MS-102 | Chapter 52 of 104 | Objective 2.4

Intune Enrollment Methods: BYOD, Corporate

This chapter covers Intune enrollment methods for BYOD and corporate devices, a critical topic for the MS-102 exam under Objective 2.4: Manage devices. You will learn the differences between user-owned (BYOD) and organization-owned (corporate) devices, the enrollment workflows for each, and how to configure enrollment restrictions and policies. Expect 10-15% of exam questions to touch enrollment methods, device ownership, or related policy application.

25 min read
Intermediate
Updated May 31, 2026

The Company Badge and Personal ID Card System

Imagine a company that issues two types of ID cards: a corporate badge for employees (corporate devices) and a visitor pass for guests (BYOD devices). The corporate badge is issued by the company, carries a photo, an employee ID, and a barcode that unlocks every door, meeting room, and IT resource. The company controls who gets a badge, can revoke it instantly, and knows exactly which badge is where. Visitors, by contrast, bring their own ID (a driver's license, say). At the front desk the visitor presents it, it is scanned and logged, and the visitor gets a temporary sticker that grants limited access: the lobby, one meeting room, the guest Wi-Fi. The company never controls the visitor's license itself, only the access it grants against it. If the visitor misbehaves, the company revokes the sticker, but the visitor keeps the license. This mirrors Intune enrollment: corporate devices are fully managed, typically enrolled through Apple Automated Device Enrollment (ADE) or Windows Autopilot, and the organization has complete control up to and including a factory reset. BYOD devices are user-owned, enrolled through the Company Portal app (or protected by app protection policies without enrolling at all), and the organization gets compliance checks and a limited set of settings but can remove only its own data. The enrollment method determines the ownership type, which in turn dictates which management actions Intune can take.

How It Actually Works

What is Intune Enrollment and Why Does Ownership Matter?

Microsoft Intune is a cloud-based Mobile Device Management (MDM) and Mobile Application Management (MAM) service. Enrollment registers a device with Intune so that it can receive configuration profiles, compliance policies, and apps. The ownership type, BYOD (Bring Your Own Device) or Corporate, determines how much control Intune has. BYOD devices are user-owned: Intune can evaluate compliance, apply a reduced set of settings, and protect work data inside apps through App Protection Policies (APP), but it cannot factory-reset the device or inventory personal apps and data. Corporate devices are organization-owned: Intune can configure the whole device, inventory every installed app, enforce full compliance, and wipe the device entirely.

How Enrollment Works Internally: The Protocol Flow

When a user enrolls a device, the following steps occur at the protocol level:

1.

Discovery: The device locates the Intune service. On Windows this is the MDM enrollment protocol (MS-MDE2): the client calls https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc (the EnterpriseEnrollment CNAME record you add to your DNS exists so Windows can find this service from the user's UPN) and gets back a SOAP/XML discovery response listing the enrollment and policy service URLs and the authentication type to use. Apple devices use Apple's MDM protocol instead: the device installs an Intune MDM enrollment profile, after which Intune wakes it through the Apple Push Notification service (APNs) and the device checks in to Intune for commands.

2.

Authentication: The user authenticates with Microsoft Entra ID (formerly Azure AD) credentials. For BYOD this is the user's work or school account. For corporate devices enrolled via Apple ADE or Windows Autopilot, authentication may be userless (the device identity alone) or require a user, depending on the enrollment profile. The device obtains an OAuth 2.0 access token from Entra ID, and the device object in Entra ID is created or updated at this point.

3.

Certificate Handling: At the end of enrollment Intune issues the device an MDM client certificate from its own enrollment CA (on Windows the issuer is 'Microsoft Intune MDM Device CA' and the certificate sits in the computer's personal store). The device authenticates every later management session with this certificate, so it is the root of trust for the management channel and is tied to that device's enrollment. This is distinct from SCEP and PKCS certificate profiles, which are ordinary configuration profiles deployed after enrollment for Wi-Fi, VPN, or email authentication.

4.

Policy Download: The device downloads the assigned configuration profiles, compliance policies, and app management policies. The device then applies these policies locally.

5.

State Reporting: The device reports inventory and compliance status back to Intune on each check-in. Immediately after enrollment devices check in often (every few minutes for the first quarter hour, then roughly every 15 minutes for about two hours); after that every platform, Windows included, settles to a check-in about every 8 hours. The interval is not configurable. An admin can issue a Sync action from the device's page, and a user can sync from Company Portal or the Windows Settings app, to force an immediate check-in.

Key Components and Defaults

Enrollment Restrictions: Rules that limit which devices can enroll, by platform (Android, iOS/iPadOS, macOS, Windows), minimum and maximum OS version, ownership (personally owned allowed or blocked), and, for Android, blocked manufacturers. Default: the built-in 'All users' restriction allows every platform, any OS version, and personally owned devices, so out of the box nothing is blocked. Restrictions gate user-driven enrollment; devices Intune already knows are corporate (a matching corporate identifier, Apple ADE, Windows Autopilot, a DEM account, or an Android Enterprise corporate-owned enrollment) pass the personally owned block.

Device Type Restrictions: You can block personal devices (BYOD) entirely, allowing only corporate-owned devices. This is a common exam scenario.

Corporate Device Identifiers: You can pre-import IMEI numbers or serial numbers (and, for Windows, manufacturer, model, and serial number) so that a device is automatically marked corporate when it enrolls. If a device's identifier matches the imported list at enrollment time, it is tagged corporate-owned even though the user enrolled it through Company Portal.

Enrollment Profile: For corporate devices, you create enrollment profiles (e.g., Apple ADE profile, Windows Autopilot profile) that specify settings like user affinity (whether a user must sign in), device naming, and enrollment restrictions.

Device Limit Restriction: A second kind of enrollment restriction caps how many devices one user may enroll; the default is 5 and the allowed range is 1 to 15. Devices that stop checking in are not removed on their own: a device cleanup rule, off by default, can delete devices that have been inactive for a chosen number of days (30 to 270).
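The two identifier pitfalls above (an identifier that never matches because it was typed wrong, and a device that enrolled as Personal before its identifier was imported) are easy to catch with a script. The following is an added example, not code from the original page or from Microsoft: it validates IMEIs with the 15-digit Luhn check, writes the header-less two-column CSV that the Corporate device identifiers import expects (one identifier type per file), and lists devices whose ownership disagrees with the corporate list. The device objects and identifier list are constructed sample data; the Get-MgDeviceManagementManagedDevice call shown in the comment is how you would feed it real devices.

```powershell
# Added example (not from the original page). Validates corporate device identifiers,
# writes the two-column, header-less CSV the Corporate device identifiers import expects
# (one identifier type per file), and reports devices that enrolled as Personal although
# their identifier is on the corporate list (those are never retagged automatically).

function Test-Imei {
    param([Parameter(Mandatory)][string]$Imei)
    # An IMEI is 15 digits; the last digit is a Luhn check digit.
    if ($Imei -notmatch '^\d{15}$') { return $false }
    $sum = 0
    for ($i = 0; $i -lt 15; $i++) {
        $d = [int][string]$Imei[$i]
        if ($i % 2 -eq 1) { $d *= 2; if ($d -gt 9) { $d -= 9 } }   # double every second digit from the right
        $sum += $d
    }
    return ($sum % 10 -eq 0)
}

function Export-CorporateIdentifierCsv {
    param(
        [Parameter(Mandatory)][hashtable[]]$Identifiers,   # @{ Type='IMEI'|'Serial'; Value='...'; Details='...' }
        [Parameter(Mandatory)][ValidateSet('IMEI','Serial')][string]$Type,
        [Parameter(Mandatory)][string]$Path
    )
    $rows = @(foreach ($id in ($Identifiers | Where-Object { $_.Type -eq $Type })) {
        $value = $id.Value.Trim()
        if ($Type -eq 'IMEI' -and -not (Test-Imei $value)) {
            Write-Warning "Skipping IMEI '$value': not 15 digits or bad check digit"
            continue
        }
        # Row format: <identifier>,<free-text details>; a comma in details would break the import
        '{0},{1}' -f $value, ([string]$id.Details -replace ',', ' ')
    })
    Set-Content -Path $Path -Value $rows -Encoding utf8
    return $rows.Count
}

function Find-PersonalDevicesWithCorporateIdentifier {
    param(
        [Parameter(Mandatory)][object[]]$ManagedDevices,   # Graph managedDevice objects: serialNumber, imei, managedDeviceOwnerType
        [Parameter(Mandatory)][string[]]$CorporateIdentifiers
    )
    $set = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
    foreach ($c in $CorporateIdentifiers) { [void]$set.Add($c.Trim()) }
    $ManagedDevices | Where-Object {
        $_.managedDeviceOwnerType -eq 'personal' -and
        ( ($_.serialNumber -and $set.Contains($_.serialNumber)) -or
          ($_.imei         -and $set.Contains($_.imei)) )
    }
}

# Constructed sample data. In production:
#   Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.Read.All'
#   $devices = Get-MgDeviceManagementManagedDevice -All
$devices = @(
    [pscustomobject]@{ deviceName='IPHONE-01'; serialNumber='F2LX1234ABCD'; imei='490154203237518'; managedDeviceOwnerType='personal' }
    [pscustomobject]@{ deviceName='IPHONE-02'; serialNumber='F2LX9999ZZZZ'; imei='';                managedDeviceOwnerType='company' }
    [pscustomobject]@{ deviceName='ANDROID-7'; serialNumber='R58M1234567';  imei='';                managedDeviceOwnerType='personal' }
)
$corporate = @(
    @{ Type='IMEI';   Value='490154203237518'; Details='Pool phone 1' }
    @{ Type='IMEI';   Value='490154203237519'; Details='Pool phone 1 (typo: bad check digit)' }
    @{ Type='Serial'; Value='F2LX9999ZZZZ';    Details='Pool phone 2' }
)

$tmp = [System.IO.Path]::GetTempPath()
Export-CorporateIdentifierCsv -Identifiers $corporate -Type IMEI   -Path (Join-Path $tmp 'corp-imei.csv')     # 1 row written, 1 warning
Export-CorporateIdentifierCsv -Identifiers $corporate -Type Serial -Path (Join-Path $tmp 'corp-serial.csv')   # 1 row written

# IPHONE-01 enrolled as Personal before its IMEI was imported: fix it under Devices > All devices > Properties
Find-PersonalDevicesWithCorporateIdentifier -ManagedDevices $devices -CorporateIdentifiers ($corporate | ForEach-Object { $_.Value }) |
    Format-Table deviceName, serialNumber, imei, managedDeviceOwnerType
```

Run this before every import: an IMEI with a wrong check digit is accepted by the portal but can never match a real device, so the phone enrolls as Personal and nobody notices until a wipe request fails. The mismatch report is the list you work through by hand, because Intune does not retag devices that were already enrolled when the identifier arrived.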

Configuration and Verification Commands

While Intune is primarily managed in the Microsoft Intune admin center (intune.microsoft.com), PowerShell (the Microsoft Graph PowerShell SDK) and the Graph API are used for automation and auditing.

PowerShell (Microsoft Graph):

# Microsoft.Graph.DeviceManagement module; sign in with read-only scopes first
Connect-MgGraph -Scopes "DeviceManagementManagedDevices.Read.All","DeviceManagementServiceConfig.Read.All"

# Get all enrolled devices (-All pages through the whole list instead of the first page)
Get-MgDeviceManagementManagedDevice -All |
    Select-Object DeviceName, OperatingSystem, ManagedDeviceOwnerType, ComplianceState, LastSyncDateTime

# Get one device by its Intune device ID (a GUID shown on the device's Overview page)
Get-MgDeviceManagementManagedDevice -ManagedDeviceId "<managed-device-guid>"

# Get enrollment configurations (platform restrictions, device limit, Enrollment Status Page, and so on)
Get-MgDeviceManagementDeviceEnrollmentConfiguration -All |
    Select-Object DisplayName, Priority, Id

Graph API:

GET https://graph.microsoft.com/v1.0/deviceManagement/managedDevices
GET https://graph.microsoft.com/v1.0/deviceManagement/deviceEnrollmentConfigurations

Admin Center Verification: In the Microsoft Intune admin center, go to Devices > All devices. The list shows Ownership (Corporate or Personal), Managed by, Compliance, and Last check-in for each device; a device's Overview page shows when it enrolled and which enrollment profile or program it came in through.
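The enrollment configuration cmdlet above returns every configuration type from the same endpoint, and the platform-specific restriction settings are nested, so it is not obvious from the default output whether personal enrollment is actually blocked anywhere. The following is an added example, not code from the original page or from Microsoft: it flattens the platform-restriction configurations into one row per platform and flags where a personally owned device could still enroll. The parsing function accepts any objects shaped like the Graph resources, so it is exercised here on a constructed sample; the Get-EnrollmentRestrictionReport function runs it against a live tenant with Invoke-MgGraphRequest. The beta object shape handled in the second switch branch is an assumption about per-platform restriction policies, which the v1.0 endpoint does not expose.

```powershell
# Added example (not from the original page). Audits platform enrollment restrictions:
# keeps the platform-restriction entries returned by deviceEnrollmentConfigurations and
# flattens them so you can see, per platform, whether personally owned enrollment is
# blocked, the OS floor/ceiling, and any blocked manufacturers.

function New-RestrictionRow {
    param($Cfg, $Platform, $R)
    [pscustomobject]@{
        Configuration   = $Cfg.displayName
        Priority        = $Cfg.priority
        Platform        = $Platform
        PlatformBlocked = [bool]$R.platformBlocked
        PersonalBlocked = [bool]$R.personalDeviceEnrollmentBlocked
        MinOs           = $R.osMinimumVersion
        MaxOs           = $R.osMaximumVersion
        BlockedMakers   = (@($R.blockedManufacturers) -join ';')
    }
}

function ConvertFrom-RestrictionConfiguration {
    param([Parameter(Mandatory)][object[]]$Configurations)
    $legacyProps = 'androidRestriction','androidForWorkRestriction','iosRestriction','macOSRestriction','windowsRestriction'
    foreach ($cfg in $Configurations) {
        switch ($cfg.'@odata.type') {
            # v1.0 shape: one configuration object carrying a restriction block per platform
            '#microsoft.graph.deviceEnrollmentPlatformRestrictionsConfiguration' {
                foreach ($p in $legacyProps) {
                    if ($null -ne $cfg.$p) { New-RestrictionRow -Cfg $cfg -Platform ($p -replace 'Restriction$','') -R $cfg.$p }
                }
            }
            # Assumed beta shape for per-platform restriction policies: platformType + platformRestriction
            '#microsoft.graph.deviceEnrollmentPlatformRestrictionConfiguration' {
                New-RestrictionRow -Cfg $cfg -Platform $cfg.platformType -R $cfg.platformRestriction
            }
            # Device limit, Enrollment Status Page and Windows Hello configurations share the endpoint; skip them
            default { }
        }
    }
}

function Get-EnrollmentRestrictionReport {
    # Requires Connect-MgGraph -Scopes 'DeviceManagementServiceConfig.Read.All'.
    # Point -Uri at the beta endpoint if your tenant uses per-platform restriction policies.
    param([string]$Uri = 'https://graph.microsoft.com/v1.0/deviceManagement/deviceEnrollmentConfigurations')
    $all = @()
    do {
        $page = Invoke-MgGraphRequest -Method GET -Uri $Uri   # returns hashtables, which the parser handles
        $all += $page.value
        $Uri = $page.'@odata.nextLink'                        # follow paging until exhausted
    } while ($Uri)
    ConvertFrom-RestrictionConfiguration -Configurations $all
}

# Constructed sample: a default restriction that blocks personal Windows enrollment
# but still lets personal iOS and Android work-profile devices in.
$sample = @(
    @{
        '@odata.type' = '#microsoft.graph.deviceEnrollmentPlatformRestrictionsConfiguration'
        displayName   = 'All users and all devices'; priority = 0
        iosRestriction            = @{ platformBlocked=$false; personalDeviceEnrollmentBlocked=$false; osMinimumVersion='15.0'; osMaximumVersion=''; blockedManufacturers=@() }
        windowsRestriction        = @{ platformBlocked=$false; personalDeviceEnrollmentBlocked=$true;  osMinimumVersion='';     osMaximumVersion=''; blockedManufacturers=@() }
        androidForWorkRestriction = @{ platformBlocked=$false; personalDeviceEnrollmentBlocked=$false; osMinimumVersion='11.0'; osMaximumVersion=''; blockedManufacturers=@('Acme') }
    }
    @{ '@odata.type' = '#microsoft.graph.deviceEnrollmentLimitConfiguration'; displayName = 'All users'; priority = 0; limit = 5 }
)

$report = ConvertFrom-RestrictionConfiguration -Configurations $sample
$report | Format-Table -AutoSize
# Platforms where a personal device can still enroll (ios and androidForWork in this sample):
$report | Where-Object { -not $_.PlatformBlocked -and -not $_.PersonalBlocked } | Select-Object Platform, Configuration
# Live tenant: Get-EnrollmentRestrictionReport | Format-Table -AutoSize
```

The report tells you what each restriction says, not which one a given user ends up with: that depends on group assignment and priority, so after reading the report check the assignments of any restriction that leaves personal enrollment open.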

Interaction with Related Technologies

Azure AD: Enrollment creates or updates a device object in Azure AD. The device object has a trustType attribute: AzureAd for Azure AD joined devices, ServerAd for hybrid Azure AD joined, and Workplace for registered (workplace joined) devices, which is what BYOD enrollment produces. This is separate from Intune's own ownership flag: a Workplace-registered phone can still be tagged Corporate in Intune through a corporate identifier match.

Conditional Access: Conditional Access policies can require devices to be compliant (managed by Intune) or require approved apps. Enrollment is a prerequisite for compliance policies.

App Protection Policies (APP): For BYOD devices that are not enrolled, APP can still manage apps by applying policies at the app layer. This is called MAM without enrollment (MAM-WE).

Windows Autopilot: For corporate Windows devices, Autopilot automates the out-of-box experience (OOBE) and enrolls the device into Intune automatically. The device is registered with Autopilot by its hardware hash, which the OEM or reseller can upload at purchase or an admin can collect with the Get-WindowsAutopilotInfo script from the PowerShell Gallery and import as a CSV.

BYOD Enrollment Workflow Details

BYOD enrollment is initiated by the user, typically through the Company Portal app (for iOS/Android) or Settings app (for Windows). The user signs in with their work account, and the device is registered as a personal device. Intune applies only the policies that are targeted to personal devices, such as compliance policies that check encryption and jailbreak status, and app protection policies that control data sharing. The organization cannot wipe the entire device remotely; only company data can be selectively wiped.

Corporate Enrollment Workflow Details

Corporate enrollment is usually automated. The main routes:

Apple Automated Device Enrollment (ADE): Devices are purchased through Apple Business Manager (ABM) or Apple School Manager and assigned to an Intune enrollment profile. When the device is first set up it contacts Apple's activation servers, which hand it the Intune MDM profile during Setup Assistant. Enrollment runs with user affinity (the user signs in) or without it (userless), and ADE devices are supervised, which unlocks the more restrictive iOS settings.

Windows Autopilot: Devices are registered with Autopilot by hardware hash. During OOBE the device retrieves its Autopilot deployment profile, which controls which OOBE pages are skipped, the device name template, and the join type; the device then joins Azure AD and enrolls in Intune.

Android Enterprise: Corporate-owned devices enroll as fully managed, dedicated, or corporate-owned with a work profile, through zero-touch enrollment (devices bought from a zero-touch reseller), Samsung Knox Mobile Enrollment, or a QR code, NFC bump, or token string entered during the device's setup wizard.

Device Enrollment Manager (DEM): A dedicated user account permitted to enroll many corporate devices (up to 1,000 per DEM account), used for kiosks and shared devices where no individual owner signs in.

Important Timers and Thresholds

Enrollment token expiration: For Android enrollment tokens (e.g., QR code), the token expires after 90 days by default.

Apple ADE token expiration: The enrollment program (server) token you download from Apple Business Manager and upload to Intune is valid for one year. If it lapses, new ADE enrollments fail until it is renewed; devices that are already enrolled keep working.

Check-in interval: Once the accelerated post-enrollment period ends, every platform checks in about every 8 hours. Compliance is re-evaluated at check-in, and a device that stops checking in is marked non-compliant after the compliance policy's status validity period (30 days by default).

Retire/wipe delay: When an admin issues a retire or wipe command, the device may not receive it immediately; the command is queued and delivered on the next check-in, and the portal shows it as Pending until the device acknowledges it. A Sync action shortens the wait, but a device that is offline, or whose management agent has been removed, never receives the command at all.

Walk-Through

1

Determine Ownership Strategy

Before enrollment, decide which devices will be corporate-owned and which will be BYOD. This decision impacts enrollment restrictions, compliance policies, and device wipe capabilities. For corporate devices, you need to import device identifiers (IMEI, serial numbers) or use automated enrollment programs like Apple ADE or Windows Autopilot. For BYOD, users will self-enroll via the Company Portal. This step is often overlooked, but the exam tests that ownership is determined before enrollment restrictions are configured.

2

Configure Enrollment Restrictions

In Intune, go to Devices > Enrollment > Enrollment restrictions (Device platform restrictions). Create a restriction for each platform (Android, iOS/iPadOS, macOS, Windows) or edit the default. The options are: platform Allow or Block, minimum and maximum OS version, Personally owned Allow or Block, and, for Android, a list of blocked manufacturers. For BYOD you leave Personally owned on Allow; to go corporate-only, set it to Block. Restrictions are evaluated when the device tries to enroll: a device that fails the check is refused with an error in Company Portal and never appears in Intune. Assign restrictions to groups and order them by priority; a user who falls under several gets the highest-priority one, so a permissive restriction aimed at All users can silently outrank the one you intended.

3

Set Up Corporate Device Identifiers

To automatically mark devices as corporate-owned, import a CSV file of IMEI numbers or serial numbers into Intune (Devices > Enrollment > Corporate device identifiers), one identifier type per file. This ensures that even if a user enrolls a corporate device through Company Portal as if it were personal, it is tagged corporate at enrollment. The match happens only at enrollment time, so import identifiers before the devices are handed out. The exam tests that this is the correct method for pre-staging corporate devices without an automated enrollment program.

4

Create Enrollment Profiles

For corporate devices using automated enrollment, create an enrollment profile. For Apple ADE, go to Devices > iOS/iPadOS > iOS enrollment > Enrollment program tokens, upload the server token from Apple Business Manager, then create a profile with settings such as user affinity (prompt for user sign-in) or device-only enrollment, Shared iPad, supervision, and which Setup Assistant screens to skip; finally assign devices to that profile. For Windows Autopilot, create a deployment profile under Devices > Windows > Windows enrollment > Deployment profiles, choosing the mode (user-driven or self-deploying), the join type, the OOBE pages to skip, and a device name template, and assign it to a group containing the Autopilot device objects. Autopilot does not switch MDM enrollment on by itself: the Automatic Enrollment setting under Windows enrollment (MDM user scope) must already cover the users, or the device joins Azure AD and never enrolls in Intune.

5

User Enrollment for BYOD

BYOD users enroll by installing the Company Portal app from the app store (iOS/Android) or by going to Settings > Accounts > Access work or school (Windows). They sign in with their Azure AD credentials. The device registers with Azure AD as a 'Workplace joined' device (trustType: Workplace). Intune then pushes policies. The exam tests that BYOD enrollment requires user interaction and that the device is marked as personally owned unless a corporate identifier matches.

6

Monitor and Verify Enrollment

After enrollment, verify the device appears in Intune under Devices > All devices. Check the 'Ownership' column to confirm it is Corporate or Personal. Also check the Azure AD device list to see the trust type. If enrollment fails, review the enrollment state on the device (e.g., Settings > Accounts > Access work or school > Info on Windows, or the Company Portal diagnostics on a phone) or use the Troubleshooting + support blade in the admin center. Common failures: network or proxy blocks to the Intune endpoints, certificate problems, an enrollment restriction or device limit being hit, or a user without an Intune license.
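The device-side half of the verification in step 6 is the one people skip, because dsregcmd's output is long and the portal is easier to read. The following is an added example, not code from the original page or from Microsoft: it parses `dsregcmd /status` into the join type that becomes trustType in Azure AD and whether an MDM URL is present, lists the MDM enrollments the Windows client recorded in the registry, and checks for the client certificate Intune issues at enrollment. The parser works on raw text so it runs here against a constructed excerpt of dsregcmd output (tenant name, device ID and the exact layout are made up); the registry and certificate functions need a real Windows device.

```powershell
# Added example (not from the original page). Checks enrollment state from the Windows
# device: parses `dsregcmd /status` into the join type that shows up as trustType in
# Azure AD / Entra ID, reads the MDM enrollment entries the Windows client keeps under
# HKLM\SOFTWARE\Microsoft\Enrollments, and confirms the Intune MDM device certificate exists.

function ConvertFrom-DsregStatus {
    param([Parameter(Mandatory)][string]$Text)
    $fields = @{}
    foreach ($line in $Text -split "`r?`n") {
        # dsregcmd prints "   Name : Value"; the value may itself contain ':' (URLs)
        if ($line -match '^\s*([A-Za-z0-9]+)\s*:\s*(.*?)\s*$') { $fields[$Matches[1]] = $Matches[2] }
    }
    $aad = $fields['AzureAdJoined']   -eq 'YES'
    $dom = $fields['DomainJoined']    -eq 'YES'
    $wpj = $fields['WorkplaceJoined'] -eq 'YES'
    $join = if ($aad -and $dom) { 'Hybrid Azure AD joined (trustType ServerAd)' }
            elseif ($aad)       { 'Azure AD joined (trustType AzureAd)' }
            elseif ($wpj)       { 'Azure AD registered (trustType Workplace)' }
            else                { 'Not joined or registered' }
    [pscustomobject]@{
        JoinType    = $join
        DeviceId    = $fields['DeviceId']
        TenantName  = $fields['TenantName']
        MdmUrl      = $fields['MdmUrl']
        MdmEnrolled = [bool]$fields['MdmUrl']   # joined/registered with an empty MdmUrl means no MDM enrollment
    }
}

function Get-LocalMdmEnrollment {
    # Value names as written by the Windows MDM client for Intune ("MS DM Server") enrollments
    Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Enrollments' -ErrorAction SilentlyContinue |
        ForEach-Object { Get-ItemProperty $_.PSPath } |
        Where-Object { $_.ProviderID -eq 'MS DM Server' } |
        Select-Object @{ n = 'EnrollmentId'; e = { Split-Path $_.PSPath -Leaf } },
                      UPN, EnrollmentType, EnrollmentState, DiscoveryServiceFullURL
}

function Test-IntuneMdmCertificate {
    # The client certificate issued at enrollment; SCEP/PKCS certs from profiles have other issuers
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Issuer -like '*Microsoft Intune MDM Device CA*' } |
        Select-Object Subject, NotAfter, Thumbprint
}

# Constructed excerpt of `dsregcmd /status` for an Autopilot-joined, Intune-enrolled laptop
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : NO
                  DeviceId : 3f2a1c0e-0000-4000-8000-000000000001
+----------------------------------------------------------------------+
| Tenant Details                                                       |
+----------------------------------------------------------------------+
                TenantName : Contoso
                    MdmUrl : https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc
+----------------------------------------------------------------------+
| User State                                                           |
+----------------------------------------------------------------------+
           WorkplaceJoined : NO
'@
ConvertFrom-DsregStatus -Text $sample    # JoinType: Azure AD joined (trustType AzureAd), MdmEnrolled: True

# On the device under test (use an elevated prompt so the registry read succeeds):
# ConvertFrom-DsregStatus -Text ((dsregcmd /status) -join "`n")
# Get-LocalMdmEnrollment
# Test-IntuneMdmCertificate
```

The combination is what tells you where an enrollment stalled: AzureAdJoined YES with an empty MdmUrl means the join succeeded but automatic MDM enrollment never ran (typically the MDM user scope does not include the user); an enrollment entry with no matching certificate means the device never finished the certificate step and will not be able to check in.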

What This Looks Like on the Job

Scenario 1: Large Enterprise Rolling Out Windows 11 Laptops

A multinational corporation purchases 5,000 Dell laptops directly from the manufacturer with Windows Autopilot registration. The IT team registers the devices in Intune by uploading the hardware hashes from the reseller. They create a single Autopilot deployment profile that assigns a naming convention like 'CORP-%RAND:5%' (e.g., CORP-A3F2B), skips Cortana and privacy settings, and automatically enrolls the device into Intune. The profile also enables Azure AD join. When employees receive the laptops and connect to the internet, the OOBE automatically applies the profile. The device joins Azure AD, enrolls in Intune, and receives compliance policies (BitLocker, Windows Defender) and configuration profiles (Wi-Fi, VPN). The IT team monitors enrollment success via the Intune dashboard. Common issues: devices that were not registered with Autopilot show a standard OOBE; the fix is to re-register the hardware hash. This scenario is typical for corporate-owned Windows devices.

Scenario 2: Healthcare Provider with BYOD for Nurses

A hospital lets nurses access patient records from personal iPhones through a secure app. Its first design used App Protection Policies (APP) without enrollment (MAM-WE); APP conditional launch can already require an app PIN and block jailbroken devices at the app layer. The hospital also wants a device-level compliance signal for Conditional Access, so it moves to enrollment: nurses enroll through Company Portal, an iOS compliance policy requires a passcode and blocks jailbroken devices, and the enrollment restriction allows personally owned iOS devices at iOS 15 or later only. A Conditional Access policy requires a compliant device to reach the records app; a jailbroken phone becomes non-compliant and loses access. Because the devices are personal, the hospital can retire a device or selectively wipe its company data but can never factory-reset a nurse's phone. This is the classic BYOD pattern: partial management by design.

Scenario 3: Education with Shared iPads

A school district deploys 200 iPads for student use. They are corporate-owned, enrolled through Apple ADE with an enrollment profile that has no user affinity and Shared iPad turned on; students sign in with Managed Apple IDs from Apple School Manager (or use a temporary session), which is what keeps one student's data separate from the next. A single-app (kiosk) configuration limits the devices to one educational app. Intune manages the devices fully, including app updates and configuration. For the occasional iPad bought outside Apple School Manager, staff enroll it with a Device Enrollment Manager (DEM) account, accepting that such a device is neither supervised nor a Shared iPad. The key point is that every policy targets the device itself rather than a user.

How MS-102 Actually Tests This

What MS-102 Tests on This Topic

The MS-102 exam (Objective 2.4: Manage devices) tests your ability to differentiate between BYOD and corporate enrollment methods, configure enrollment restrictions, and understand the implications of ownership on management capabilities. Specific subtopics include:

Enrollment restriction configuration (block personal devices, require specific OS version)

Corporate device identifiers (IMEI/serial number import)

Apple ADE and Windows Autopilot enrollment profiles

Device Enrollment Manager (DEM) accounts

How ownership affects wipe vs. retire actions

Common Wrong Answers and Why Candidates Choose Them

1. Wrong Answer: 'BYOD devices can be fully wiped by the admin.' Why: Candidates confuse BYOD with corporate devices. The exam tests that BYOD devices can only be selectively wiped (company data), not factory reset.

2. Wrong Answer: 'Corporate devices cannot be enrolled without user interaction.' Why: Candidates may think all enrollment requires user sign-in. However, Apple ADE and Autopilot support userless enrollment where no user is prompted during OOBE.

3. Wrong Answer: 'Enrollment restrictions apply after enrollment.' Why: Restrictions are evaluated at enrollment time. If a device does not meet restrictions, enrollment is blocked immediately. The exam tests that restrictions are a gate, not a post-enforcement.

4. Wrong Answer: 'Device Enrollment Manager can enroll unlimited devices.' Why: The limit is 1,000 devices per DEM account. The exam may test this exact number.

Specific Numbers and Terms on the Exam

DEM device limit: 1,000

Default check-in interval: about every 8 hours on every platform once the accelerated post-enrollment period ends

Apple ADE enrollment program token validity: 1 year, after which it must be renewed

Android enrollment token expiration: 90 days

Corporate device identifier import: CSV with IMEI or serial number

Autopilot profile settings: Skip privacy settings, assign device name, enable Azure AD join

Edge Cases and Exceptions

If a corporate device identifier is imported AFTER a device has already enrolled as personal, the ownership will NOT automatically change. You must manually change the ownership in Intune.

For Android Enterprise, corporate-owned devices can be enrolled via Zero Touch Enrollment (reseller integration) or via QR code/NFC for dedicated devices. The exam may ask which method is appropriate for a given scenario.

Windows Autopilot self-deploying mode is for kiosks, digital signage, and shared devices. No user signs in during OOBE; the device joins Azure AD with its own identity and enrolls in Intune. It requires a physical device with a TPM 2.0 that supports device attestation (virtual machines and TPM 1.2 hardware cannot use it) and it supports Azure AD join only, not hybrid join.

How to Eliminate Wrong Answers

If a question asks about wiping a BYOD device, eliminate any answer that says 'full wipe' or 'factory reset'. The correct answer is 'selective wipe' or 'retire'.

If a question mentions 'no user interaction during enrollment', look for Apple ADE or Autopilot userless mode.

If a question involves blocking personal devices, the solution is to create an enrollment restriction that blocks personally owned devices.

If a question involves pre-staging corporate devices without automated enrollment, the answer is to import corporate device identifiers.

Key Takeaways

BYOD enrollment is user-initiated and results in a personal device that can only be selectively wiped.

Corporate enrollment can be automated via Apple ADE or Windows Autopilot, enabling full management and factory reset.

Enrollment restrictions are evaluated at enrollment time, not after; they block non-compliant devices.

Corporate device identifiers (IMEI/serial) can pre-mark devices as corporate, but only for new enrollments.

Device Enrollment Manager (DEM) accounts are limited to 1,000 enrollments per account.

Apple ADE enrollment program tokens are valid for one year and must be renewed, or new ADE enrollments fail.

Android enrollment tokens expire after 90 days.

Windows Autopilot self-deploying mode supports userless enrollment for kiosks and shared devices.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

BYOD Enrollment

User-initiated via Company Portal or Settings

Device is marked as personally owned

Admin can only selectively wipe company data

Management is limited to app and compliance policies

Device registers as Workplace Joined in Azure AD

Corporate Enrollment

Automated via Apple ADE, Windows Autopilot, or DEM

Device is marked as corporate owned

Admin can wipe (factory reset) the device

Full device management including OS configuration

Device can be Azure AD Joined or Hybrid Azure AD Joined

Watch Out for These

Mistake

BYOD devices can be fully wiped by the IT admin.

Correct

BYOD devices can only be selectively wiped (remove company data) or retired (remove management). A full factory reset is only possible on corporate-owned devices.

Mistake

Enrollment restrictions are applied after enrollment.

Correct

Enrollment restrictions are evaluated at the time of enrollment. If the device does not meet the restrictions, enrollment is blocked immediately.

Mistake

Corporate devices must always have a user associated.

Correct

Corporate devices can be enrolled without user affinity (userless), such as shared iPads or kiosk devices. Apple ADE and Autopilot support userless enrollment.

Mistake

Device Enrollment Manager can enroll an unlimited number of devices.

Correct

A DEM account can enroll up to 1,000 devices. This is a hard limit enforced by Intune.

Mistake

Importing a corporate device identifier automatically changes ownership of already enrolled devices.

Correct

The import only applies to new enrollments. Existing enrolled devices retain their original ownership; you must manually change it in Intune.


Frequently Asked Questions

How do I block all personal devices from enrolling in Intune?

Create (or edit) a platform enrollment restriction with Personally owned set to Block. Go to Devices > Enrollment > Enrollment restrictions > Device platform restrictions, create a restriction for each platform, set Personally owned to Block, and assign it to the relevant groups at a higher priority than the default. Any user-driven enrollment from a device Intune cannot already identify as corporate (by identifier, ADE, Autopilot, DEM, or an Android Enterprise corporate-owned enrollment) is then refused. Already enrolled devices are unaffected; they stay enrolled until you retire or delete them.

What is the difference between a retire and a wipe in Intune?

Retire removes the device from Intune management and selectively removes company data (apps, policies, certificates). The user's personal data remains. Wipe performs a factory reset, removing all data and restoring the device to its default state. Wipe is only available for corporate-owned devices. Retire is available for both ownership types, but on BYOD devices, retire also removes company data.

Can I change a device's ownership from personal to corporate after enrollment?

Yes, you can manually change the ownership in the Intune portal. Go to Devices > All devices, select the device, and choose 'Properties'. Under 'Device ownership', change from Personal to Corporate. This is useful if a corporate device was accidentally enrolled as personal. However, the change does not retroactively affect policies already applied; you may need to re-evaluate compliance.

What is the maximum number of devices I can enroll with a Device Enrollment Manager account?

The limit is 1,000 devices per DEM account. This is a hard limit enforced by Intune. If you need to enroll more, you must create additional DEM accounts or use automated enrollment methods like Autopilot.

How does Windows Autopilot enrollment work without user interaction?

Windows Autopilot self-deploying mode allows a device to enroll without any user interaction. The device is pre-registered with its hardware hash. During OOBE, the device contacts the Autopilot service, downloads the deployment profile, and automatically joins Azure AD and enrolls in Intune. No user sign-in is required. This is ideal for kiosks, digital signage, or shared devices. It needs a physical device with a TPM 2.0 that supports attestation, which is how the device proves its identity in place of a user; virtual machines and TPM 1.2 hardware cannot use self-deploying mode.

What happens if an Apple ADE profile is not assigned before the device is turned on?

If the device has no ADE profile assigned when it is first turned on, it goes through the standard Setup Assistant and does not become an ADE enrollment. Assign the profile in Intune, then erase the device (Erase All Content and Settings) so that Setup Assistant runs again and picks up the profile from Apple's activation servers. Enrolling it through Company Portal instead would make it an ordinary user-driven enrollment: not supervised, and not eligible for the ADE-only settings. The only expiry to watch is the enrollment program token, which is valid for one year.

Can I use Intune to manage corporate devices without enrolling them?

Intune requires enrollment to manage devices. However, for app management only, you can use App Protection Policies (APP) without enrollment (MAM-WE). This is common for BYOD scenarios where you want to protect company data in apps without managing the device. But for full device configuration and compliance, enrollment is mandatory.

