
Device types and enrollment

MDM-enrolled devices may be completely controlled by the company (such as those running Android Enterprise dedicated or iOS supervised modes), or they may be bring your own device (BYOD). An example of BYOD is the Android Enterprise work profile, where users enroll personal devices to access company resources but remain free to use their device normally outside of work apps and data.

Android Enterprise modes include the following:

  • Work profile: Personal data is kept separate from corporate data.
  • Dedicated: Meant for single-use devices where most links/apps are blocked.
  • Fully managed: Corporate-owned devices fully managed by the company and intended for work only (not personal usage).

Android Device Administrator (or legacy) has been deprecated and is not encouraged since the Android Enterprise options are now available.

Furthermore, iOS supervised mode is essentially a checkbox you can mark for iOS devices during configuration in order to restrict functionality, such as renaming the device, AirPrint, AirDrop, and more. View a complete list of settings you can restrict in supervised mode at https://docs.microsoft.com/en-us/intune/configuration/device-restrictions-ios.

Windows and Android devices are supported by default, whereas iOS and macOS devices require setting up an Apple push certificate in the Intune/Microsoft 365 device management portal. If bulk enrolling via Apple Configurator, you'll also need to create the profile to be used. The Apple MDM Push certificate setup option is on the Device enrollment | Apple enrollment screen of Intune.

The Apple push certificate allows you to manage iOS and macOS devices in Intune. It must be renewed regularly, and it grants Microsoft permission to send user and device data to Apple.

Once the prerequisites are met, and you've obtained the Apple push certificate if needed, you can bulk enroll users or allow self-enrollment via the Company Portal app. Apple also has Apple Configurator, Apple School Manager, and Device Enrollment Program available as bulk enrollment methods.

Because Android devices, as an example, are supported by default, a user simply needs to self-enroll. To do so, follow these steps:

  1. Install the Intune Company Portal app from Google Play.
  2. Sign in with a work or school account.
  3. Work through the prompts, choosing what the app is and isn't allowed to access. At some point, you will choose BEGIN.
  4. Depending on the settings configured by administrators, you may be prompted to update your passcode to meet the minimum security requirements before the device can complete enrollment and access company resources.
  5. Once the required changes have been made to ensure the security of the device and the identity of the user accessing company data, the wizard will be complete. Click Done and then you can access resources and apps from the work profile.

In this section, we made a plan for setting up MDM and took a general look at the types of devices that can be enrolled in MDM. In the next section, we'll configure MDM using Azure AD.
