In an organization, computers operate within the context of a device lifecycle. This lifecycle consists of a number of stages. Typically, you purchase new devices, deploy operating systems to those devices, and then add the devices to the scope of a management system.
Thereafter, you’ll use the management system to configure those devices, including deploying apps and updates to them. The management system can provide reporting capabilities and potentially the ability to provide remote help to users of the devices. When the computers can no longer run the required operating system and apps, the devices are retired and removed from the management scope.
You might use Endpoint Configuration Manager to manage this device lifecycle in an on-premises context. In the cloud, you use Microsoft Intune.
This skill covers how to:
- Configure enrollment settings
- Configure automatic and bulk enrollment, including Windows, Apple, and Android
- Enroll devices
- Configure policy sets
- Restart, retire, or wipe devices
Configure enrollment settings in Microsoft Intune
You enable MDM for devices by enrolling them. Currently, Microsoft Intune supports the following device types for enrollment:
- Apple iOS 14.0 and newer
- Apple iPadOS 14.0 and newer
- macOS 11.0 and newer
- Linux (Ubuntu Desktop 22.04 with GNOME interface or newer)
- Android 8.0 (and newer)
- Android Enterprise
- Android open source project devices (AOSP)
- Windows 10/11
- Windows 10/11 on Windows 365
- Windows 10 LTSC
- Windows 10 Teams
- Surface Hub
The enrollment process is different for each platform, and each platform has a specific set of requirements, as described in Table 3-2.
TABLE 3-2 Enrollment requirements

| Device platform | Enrollment requirements |
| --- | --- |
| Apple iOS and iPadOS; Apple macOS | Obtain an Apple Push Notification service (APNs) certificate, which lets Intune communicate securely with Apple devices. Install the Microsoft Intune Company Portal app on each device from the App Store. |
| Android; Android Enterprise | Install the Microsoft Intune Company Portal app on each device from the Google Play store. |
| Windows 10/11; Windows 10/11 on Windows 365; Windows 10 LTSC; Windows 10 Teams; Surface Hub | No special requirements; direct enrollment is usually possible in the following ways: during the out-of-box experience (OOBE) on a new computer; with Windows Autopilot; following a sign-in to a connected app, such as Microsoft Teams; manually via the Settings app (Accounts > Access work or school). |
For Windows devices, the MDM client is built into the operating system and already trusts Intune as an MDM authority; therefore, you can configure and enable automatic enrollment (in Azure AD, under Mobility (MDM and MAM) > Microsoft Intune, by setting the MDM user scope to the users or groups that should enroll). The following list provides a high-level explanation of the enrollment process for each platform:
- Windows 10/11 When a user signs in to the device with corporate credentials, the device is joined to (or registered with) Azure Active Directory (Azure AD). If that user is within the MDM user scope, the device then enrolls automatically and is managed with Intune.
- iOS/iPadOS and macOS An MDM push certificate is required before Intune can manage iOS/iPadOS and macOS devices. Install the Company Portal app from the App Store, open the app, and follow the enrollment wizard.
- iOS/iPadOS company-owned devices For bulk enrollments, you can use the following methods:
  - Apple's Device Enrollment Program (DEP), now delivered as Automated Device Enrollment through Apple Business Manager
  - Apple School Manager
  - Apple Configurator Setup Assistant enrollment
  - Apple Configurator direct enrollment
  - Intune Device Enrollment Manager (DEM) account
- Android devices Users must enroll their devices by downloading the Intune Company Portal app from Google Play and following its enrollment wizard.
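To verify that the Windows automatic enrollment described above actually completed, you can inspect the state the MDM client leaves on the device. The following script is an added example, not code from the book or from Microsoft; it relies only on built-in tooling: the `dsregcmd /status` output and the registry keys the enrollment client writes under `HKLM:\SOFTWARE\Microsoft\Enrollments`. The `Start-IntuneSync` helper and the scheduled-task name it looks for (`Schedule #3 ...`) are assumptions based on current Windows builds and may differ on yours.

```powershell
# Added example (not from the book): audit a Windows 10/11 device's Azure AD join
# and Intune MDM enrollment, then optionally force a sync. Run elevated on the device.

function Get-AadJoinState {
    # dsregcmd /status prints "Key : Value" lines; keep only the fields that matter here
    $lines = & dsregcmd.exe /status
    $state = @{}
    foreach ($line in $lines) {
        if ($line -match '^\s*(AzureAdJoined|DomainJoined|WorkplaceJoined|TenantName|MdmUrl)\s*:\s*(.+?)\s*$') {
            $state[$matches[1]] = $matches[2]
        }
    }
    [pscustomobject]$state
}

function Get-MdmEnrollment {
    # Each MDM enrollment gets a GUID-named key; Intune identifies itself as ProviderID "MS DM Server".
    # Non-GUID keys (Context, Status, Ownership, ...) are bookkeeping and are skipped.
    $root = 'HKLM:\SOFTWARE\Microsoft\Enrollments'
    Get-ChildItem -Path $root -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^[0-9A-Fa-f-]{36}$' } |
        ForEach-Object {
            $p = Get-ItemProperty -Path $_.PSPath
            if ($p.ProviderID -eq 'MS DM Server') {
                [pscustomobject]@{
                    EnrollmentId   = $_.PSChildName
                    UPN            = $p.UPN
                    DiscoveryUrl   = $p.DiscoveryServiceFullURL
                    EnrollmentType = $p.EnrollmentType
                }
            }
        }
}

function Start-IntuneSync {
    param([Parameter(Mandatory)][string]$EnrollmentId)
    # Assumption: the enrollment client registers its periodic sync tasks under this path,
    # and "Schedule #3 ..." is the regular sync task; verify the name on your build.
    $task = Get-ScheduledTask -TaskPath "\Microsoft\Windows\EnterpriseMgmt\$EnrollmentId\" -ErrorAction SilentlyContinue |
            Where-Object { $_.TaskName -like 'Schedule #3*' }
    if ($task) {
        $task | Start-ScheduledTask
        "Sync triggered for enrollment $EnrollmentId"
    } else {
        Write-Warning "No sync task found for enrollment $EnrollmentId"
    }
}

$join = Get-AadJoinState
$mdm  = @(Get-MdmEnrollment)

"Azure AD joined      : $($join.AzureAdJoined)"
"Tenant               : $($join.TenantName)"
"MDM URL (from join)  : $($join.MdmUrl)"

if ($mdm.Count -eq 0) {
    # Joined but not enrolled usually means the user is outside the MDM user scope
    # or the tenant lacks the licensing automatic enrollment needs.
    Write-Warning 'No Intune (MS DM Server) enrollment found; the device is not MDM-managed.'
} else {
    $mdm | Format-List
    Start-IntuneSync -EnrollmentId $mdm[0].EnrollmentId
}
```

A device that reports `AzureAdJoined : YES` but has no `MS DM Server` enrollment is the most common failure mode of automatic enrollment: the join succeeded, but the signed-in user was not in the MDM user scope, so no enrollment was attempted. Checking both halves separately tells you which step to fix.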
Note Annual Certificate Renewal
The Apple MDM push certificate is valid for one year and must be renewed annually to maintain iOS/iPadOS and macOS device management. If the certificate expires, Intune can no longer contact or manage enrolled Apple devices. Renew it in Intune using the same Apple ID that created it; creating a new certificate with a different Apple ID breaks the existing trust, and every Apple device must then be re-enrolled.
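Because an expired push certificate silently disconnects every enrolled Apple device, the expiry date is worth monitoring rather than remembering. The following script is an added example, not code from the book or from Microsoft: it reads the tenant's certificate record from Microsoft Graph (`GET /deviceManagement/applePushNotificationCertificate`) with the Microsoft Graph PowerShell SDK and warns when renewal is due. The 30-day threshold is an assumption; the Graph permission `DeviceManagementServiceConfig.Read.All` is the one that grants read access to this resource.

```powershell
# Added example (not from the book): report Apple MDM push certificate expiry via Graph.
# Requires the Microsoft.Graph PowerShell SDK (Install-Module Microsoft.Graph).

Connect-MgGraph -Scopes 'DeviceManagementServiceConfig.Read.All'

$threshold = 30   # assumption: warn when fewer than this many days remain

try {
    # Invoke-MgGraphRequest returns the JSON body as a hashtable
    $cert = Invoke-MgGraphRequest -Method GET `
        -Uri 'https://graph.microsoft.com/v1.0/deviceManagement/applePushNotificationCertificate' `
        -ErrorAction Stop
} catch {
    # A tenant with no certificate uploaded surfaces here; Apple enrollment will fail until one exists
    Write-Warning "Could not read the Apple MDM push certificate: $($_.Exception.Message)"
    return
}

if (-not $cert.expirationDateTime) {
    Write-Warning 'No Apple MDM push certificate is configured; iOS/iPadOS/macOS enrollment will fail.'
    return
}

$expires  = ([datetime]$cert.expirationDateTime).ToUniversalTime()
$daysLeft = [int][math]::Floor(($expires - (Get-Date).ToUniversalTime()).TotalDays)

[pscustomobject]@{
    AppleId   = $cert.appleIdentifier          # the Apple ID that must be used to renew
    Topic     = $cert.topicIdentifier
    Serial    = $cert.certificateSerialNumber
    ExpiresUtc = $expires
    DaysLeft  = $daysLeft
} | Format-List

if ($daysLeft -le 0) {
    Write-Error "APNs certificate expired $(-$daysLeft) day(s) ago: enrolled Apple devices cannot be managed until it is renewed."
} elseif ($daysLeft -le $threshold) {
    Write-Warning "APNs certificate expires in $daysLeft day(s): renew it in Intune with the SAME Apple ID ($($cert.appleIdentifier)), or all Apple devices must be re-enrolled."
} else {
    "APNs certificate OK: $daysLeft day(s) remaining."
}
```

Schedule this from a runbook or pipeline with an app registration holding the same permission, and route the warning to whoever owns the Apple ID; the renewal itself still has to be done interactively in the Intune admin center with that Apple ID.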