capabilities and privacy when people use their personal Android devices for work.
Supported devices
Android Enterprise management capabilities rely upon features that are part of more recent Android operating
systems. For devices that do not support Android Enterprise, conventional Android management remains
available. For more information, see Android Enterprise requirements.
Onboarding
Before enrolling Android Enterprise work profile devices, you must complete some onboarding steps. These
steps establish a connection between your Intune tenant and Managed Google Play. For more information, see
Enable enrollment of Android Enterprise personally-owned work profile devices or Set up Intune enrollment of
Android Enterprise corporate-owned devices with work profile.
App configuration
Android Enterprise provides infrastructure for deploying app configuration values to apps that support them. By
specifying configuration values for work apps, you ensure they are properly set when users launch the app for
the first time. Support for app configuration requires that app developers create their Android apps specifically
to support managed configuration values. If they do, then you can use Intune to specify and apply these
configuration settings. For more information, see Add app configuration policies for managed Android devices.
Email configuration
Android Enterprise doesn't provide a default email app or native email profile object like those provided by
iOS/iPadOS. Instead, email configurations can be set by applying app configuration settings to email apps that
support them. Gmail and Nine Work are two Exchange ActiveSync (EAS) client apps in the Play Store that
support configuration with Android Enterprise app configuration.
Intune provides configuration templates for Gmail and Nine Work apps when managed as work apps. Other
email apps that support app configuration profiles can be configured with mobile app configuration policies.
If you are using Exchange ActiveSync Conditional Access for an Android Enterprise personally-owned or
corporate-owned work profile device, consider using either the Gmail or Nine Work email app. The Microsoft
Outlook for Android app, or any other email app that uses modern authentication via MSAL, is also supported.
For more information, see How to configure email settings in Microsoft Intune.
NOTE
Azure Active Directory (Azure AD) Authentication Library (ADAL) will be deprecated, so we recommend updating apps
that currently use it to MSAL. For more information, see Update your applications to use Microsoft Authentication Library
(MSAL) and Microsoft Graph API.
VPN profiles
VPN support is similar to Android VPN profiles. The same VPN providers and basic configuration options are
available for Android Enterprise management with two differences:
Work profile-scoped VPN – VPN connections are limited to just the apps deployed to the personally-
owned or corporate-owned work profile. Only Android Enterprise-managed apps can use the VPN
connection. Personal apps on the device cannot use a managed VPN connection. For more information,
see Android Enterprise VPN settings.
App-specific VPN – App-specific VPN can be configured in Intune if the VPN provider supports:
configuration for app-specific VPN
the capability to configure per-app VPN via the Android Enterprise app configuration profile. For more
information, see Use a Microsoft Intune custom profile to create a per-app VPN profile for Android
devices.
Certificate profiles
The same certificate profile configuration options that are available to Android management are available on
Android Enterprise personally-owned and corporate-owned work profile devices. Android Enterprise provides
enhanced certificate management APIs. Enhanced certificate management provides the following functionality:
Ensures that cert deployment is silent and seamless for the user.
Ensures that deployed certs are removed when a device is retired from Intune and the work profile is
removed.
Provides improved messaging that informs users that the certificate was deployed and configured by their IT
department via their management service.
For more information, see Configure a certificate profile for your devices in Microsoft Intune.
Wi-Fi profiles
Wi-Fi profiles managed by Android Enterprise are removed when the device is retired from Intune and the work
profile is deleted. For more information, see How to configure Wi-Fi settings in Microsoft Intune.
Next steps
Enroll Android devices
Assign apps to Android Enterprise work profile devices with Intune
Set up Intune enrollment of Android Enterprise corporate-owned devices with work profile
9/23/2022 • 4 minutes to read
Android Enterprise corporate-owned devices with a work profile are single user devices intended for corporate
and personal use.
End users can keep their work and personal data separate and are guaranteed that their personal data and
applications will remain private. Admins can control some settings and features for the entire device, including:
Setting requirements for the device password
Controlling Bluetooth and data roaming
Configuring factory reset protection
Intune helps you deploy apps and settings to Android Enterprise corporate-owned devices with work profile. For
specific details about Android Enterprise, see Android enterprise requirements.
Device requirements
Devices must meet these requirements to be managed as Android Enterprise corporate-owned work profile
devices:
Android OS version 8.0 and above.
Devices must run a distribution of Android that has Google Mobile Services (GMS) connectivity. Devices
must have GMS available and must be able to connect to GMS.
You must create an enrollment profile so that users can enroll corporate-owned work profile devices. When the
profile is created, it provides you with an enrollment token (a random string) and a QR code. Depending on the
Android OS and version of the device, you can use either the token or the QR code to enroll the device.
1. Sign in to the Microsoft Endpoint Manager admin center and choose Devices > Android > Android
enrollment > Corporate-owned devices with work profile.
2. Choose Create profile and fill out the fields.
Name: Type a name that you'll use when assigning the profile to the dynamic device group.
Description: Add a profile description (optional).
3. Choose Next.
4. On the Review + create page, choose Create to create the policy.
Create a device group
You can target apps and policies to either assigned or dynamic device groups. You can configure dynamic Azure
AD device groups to automatically populate devices that are enrolled with a particular enrollment profile by
following these steps:
1. Sign in to the Microsoft Endpoint Manager admin center and choose Groups > All groups > New group.
2. In the Group blade, fill out the required fields as follows:
Group type: Security
Group name: Type an intuitive name (like Factory 1 devices)
Membership type: Dynamic device
3. Choose Add dynamic query.
4. In the Dynamic membership rules blade, fill out the fields as follows:
Add dynamic membership rule: Simple rule
Add devices where: enrollmentProfileName
In the middle box, choose Equals.
In the last field, enter the enrollment profile name that you created earlier. For more information about
dynamic membership rules, see Dynamic membership rules for groups in Azure AD.
5. Choose Add query > Create.
Revoke tokens
You can immediately expire the token/QR code. From this point on, the token/QR code is no longer usable. You
might use this option if you:
accidentally share the token/QR code with an unauthorized party
complete all enrollments and no longer need the token/QR code
Revoking a token/QR code won't have any effect on devices that are already enrolled.
1. Sign in to the Microsoft Endpoint Manager admin center and choose Devices > Android > Android
enrollment > Corporate-owned devices with work profile.
2. Choose the profile that you want to work with.
3. Choose Token.
4. To revoke the token, choose Revoke token > Yes.
NOTE
The Microsoft Intune app will be automatically installed during enrollment of a corporate-owned work profile device.
This app is required for enrollment and cannot be uninstalled.
Next steps
Deploy Android apps
Add Android configuration policies
Move Android devices from device administrator to personally-owned work profile management
9/23/2022 • 4 minutes to read
You can help users move their Android devices from device administrator to personally-owned work profile
management by using the compliance setting Block devices managed with device administrator. This
setting lets you make devices non-compliant if they're managed with device administrator.
When users see that they're out of compliance for this reason, they can tap Resolve. They'll be taken to a
checklist that will guide them through:
1. Unenrolling from device administrator management
2. Enrolling into personally-owned work profile management
3. Resolving any compliance issues.
Prerequisites
Users must have Android device administrator enrolled devices with Android Company Portal version
5.0.4720.0 or later.
Set up Android personally-owned work profile management by connecting your Intune tenant account to
your Android Enterprise account.
Set Android Enterprise personally-owned work profile enrollment for the group of users who are moving to
personally-owned work profile.
Consider increasing your user device limits. When unenrolling devices from device administrator
management, device records might not be immediately removed. To provide cushion during this period, you
might need to increase device limit capacity. This increase is so that the users can enroll into personally-
owned work profile management.
Configure Azure Active Directory device settings for Maximum number of devices per user.
Adjust the Intune device limit restrictions by setting the device limit.
4. On the Compliance settings page, in the Device Health section, set Block devices managed with
device administrator to Yes > Next.
5. On the Actions for noncompliance tab, you can configure the available actions for noncompliance to
customize the end-user experience for this flow.
NOTE
Of course, you can use user-friendly hyper-text for the links in your communication with users.
However, don't use URL-shorteners because the links may not work if changed that way.
If the Android Company Portal is open and in the background, when a user taps the link they might go
to the last page they had open instead.
Users must tap the link on an Android device. If they instead paste it into a browser, it will not launch
the Android Company Portal.
Choose Next.
6. On the Scope tags page, select any scope tags you want to include.
7. On the Assignments page, assign the policy to a group that has devices enrolled with device
administrator management > Next.
8. On the Review + create page, confirm all your settings, and then select Create.
Troubleshooting
The end user flow to move to new device management setup guides users through unenrolling from device
administrator management. It also helps users get set up with personally-owned work profile management.
Users must have Android device administrator enrolled devices with Android Company Portal version
5.0.4720.0 or later.
User sees an error after tapping Resolve
If users see an error after tapping the Resolve button, it's likely because of one of these reasons:
Personally-owned work profile enrollment isn't set up correctly. Either an Android Enterprise account isn't
connected or enrollment restrictions are set to block personally-owned work profile enrollment.
The device is running Android 4.4 or earlier, which doesn't support personally-owned work profile
enrollment.
The device manufacturer doesn't support personally-owned work profile enrollment on the device model.
Resolve button doesn't appear on the user's device
The Resolve button won't appear on the user's device if the user enrolls into device administrator management
after they've been targeted with the device compliance policy explained above.
To get the Resolve button to appear, the user must postpone setup and restart the process from the notification.
To avoid this condition, use enrollment restrictions to block enrollment into device administrator management.
User sees an error after tapping URL to Update device settings page
Users might see an error page in the browser when they tap the URL to the Update device settings page of
the Android Company Portal. This error can be caused by one of the following conditions:
The device isn't an Android device.
The Android device doesn't have the Company Portal app.
The Android Company Portal version is earlier than 5.0.4720.0.
The Android device uses Android 6 or earlier.
Next steps
See the end user flow
Manage Android work profile devices with Intune
Automatically enroll Android devices by using Samsung's Knox Mobile Enrollment
9/23/2022 • 6 minutes to read
This topic helps you set up Intune for enrolling supported Android devices using Samsung Knox Mobile
Enrollment (KME). Using Intune with Samsung KME, you can enroll large numbers of company-owned Android
devices when end users turn on their devices for the first time and connect to a Wi-Fi or cellular network. Also,
devices can be enrolled using Bluetooth or NFC when using the Knox Deployment App.
To enable Intune enrollment using Samsung KME, you use both the Intune and Samsung Knox portals in this
order:
1. In the Knox portal:
a. Create an MDM profile
b. Add devices
c. Assign an MDM profile to the devices
2. In the Knox portal, configure end user sign in.
3. Distribute the devices.
A list of device identifiers (serial numbers and IMEIs) is automatically added to the Knox Portal when purchasing
devices from authorized resellers participating in the Knox Deployment Program.
Prerequisites
To enroll into Intune using KME, you must first register your company on the Samsung Knox portal by following
these steps:
1. Make sure KME is available in your country/region: KME is available in over 55 countries/regions. Ensure
that your country/region of deployment is supported.
2. Supported devices: KME is available on all Samsung devices with a minimum of Knox 2.4 for Android
enrollment and a minimum of Knox 2.8 for Android enterprise enrollment.
3. Network requirements: Make sure that the necessary firewall and network access rules are permitted on
your network.
4. Register for a Samsung account: A Samsung account is needed to register and enable KME and manage
all Knox Enterprise entitlements in a single place.
5. Registration Review: After your profile is completed and submitted, Samsung reviews your application
and either approves it immediately or puts it in a pending review status for further follow-up. After your
account is approved, you can continue to further steps.
Allow End User to Cancel Enrollment (required: No): Choose this option to allow users to cancel KME.
Associate a Knox license with this profile (required: No): Leave this option unselected. Enrolling to Intune
using KME doesn't require a Knox license.
* This field is not required to complete profile creation in the Knox portal. However, Intune does require this field
to be filled in so that the profile can successfully enroll the device in Intune.
Add devices
To assign MDM Profiles to devices, supported Samsung Knox devices must be added to the Knox Portal using
one of the following methods:
Using Samsung-Approved Reseller(s): Use this method if you're purchasing devices from one of the
Samsung-approved resellers. Resellers can auto-upload devices for you when approved. Visit the
Samsung Knox Enrollment User Guide to learn how to add resellers.
Using the Knox Deployment App (KDA): Use this method if you have existing devices that need to be
enrolled using KME. You can either use Bluetooth or NFC to add devices to the Knox Portal using this
method. Visit the Samsung Knox Enrollment User Guide to learn about using the KDA.
Distribute devices
After creating and assigning an MDM profile, associating a user name, and identifying the devices as corporate-
owned in Intune, you can distribute devices to users.
Still need help? Check out the complete KME User Guide.
Getting support
Learn more about how to get support for Samsung KME.
Android Enterprise security configuration framework
9/23/2022 • 2 minutes to read
The Android Enterprise security configuration framework is a series of recommendations for device compliance
and configuration policy settings. These recommendations help you tailor your organization's mobile device
security protection to your specific needs.
Security-conscious organizations look for ways to ensure that corporate data on mobile devices is protected. One
method used to protect that data is device enrollment. Device enrollment helps organizations:
deploy compliance policies (like PIN strength, jailbreak/root validation, and so on).
deploy configuration policies (like Wi-Fi, certificates, VPN).
manage the app lifecycle.
To help you set up a complete security scenario, Microsoft introduced a new taxonomy for security
configurations in Windows 10. Intune uses a similar taxonomy for this security configuration framework,
which includes recommended device compliance and device restriction settings for basic, enhanced, and high
security. This taxonomy is explained in the following articles:
1. Android Enterprise framework deployment methodology: A recommended methodology for deploying the
security configuration framework.
2. Android device enrollment restrictions: Pre-enrollment device restrictions for Android Enterprise devices.
3. Set app configuration policies for Android Enterprise devices: Configure apps on the devices to disallow
personal accounts.
4. Android Enterprise personally-owned/corporate-owned work profile security settings: Specific configuration
settings for basic and high security on personally-owned/corporate-owned work profile devices.
5. Android Enterprise fully managed security settings: Specific configuration settings for basic, enhanced, and
high security on fully managed devices.
Next steps
Android Enterprise framework deployment methodology
Android Enterprise framework deployment methodology
9/23/2022 • 2 minutes to read
Before deploying the framework, Microsoft recommends using a ring methodology for testing validation.
Defining deployment rings is generally a one-time event (or at least infrequent). However, IT should revisit these
groups to ensure that the sequencing is still correct.
Preview ring: Production tenant; Mobile capability owners, UX; End-user scenario validation, user facing
documentation; 7-14 days, post Quality Assurance.
All policy setting changes should first be applied in a pre-production environment to understand the policy
setting implications. After testing is complete, move the changes into production and apply them to a subset of
production users, the IT department, and other applicable groups. Finally, complete the rollout to the rest of
the mobile user community. Rollout to production may take longer depending on the scale of the changes' impact.
If there's no user impact, the change should roll out quickly. If there is user impact, rollout may need to go
slower because of the need to communicate changes to the user population.
When testing changes to Android Enterprise devices, be aware of the delivery timing. The status of compliance
policies for devices can be monitored. For more information, see Monitor Intune device compliance policies and
Monitor device profiles in Microsoft Intune.
Next steps
Android Enterprise device enrollment restrictions
Android Enterprise device enrollment restrictions for personally owned work profile devices
9/23/2022 • 2 minutes to read
Before enrolling Android Enterprise personally owned work profile devices for the Android Enterprise security
configuration framework, organizations must configure the appropriate restrictions. These restrictions ensure
that users can only enroll
approved devices.
a specified number of devices.
devices with specified platforms.
devices with specified operating systems.
devices from specified manufacturers.
For more information on device enrollment restrictions, see Set enrollment restrictions.
[Table not recovered: columns Type, Platform, Version, Allows personal devices]
Next steps
Set app configuration policies
Android Enterprise security configuration framework app configuration policies
9/23/2022 • 2 minutes to read
As part of the Android Enterprise security configuration framework, you must properly set app configuration
policies for Android Enterprise devices.
Android Enterprise personally-owned/corporate-owned work profile devices are designed to isolate work and
personal data from one another. Android Enterprise fully managed devices are designed for work or school data
only. So, Microsoft apps deployed on these devices must be configured to disallow personal accounts.
[Table not recovered: columns Key, Values]
Next steps
Apply Android Enterprise personally-owned/corporate-owned work profile security settings or Android
Enterprise fully managed security settings.
Android Enterprise personally-owned work profile security configurations
9/23/2022 • 10 minutes to read
As part of the Android Enterprise security configuration framework, apply the following settings for Android
Enterprise work profile mobile users. For more information on each policy setting, see Android Enterprise
settings to mark devices as compliant or not compliant using Intune and Android Enterprise device settings to
allow or restrict features using Intune.
When choosing your settings, be sure to review and categorize usage scenarios. Then, configure users following
the guidance for the chosen security level. You can adjust the suggested settings based on the needs of your
organization. Make sure to have your security team evaluate the threat environment, risk appetite, and impact to
usability.
For personally-owned work profile devices, there are two recommended security configuration frameworks:
Personally-owned work profile enhanced security (level 2)
Personally-owned work profile high security (level 3)
NOTE
Because of the settings available for personally-owned work profile devices, there is no basic security (level 1) offering. The
available settings don't justify a difference between level 1 and level 2.
Administrators can incorporate the below configuration levels within their ring deployment methodology for
testing and production use by importing the sample Android Enterprise Security Configuration Framework
JSON templates with Intune's PowerShell scripts.
Section: Device Health
Setting: SafetyNet device attestation
Value: Check basic integrity & certified devices
Notes: This setting configures Google's SafetyNet Attestation on end-user devices. Basic integrity validates the
integrity of the device. Rooted devices, emulators, virtual devices, and devices with signs of tampering fail basic
integrity. Basic integrity and certified devices validates the compatibility of the device with Google's services.
Only unmodified devices that have been certified by Google can pass this check.
Section: System Security
Setting: Required password type
Value: Numeric Complex
Notes: Organizations may need to update this setting to match their password policy.

Section: System Security
Setting: Block USB debugging on device
Value: Block
Notes: While this setting blocks debugging using a USB device, it also disables the ability to gather logs, which
may be useful for troubleshooting.

Section: System Security
Setting: Minimum security patch level
Value: Not configured
Notes: Android devices can receive monthly security patches, but the release is dependent on OEMs and/or
carriers. Organizations should ensure that deployed Android devices do receive security updates before
implementing this setting. For the latest patch releases, see Android Security Bulletins.

Section: Actions for noncompliance
Setting: Mark device noncompliant
Value: Immediately
Notes: By default, the policy is configured to mark the device as noncompliant. Additional actions are available.
For more information, see Configure actions for noncompliant devices in Intune.
Device restrictions
To simplify the table below, only configured settings are listed. Undocumented device restrictions are not
configured.
Section: Work profile settings
Setting: Data sharing between work and personal profiles
Value: Apps in work profile can handle sharing request from personal profile

Section: Work profile settings
Setting: Work profile notifications while device locked
Value: Not configured
Notes: Blocking this setting ensures sensitive data is not exposed in work profile notifications, which may
impact usability.

Section: Work profile settings
Setting: Default app permissions
Value: Device Default
Notes: Admins need to review and adjust the permissions granted by apps they are deploying.

Section: Work profile settings
Setting: Contact sharing via Bluetooth
Value: Enable
Notes: By default, access to work contacts is not available on other devices, like automobiles via Bluetooth
integration. Enabling this setting improves hands free user experiences. However, the Bluetooth device may
cache the contacts upon first connection. Organizations should consider balancing the usability scenarios with
data protection concerns when implementing this setting.

Section: Work profile settings
Setting: Search work contacts from personal profile
Value: Not configured
Notes: Blocking users from accessing work contacts from the personal profile may impact certain usability
scenarios like text messaging and dialer experiences within the personal profile. Organizations should consider
balancing the usability scenarios with data protection concerns when implementing this setting.

Section: Work profile settings
Setting: Password expiration (days)
Value: Not configured
Notes: Organizations may need to update this setting to match their password policy.

Section: Work profile settings
Setting: Prevent reuse of previous passwords
Value: Not configured
Notes: Organizations may need to update this setting to match their password policy.

Section: Device password
Setting: Password expiration (days)
Value: Not configured
Notes: Organizations may need to update this setting to match their password policy.

Section: Device password
Setting: Prevent reuse of previous passwords
Value: Not configured
Notes: Organizations may need to update this setting to match their password policy.
Section: System Security
Setting: Threat scan on apps
Value: Require
Notes: This setting ensures that Google's Verify Apps scan is turned on for end user devices. If configured, the
end user will be blocked from access until they turn on Google's app scanning on their Android device.
NOTE
When a personally-owned work profile is enabled, “One Lock” is configured by default to combine device and work profile
passcodes. One Lock may be disabled to separate work profile and device passcodes if necessary, under work profile
settings.
Section: Microsoft Defender for Endpoint
Setting: Require the device to be at or under the machine risk score
Value: Clear
Notes: This setting requires Microsoft Defender for Endpoint. For more information, see Enforce compliance for
Microsoft Defender for Endpoint with Conditional Access in Intune. Customers should consider implementing
Microsoft Defender for Endpoint or a mobile threat defense solution. It is not necessary to deploy both.
Device restrictions
Section: Work profile settings
Setting: Work profile notifications while device locked
Value: Block
Notes: Blocking this setting ensures sensitive data is not exposed in work profile notifications, which may
impact usability.
Section: Work profile settings
Setting: Contact sharing via Bluetooth
Value: Not configured
Notes: By default, access to work contacts is not available on other devices, like automobiles via Bluetooth
integration. Enabling this setting improves hands free user experiences. However, the Bluetooth device may
cache the contacts upon first connection. Organizations should consider balancing the usability scenarios with
data protection concerns when implementing this setting.

Section: Work profile settings
Setting: Search work contacts from personal profile
Value: Block
Notes: Blocking users from accessing work contacts from the personal profile may impact certain usability
scenarios like text messaging and dialer experiences within the personal profile. Organizations should consider
balancing the usability scenarios with data protection concerns when implementing this setting.

Section: Work profile settings
Setting: Password expiration (days)
Value: 365
Notes: Organizations may need to update this setting to match their password policy.
Next steps
Administrators can incorporate the above configuration levels within their ring deployment methodology for
testing and production use by importing the sample Android Enterprise Security Configuration Framework
JSON templates with Intune's PowerShell scripts.
Android Enterprise fully managed security configurations
9/23/2022 • 8 minutes to read
As part of the Android Enterprise security configuration framework, apply the following settings for Android
Enterprise fully managed mobile users. For more information on each policy setting, see Android Enterprise
device owner settings to mark devices as compliant or not compliant using Intune and Android Enterprise
device settings to allow or restrict features using Intune.
When choosing your settings, be sure to review and categorize usage scenarios. Then, configure users following
the guidance for the chosen security level. You can adjust the suggested settings based on the needs of your
organization. Make sure to have your security team evaluate the threat environment, risk appetite, and impact to
usability.
For corporate owned fully-managed devices, there are three recommended security configuration frameworks:
Fully managed basic security (level 1)
Fully managed enhanced security (level 2)
Fully managed high security (level 3)
Administrators can incorporate the below configuration levels within their ring deployment methodology for
testing and production use by importing the sample Android Enterprise Security Configuration Framework
JSON templates with Intune's PowerShell scripts.
Section: Device Health
Setting: SafetyNet device attestation
Value: Check basic integrity & certified devices
Notes: This setting configures Google's SafetyNet Attestation on end-user devices. Basic integrity validates the
integrity of the device. Rooted devices, emulators, virtual devices, and devices with signs of tampering fail basic
integrity. Basic integrity and certified devices validates the compatibility of the device with Google's services.
Only unmodified devices that have been certified by Google can pass this check.

Section: Device Properties
Setting: Minimum security patch level
Value: Not configured
Notes: Android devices can receive monthly security patches, but the release is dependent on OEMs and/or
carriers. Organizations should ensure that deployed Android devices do receive security updates before
implementing this setting. For the latest patch releases, see Android Security Bulletins.

Section: System Security
Setting: Required password type
Value: Numeric Complex
Notes: Organizations may need to update this setting to match their password policy.

Section: Actions for noncompliance
Setting: Mark device noncompliant
Value: Immediately
Notes: By default, the policy is configured to mark the device as noncompliant. Additional actions are available.
For more information, see Configure actions for noncompliant devices in Intune.
Device restrictions
To simplify the table below, only configured settings are listed. Undocumented device restrictions are not
configured.
Section: Device experience
Setting: Make Microsoft Launcher the default launcher
Value: Not configured
Notes: Organizations may choose to implement Microsoft Launcher to ensure a consistent home screen
experience on fully managed devices. For more information, see How to Setup Microsoft Launcher on Android
Enterprise Fully Managed Devices with Intune.

Section: Applications
Setting: Allow access to all apps in Google Play store
Value: Not configured
Notes: By default, users cannot install personal apps from the Google Play Store on fully managed devices. If
organizations would like to allow fully managed devices to be utilized for personal use, consider changing this
setting.

Section: Work profile password
Setting: Required password type
Value: Numeric Complex
Notes: Organizations may need to update this setting to match their password policy.
Device restrictions
Section: Microsoft Defender for Endpoint
Setting: Require the device to be at or under the machine risk score
Value: Clear
Notes: This setting requires Microsoft Defender for Endpoint. For more information, see Enforce compliance for
Microsoft Defender for Endpoint with Conditional Access in Intune. Customers should consider implementing
Microsoft Defender for Endpoint or a mobile threat defense solution. It is not necessary to deploy both.
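As an added example (not Microsoft's JSON templates or PowerShell scripts), the following Python checks a tenant's exported policy against the personally-owned work profile tables above, treating the first pair of tables as level 2 and the second pair as the rows level 3 tightens (an assumption taken from the order of the list of levels), and reports each setting as weaker, stricter, or simply different from the recommendation. The export format and the least-to-most-restrictive ordering of values are constructed for the example; the fully managed tables can be loaded in the same shape.

```python
# Drift check of an Intune Android Enterprise policy export against the framework levels.
NOT_CONFIGURED = "Not configured"

# Per-setting scale from least to most restrictive (own reading of the tables).
# Settings not listed here, such as "Required password type", imply no order and
# are compared by exact match only.
ORDINAL = {
    "SafetyNet device attestation": [
        NOT_CONFIGURED, "Check basic integrity",
        "Check basic integrity & certified devices"],
    "Block USB debugging on device": [NOT_CONFIGURED, "Block"],
    "Threat scan on apps": [NOT_CONFIGURED, "Require"],
    "Work profile notifications while device locked": [NOT_CONFIGURED, "Block"],
    "Search work contacts from personal profile": [NOT_CONFIGURED, "Block"],
    # Work contacts are unavailable over Bluetooth by default, so here
    # "Not configured" is the more restrictive value and "Enable" relaxes it.
    "Contact sharing via Bluetooth": ["Enable", NOT_CONFIGURED],
    "Require the device to be at or under the machine risk score": [
        NOT_CONFIGURED, "High", "Medium", "Low", "Clear"],
}
# Day counts where a smaller number is stricter; "Not configured" is the weakest.
LOWER_DAYS_IS_STRICTER = {"Password expiration (days)"}

# Baselines keyed by (section, setting); values copied from the work profile tables.
LEVEL_2 = {
    ("Device Health", "SafetyNet device attestation"):
        "Check basic integrity & certified devices",
    ("System Security", "Required password type"): "Numeric Complex",
    ("System Security", "Block USB debugging on device"): "Block",
    ("System Security", "Minimum security patch level"): NOT_CONFIGURED,
    ("Work profile settings", "Work profile notifications while device locked"): NOT_CONFIGURED,
    ("Work profile settings", "Contact sharing via Bluetooth"): "Enable",
    ("Work profile settings", "Search work contacts from personal profile"): NOT_CONFIGURED,
    ("Work profile settings", "Password expiration (days)"): NOT_CONFIGURED,
    ("Device password", "Password expiration (days)"): NOT_CONFIGURED,
}
# Assumption: level 3 inherits level 2 and tightens the rows shown in its own tables.
LEVEL_3 = {
    **LEVEL_2,
    ("System Security", "Threat scan on apps"): "Require",
    ("Microsoft Defender for Endpoint",
     "Require the device to be at or under the machine risk score"): "Clear",
    ("Work profile settings", "Work profile notifications while device locked"): "Block",
    ("Work profile settings", "Contact sharing via Bluetooth"): NOT_CONFIGURED,
    ("Work profile settings", "Search work contacts from personal profile"): "Block",
    ("Work profile settings", "Password expiration (days)"): "365",
}


def strictness(setting, value):
    """Rank a value on its setting's scale; None when no order is defined."""
    if setting in LOWER_DAYS_IS_STRICTER:
        if value == NOT_CONFIGURED:
            return 0
        return 10**6 - int(value) if value.isdigit() else None
    scale = ORDINAL.get(setting)
    return scale.index(value) if scale and value in scale else None


def check_policy(policy, baseline):
    """Compare an export {(section, setting): value} with a baseline.

    Settings absent from the export count as "Not configured". Returns
    (section, setting, actual, recommended, status) tuples; status is one of
    "ok", "weaker", "stricter" or "differs" (values differ, no order defined).
    """
    findings = []
    for (section, setting), recommended in sorted(baseline.items()):
        actual = policy.get((section, setting), NOT_CONFIGURED)
        if actual == recommended:
            status = "ok"
        else:
            got, want = strictness(setting, actual), strictness(setting, recommended)
            if got is None or want is None:
                status = "differs"
            else:
                status = "weaker" if got < want else "stricter"
        findings.append((section, setting, actual, recommended, status))
    return findings


def weaker_than(policy, baseline):
    """Only the rows where the export falls short of the baseline."""
    return [f for f in check_policy(policy, baseline) if f[4] == "weaker"]


# Constructed export of a work profile policy that has drifted from level 3.
SAMPLE_POLICY = {
    ("Device Health", "SafetyNet device attestation"): "Check basic integrity",
    ("System Security", "Required password type"): "Numeric Complex",
    ("System Security", "Block USB debugging on device"): "Block",
    ("System Security", "Minimum security patch level"): "2022-09-01",
    ("System Security", "Threat scan on apps"): "Require",
    ("Microsoft Defender for Endpoint",
     "Require the device to be at or under the machine risk score"): "Low",
    ("Work profile settings", "Work profile notifications while device locked"): "Block",
    ("Work profile settings", "Contact sharing via Bluetooth"): "Enable",
    ("Work profile settings", "Password expiration (days)"): "90",
}

if __name__ == "__main__":
    for section, setting, actual, recommended, status in check_policy(SAMPLE_POLICY, LEVEL_3):
        if status != "ok":
            print(f"[{status}] {section} / {setting}: {actual!r} (level 3: {recommended!r})")
```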
Next steps
Administrators can incorporate the above configuration levels within their ring deployment methodology for
testing and production use by importing the sample Android Enterprise Security Configuration Framework
JSON templates with Intune's PowerShell scripts.
Enroll iOS/iPadOS devices in Intune
9/23/2022 • 4 minutes to read
Intune enables mobile device management (MDM) of iPads and iPhones to give users secure access to company
email, data, and apps.
As an Intune admin, you can set up enrollment for iOS/iPadOS devices to access company resources. You can let users enroll personally-owned devices, known as "bring your own device" (BYOD) enrollment. You can also set up enrollment of company-owned devices.
User enrollment
User Enrollment gives admins a subset of management options compared to other enrollment methods. For more information, see User Enrollment supported actions, passwords, and other options and Set up iOS/iPadOS User Enrollment.
Apple Configurator
You can enroll iOS/iPadOS devices with Apple Configurator running on a Mac computer. To prepare devices, you
USB-connect them and install an enrollment profile. You can enroll devices with Apple Configurator in two ways:
Setup Assistant enrollment - Wipes the device, prepares it to run Setup Assistant, and installs the company's
policies for the device's new user.
Direct enrollment - Doesn't wipe the device and enrolls the device with a predefined policy. This method is
for devices with no user affinity.
Learn more about Apple Configurator enrollment.
See also
Troubleshooting iOS/iPadOS device enrollment problems in Microsoft Intune
Automatically enroll iOS/iPadOS devices by using Apple's Automated Device Enrollment
9/23/2022 • 30 minutes to read
You can set up Intune to enroll iOS/iPadOS devices purchased through Apple's Automated Device Enrollment
(ADE). Automated Device Enrollment lets you enroll large numbers of devices without ever touching them.
Devices like iPhones, iPads, and MacBooks can be shipped directly to users. When a user turns on the device,
Setup Assistant, which includes the typical out-of-box-experience for Apple products, runs with preconfigured
settings and the device enrolls into management.
To enable ADE, you use the Intune portal and either the Apple Business Manager (ABM) portal or the Apple
School Manager (ASM) portal. In either Apple portal, you need a list of serial numbers or a purchase order so
you can assign devices to Intune for management. You create ADE enrollment profiles in Intune. These profiles
contain settings that are applied to devices during enrollment. ADE can't be used with a Device Enrollment
Manager account.
NOTE
ADE sets device configurations that can't necessarily be removed by end users. Therefore, before ADE is used, the device
must be wiped to return it to an out-of-box (new) state. For more information, see Deployment guide: Enroll iOS and
iPadOS devices.
If you experience sync problems during the enrollment process, you can look for solutions at Troubleshoot
iOS/iPadOS device enrollment problems.
Deploying the Intune Company Portal app through Intune is the best way to provide the app to users and the
only way to:
Ensure all ADE devices, including already-enrolled ones, receive the app.
Enable automatic app updates for Company Portal on ADE devices.
Deploy the app as a required, VPP app with device licensing. For information about how to sync, assign, and
manage a VPP app, see assign a volume-purchased app.
To enable automatic app updates for Company Portal, go to your app token settings in the admin center and change Automatic app updates to Yes. See Upload an Apple VPP or Apple Business Manager location token for the steps to access your token settings. If you don't enable automatic updates, the device user will need to manually check for them on their own.
Device staging is used to transition a device without user affinity to a device with user affinity. To stage a device, set up VPP deployment as described earlier in this section. Then configure and deploy an app configuration policy. Make sure the policy only targets those ADE devices without user affinity.
IMPORTANT
During initial enrollment, Intune automatically pushes the app configuration policy settings for devices enrolled with Setup Assistant with modern authentication, configured in Configure the Company Portal app to support iOS and iPadOS devices enrolled with Automated Device Enrollment, when the enrollment profile setting Install Company Portal is set to yes. This configuration should not be deployed manually to users because it will cause a conflict with the configuration sent during the initial enrollment. If both are deployed, Intune will incorrectly prompt device users to sign in to Company Portal and download a management profile they've already installed.
Prerequisites
Devices purchased in Apple's ADE
Mobile device management (MDM) authority
An Apple MDM push certificate
Supported volume
Maximum enrollment profiles per token: 1,000.
Maximum Automated Device Enrollment devices per profile: Same as the maximum number of devices per
token (200,000 devices per token).
Maximum Automated Device Enrollment tokens per Intune account: 2,000.
Maximum Automated Device Enrollment devices per token: We recommend that you don't exceed 200,000
devices per token. Otherwise you might have sync problems. If you have more than 200,000 devices, split
the devices into multiple ADE tokens.
About 3,000 devices per minute sync from ABM/ASM over to Intune. We recommend that you wait to
manually sync again from the admin console until enough time has passed for all of the devices to
sync over (total number of devices/3,000 devices per minute).
NOTE
The following steps describe what you need to do in Apple Business Manager. For the specific steps, refer to Apple's
documentation. Apple Business Manager User Guide (on Apple's website) might be helpful.
NOTE
Devices will be blocked if there aren't enough Company Portal licenses for a VPP token or if the token is expired. Intune
alerts you when a token is about to expire or licenses are running low.
1. In Microsoft Endpoint Manager admin center, select Devices > iOS/iPadOS > iOS/iPadOS enrollment > Enrollment program tokens.
2. Select a token, and then select Profiles.
3. Select Create profile > iOS/iPadOS.
4. For Basics, give the profile a Name and Description for administrative purposes. Users don't see these details.
5. Select Next.
IMPORTANT
If you make changes to existing enrollment profile settings, the new changes will not take effect on assigned devices until
devices are reset back to factory settings and reactivated. Reactivation occurs when the Remote Management Payload is
received on ADE devices. Renaming the device name template is the only change you can make that doesn't require a
factory reset.
6. In the User Affinity list, select an option that determines whether devices with this profile must enroll
with or without an assigned user.
Enroll with User Affinity. Select this option for devices that belong to users who want to use Company Portal for services like installing apps.
Enroll without User Affinity. Select this option for devices that aren't affiliated with a single user. Use this option for devices that don't access local user data. This option is typically used for kiosk, point of sale (POS), or shared-utility devices.
In some situations, you might want to associate a primary user on devices enrolled without user
affinity. To do this task, you can send the IntuneUDAUserlessDevice key to the Company Portal app
in an app configuration policy for managed devices. The first user that signs in to the Company
Portal app is established as the primary user. If the first user signs out and a second user signs in,
the first user remains the primary user of the device. For more information, see Configure the
Company Portal app to support iOS and iPadOS ADE devices.
7. If you selected Enroll with User Affinity for the User Affinity field, you now have the option to choose the authentication method to use when authenticating users. For Authentication method, select one of the following options:
Company Portal: Authenticate with the Company Portal app if you want to:
Use multifactor authentication.
Prompt users to change their passwords when they first sign in.
Prompt users to reset their expired passwords during enrollment.
These features aren't supported when you authenticate by using Apple Setup Assistant.
Setup Assistant (legacy): Use the legacy Setup Assistant if you want users to experience the typical, out-of-box-experience for Apple products. This installs standard preconfigured settings
when the device enrolls with Intune management. If you're using Active Directory Federation
Services and you're using Setup Assistant to authenticate, a WS-Trust 1.3 Username/Mixed
endpoint is required. Learn more.
Setup Assistant with modern authentication: Devices running iOS/iPadOS 13.0 and later can
use this method. Older iOS/iPadOS devices in this profile will fall back to using the Setup
Assistant (legacy) process.
NOTE
MFA won't work for Setup Assistant with modern authentication if you're using a 3rd party MFA provider
to present the MFA screen during enrollment. Only the Azure AD MFA screen works during enrollment.
For the latest support updates about custom controls for MFA, see Upcoming changes to Custom
Controls.
This method provides the same security as Company Portal authentication but avoids the issue of
leaving end users with a device they can't use until the Company Portal installs.
The Company Portal will be installed without user interaction (the user won't see the Install Company Portal option) in both of the following situations:
If you use the Install Company Portal with VPP option below (recommended).
If the end user sets up their Apple ID account during Setup Assistant.
In both of these situations, the Company Portal will be a required app on the device. Also, when
the end user gets to the home screen, the correct app configuration policy will automatically be
applied to the device.
Don't send a separate app configuration policy to the Company Portal for iOS/iPadOS devices after
enrolling with Setup Assistant with modern authentication. Doing so will result in an error.
If you don't use the VPP option, the user must supply an Apple ID to install the Company Portal
(either during Setup Assistant or when Intune tries to install the Company Portal).
If a conditional access policy that requires multi-factor authentication (MFA) applies at enrollment
or during Company Portal sign in, then MFA is required. However, MFA is optional based on the
AAD settings in the targeted Conditional Access policy.
After completing all the Setup Assistant screens, the end user lands on the home page (at which
point their user affinity is established). However, until the user signs in to the Company Portal
using their Azure AD credentials and taps "Begin" at the "Setup Company access" screen, the
device:
Won’t be fully registered with Azure AD.
Won’t show up in the user’s device list in the Azure AD portal.
Won’t have access to resources protected by conditional access.
Won’t be evaluated for device compliance.
Will be redirected to the Company Portal from other apps if the user tries to open any
managed applications that are protected by conditional access.
8. If you selected Setup Assistant (legacy) for the authentication method but you also want to use Conditional Access or deploy company apps on the devices, you need to install Company Portal on the devices and sign in to complete the Azure AD registration. To do so, select Yes for Install Company Portal. If you want users to receive Company Portal without having to authenticate in to the App Store, in Install Company Portal with VPP, select a VPP token. Make sure the token doesn't expire and that you have enough device licenses for the Company Portal app to deploy correctly.
9. If you select a token for Install Company Portal with VPP, you can lock the device in Single App Mode (specifically, the Company Portal app) right after the Setup Assistant completes. Select Yes for Run Company Portal in Single App Mode until authentication to set this option. To use the device, the user must first authenticate by signing in with Company Portal.
NOTE
Multifactor authentication isn't supported on a single device locked in Single App Mode. This limitation exists
because the device can't switch to a different app to complete the second factor of authentication. If you want
multifactor authentication on a Single App Mode device, the second factor must be on a different device.
10. If you want devices using this profile to be supervised, select Yes in the Supervised list:
Supervised devices give you more management options and disable Activation Lock by default. Microsoft recommends that you use ADE as the mechanism for enabling supervised mode, especially if you're deploying large numbers of iOS/iPadOS devices. Apple Shared iPad for Business devices must be supervised.
Users are notified that their devices are supervised in two ways:
The lock screen says: This iPhone is managed by company name.
The Settings > General > About screen says: This iPhone is supervised. Company name can monitor your Internet traffic and locate this device.
NOTE
If a device is enrolled without supervision, you need to use Apple Configurator if you want to set it to supervised.
To reset the device in this way, you need to connect it to a Mac with a USB cable. For more information, see Apple
Configurator Help.
11. In the Locked enrollment list, select Yes or No. Locked enrollment disables iOS/iPadOS settings that allow the management profile to be removed from the Settings menu. After device enrollment, you can't change this setting without wiping the device. To use this option, the device must have the Supervised management option set to Yes.
NOTE
If a device is enrolled with locked enrollment, the user won't be able to use Remove Device or Factory Reset in the Company Portal app. The options will be unavailable to the user. Also, the user won't be able to remove the device on the Company Portal website.
If a BYOD device is converted to an Apple ADE device and enrolled with a profile that has locked enrollment enabled, the user will be allowed to use Remove Device and Factory Reset for 30 days. After 30 days, the options will be disabled or unavailable. For more information, see Prepare devices manually.
12. If you selected Enroll without User Affinity and Supervised in the previous steps, you need to decide
whether to configure the devices to be Apple Shared iPad for Business devices. Select Yes for Shared
iPad to enable multiple users to sign in to a single device. Users will authenticate by using their Managed
Apple IDs and federated authentication accounts or by using a temporary session (like the Guest
account). This option requires iOS/iPadOS 13.4 or later. With Shared iPad, all Setup Assistant panes after
activation are automatically skipped.
NOTE
A device wipe will be required if an iOS/iPadOS enrollment profile with Shared iPad enabled is sent to an
unsupported device. Unsupported devices include any iPhone models, and iPads running iPadOS/iOS 13.3 and
earlier. Supported devices include iPads running iPadOS 13.3 and later.
To set up Apple Shared iPad for Business, configure these settings:
In the User Affinity list, select Enroll without User Affinity.
In the Supervised list, select Yes.
In the Shared iPad list, select Yes.
If you're setting up Apple Shared iPad for Business devices, also configure:
Maximum cached users: Enter the number of users that you expect to use the shared iPad. You can cache up to 24 users on a 32-GB or 64-GB device. If you choose a low number, it might take a while for your users' data to appear on their devices after they sign in. If you choose a high number, your users could run out of disk space.
Maximum seconds after screen lock before password is required: Enter the number of seconds from 0 to 14,400. If the screen lock exceeds this amount of time, a device password will be required to unlock the device. Available for devices in Shared iPad mode running iPadOS 13.0 and later.
Maximum seconds of inactivity until user session logs out: The minimum allowed value for this setting is 30. If there isn't any activity after the defined period, the user session ends and signs the user out. If you leave the entry blank or set it to zero (0), the session will not end due to inactivity. Available for devices in Shared iPad mode running iPadOS 14.5 and later.
Require Shared iPad temporary session only: Configures the device so that users only see the guest version of the sign-in experience and must sign in as guests. They can't sign in with a Managed Apple ID. Available for devices in Shared iPad mode running iPadOS 14.5 and later.
When set to Yes, this setting cancels out the following shared iPad settings, because they are not applicable in temporary sessions:
Maximum cached users
Maximum seconds after screen lock before password is required
Maximum seconds of inactivity until user session logs out
Maximum seconds of inactivity until temporary session logs out: The minimum allowed value for this setting is 30. If there isn't any activity after the defined period, the temporary session ends and signs the user out. If you leave the entry blank or set it to zero (0), the session will not end due to inactivity. Available for devices in Shared iPad mode running iPadOS 14.5 and later. This setting is available when Require Shared iPad temporary session only is set to Yes.
NOTE
If temporary sessions are enabled, all of the user's data is deleted when they sign out of the session. This means that all targeted policies and apps will come down to the user when they sign in, and they'll be erased when the user signs out.
To alter a Shared iPad's configuration to not have temporary sessions, the device will need to be fully reset and a new enrollment profile with the updated configurations will need to be sent down to the iPad.
13. In the Sync with computers list, select an option for the devices that use this profile. If you select Allow Apple Configurator by certificate, you need to choose a certificate under Apple Configurator Certificates.
NOTE
If you set Sync with computers to Deny all, the port will be limited on iOS and iPadOS devices. The port will be limited to only charging. It will be blocked from using iTunes or Apple Configurator 2.
If you set Sync with computers to Allow Apple Configurator by certificate, make sure you have a local copy of the certificate that you can use later. You won't be able to make changes to the uploaded copy, and it's important to retain a copy of this certificate. If you want to connect to the iOS/iPadOS device from a macOS device or PC, the same certificate must be installed on the device making the connection to the iOS/iPadOS device.
14. If you selected Allow Apple Configurator by certificate in the previous step, choose an Apple Configurator certificate to import.
15. You can specify a naming format for devices that's automatically applied when they're enrolled and upon each successive check-in. To create a naming template, select Yes under Apply device name template. Then, in the Device Name Template box, enter the template to use for the names that use this profile. You can specify a template format that includes the device type and serial number. This feature supports iPhone, iPad, and iPod Touch. The device name template entry cannot exceed the length of 63 characters, including the variables.
16. You can activate a cellular data plan. This setting applies to devices running iOS/iPadOS 13.0 and later. Configuring this option will send a command to activate cellular data plans for your eSIM-enabled cellular devices. Your carrier must provision activations for your devices before you can activate data plans using this command. To activate a cellular data plan, click Yes and then enter your carrier's activation server URL.
17. Select Next.
18. On the Setup Assistant tab, configure the following profile settings:
You can choose to hide Setup Assistant screens on the device during user setup.
If you select Hide, the screen won't be displayed during setup. After setting up the device, the user can still go to the Settings menu to set up the feature.
If you select Show, the screen will be displayed during setup, but only if there are steps to complete after the restore or after the software update. Users can sometimes skip the screen without taking action. They can then later go to the device's Settings menu to set up the feature.
With Shared iPad, all Setup Assistant panes after activation are automatically skipped regardless of the configuration.
Setup Assistant features, and what happens when each is visible:
Department Phone: Appears when users tap the Need Help button during activation.
Location Services: Prompt the user for their location. For macOS 10.11 and later, and iOS/iPadOS 7.0 and later.
Restore: Display the Apps & Data screen. This screen gives users the option to restore or transfer data from iCloud Backup when they set up the device. For macOS 10.9 and later, and iOS/iPadOS 7.0 and later.
Apple ID: Give the user the option to sign in with their Apple ID and use iCloud. For macOS 10.9 and later, and iOS/iPadOS 7.0 and later.
Terms and conditions: Require the user to accept Apple's terms and conditions. For macOS 10.9 and later, and iOS/iPadOS 7.0 and later.
Touch ID and Face ID: Give the user the option to set up fingerprint or facial identification on their device. For macOS 10.12.4 and later, and iOS/iPadOS 8.1 and later. On iOS/iPadOS 14.5 and later, the Passcode and Touch ID Setup Assistant screens during device setup aren't working. If you use version 14.5+, then don't configure the Passcode or Touch ID Setup Assistant screens. If you require a passcode on devices, then use a device configuration policy or a compliance policy. After the user enrolls and they receive the policy, they're prompted for a passcode.
Apple Pay: Give the user the option to set up Apple Pay on the device. For macOS 10.12.4 and later, and iOS/iPadOS 7.0 and later.
Zoom: Give the user the option to zoom the display when they set up the device. For iOS/iPadOS 8.3 and later.
Siri: Give the user the option to set up Siri. For macOS 10.12 and later, and iOS/iPadOS 7.0 and later.
Diagnostics Data: Display the Diagnostics screen. This screen gives the user the option to send diagnostic data to Apple. For macOS 10.9 and later, and iOS/iPadOS 7.0 and later.
Display Tone: Give the user the option to turn on Display Tone. For macOS 10.13.6 and later, and iOS/iPadOS 9.3.2 and later.
Privacy: Display the Privacy screen. For macOS 10.13.4 and later, and iOS/iPadOS 11.3 and later.
Android Migration: Give the user the option to migrate data from an Android device. For iOS/iPadOS 9.0 and later.
iMessage & FaceTime: Give the user the option to set up iMessage and FaceTime. For iOS/iPadOS 9.0 and later.
Screen Time: Display the Screen Time screen. For macOS 10.15 and later, and iOS/iPadOS 12.0 and later.
SIM Setup: Give the user the option to add a cellular plan. For iOS/iPadOS 12.0 and later.
Watch Migration: Give the user the option to migrate data from a watch device. For iOS/iPadOS 11.0 and later.
Device to Device Migration: Give the user the option to migrate data from an old device to this device. This feature isn't available for ADE devices running iOS 13 and later, so this screen won't appear on those devices.
Software Update Completed: Shows the user all software updates that happen during Setup Assistant.
Get Started: Shows users the Get Started welcome screen.
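As an added example (not Intune's own code or API), the following Python resolves which of the Shared iPad settings from step 12 actually take effect for a given enrollment profile and flags values the steps above rule out: the minimum of 30 for the inactivity timeouts, the 0 to 14,400 range for the screen-lock timeout, blank or 0 meaning "never", and the three settings cancelled when temporary-session-only is Yes. The dictionary keys, the sample profile and the `effective_shared_ipad_settings` function are constructed for this illustration and mirror the portal labels, not a real Intune or Graph schema.

```python
"""Constructed example (not Intune's code or API): resolve which Shared iPad
session settings from step 12 take effect for an ADE enrollment profile, and
flag values the page says are not allowed. Dict keys are assumptions that
mirror the portal labels, not the real Intune/Graph schema."""

SCREEN_LOCK_MAX_SECONDS = 14_400  # "Maximum seconds after screen lock": 0 to 14,400
INACTIVITY_MIN_SECONDS = 30       # minimum allowed for both inactivity timeouts
CACHED_USERS_ON_32_64_GB = 24     # up to 24 cached users on a 32-GB or 64-GB device

# Settings cancelled out when "Require Shared iPad temporary session only" is Yes.
CANCELLED_BY_TEMP_ONLY = (
    "maximum_cached_users",
    "screen_lock_seconds",
    "user_inactivity_seconds",
)

# Constructed sample profile, shaped like the step 12 options (assumed keys).
SAMPLE_PROFILE = {
    "user_affinity": "none",          # Enroll without User Affinity
    "supervised": True,
    "temporary_session_only": False,
    "maximum_cached_users": 10,
    "screen_lock_seconds": 300,
    "user_inactivity_seconds": 0,     # blank or 0: session never ends due to inactivity
    "temporary_session_inactivity_seconds": None,
}


def _inactivity_timeout(name, value, issues):
    """Blank (None) or 0 means the session never ends due to inactivity;
    any other value must be at least INACTIVITY_MIN_SECONDS."""
    if value in (None, 0):
        return None
    if value < INACTIVITY_MIN_SECONDS:
        issues.append(f"{name}: must be at least {INACTIVITY_MIN_SECONDS} seconds, got {value}")
    return value


def effective_shared_ipad_settings(profile):
    """Return (effective_settings, issues) for a Shared iPad enrollment profile.

    Prerequisites from step 12: Enroll without User Affinity and Supervised = Yes.
    Cancelled settings are reported as "not applicable" and are not validated,
    because the device ignores them in temporary sessions.
    """
    issues = []
    if profile.get("user_affinity") != "none":
        issues.append("user_affinity: Shared iPad requires Enroll without User Affinity")
    if not profile.get("supervised"):
        issues.append("supervised: Shared iPad requires Supervised = Yes")

    temp_only = bool(profile.get("temporary_session_only"))
    effective = {"temporary_session_only": temp_only}

    if temp_only:
        for key in CANCELLED_BY_TEMP_ONLY:
            effective[key] = "not applicable"
        effective["temporary_session_inactivity_seconds"] = _inactivity_timeout(
            "temporary_session_inactivity_seconds",
            profile.get("temporary_session_inactivity_seconds"), issues)
        return effective, issues

    cached = profile.get("maximum_cached_users")
    if cached is None or cached < 1:
        issues.append("maximum_cached_users: must be at least 1")
    elif cached > CACHED_USERS_ON_32_64_GB:
        issues.append(f"maximum_cached_users: {cached} exceeds the {CACHED_USERS_ON_32_64_GB} "
                      "users cacheable on a 32-GB or 64-GB device")
    effective["maximum_cached_users"] = cached

    lock = profile.get("screen_lock_seconds")
    if lock is not None and not 0 <= lock <= SCREEN_LOCK_MAX_SECONDS:
        issues.append(f"screen_lock_seconds: must be 0 to {SCREEN_LOCK_MAX_SECONDS}, got {lock}")
    effective["screen_lock_seconds"] = lock

    effective["user_inactivity_seconds"] = _inactivity_timeout(
        "user_inactivity_seconds", profile.get("user_inactivity_seconds"), issues)
    # The temporary-session timeout is only offered when temporary-session-only is Yes.
    effective["temporary_session_inactivity_seconds"] = "not applicable"
    return effective, issues


if __name__ == "__main__":
    settings, problems = effective_shared_ipad_settings(SAMPLE_PROFILE)
    for key, value in settings.items():
        print(f"{key}: {value}")
    print("issues:", problems or "none")
```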
NOTE
If you need to re-enroll your Automated Device Enrollment device, you need to first wipe the device from the Intune
admin console. To re-enroll:
1. Wipe the device from the Intune console.
Alternatively, retire the device from the Intune console and factory reset the device using the Settings app,
Apple Configurator 2, or iTunes.
2. Activate the device again and run through Setup Assistant to receive the Remote Management Profile.
IMPORTANT
If a device is deleted from Intune, but remains assigned to the ADE enrollment token in the ASM/ABM
portal, it will reappear in Intune on the next full sync. If you don't want the device to reappear in Intune,
unassign it from the Apple MDM server in the ABM/ASM portal.
If a device is released from ABM/ASM, it can take up to 45 days for it to be automatically deleted from
the devices page in Intune. You can manually delete released devices from Intune one by one if
needed. Released devices will be accurately reported as being Removed from ABM/ASM in Intune
until they are automatically deleted within 30-45 days.
A delta sync is run automatically every 12 hours. You can also trigger a delta sync by selecting the
Sync button (no more than once every 15 minutes). All sync requests are given 15 minutes to finish.
The Sync button is disabled until a sync is completed. This sync will refresh existing device status and
import new devices assigned to the Apple MDM server. If a delta sync fails for any reason, the next
sync will be a full sync to hopefully resolve any issues.
NOTE
You can also assign serial numbers to profiles in the Apple Serial Numbers pane.
1. In Microsoft Endpoint Manager admin center, select Devices > iOS/iPadOS > iOS/iPadOS enrollment > Enrollment Program Tokens. Select a token in the list.
2. Select Devices. Select devices in the list, and then select Assign profile.
3. Under Assign profile, choose a profile for the devices, and then select Assign.
Assign a default profile
You can pick a default profile to be applied to all devices that enroll with a specific token.
1. In Microsoft Endpoint Manager admin center, select Devices > iOS/iPadOS > iOS/iPadOS enrollment > Enrollment Program Tokens. Select a token in the list.
2. Select Set Default Profile, select a profile in the list, and then select Save. The profile will be applied to all devices that enroll with the token.
NOTE
Ensure that Device Type Restrictions under Enrollment Restrictions does not have the default All Users policy set to block the iOS/iPadOS platform. This setting will cause automated enrollment to fail and your device will show as Invalid Profile, regardless of user attestation. To permit enrollment only by company-managed devices, block only personally owned devices, which will permit corporate devices to enroll. Microsoft defines a corporate device as a device that's enrolled via a Device Enrollment Program or a device that's manually entered under Corporate device identifiers.
Distribute devices
You enabled management and syncing between Apple and Intune and assigned a profile so your ADE devices
can be enrolled. You're now ready to distribute devices to users. Some things to know:
Devices enrolled with user affinity require that each user be assigned an Intune license.
Devices enrolled without user affinity typically don't have any associated users. These devices need to
have an Intune device license. If devices enrolled without user affinity will be used by an Intune-licensed
user, a device license isn't needed.
To summarize, if a device has a user, the user needs to have an assigned Intune license. If the device
doesn't have an Intune-licensed user, the device needs to have an Intune device license.
For more information on Intune licensing, see Microsoft Intune licensing and the Intune planning guide.
A device that's been activated needs to be wiped before it can enroll properly using ADE in Intune. After it's been wiped but before activating it again, you can apply the enrollment profile. See Set up an existing iPhone, iPad, or iPod touch.
If you're enrolling with ADE and user affinity, the following error can happen during setup:
The SCEP server returned an invalid response.
You can resolve this error by trying to download the management profile again within 15 minutes. If it's been more than 15 minutes, to resolve this error you'll need to factory reset the device. This error occurs because of a 15-minute time limit on SCEP certificates, which is enforced for security.
For information on the end-user experience, see Enroll your iOS/iPadOS device in Intune by using ADE.
NOTE
As it says in the prompt, don't select Download Server Token if you don't intend to renew the token. Doing so
will invalidate the token being used by Intune (or any other MDM solution). If you already downloaded the token,
be sure to continue with the next steps until the token is renewed.
4. After you download the token, go to Microsoft Endpoint Manager admin center. Select Devices > iOS/iPadOS > iOS/iPadOS enrollment > Enrollment program tokens. Select the token.
5. Select Renew token . Enter the Apple ID used to create the original token (if it's not automatically
populated):
Next steps
Backup and restore scenarios for iOS/iPadOS
iOS/iPadOS enrollment overview
What are shared iOS and iPadOS devices?
9/23/2022 • 2 minutes to read
Shared devices are organization-owned multi-user devices. These devices can be special-purpose or multi-purpose as needed in each environment. Shared devices enable front-line workers in healthcare, hospitality, retail, manufacturing, and other industries to access critical applications and tools essential to their role in the organization. In education, shared devices are used as learning aids or test-taking devices in classrooms.
Comparison of Shared iPad and Shared Device Mode, by consideration:
Minimum device requirements
Shared iPad: iPadOS 13.4 or later with at least 32 GB of storage.
Shared Device Mode: iOS 13 or later, iPadOS 13 or later.
AAD federation with Apple Business or School Manager
Shared iPad: Required. This enables users to sign in using their AAD username and password.
Shared Device Mode: Not required.
Device provisioning
Shared iPad: Shared iPad can be enabled on iPads enrolled using Automated Device Enrollment without user affinity.
Shared Device Mode: Shared Device Mode can be configured on devices enrolling using Automated Device Enrollment without user affinity. For more information, see Use Intune to enable shared device mode & SSO extension.
Temporary session without signing in
Shared iPad: Temporary sessions that do not require a Managed Apple ID or password are allowed by default. Temporary sessions can be allowed or blocked by Intune policy. For more information, see Shared iPad.
Shared Device Mode: Not applicable.
Supported app types
Shared iPad: Device-licensed purchased or custom apps (VPP), line-of-business apps, web apps.
Shared Device Mode: Apps that have been modified to support Shared Device Mode including MSAL integration. For more information, see Modify your iOS application to support shared device mode.
Policy and app assignment
Shared iPad: Device-assigned required apps and policies are supported. The same apps and policies apply to any user signing in on a Shared iPad. Some device configuration policies can be user-assigned. For more information, see Configure settings for Shared iPads.
Shared Device Mode: Device-assigned required apps and policies are supported.
Unsupported scenarios
Shared iPad: Conditional Access (see note below), App Protection Policies, Intune Company Portal app, Available apps.
Shared Device Mode: Conditional Access (see note below), App Protection Policies, Intune Company Portal app, Available apps, Apps that don't support Shared Device Mode, User-assigned policies and apps.
IMPORTANT
The following Conditional Access configurations are not supported:
Granting Conditional Access conditions for a device that require an approved client app, require an app protection
policy, require per-device terms of use, or must be marked as compliant.
Conditional Access conditions that use filters for devices.
Next steps
Set up iOS/iPadOS device enrollment with Apple Configurator
Shared iPad devices
9/23/2022 • 11 minutes to read
Provisioning a device as a Shared iPad sets it up for use by multiple users. iPads running on iPadOS 13.4 and
later can be provisioned as a Shared iPad when enrolled using Automated Device Enrollment without user
affinity.
A Shared iPad consists of a pre-defined number of user partitions. User partitions ensure that each user’s apps,
data, and preferences are stored separately on Shared iPad and can be backed up to iCloud (if allowed by
admin) for seamless transition across multiple Shared iPads.
By federating your organization’s AAD instance in Apple Business or School Manager, a user can sign in on a
Shared iPad using their AAD username and password. This automatically creates a Managed Apple ID for the
user that matches their AAD username when they sign in on a Shared iPad for the first time. In addition, at first
sign-in on a Shared iPad, the user sets up an alphanumeric passcode for their user partition and the apps
assigned to the device are installed to the user partition. The next time the user accesses a Shared iPad, they only
need to provide their Managed Apple ID (same as their AAD username) and the alphanumeric passcode.
You can configure settings in device configuration profiles for a Shared iPad both in device and user context.
However, the settings on a Shared iPad follow the applicability rules in the table below. In general, a device
applicable setting applies to any active user on a Shared iPad device, while a user applicable setting applies
when the user is active on any Shared iPad device.
NOTE
Your Azure AD instance must be federated in Apple Business Manager for user group policy assignment to succeed.
All device configuration profile settings are device applicable for Shared iPad temporary sessions.
User-assigned policies apply to a Shared iPad when the user signs in using their federated Azure AD credentials. See
Apple’s documentation on federating an Azure AD instance with Apple Business Manager.
Device-assigned policies apply to a Shared iPad when you initiate a device-sync from MEM admin console or when
Intune notifies the device to check in with the Intune service. Learn more about frequency of device check-in with the
Intune service.
Profile type | Setting name | Applicability on device group assignment | Applicability on user group assignment
Scenario | Admin configuration | Shared iPad experience | Example
Scenario: All users on a Shared iPad are in the same role. All users on a Shared iPad are using temporary sessions.
Admin configuration: Assign all apps and profiles to Azure AD device group containing Shared iPads.
Shared iPad experience: All apps and profiles apply to any active user on the Shared iPad or to Shared iPad temporary sessions.
Example: You assign a Wi-Fi profile, device restrictions, VPP apps and home screen layout to an Azure AD device group containing a Shared iPad. These profiles apply to any user signing in on the Shared iPad.
Scenario: Users on a Shared iPad are in different roles.
Admin configuration: Assign all apps and profiles common to all roles to an Azure AD device group containing Shared iPads. Assign profiles that vary by role and are user applicable to user groups. Ensure that the profile does not conflict with any setting assigned to the device group above.
Shared iPad experience: When a user signs in on a Shared iPad, the combination of device-targeted profiles and user-targeted profiles creates a customized experience for the active user. Only apps and profiles assigned to the device apply to Shared iPad temporary sessions.
Example: You assign a common Wi-Fi profile and all VPP apps to a device group containing a Shared iPad. Then you assign varying home screen layouts to different roles using Azure AD user groups. This customizes the Shared iPad experience for users in each role.
Scenario: Apply different device restrictions to different users on a Shared iPad.
Admin configuration: Assign device restrictions that should apply to all users of the Shared iPad to an Azure AD device group containing the Shared iPads. Assign user-applicable device restrictions that vary by user to Azure AD user groups. Ensure that the device restrictions do not conflict with any device restrictions assigned to the device group.
Shared iPad experience: When a user signs in on a Shared iPad, the combination of device-targeted restrictions and user-targeted restrictions creates a customized experience for the active user. Only device restrictions assigned to device groups apply to Shared iPad temporary sessions.
Example: You want to prevent all Shared iPad users from using AirDrop, but you only want managers to be able to turn off Wi-Fi on Shared iPads. You assign a device configuration profile that blocks AirDrop to a device group containing a Shared iPad. Then you assign a device configuration profile that requires Wi-Fi to be always on to a user group containing non-manager employees.
Scenario: Show/hide different apps to different users on a Shared iPad.
Admin configuration: Assign all apps to the Azure AD device group containing Shared iPads. Create home screen layouts to show/hide the apps and assign the home screen layouts to Azure AD user groups.
Shared iPad experience: When a user signs in on a Shared iPad, the user-assigned home screen layout applies to show/hide the apps as configured in Microsoft Endpoint Manager. All apps assigned to the device show in Shared iPad temporary sessions.
Example: You assign Microsoft Outlook, Teams and Safari to a device group containing a Shared iPad. Then you assign a home screen layout that only shows Teams to a user group containing users who only require Teams when using Shared iPad. You assign another home screen layout that shows Outlook, Teams and Safari to a user group containing managers who need access to all 3 apps when using Shared iPad.
Scenario: Hide unnecessary system apps on a Shared iPad.
Admin configuration: Create a home screen layout containing the desired system apps and managed apps. Assign the home screen layout to the Azure AD device group containing Shared iPads.
Shared iPad experience: The same home screen layout will apply to any user signing in on the Shared iPad and to Shared iPad temporary sessions.
Example: You create a home screen layout that excludes unnecessary system apps like Settings, App Store, Clock and assign the layout to a device group containing a Shared iPad.
NOTE
It is recommended that a setting is configured only once for Shared iPads.
Configuring multiple values of a setting for a Shared iPad is not recommended. If multiple values of a setting are
configured, the setting that applies cannot be pre-determined.
Intune may detect the conflict and the first setting assigned to the device would apply.
If a setting that is both device applicable and user applicable is assigned to an Azure AD device group and an
Azure AD user group, the applied value of the setting is chosen by iPadOS.
Known limitations
The following are known limitations when working with shared iPads:
Disabled settings and system apps: Shared iPads provide users access to a limited number of settings
and system apps. For more information on which settings and apps are disabled on Shared iPads, see Shared
iPad and Managed Apple IDs.
App Store installations are disabled: The App Store is available by default on Shared iPad. But app
installation is disabled for App Store apps when a device is set up as a Shared iPad. It is recommended that
you disable App Store using configuration profiles in Intune.
Company Portal and available apps are not supported: Intune Company Portal app and the Intune
Company Portal website are not supported on Shared iPad. Apps must be assigned as required to device
groups containing the Shared iPad to install. Available apps are not supported on Shared iPad.
Passcode complexity cannot be managed on Shared iPad: The passcode complexity for Shared iPad is
a complex 8-character alphanumeric passcode and cannot be changed in Apple Business Manager. The passcode
complexity and length settings available in device configuration profiles do not apply to Shared iPads. The
MDM administrator can set the grace period, a number of minutes during which the user can unlock the
iPad without a passcode.
Unsupported scenarios: Some Intune scenarios are not supported on Shared iPads, namely app-based
and device-based Conditional Access, app protection policies and compliance policies.
Wallpaper is not supported: Setting a wallpaper image is currently not supported on Shared iPad. For
more information on wallpaper, see iOS/iPadOS Device Features.
Email profile shows error: if you assign an email profile to Shared iPads, it reports an error. Email profiles on
Shared iPad are currently not supported.
User-assigned policies applying to Shared iPads do not show in reports: apps and profiles assigned to Azure
AD user groups do not reflect status in “device status” and “user status” under Monitoring section of the apps
or profiles when they apply on Shared iPads.
Azure AD federation requirement is not enforced: if the Managed Apple ID matches the Azure AD UPN and
the Azure AD user is assigned a user applicable device configuration profile, the profile will apply to the user
when they sign in using their Managed Apple ID on a Shared iPad. The Azure AD federation requirement is
currently not enforced.
Next steps
Set up iOS/iPadOS device enrollment with Apple Configurator
Backup and restore scenarios for iOS/iPadOS
9/23/2022 • 6 minutes to read
You might have to back up and restore an Intune Automated Device Enrollment (ADE) managed iOS/iPadOS
device during the setup assistant process. For example, when:
A device is factory reset and is then restored from a previous backup.
A user receives a new device and wants to migrate the data from the old device.
To back up and restore an iOS/iPadOS device, you must follow the Apple instructions:
To back up your device, see How to back up your iPhone, iPad, and iPod touch.
To restore your device, see Restore your iPhone, iPad, or iPod touch from a backup.
To transfer data to a new device, see the following Apple support article:
Use iCloud to transfer data from your previous iOS device to your new iPhone, iPad, or iPod touch
For more information about restoring Apple devices from backup, see Get started using Apple Business
Manager or Apple School Manager with Mobile Device Management.
NOTE
Device-to-Device migration as offered on the Quick Start screen after resetting an iOS device isn't supported with Apple
Business Manager (ABM). For details, refer to the following Apple support document. Since this screen appears on the
device before a Wi-Fi connection has been established and before the ABM profile has been downloaded, this Quick Start
screen cannot be hidden via ABM.
NOTE
If you use enrollment restrictions to prevent (block) personally owned devices from enrolling, you will need to add the
devices using corporate device identifiers, prior to enrollment.
Next steps
Learn more about Automated Device Enrollment.
Set up iOS/iPadOS and iPadOS User Enrollment (preview)
9/23/2022 • 3 minutes to read
You can set up Intune to enroll iOS/iPadOS and iPadOS devices using Apple's User Enrollment process. User
Enrollment gives admins a streamlined subset of management options compared to other enrollment methods.
For more information about the options available with User Enrollment, see User Enrollment supported actions,
passwords, and other options.
NOTE
Support for Apple's User Enrollment in Intune is currently in preview.
Prerequisites
Mobile Device Management (MDM) Authority
Apple MDM Push certificate
Managed Apple ID
iOS 13 or later
Federated Authentication with Apple Business Manager
NOTE
Apple released iPadOS in September 2019, which introduced a change that can affect Microsoft Azure Active Directory
(Azure AD) and Intune customers who use Conditional Access policies in their organization. For more information about
how this affects your policies and what actions to take, see Evaluate and update Conditional Access policies after new
iPadOS release.
An enrollment profile defines the settings applied to a group of devices during enrollment.
1. Federate your Azure AD instance with Apple Business Manager or Apple School Manager. For more
information, see Intro to federated authentication with Apple Business Manager.
2. In the Microsoft Endpoint Manager admin center, choose Devices > iOS/iPadOS > iOS enrollment >
Enrollment types (preview) > Create profile > iOS/iPadOS . This profile is where you'll indicate
what enrollment experience your iOS/iPadOS and iPadOS end users will have on devices not enrolled
through a corporate Apple method. If you'd like to make changes, you can edit this profile after you've
created it.
3. On the Basics page, enter a Name and Description for the profile for administrative purposes. Users
don't see these details. You can use this Name field to create a dynamic group in Azure Active Directory.
Use the profile name to define the enrollmentProfileName parameter to assign devices with this
enrollment profile. Learn more about Azure Active Directory dynamic groups.
4. Select Next .
5. On the Settings page, select one of the following options for Enrollment type :
Device enrollment : All the users in this profile will use Device Enrollment.
User enrollment : All the users in this profile will use User Enrollment.
Determine based on user choice : All users in this group will be given the choice of which
enrollment type to use. When users enroll their devices, they'll see an option to choose between I
own this device and (Company) owns this device . If they choose the latter, the device will be
enrolled by using Device Enrollment. If the user chooses I own this device , they'll get another option
to secure the entire device or only secure work-related apps and data. The end user's selection of
whether they own the device determines which enrollment type is implemented on their device. This
user choice is also reflected in the Device Ownership attribute in Intune. To learn more about the user
experience, see Set up iOS/iPadOS device access to your company resources.
6. Select Next .
7. On the Assignments page, choose the user groups containing the users to which you want this profile
assigned. You can choose to assign the profile to all users or specific groups. All users in the selected
groups will use the enrollment type chosen above. Device groups aren't supported for User Enrollment
scenarios because the feature is based on user identities, rather than devices.
8. Select Next .
9. On the Review and Create page, review your choices, and then select Create to assign the profile to
the users.
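Step 3 notes that the profile Name can drive an Azure AD dynamic group through the enrollmentProfileName device property. The following Microsoft Graph PowerShell script is an added example, not code from the article: it creates such a dynamic device group, reusing one that already exists; the profile name, group name, mail nickname and permission scope are assumptions.

```powershell
# Added example: create an Azure AD dynamic device group whose membership
# rule matches the Intune enrollment profile name (device.enrollmentProfileName).
# Assumptions: the Microsoft.Graph PowerShell module is installed and the
# signed-in account can consent to Group.ReadWrite.All. Names are placeholders.
$profileName = 'Contoso iOS User Enrollment'            # assumed: the Name from the Basics page
$groupName   = 'Devices - Contoso iOS User Enrollment'  # assumed group display name
$mailNick    = 'devices-contoso-ios-ue'                 # assumed mail nickname (required by Graph)

Connect-MgGraph -Scopes 'Group.ReadWrite.All'

# Dynamic membership rules quote string literals with double quotes.
# A profile name that itself contains a double quote is not handled here.
$rule = "(device.enrollmentProfileName -eq ""$profileName"")"

# Idempotent: look the group up by display name before creating it.
# Single quotes in the OData filter literal are escaped by doubling them.
$filterName = $groupName -replace "'", "''"
$existing   = Get-MgGroup -Filter "displayName eq '$filterName'"

if ($existing) {
    $group = $existing | Select-Object -First 1
    Write-Host "Group already exists: $($group.Id)"
} else {
    $group = New-MgGroup -DisplayName $groupName `
        -MailNickname $mailNick `
        -MailEnabled:$false `
        -SecurityEnabled:$true `
        -GroupTypes @('DynamicMembership') `
        -MembershipRule $rule `
        -MembershipRuleProcessingState 'On'
    Write-Host "Created dynamic group $($group.Id) with rule: $rule"
}

# The membership rule is what Azure AD evaluates as devices enroll with this profile.
$group.Id
```

Membership evaluation is asynchronous, so a newly enrolled device appears in the group only after Azure AD processes the rule.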
Profile priority
After you've created more than one enrollment type profile, you can change the priority order in which they're
applied.
1. In the Microsoft Endpoint Manager admin center, choose Devices > iOS/iPadOS > iOS enrollment >
Enrollment types (preview) .
2. Drag and drop the profiles in the list in the order you want them applied.
In case of conflicts between profiles for any user, the higher priority profile is applied for the user.
Intune actions and options supported with Apple User Enrollment
9/23/2022 • 3 minutes to read
User Enrollment supports a subset of device management options. If a pre-existing configuration profile is
applied to a User Enrollment device, only settings supported by User Enrollment will be applied to that device.
NOTE
Support for Apple's User Enrollment in Intune is currently in preview for iOS and iPadOS.
Password settings
On User Enrollment devices, if you configure any password setting, then the Simple passwords setting is
automatically set to Block , and a 6-digit PIN is enforced.
For example, you configure the Password expiration setting, and push this policy to user-enrolled devices. On
the devices, the following happens:
The Password expiration setting is ignored.
Simple passwords, such as 111111 or 123456 , aren't allowed.
A 6-digit PIN is enforced.
End-user actions
On User Enrollment devices, end users can perform these actions on their devices from the Company Portal
application and website:
Rename. This action applies only to the user-facing name within the Company Portal. It won't fully rename
the device outside of that context.
Remove
Remote Lock
Check Status
Next steps
Set up iOS/iPadOS and iPadOS User Enrollment
Set up iOS/iPadOS device enrollment with Apple School Manager
9/23/2022 • 9 minutes to read
You can set up Intune to enroll iOS/iPadOS devices purchased through the Apple School Manager program.
Using Intune with Apple School Manager, you can enroll large numbers of iOS/iPadOS devices without ever
touching them. When a student or teacher turns on the device, Setup Assistant runs with preconfigured settings
and the device enrolls into management.
To enable Apple School Manager enrollment, you use both the Intune and Apple School Manager portals. A list
of serial numbers or a purchase order number is required so you can assign devices to Intune for management.
You create Automated Device Enrollment (ADE) enrollment profiles containing settings that are applied to devices
during enrollment.
Apple School Manager enrollment can't be used with Apple's Automated Device Enrollment or the device
enrollment manager.
Prerequisites
Apple Mobile Device Management (MDM) Push certificate
MDM Authority
If using ADFS, user affinity requires WS-Trust 1.3 Username/Mixed endpoint. Learn more.
Devices purchased from the Apple School Manager program
7. Choose the action Assign to Server , and choose the MDM Server you created.
8. Specify how to Choose Devices , then provide device information and details.
9. Choose Assign to Server and choose the <ServerName> specified for Microsoft Intune, and then
choose OK .
Step 3. Save the Apple ID used to create this token
In the Microsoft Endpoint Manager admin center, provide the Apple ID for future reference.
NOTE
If you want to do any of the following, set Authenticate with Company Portal instead of Apple Setup
Assistant to Yes .
use multifactor authentication
prompt users who need to change their password when they first sign in
prompt users to reset their expired passwords during enrollment
These aren't supported when authenticating with Apple Setup Assistant.
6. Choose Device Management Settings and choose if you want devices using this profile to be
supervised. Supervised devices give you more management options and disable Activation Lock by
default. Microsoft recommends using ADE as the mechanism for enabling Intune's supervised mode,
especially for organizations that are deploying large numbers of iOS/iPadOS devices.
Users are notified that their devices are supervised in two ways:
The lock screen says: "This iPhone is managed by Contoso."
The Settings > General > About screen says: "This iPhone is supervised. Contoso can monitor
your Internet traffic and locate this device."
NOTE
A device enrolled without supervision can only be reset to supervised by using the Apple Configurator.
Resetting the device in this manner requires connecting an iOS/iPadOS device to a Mac with a USB cable.
Learn more about this on Apple Configurator docs.
7. Choose if you want locked enrollment for devices using this profile. Locked enrollment disables
iOS/iPadOS settings that allow the management profile to be removed from the Settings menu. After
device enrollment, you can't change this setting without wiping the device. Such devices must have the
Supervised Management Mode set to Yes.
8. You can let multiple users sign on to enrolled iPads by using a managed Apple ID. To do so, choose Yes
under Shared iPad (this option requires Enroll without User Affinity and Supervised mode set to
Yes .) Managed Apple IDs are created in the Apple School Manager portal. Learn more about shared iPad
and Apple's shared iPad requirements.
9. Choose if you want the devices using this profile to be able to Sync with computers . Deny All means
that all devices using this profile won't be able to sync with any data on any computer. If you choose
Allow Apple Configurator by certificate , you must choose a certificate under Apple Configurator
Certificates .
10. If you chose Allow Apple Configurator by certificate in the previous step, choose an Apple
Configurator Certificate to import.
11. You can specify a naming format for devices that is automatically applied when they enroll. To do so,
select Yes under Apply device name template . Then, in the Device Name Template box, enter the
template to use for the names using this profile. You can specify a template format that includes the
device type and serial number.
12. Choose OK .
13. Choose Setup Assistant Settings to configure the following profile settings:
Setting | Description
Department Name: Appears when users tap About Configuration during activation.
Department Phone: Appears when the user clicks the Need Help button during activation.
Setup Assistant Options: The following optional settings can be set up later in the iOS/iPadOS Settings menu.
Setting | Description
Location Services: If enabled, Setup Assistant prompts for the service during activation.
iCloud and Apple ID: If enabled, Setup Assistant prompts the user to sign in with an Apple ID, and the Apps & Data screen will allow the device to be restored from an iCloud backup.
14. Choose OK .
15. To save the profile, choose Create .
To follow Apple's terms for acceptable enrollment program traffic, Intune imposes the following restrictions:
A full sync can run no more than once every seven days. During a full sync, Intune refreshes every Apple
serial number assigned to Intune. If a full sync is attempted within seven days of the previous full sync, Intune
only refreshes serial numbers that aren't already listed in Intune.
Any sync request is given 15 minutes to finish. During this time or until the request succeeds, the Sync
button is disabled.
Intune syncs new and removed devices with Apple every 24 hours.
NOTE
You can also assign Apple School Manager serial numbers to profiles from the Enrollment Program Devices blade.
Intune supports the enrollment of iOS/iPadOS devices using Apple Configurator running on a Mac computer.
Enrolling with Apple Configurator requires that you USB-connect each iOS/iPadOS device to a Mac computer to
set up corporate enrollment. You can enroll devices into Intune with Apple Configurator in two ways:
Setup Assistant enrollment - Wipes the device and prepares it to enroll during Setup Assistant.
Direct enrollment - Does not wipe the device and enrolls the device through iOS/iPadOS settings. This
method only supports devices with no user affinity .
Apple Configurator enrollment methods can't be used with the device enrollment manager.
Prerequisites
Physical access to iOS/iPadOS devices
Set MDM authority
An Apple MDM push certificate
Device serial numbers (Setup Assistant enrollment only)
USB connection cables
macOS computer running Apple Configurator 2.0
NOTE
When Enroll with user affinity is selected, make sure that the device is affiliated with a user with Setup
Assistant within the first 24 hours of the device being enrolled. Otherwise enrollment might fail, and a factory
reset will be needed to enroll the device.
6. If you chose Enroll with User Affinity , you have the option to let users authenticate with Company
Portal instead of the Apple Setup Assistant.
NOTE
If you want to do any of the following, set Authenticate with Company Portal instead of Apple Setup
Assistant to Yes .
use multifactor authentication
prompt users who need to change their password when they first sign in
prompt users to reset their expired passwords during enrollment
These are not supported when authenticating with Apple Setup Assistant.
7. Choose Create to save the profile.
WARNING
Devices are reset to factory configurations during the enrollment process. As a best practice, reset the device and
turn it on. Devices should be at the Hello screen when you connect the device. If the device was already
registered with the Apple ID account, the device must be deleted from the Apple iCloud before starting the
enrollment process. The prompt error appears as "Unable to activate [Device name]".
2. In the preferences pane, select Servers and choose the plus symbol (+) to launch the MDM Server
wizard. Choose Next .
3. Enter the Host name or URL and enrollment URL for the MDM server under Setup Assistant
enrollment for iOS/iPadOS devices with Microsoft Intune. For the Enrollment URL, enter the enrollment
profile URL exported from Intune. Choose Next .
You can safely disregard a warning stating "server URL is not verified." To continue, choose Next until the
wizard is finished.
4. Connect the iOS/iPadOS mobile devices to the Mac computer with a USB adapter.
5. Select the iOS/iPadOS devices you want to manage, and then choose Prepare . On the Prepare
iOS/iPadOS Device pane, select Manual , and then choose Next .
6. On the Enroll in MDM Server pane, select the server name you created, and then choose Next .
7. On the Supervise Devices pane, select the level of supervision, and then choose Next .
8. On the Create an Organization pane, choose the Organization or create a new organization, and then
choose Next .
9. On the Configure iOS/iPadOS Setup Assistant pane, choose the steps to be presented to the user,
and then choose Prepare . If prompted, authenticate to update trust settings.
10. When the iOS/iPadOS device finishes preparing, disconnect the USB cable.
Distribute devices
The devices are now ready for corporate enrollment. Turn off the devices and distribute them to users. When
users turn on their devices, Setup Assistant starts.
After users receive their devices, they must complete Setup Assistant. Devices configured with user affinity can
install and run the Company Portal app to download apps and manage devices.
Direct enrollment
When you directly enroll iOS/iPadOS devices with Apple Configurator, you can enroll a device without acquiring
the device's serial number. You can also name the device for identification purposes before Intune captures the
device name during enrollment. The Company Portal app is not supported for directly enrolled devices. This
method does not wipe the device.
Apps requiring user affiliation, including the Company Portal app used for installing line-of-business apps,
cannot be installed.
Export the profile as .mobileconfig to iOS/iPadOS devices
1. In the Microsoft Endpoint Manager admin center, choose Devices > iOS/iPadOS > iOS/iPadOS
enrollment > Apple Configurator > Profiles > choose the profile to export > Export Profile .
2. Under Direct enrollment , choose Download profile , and save the file. An enrollment profile file is
only valid for two weeks at which time you must re-create it.
3. Transfer the file to a Mac computer running Apple Configurator to push directly as a management profile
to iOS/iPadOS devices.
4. Prepare the device with Apple Configurator by using the following steps:
a. On a Mac computer, open Apple Configurator 2.0.
b. Connect the iOS/iPadOS device to the Mac computer with a USB cord. Close Photos, iTunes, and
other apps that open for the device when the device is detected.
c. In Apple Configurator, choose the connected iOS/iPadOS device, and then choose the Add button.
Options that can be added to the device appear in the drop-down list. Choose Profiles .
d. Use the file picker to select the .mobileconfig file that you exported from Intune, and then choose
Add . The profile is added to the device. If the device is Unsupervised, the installation requires
acceptance on the device.
5. Use the following steps to install the profile on the iOS/iPadOS device. The device must have already
completed the Setup Assistant and be ready to use. If enrollment entails app deployments, the device
should have an Apple ID set up because the app deployment requires that you have an Apple ID signed in
for the App Store.
a. Unlock the iOS/iPadOS device.
b. In the Install profile dialog box for Management profile , choose Install .
c. Provide the Device Passcode or Apple ID, if necessary.
d. Accept the Warning , and choose Install .
e. Accept the Remote Warning , and choose Trust .
f. When the Profile Installed box confirms the profile as Installed, choose Done .
6. On the iOS/iPadOS device, open Settings and go to General > Device Management > Management
Profile . Confirm that the profile installation is listed, and check the iOS/iPadOS policy restrictions and
installed apps. Policy restrictions and apps might take up to 10 minutes to appear on the device.
7. Distribute devices. The iOS/iPadOS device is now enrolled in Intune and managed.
Next steps
Manage enrolled devices in Microsoft Endpoint Manager by using the actions and features available in
the admin center. For more information about accessing device management actions and device details in
the admin center, see What is Microsoft Intune device management?
For information about enrolling macOS devices via direct enrollment with Apple Configurator, see Use
Direct Enrollment for macOS devices.
iOS/iPadOS Enterprise security configuration framework
9/23/2022 • 2 minutes to read
The iOS/iPadOS security configuration framework is a series of recommendations for device compliance and
configuration policy settings. These recommendations help you tailor your organization's mobile device security
protection to your specific needs.
Security-conscious organizations look for ways to ensure that corporate data on mobile devices is protected. One
method used to protect that data is device enrollment. Device enrollment helps organizations:
deploy compliance policies (like PIN strength, jailbreak/root validation, and so on).
deploy configuration policies (like WIFI, certificates, VPN).
manage the app lifecycle.
To help you set up a complete security scenario, Microsoft introduced a new taxonomy for security
configurations in Windows 10. Intune is using a similar taxonomy for this security configuration framework.
They include recommended device compliance and device restriction settings for basic, enhanced, and high
security. This taxonomy is explained in the following articles:
iOS/iPadOS framework deployment methodology: A recommended methodology for deploying the security
configuration framework.
Set app configuration policies for iOS/iPadOS devices: Configure apps on the devices to disallow personal
accounts.
iOS/iPadOS device compliance security settings: Specific configuration settings for ensuring personally
owned and corporate owned devices are healthy and compliant.
iOS/iPadOS personal device security settings: Specific configuration settings for basic, enhanced, and high
security on personally owned devices.
iOS/iPadOS supervised device security settings: Specific configuration settings for basic, enhanced, and high
security on corporate owned supervised devices.
Next steps
iOS/iPadOS framework deployment methodology
iOS/iPadOS framework deployment methodology
9/23/2022 • 2 minutes to read
Before deploying the framework, Microsoft recommends using a ring methodology for testing validation.
Defining deployment rings is generally a one-time event (or at least infrequent). However, IT should revisit these
groups to ensure that the sequencing is still correct.
Preview | Production tenant | Mobile capability owners, UX | End-user scenario validation, user facing documentation | 7-14 days, post Quality Assurance
All policy setting changes should first be applied in a pre-production environment to understand the policy
setting implications. After testing is complete, move the changes into production and apply them to a subset of
production users, the IT department, and other applicable groups. Finally, complete the rollout to the rest of
the mobile user community. Rollout to production may take longer depending on the scale of the changes' impact.
If there's no user impact, the change should roll out quickly. If there is user impact, rollout may need to go
slower because of the need to communicate changes to the user population.
When testing changes to iOS/iPadOS devices, be aware of the delivery timing. The status of compliance policies
for devices can be monitored. For more information, see Monitor Intune device compliance policies and Monitor
device profiles in Microsoft Intune.
Next steps
Set app configuration policies for iOS/iPadOS devices
iOS/iPadOS security configuration framework app
configuration policies
9/23/2022 • 2 minutes to read • Edit Online
As part of the iOS/iPadOS security configuration framework, you must properly set app configuration policies
for iOS/iPadOS devices.
iOS/iPadOS supervised devices are designed to be used for work or school data only. So, Microsoft apps
deployed on these devices must be configured to disallow personal accounts.
Key: IntuneMAMUPN
Value: UPN of the account allowed to sign into the app. For Intune enrolled devices, the {{userprincipalname}}
token may be used to represent the enrolled user account.
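A quick way to verify that every Microsoft app deployed to supervised devices actually carries this key is to audit the exported app configuration policies. The Python below is an added example, not Intune's own code: the export shape (policy name, target app, key/value settings) and the sample policies are constructed assumptions, so adapt load_policies() to whatever your export tooling produces.

```python
"""Added example, not Intune's own code: audit exported iOS/iPadOS app
configuration policies for the IntuneMAMUPN key described above.  The export
shape and the sample policies are constructed assumptions."""
import json
from typing import Dict, List, Optional

UPN_TOKEN = "{{userprincipalname}}"

# Constructed sample export: one correct policy, one pinned to a literal UPN,
# one with no IntuneMAMUPN at all.
SAMPLE_EXPORT = json.dumps([
    {"name": "Outlook - supervised", "app": "com.microsoft.Office.Outlook",
     "settings": {"IntuneMAMUPN": UPN_TOKEN}},
    {"name": "Teams - supervised", "app": "com.microsoft.skype.teams",
     "settings": {"IntuneMAMUPN": "pilot.user@contoso.example"}},
    {"name": "OneDrive - supervised", "app": "com.microsoft.skydrive",
     "settings": {}},
])


def load_policies(raw: str) -> List[dict]:
    """Parse the (assumed) JSON export into a list of policy dicts."""
    return json.loads(raw)


def audit_policy(policy: dict) -> Optional[str]:
    """Return a finding for one policy, or None when it is configured as expected."""
    value = policy.get("settings", {}).get("IntuneMAMUPN")
    if value is None:
        return "IntuneMAMUPN missing: personal accounts are not restricted"
    if value != UPN_TOKEN:
        # A literal UPN only makes sense for a device dedicated to that one user.
        return (f"IntuneMAMUPN is the literal {value!r}: review; use {UPN_TOKEN} "
                "so the enrolled user's account is resolved per device")
    return None


def audit(policies: List[dict]) -> Dict[str, str]:
    """Map policy name -> finding for every policy that needs attention."""
    findings = {}
    for policy in policies:
        finding = audit_policy(policy)
        if finding:
            findings[policy["name"]] = finding
    return findings


if __name__ == "__main__":
    for name, finding in audit(load_policies(SAMPLE_EXPORT)).items():
        print(f"{name}: {finding}")
```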
Next steps
Apply iOS/iPadOS device compliance security configuration settings.
iOS/iPadOS device compliance security
configurations
9/23/2022 • 3 minutes to read • Edit Online
As part of the iOS/iPadOS security configuration framework, apply the following device compliance settings to
mobile users using personal and supervised devices. For more information on each policy setting, see Device
Compliance settings for iOS/iPadOS in Intune.
When choosing your settings, be sure to review and categorize usage scenarios. Then, configure users following
the guidance for the chosen security level. You can adjust the suggested settings based on the needs of your
organization. Make sure to have your security team evaluate the threat environment, risk appetite, and impact to
usability.
Administrators can incorporate the below configuration levels within their ring deployment methodology for
testing and production use by importing the sample iOS/iPadOS Security Configuration Framework JSON
templates with Intune's PowerShell scripts.
NOTE
Due to the limited number of settings available for device compliance, there is no basic security (level 1) offering.
Section: Actions for noncompliance
Setting: Mark device noncompliant
Value: Immediately
Notes: By default, the policy is configured to mark the device as noncompliant. Additional actions are available.
For more information, see Configure actions for noncompliant devices in Intune.
Section: Microsoft Defender for Endpoint
Setting: Require the device to be at or under the machine risk score
Value: Clear
Notes: This setting requires Microsoft Defender for Endpoint. For more information, see Enforce compliance for
Microsoft Defender for Endpoint with Conditional Access in Intune. Customers should consider implementing
Microsoft Defender for Endpoint or a mobile threat defense solution. It is not necessary to deploy both.
Section: Actions for noncompliance
Setting: Mark device noncompliant
Value: Immediately
Notes: By default, the policy is configured to mark the device as noncompliant. Additional actions are available.
For more information, see Configure actions for noncompliant devices in Intune.
Next steps
Apply iOS/iPadOS personal device security configurations or iOS/iPadOS supervised device security
configurations.
iOS/iPadOS personal device security configurations
9/23/2022 • 4 minutes to read • Edit Online
As part of the iOS/iPadOS security configuration framework, apply the following device compliance settings to
mobile users using personal devices. For more information on each policy setting, see iOS/iPadOS device
settings in Microsoft Intune.
When choosing your settings, be sure to review and categorize usage scenarios. Then, configure users following
the guidance for the chosen security level. You can adjust the suggested settings based on the needs of your
organization. Make sure to have your security team evaluate the threat environment, risk appetite, and impact to
usability.
Administrators can incorporate the below configuration levels within their ring deployment methodology for
testing and production use by importing the sample iOS/iPadOS Security Configuration Framework JSON
templates with Intune's PowerShell scripts.
Section: App Store, Doc Viewing, Gaming
Setting: Block viewing non-corporate documents in corporate apps
Value: Not configured
Notes: Enabling this device restriction blocks Outlook for iOS's ability to export contacts. This setting is not
recommended if using Outlook for iOS. For more information, see Support Tip: Enabling Outlook iOS Contact
Sync with iOS12 MDM Controls.
Section: App Store, Doc Viewing, Gaming
Setting: Allow managed apps to write contacts to unmanaged contacts accounts
Value: Yes
Notes: This setting is needed to allow Outlook for iOS to export contacts when Block viewing corporate
documents in unmanaged apps is set to Yes. For more information, see Support Tip: Enabling Outlook iOS
Contact Sync with iOS12 MDM Controls.
Section: App Store, Doc Viewing, Gaming
Setting: Allow copy/paste to be affected by managed open-in
Value: Not configured
Notes: Enabling this setting will block personal accounts within managed Microsoft apps from sharing data to
unmanaged apps.
Next steps
Administrators can incorporate the above configuration levels within their ring deployment methodology for
testing and production use by importing the sample iOS/iPadOS Security Configuration Framework JSON
templates with Intune's PowerShell scripts.
iOS/iPadOS supervised device security
configurations
9/23/2022 • 6 minutes to read • Edit Online
As part of the iOS/iPadOS security configuration framework, apply the following device compliance settings to
mobile users using supervised devices. For more information on each policy setting, see iOS/iPadOS device
settings in Microsoft Intune.
When choosing your settings, be sure to review and categorize usage scenarios. Then, configure users following
the guidance for the chosen security level. You can adjust the suggested settings based on the needs of your
organization. Make sure to have your security team evaluate the threat environment, risk appetite, and impact to
usability.
Administrators can incorporate the below configuration levels within their ring deployment methodology for
testing and production use by importing the sample iOS/iPadOS Security Configuration Framework JSON
templates with Intune's PowerShell scripts.
Section: App Store, Doc Viewing, Gaming
Setting: Block viewing non-corporate documents in corporate apps
Value: Not configured
Notes: Enabling this device restriction blocks Outlook for iOS's ability to export contacts. This setting is not
recommended if using Outlook for iOS. For more information, see Support Tip: Enabling Outlook iOS Contact
Sync with iOS12 MDM Controls.
Section: App Store, Doc Viewing, Gaming
Setting: Allow managed apps to write contacts to unmanaged contacts accounts
Value: Yes
Notes: This setting is needed to allow Outlook for iOS to export contacts when Block viewing corporate
documents in unmanaged apps is set to Yes. For more information, see Support Tip: Enabling Outlook iOS
Contact Sync with iOS12 MDM Controls.
Section: App Store, Doc Viewing, Gaming
Setting: Allow copy/paste to be affected by managed open-in
Value: Yes
Notes: Enabling this setting will block personal accounts within managed Microsoft apps from sharing data to
unmanaged apps.
Section: Wireless
Setting: Require joining Wi-Fi networks only using configuration profiles
Value: Not configured
Notes: Care should be taken when using this setting, as it could affect your ability to connect to the device if
the specified Wi-Fi networks are unavailable or if the setting is configured incorrectly. This could result in a
situation where you are locked out of the device and unable to remotely reset it.
Next steps
Administrators can incorporate the above configuration levels within their ring deployment methodology for
testing and production use by importing the sample iOS/iPadOS Security Configuration Framework JSON
templates with Intune's PowerShell scripts.
Set up enrollment for macOS devices in Intune
9/23/2022 • 7 minutes to read • Edit Online
Microsoft Intune supports enrollment on personal and company-owned devices. This article describes the
methods and features you can use to enroll personal, company-owned, and VM devices in Intune.
Enroll devices
After you enable enrollment, use one of the supported methods described in this section to enroll user-owned
and company-owned devices.
User-owned macOS devices (BYOD)
Intune supports bring-your-own-device, or BYOD, which lets people enroll their personal devices themselves. To
finish setting up enrollment for BYOD scenarios, tell your licensed users to use one of these options to enroll
devices:
Sign in to the Company Portal website and follow the on-screen instructions to add the device.
Install the Company Portal app for Mac from aka.ms/EnrollMyMac and follow the on-screen instructions to add the device.
Company-owned macOS devices
Intune supports the following enrollment methods for company-owned macOS devices. Select a hyperlinked
method to open its setup steps.
Apple Automated Device Enrollment: Use this method to automate the enrollment experience on devices
purchased through Apple Business Manager or Apple School Manager. Automated device enrollment
deploys the enrollment profile over-the-air, so you don't need to have physical access to devices.
Device enrollment manager (DEM): Use this method for large-scale deployments and when there are
multiple people in your organization who can help with enrollment setup. Someone with device enrollment
manager (DEM) permissions can enroll up to 1,000 devices with a single Azure Active Directory account. This
method uses the Company Portal app or Microsoft Intune app to enroll devices. You can't use a DEM account
to enroll devices via Automated Device Enrollment.
Direct enrollment: Direct enrollment enrolls devices with no user affinity, so this method is best for devices
that aren't associated with a single user. This method requires you to have physical access to the Macs you're
enrolling.
Bootstrap tokens
Intune supports the use of bootstrap tokens on enrolled Macs running macOS 10.15 or later. Bootstrap tokens
grant volume ownership status to local user and guest accounts so that non-admin users can approve
important operations that an admin would otherwise need to do. Operations such as:
User-initiated software updates
Kernel extension installation on Apple silicon
You can utilize bootstrap tokens on supervised Macs, and Macs enrolled via macOS automated device
enrollment.
Get bootstrap token
The bootstrap token is automatically generated when:
A newly enrolled Mac checks in with Intune and
A secure token-enabled user (typically an Intune administrator) signs in to the Mac with their cleartext
password
The token is then automatically escrowed to Microsoft Intune. You can use a command line tool to manually
view, generate, and escrow a bootstrap token on supported macOS devices, if needed. For more information
about commands, see Use secure token, bootstrap token, and volume ownership in deployments on Apple
Support.
Monitor bootstrap escrow status
You can monitor the escrow status for any enrolled Mac in the admin center. The Bootstrap token escrowed
hardware property reports whether or not the bootstrap token has been escrowed in Intune. Intune reports Yes
when the token has been successfully escrowed and No when the token has not been escrowed.
1. Sign in to the Microsoft Endpoint Manager admin center.
2. Select Devices > macOS. All macOS devices are shown in a table.
3. Select a device.
4. Select Hardware.
5. In your hardware details, scroll down to Conditional access > Bootstrap token escrowed.
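The admin center shows escrow status per device, but when you are already on the Mac (for example while troubleshooting why a token was never generated) it is quicker to ask the device itself. The Python below is an added example, not Intune or Apple code: it wraps the `profiles status -type bootstraptoken` command that the Apple Support article referenced above documents, and the parsing is tested against a constructed copy of that command's two-line output. The live call requires root.

```python
"""Added example (not Intune or Apple code): read the bootstrap-token state of
the local Mac from `sudo profiles status -type bootstraptoken` and flag what
needs attention.  SAMPLE_OUTPUT is a constructed copy of the command's output
shape; live_status() only works on macOS with root privileges."""
import re
import subprocess
from typing import Dict, List, Optional

# Constructed sample of the command's output on a Mac where the token exists
# and has been escrowed to the MDM server (Intune).
SAMPLE_OUTPUT = """profiles: Bootstrap Token supported on server: YES
profiles: Bootstrap Token escrowed to server: YES
"""

_LINE = re.compile(r"Bootstrap Token (supported on server|escrowed to server): (YES|NO)")


def parse_bootstrap_status(output: str) -> Dict[str, Optional[bool]]:
    """Map the two status lines to booleans; None when a line is absent."""
    status: Dict[str, Optional[bool]] = {"supported": None, "escrowed": None}
    for match in _LINE.finditer(output):
        key = "supported" if match.group(1).startswith("supported") else "escrowed"
        status[key] = match.group(2) == "YES"
    return status


def needs_attention(status: Dict[str, Optional[bool]]) -> List[str]:
    """Explain why non-admin users would be unable to approve updates or kexts."""
    problems = []
    if status["supported"] is not True:
        problems.append("MDM server does not report bootstrap token support")
    if status["escrowed"] is not True:
        problems.append("bootstrap token not escrowed: have a secure-token-enabled user "
                        "sign in, or run 'sudo profiles install -type bootstraptoken'")
    return problems


def live_status() -> Dict[str, Optional[bool]]:
    """Query the local Mac (macOS 10.15+, run as root)."""
    result = subprocess.run(["profiles", "status", "-type", "bootstraptoken"],
                            capture_output=True, text=True, check=True)
    return parse_bootstrap_status(result.stdout)


if __name__ == "__main__":
    status = live_status()
    print(status)
    for problem in needs_attention(status):
        print("ATTENTION:", problem)
```

A device whose token was generated before the Mac checked in with Intune, or where the first user to sign in lacked a secure token, typically shows "escrowed: NO" here while the admin center's Bootstrap token escrowed property reads No; the `profiles install` path in needs_attention() is the manual escrow the article mentions.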
Manage kernel extensions and software updates
A bootstrap token can be used to approve the installation of both kernel extensions and software updates on a
Mac with Apple silicon.
User-initiated software updates can be carried out with a bootstrap token on Macs that are running macOS
11.1 and enrolled via automated device enrollment. To authorize user-initiated software updates on a
device that isn't enrolled via automated device enrollment, you must restart the Mac in recovery mode and
downgrade its security settings. You can also utilize the bootstrap token for software updates on Macs running
macOS 11.2 and later, with the only requirement being that the device needs to be supervised.
Kernel extension management is automatically available on Macs running macOS 11 or later and enrolled via
automated device enrollment. To authorize the remote management of kernel extensions on a device that isn't
enrolled via automated device enrollment, you must restart the Mac in recovery mode and downgrade its
security settings.
For more information about changing security settings, see Change security settings on the startup disk of a
Mac with Apple silicon on Apple Support.
serialNumber = "ABC123456789"
hw.model = "MacBookAir10,1"
Enter any string of alphanumeric characters for the serial number. For the hardware model, we recommend using
the model of the device that's running the VM. To find your Mac's hardware model, select the Apple menu and
go to About This Mac > System Report > Model Identifier.
See the VMware customer connect website for more information about editing the .vmx file for your VMware
Fusion VM.
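Editing the .vmx by hand works for one VM; for a test fleet it is easier to script it. The following Python is an added example, not VMware's or Microsoft's code: it sets the two keys shown above in a .vmx file, replacing existing entries in place and appending missing ones, and validates that the serial is alphanumeric as the article requires. The sample .vmx content is constructed. Edit the file only while the VM is powered off.

```python
"""Added example (not from the article or VMware): set serialNumber and
hw.model in a VMware Fusion .vmx file.  .vmx lines have the form
key = "value"; the sample content below is constructed."""
import re
from pathlib import Path

SERIAL_RE = re.compile(r"^[A-Za-z0-9]+$")
VMX_LINE = re.compile(r'^\s*([\w.:]+)\s*=\s*"(.*)"\s*$')

# Constructed sample of a minimal .vmx with an old serial and no hw.model.
SAMPLE_VMX = '''.encoding = "UTF-8"
config.version = "8"
displayName = "macOS test VM"
serialNumber = "OLDSERIAL0001"
'''


def valid_serial(serial: str) -> bool:
    """The article asks for an alphanumeric string; reject anything else."""
    return bool(SERIAL_RE.match(serial))


def set_vmx_keys(text: str, serial: str, model: str) -> str:
    """Return the .vmx text with serialNumber and hw.model set.

    Existing entries are rewritten in place (so each key stays unique) and
    missing ones are appended at the end."""
    if not valid_serial(serial):
        raise ValueError("serial number must be alphanumeric")
    wanted = {"serialNumber": serial, "hw.model": model}
    seen = set()
    out = []
    for line in text.splitlines():
        match = VMX_LINE.match(line)
        if match and match.group(1) in wanted:
            key = match.group(1)
            out.append(f'{key} = "{wanted[key]}"')
            seen.add(key)
        else:
            out.append(line)
    for key, value in wanted.items():
        if key not in seen:
            out.append(f'{key} = "{value}"')
    return "\n".join(out) + "\n"


def patch_vmx(path: Path, serial: str, model: str) -> None:
    """Rewrite the .vmx on disk (VM must be powered off)."""
    path.write_text(set_vmx_keys(path.read_text(), serial, model))


if __name__ == "__main__":
    # Values from the article's snippet; replace with your own.
    print(set_vmx_keys(SAMPLE_VMX, "ABC123456789", "MacBookAir10,1"))
```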
Apple Silicon
No changes are required for virtual machines running on Apple Silicon hardware. Parallels Desktop and
VMware Fusion are supported on Macs with Apple Silicon, so if you set up a VM this way, you don't need to
modify the hardware model ID or serial number.
User-approved enrollment
All Mac enrollments in Intune are considered user-approved. User-approved enrollment lets you manage
macOS devices that aren't part of Apple School Manager or Apple Business Manager. It provides the same level
of control as supervised macOS devices enrolled using Automated Device Enrollment or Apple Configurator.
Intune automatically turns on supervision for user-approved devices running macOS 11 and later. It also does
this for enrolled devices that later update to macOS 11 or later.
NOTE
Intune announced support for user-approved enrollment in June 2020. BYOD enrollments that occurred before that time
may not be user-approved. For more information about Apple devices becoming user-approved, see User approved MDM
enrollment on the Apple Support website.
User experience
The device user signs in to the Company Portal app to initiate enrollment. Company Portal then opens the
device's system preferences and prompts the user to install the management profile. Company Portal provides
in-app instructions to help users find the profile. Users go to System Preferences > Profiles to approve the
management profile installation. Device users that don't provide approval during enrollment can return to
system preferences later to give approval.
Find out if device is user approved
1. Sign in to the Microsoft Endpoint Manager admin center.
2. Choose Devices > All devices.
3. Choose a macOS device.
4. From the side menu, select Hardware.
5. Check the value next to User approved enrollment.
Next steps
For user-help documentation, which provides step-by-step enrollment instructions for device users, see
Enroll your macOS device in Intune. You can also create your own instructions if you prefer to capture
your organization's branded or customized enrollment experience.
After macOS devices are enrolled, you can create custom settings for macOS devices.
Automatically enroll macOS devices with the Apple
Business Manager or Apple School Manager
9/23/2022 • 13 minutes to read • Edit Online
IMPORTANT
Apple recently changed from using the Apple Device Enrollment Program (DEP) to Apple Automated Device Enrollment
(ADE). Intune is in the process of updating the Intune user interface to reflect that. Until such changes are complete, you'll
continue to see Device Enrollment Program in the Intune portal. Wherever that is shown, it now uses Automated Device
Enrollment.
You can set up Intune enrollment for macOS devices purchased through Apple's Apple Business Manager or
Apple School Manager. You can use either of these enrollments for large numbers of devices without ever
touching them. You can ship macOS devices directly to users. When the user turns on the device, Setup Assistant
runs with preconfigured settings and the device enrolls into Intune management.
To set up enrollment, you use both the Intune and Apple portals. You create enrollment profiles containing
settings that are applied to devices during enrollment.
Neither Apple Business Manager enrollment nor Apple School Manager enrollment works with the device enrollment
manager.
Prerequisites
Devices purchased in Apple School Manager or Apple's Automated Device Enrollment
A list of serial numbers or a purchase order number.
MDM Authority
Apple MDM Push certificate
3. Choose Download your public key to download and save the encryption key (.pem) file locally. The
PEM file is used to request a trust-relationship certificate from the Apple portal.
Step 2. Use your key to download a token from Apple
1. Choose Create a token via Apple Business Manager or Create a token via Apple School Manager
to open the Apple portal used by your organization.
2. Sign in to the portal with your company Apple ID. You can use this Apple ID to renew your token.
3. Select your account name to open the portal menu, and then choose Preferences.
4. Go to your MDM server assignments.
5. Select the option to add an MDM server.
6. Enter the MDM Service Name. The purpose of the server name is to help identify your mobile device
management (MDM) server in the portal. It doesn't have to be the actual name or URL of the Microsoft
Intune server.
7. Upload your public key file and then save your changes. Then you can download the server token.
Best practices
While you're in the Apple portal, you can also apply device filters and assign devices to the MDM server.
Apply filters: To filter devices before assigning them to your MDM server, go to Devices > Filter. You can
filter devices by:
Device management
Source
Order number
Device type
Storage size
Bulk assign devices: You can assign all eligible devices to your new MDM servers at the same time.
1. Go to Devices > All Devices or select the devices you want to assign.
2. Select Edit MDM Server.
3. Select the MDM server you want to use.
4. Select Continue.
5. When prompted to, confirm your changes. A notification appears to confirm that the devices have
been assigned to the new MDM server.
The Apple portal keeps track of your activity and changes. Select Activity to view assignment results and
download logs.
Step 3. Save the Apple ID used to create this token
Return to the Microsoft Endpoint Manager admin center and enter your Apple ID so that you have record of it
for future reference.
Step 4. Upload your token
In the Apple token box, browse to the certificate (.pem) file, choose Open, and then choose Create. With the
push certificate, Intune can enroll and manage macOS devices by pushing policy to enrolled devices. Intune
automatically synchronizes with Apple to see your enrollment program account.
Department Name: Appears when users tap About Configuration during activation.
Department Phone: Appears when the user clicks the Need Help button during activation.
You can choose to show or hide a variety of Setup Assistant screens on the device when the user sets it
up.
If you choose Hide, the screen won't be displayed during setup. After setting up the device, the user
can still go in to the Settings menu to set up the feature.
If you choose Show, the screen will be displayed during setup. The user can sometimes skip the
screen without taking action. But they can then later go into the device's Settings menu to set up the
feature.
Location Services: Prompt the user for their location. For macOS 10.11 and later and iOS/iPadOS 7.0 and later.
Restore: Display the Apps & Data screen. This screen gives the user the option to restore or transfer data from
iCloud Backup when they set up the device. For macOS 10.9 and later, and iOS/iPadOS 7.0 and later.
Apple ID: Give the user the options to sign in with their Apple ID and use iCloud. For macOS 10.9 and later, and
iOS/iPadOS 7.0 and later.
Terms and Conditions: Require the user to accept Apple's terms and conditions. For macOS 10.9 and later, and
iOS/iPadOS 7.0 and later.
Touch ID and Face ID: Give the user the option to set up fingerprint identification for the device. For macOS
10.12.4 and later, and iOS/iPadOS 8.1 and later.
Apple Pay: Give the user the option to set up Apple Pay on the device. For macOS 10.12.4 and later, and
iOS/iPadOS 7.0 and later.
Siri: Give the user the option to set up Siri. For macOS 10.12 and later, and iOS/iPadOS 7.0 and later.
Diagnostics Data: Display the Diagnostics screen to the user. This screen gives the user the option to send
diagnostic data to Apple. For macOS 10.9 and later, and iOS/iPadOS 7.0 and later.
Display Tone: Give the user the option to turn on Display Tone. For macOS 10.13.6 and later, and iOS/iPadOS
9.3.2 and later.
iCloud diagnostics: Display the iCloud Analytics screen to the user. For macOS 10.12.4 and later.
Registration: Display the registration screen. For macOS 10.9 and later.
Screen Time: Display the Screen Time screen. For macOS 10.15 and later, and iOS/iPadOS 12.0 and later.
Auto unlock with Apple Watch: Give the user an option to use their Apple Watch to unlock their Mac. For
macOS 12.0 and later.
To comply with Apple's terms for acceptable enrollment program traffic, Intune imposes the following
restrictions:
A full sync can run no more than once every seven days. During a full sync, Intune fetches the
complete updated list of serial numbers assigned to the Apple MDM server connected to Intune. After
an Enrollment Program device is deleted from Intune portal without being unassigned from the Apple
MDM server in the Apple portal, it won't be re-imported to Intune until the full sync is run.
If a device is released from ABM/ASM, it can take up to 45 days for it to be automatically deleted from
the devices page in Intune. You can manually delete released devices from Intune one by one if
needed. Released devices will be accurately reported as being Removed from ABM/ASM in Intune
until they are automatically deleted within 30-45 days.
A sync is run automatically every 24 hours. You can also sync by clicking the Sync button (no more
than once every 15 minutes). All sync requests are given 15 minutes to finish. The Sync button is
disabled until a sync is completed. This sync will refresh existing device status and import new devices
assigned to the Apple MDM server.
Distribute devices
You have enabled management and syncing between Apple and Intune, and assigned a profile to let your
devices enroll. You can now distribute devices to users. Devices with user affinity require that each user be
assigned an Intune license. Devices without user affinity require a device license.
Devices registered with ABM/ASM and assigned a profile in Intune can be enrolled:
During Setup Assistant for new devices or wiped devices.
After Setup Assistant using the profiles command.
Enroll your macOS device registered in ABM/ASM with Automated Device Enrollment during Setup
Assistant
Devices configured in ABM/ASM will automatically enroll into management with Intune during Setup Assistant
with a Remote Management prompt.
NOTE
If the device was assigned to a macOS enrollment profile with user affinity, you must sign in to the Company Portal for
Azure AD registration and Conditional Access.
Enroll your macOS device registered in ABM/ASM with Automated Device Enrollment after Setup Assistant
For macOS 10.13 and later devices, you can follow these steps to enroll.
1. In the Apple Business Manager or Apple School Manager portal, import the device.
2. In the Microsoft Endpoint Manager admin center, make sure that the device is assigned a macOS enrollment
profile with or without user affinity.
3. Log in to the device as a local administrator account.
4. To trigger enrollment, on the Home page, open Terminal and run the following command:
sudo profiles renew -type enrollment
5. Enter your device password for the local administrator account.
6. In the Device enrollment window, choose Details.
7. In the System preferences window, choose Profiles.
8. Follow the prompts that will download the management profile, certs, and policies from Intune. You can view
the profiles on the device anytime by going to System Preferences > Profiles.
9. If the device was assigned to a macOS enrollment profile with user affinity, you must sign in to the Company
Portal for Azure AD registration and Conditional Access.
5. Choose Renew token and enter the Apple ID used to create the original token.
6. Upload the newly downloaded token.
7. Choose Renew token. You'll see the confirmation that the token was renewed.
Next steps
After enrolling macOS devices, you can start managing them.
Use Direct Enrollment for macOS devices
9/23/2022 • 2 minutes to read • Edit Online
Intune supports the enrollment of macOS devices using Direct Enrollment (DE) for corporate devices. Direct
Enrollment does not wipe the device. It enrolls the device through macOS settings. This method only supports
devices with no user affinity.
Prerequisites
Physical access to macOS devices
Set MDM authority
An Apple MDM push certificate
Administrator rights on the macOS devices you are enrolling
NOTE
Enroll with user affinity is not supported on macOS when using Direct Enrollment. For devices that need user
affinity, use Automated Device Enrollment.
Direct Enrollment
Because Direct Enrollment only supports enrollment without user affinity, the company portal cannot be used to
install available applications.
Export the profile and install on macOS devices
1. In the Microsoft Endpoint Manager admin center, choose Devices > Enroll devices > Apple
enrollment > Apple Configurator > Profiles > choose the profile to export > Export Profile.
2. Under Direct enrollment, choose Download profile, and save the file.
NOTE
A downloaded enrollment profile is valid for two weeks after download. You can download as many enrollment
profiles using this link as you need. Downloading a new profile does not render the previous one invalid; however,
it also doesn't extend the expiry time of the previously downloaded file.
Next steps
After enrolling macOS devices, you can start managing them.
What are enrollment restrictions?
9/23/2022 • 4 minutes to read • Edit Online
Applies to
Android
iOS
macOS
Windows 10
Windows 11
Device enrollment restrictions let you restrict enrollment based on device attributes. When restrictions are
applied, users on restricted devices or who exceed the device limit are blocked from enrolling in Microsoft
Intune. There are two types of device enrollment restrictions you can configure in Microsoft Intune:
Device platform restrictions define which platforms, versions, and management types can enroll. In Intune,
you can restrict device platforms, OS versions, manufacturer, and personally owned devices.
Device limit restrictions define how many devices each user can enroll.
Each restriction type comes with one default policy that you can edit and customize as needed. Intune applies
the default to all user and userless enrollments until you assign a higher-priority policy.
This article provides an overview of the available enrollment restrictions. When you're ready to create an
enrollment restriction policy, see Next steps (in this article).
Available restrictions
You can configure the following restrictions in the admin center:
Device limit
Device platform
OS version
Device manufacturer
Device ownership (personally-owned devices)
Device limit
Put a limit on the number of devices a person can enroll. You can set the device limit from 1 to 15.
This configuration is in the admin center under Enrollment device limit restrictions.
Device platform
Block devices running on a specific device platform. You can apply this restriction to devices running:
Android device administrator
Android Enterprise work profile
iOS/iPadOS
macOS
Windows 10/11
In groups where both Android platforms are allowed, devices that support work profile will enroll with a work
profile. Devices that don't support work profile will enroll on the Android device administrator platform. Neither
work profile nor device administrator enrollment will work until you complete all prerequisites for Android
enrollment.
This restriction is in the admin center under Enrollment device platform restrictions.
OS version
This restriction enforces your maximum and minimum OS version requirements. This type of restriction works
with the following operating systems:
Android device administrator*
Android Enterprise work profile*
iOS/iPadOS*
Windows
* Version restrictions are supported on these operating systems for devices enrolled via Intune Company Portal
only.
This restriction is in the admin center under Enrollment device platform restrictions.
Device manufacturer
This restriction blocks devices made by specific manufacturers, and is applicable to Android devices only. It is in
the admin center under Enrollment device platform restrictions.
Personally-owned devices
This restriction helps prevent device users from accidentally enrolling their personal devices, and applies to
devices running:
Android
iOS/iPadOS
macOS
Windows 10/11
This restriction is in the admin center under Enrollment device platform restrictions.
Blocking personal Android devices
By default, until you manually make changes in the admin center, your Android Enterprise work profile device
settings and Android device administrator device settings are the same.
If you block Android Enterprise work profile enrollment on personal devices, only corporate-owned devices can
enroll with personally-owned work profiles.
Blocking personal iOS/iPadOS devices
By default, Intune classifies iOS/iPadOS devices as personally-owned. To be classified as corporate-owned, an
iOS/iPadOS device must fulfill one of the following conditions:
Registered with a serial number or IMEI.
Enrolled by using Automated Device Enrollment (formerly Device Enrollment Program).
NOTE
An iOS User Enrollment profile overrides an enrollment restriction policy. For more information, see Set up iOS/iPadOS
User Enrollment (preview).
NOTE
Since a co-managed device enrolls in the Microsoft Intune service based on its Azure AD device token, and not a user
token, only the default Intune enrollment restriction will apply to it.
Intune marks devices going through the following types of enrollments as corporate-owned, and blocks them
from enrolling because these methods don't offer the Intune administrator per-device control:
Automatic MDM enrollment with Azure Active Directory join during Windows setup*.
Automatic MDM enrollment with Azure Active Directory join from Windows Settings*.
Intune also blocks personal devices using these enrollment methods:
Automatic MDM enrollment with Add Work Account from Windows Settings*.
MDM enrollment only option from Windows Settings.
* These won't be blocked if registered with Autopilot.
Limitations
Enrollment restrictions are applied to users. For enrollment scenarios that aren't user-driven, such as
Windows Autopilot self-deploying mode, bulk enrollment (WCD), or Azure Virtual Desktop, Intune
enforces the default policy.
Device limit restrictions can't be applied to devices in the following Windows enrollment scenarios,
because these scenarios utilize shared device mode:
Co-managed enrollments
Group Policy (GPO) enrollments
Azure Active Directory (Azure AD) joined enrollments, including bulk enrollments
Windows Autopilot enrollments
Device enrollment manager enrollments
Instead, you can configure a hard limit for these enrollment types in Azure AD. For more information, see
Manage device identities by using the Azure portal.
Next steps
Use the table of contents to step through each article in the enrollment restrictions how-to guide, or jump to an
article using the following links:
Create device platform enrollment restrictions
Create device limit enrollment restrictions
View enrollment reports
Create device platform restrictions
9/23/2022 • 5 minutes to read • Edit Online
Applies to
Android
iOS
macOS
Windows 10
Windows 11
Create a device platform enrollment restriction policy to restrict devices from enrolling in Intune. Available
restrictions include:
Device platform
OS version
Manufacturer
Ownership (personally-owned)
You can create a new device platform restriction policy in the Microsoft Endpoint Manager admin center or use
the default policy that's already available. You can have up to 25 device platform restriction policies.
This article describes the device platform restrictions supported in Microsoft Intune and how to configure them
in the admin center.
Default policy
Microsoft Intune provides one default policy for device platform restrictions that you can edit and customize as
needed. Intune applies the default policy to all user and userless enrollments until you assign a higher-priority
policy.
TIP
The min/max range isn't applicable to Apple devices that enroll with the Device Enrollment
Program, Apple School Manager, or the Apple Configurator app. Although Intune doesn't block
ADE enrollments that use Company Portal to authenticate, not meeting OS requirements impacts
registration because devices can't create the Azure AD device record used to evaluate Conditional
Access policies. You can tell that this is the case if a device user receives an error message that says
"Couldn't map device record with a user" after they sign in to Company Portal.
8. Select Next.
9. Optionally, add scope tags to the restriction. For more information about scope tags, see Use role-based
access control and scope tags for distributed IT.
NOTE
If you apply scope tags to a restriction, only Intune users within scope can view and manage the policy,
including reordering it or changing its priority level. Users in scope still see the restriction's relative
priority, even when they can't see all of the other restrictions.
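As an added example (not code from Microsoft or the Intune service), the following Python model shows how the rules on this page combine for a single enrollment attempt: the highest-priority policy assigned to one of the user's groups wins, userless enrollments fall back to the default policy, the OS min/max range is skipped for ADE-style Apple enrollments as the TIP describes, and the ownership and manufacturer checks run against the chosen policy. The policy and request field names, the two sample policies, and the treatment of a platform the policy doesn't mention as blocked are assumptions made for this illustration.

```python
# Added example (not Intune's code): a model of how prioritized device platform
# restriction policies are evaluated for one enrollment request. The policy and
# request shapes below are simplifications chosen for this illustration.
from dataclasses import dataclass, field
from typing import Optional


def parse_version(text: str, width: int = 4) -> tuple:
    """'10.0.19041' -> (10, 0, 19041, 0): zero-pad so '15' and '15.0' compare equal."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (width - len(parts)))


@dataclass
class PlatformRule:
    blocked: bool = False                 # platform blocked outright
    min_os: Optional[str] = None          # inclusive lower bound, None = no bound
    max_os: Optional[str] = None          # inclusive upper bound
    block_personal: bool = False          # ownership restriction
    blocked_manufacturers: set = field(default_factory=set)  # evaluated for Android only


@dataclass
class RestrictionPolicy:
    name: str
    priority: int          # lower number wins; the default policy sits last
    assigned_groups: set   # empty set = the default policy (applies to every enrollment)
    rules: dict            # platform name -> PlatformRule


@dataclass
class EnrollmentRequest:
    platform: str
    os_version: str
    manufacturer: str = ""
    personal: bool = False
    user_groups: Optional[set] = None   # None = userless enrollment (e.g. Autopilot self-deploying)
    ade: bool = False                    # Apple ADE / Apple School Manager / Apple Configurator


def select_policy(policies, request):
    """Return the policy that applies: the highest-priority policy assigned to a
    group the enrolling user is in, otherwise the default. Userless enrollments
    always get the default, as the Limitations section describes."""
    default = next(p for p in policies if not p.assigned_groups)
    if request.user_groups is None:
        return default
    for policy in sorted(policies, key=lambda p: p.priority):
        if policy.assigned_groups & request.user_groups:
            return policy
    return default


def evaluate(policies, request):
    """Return (allowed, reason) for one enrollment attempt."""
    policy = select_policy(policies, request)
    rule = policy.rules.get(request.platform)
    # Modeling choice: a platform the policy does not mention is treated as blocked.
    if rule is None or rule.blocked:
        return False, f"{policy.name}: platform {request.platform} is blocked"
    # OS min/max is not applied to ADE-style Apple enrollments.
    if not request.ade:
        version = parse_version(request.os_version)
        if rule.min_os and version < parse_version(rule.min_os):
            return False, f"{policy.name}: {request.os_version} is below minimum {rule.min_os}"
        if rule.max_os and version > parse_version(rule.max_os):
            return False, f"{policy.name}: {request.os_version} is above maximum {rule.max_os}"
    if request.personal and rule.block_personal:
        return False, f"{policy.name}: personally-owned {request.platform} devices are blocked"
    if request.platform == "android" and request.manufacturer.lower() in {
        m.lower() for m in rule.blocked_manufacturers
    }:
        return False, f"{policy.name}: manufacturer {request.manufacturer} is blocked"
    return True, f"{policy.name}: enrollment allowed"


# Constructed sample tenant: the editable default plus one higher-priority policy
# assigned to a "contractors" group.
POLICIES = [
    RestrictionPolicy("Default", priority=99, assigned_groups=set(), rules={
        "windows": PlatformRule(min_os="10.0.19041"),
        "ios": PlatformRule(min_os="15.0"),
        "macos": PlatformRule(),
        "android": PlatformRule(block_personal=True, blocked_manufacturers={"UnknownVendor"}),
    }),
    RestrictionPolicy("Contractors", priority=1, assigned_groups={"contractors"}, rules={
        "windows": PlatformRule(min_os="10.0.19041", block_personal=True),
        "ios": PlatformRule(min_os="15.0", block_personal=True),
        "macos": PlatformRule(blocked=True),
        "android": PlatformRule(blocked=True),
    }),
]


if __name__ == "__main__":
    for req in [
        EnrollmentRequest("windows", "10.0.19044", personal=True, user_groups={"staff"}),
        EnrollmentRequest("windows", "10.0.19044", personal=True, user_groups={"contractors"}),
        EnrollmentRequest("ios", "14.8", user_groups={"staff"}),
        EnrollmentRequest("ios", "14.8", user_groups={"staff"}, ade=True),
        EnrollmentRequest("windows", "10.0.19044", user_groups=None),
    ]:
        print(req.platform, req.os_version, evaluate(POLICIES, req))
```

The two things this makes visible that the admin center does not: a user in several groups gets exactly one policy (the highest-priority one), so a permissive default never "rescues" a device the contractor policy blocks, and an ADE device below the OS minimum sails through the restriction and fails later at Azure AD registration instead.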
Applies to
Android
iOS
macOS
Windows 10
Windows 11
Create a device limit enrollment restriction policy to limit the number of devices a user can enroll in Microsoft
Intune. Device limit restrictions work on devices that meet the following criteria:
Microsoft Intune-managed
Established contact with Intune within last 90 days
Not in a registration-pending state for more than 24 hours
Hasn't failed Apple enrollment
Hasn't been deleted from Microsoft Intune
Enrollment type is not in shared mode (check DeviceCountsForDeviceCap for detail)
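To make the counting rules above concrete, here is an added Python example (not Intune's code) that applies them to a set of device records and reports which users have already reached a given limit, and why each excluded device does not count. The record field names, the sample devices, the enrollment-type labels, and the reference date are constructed for this illustration and are not Microsoft Graph property names.

```python
# Added example (not Intune's code): apply the device limit counting criteria
# to device records and report which users have reached the limit. Record field
# names are assumptions for this illustration, not Graph property names.
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed reference time for the sample data.
NOW = datetime(2022, 10, 1, tzinfo=timezone.utc)

# Windows enrollment types that use shared device mode (co-management, Group
# Policy, Azure AD join incl. bulk, Autopilot, device enrollment manager), so
# their devices never count toward a user's device limit.
SHARED_MODE_ENROLLMENTS = {
    "co-managed", "group-policy", "azure-ad-join", "bulk", "autopilot", "dem",
}


def exclusion_reason(dev, now=NOW):
    """Return None if the device counts toward the cap, else the criterion it fails."""
    if not dev["intune_managed"]:
        return "not Intune-managed"
    if dev["deleted"]:
        return "deleted from Intune"
    if dev["apple_enrollment_failed"]:
        return "failed Apple enrollment"
    if now - dev["last_contact"] > timedelta(days=90):
        return "no contact in 90 days"
    pending = dev["registration_pending_since"]
    if pending is not None and now - pending > timedelta(hours=24):
        return "registration pending > 24 h"
    if dev["enrollment_type"] in SHARED_MODE_ENROLLMENTS:
        return "shared-mode enrollment"
    return None


def counted_devices(devices, now=NOW):
    """Map user -> list of device ids that count toward that user's limit."""
    per_user = defaultdict(list)
    for dev in devices:
        if exclusion_reason(dev, now) is None:
            per_user[dev["user"]].append(dev["id"])
    return dict(per_user)


def users_at_limit(devices, limit, now=NOW):
    """Users whose next user-driven enrollment the device limit would block."""
    return {u: len(ids) for u, ids in counted_devices(devices, now).items() if len(ids) >= limit}


def make_device(dev_id, user, enrollment_type="user", days_since_contact=1, **overrides):
    """Build one constructed device record; keyword overrides set edge-case fields."""
    rec = dict(id=dev_id, user=user, intune_managed=True, deleted=False,
               apple_enrollment_failed=False,
               last_contact=NOW - timedelta(days=days_since_contact),
               registration_pending_since=None, enrollment_type=enrollment_type)
    rec.update(overrides)
    return rec


# Constructed sample: alice has five live devices plus one stale and one
# deleted; bob has three live devices (one briefly pending registration) plus
# two Autopilot-provisioned ones; carol has only a failed Apple enrollment.
SAMPLE_DEVICES = [
    make_device("a1", "alice"), make_device("a2", "alice"), make_device("a3", "alice"),
    make_device("a4", "alice"), make_device("a5", "alice"),
    make_device("a6", "alice", days_since_contact=120),
    make_device("a7", "alice", deleted=True),
    make_device("b1", "bob"), make_device("b2", "bob"),
    make_device("b3", "bob", registration_pending_since=NOW - timedelta(hours=2)),
    make_device("b4", "bob", enrollment_type="autopilot"),
    make_device("b5", "bob", enrollment_type="autopilot"),
    make_device("c1", "carol", apple_enrollment_failed=True),
]


if __name__ == "__main__":
    for dev in SAMPLE_DEVICES:
        print(dev["id"], exclusion_reason(dev) or "counts")
    print(users_at_limit(SAMPLE_DEVICES, limit=5))
```

This is the check to run before telling a user their enrollment was blocked by a device limit: a stale or deleted device they expect to count, or an Autopilot-provisioned one they expect not to, explains most surprises.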
You can create a new device limit-enrollment restriction policy in the Microsoft Endpoint Manager admin center
or use the default policy that's already available. You can have up to 25 device limit restriction policies.
This article describes how to create and configure a device limit-enrollment restriction policy in the admin
center.
Default policy
Microsoft Intune provides one default policy for device limit restrictions that you can edit and customize as
needed. Intune applies the default policy to all user and userless enrollments until you assign a higher-priority
policy.
Applies to
Android
iOS
macOS
Windows 10
Windows 11
You can use the following reports in the Microsoft Endpoint Manager admin center to monitor and
troubleshoot issues with enrollment restrictions and enrollment status page assignments:
Enrollment failures report
Troubleshooting + support page
Device enrollment page
This article describes each report and how to access them in the admin center.
NOTE
Report data is only available for devices enrolled after the Microsoft Intune 2112 service release. No results are available
for devices enrolled prior to that release.