MDM manages the entire device after enrollment, giving IT full control including the ability to wipe the device. MAM manages only specific applications without requiring device enrollment, limiting IT control to corporate data within managed apps.
- What is enrollment
- Methods by platform
- Choosing a method
- Security risks
- Monitoring
- FAQ
Intune device enrollment is the process of registering a device with Microsoft Intune so your organization can manage it, enforce compliance policies, and control access to corporate resources. The enrollment method you pick directly affects your security posture, end-user experience, and how much management control you actually have over each device.
What is Intune device enrollment
When you enroll a device in Intune, you register it with Intune's MDM authority. Compliance policies, application deployments, and configuration profiles all apply to that device going forward. Intune recognizes two ownership models: corporate-owned devices, where IT has full device control, and personally owned (BYOD) devices, where management is limited to a work profile or specific applications.
It's worth distinguishing MDM from MAM here. MDM (Mobile Device Management) enrolls the entire device, giving IT broad control including the ability to remotely wipe it. MAM (Mobile Application Management) manages only specific applications without requiring full device enrollment. It protects corporate data inside those apps while leaving the rest of the device untouched.
Intune enrollment requires Microsoft Entra ID integration and an appropriate Intune license. Intune Plan 1 is included with Microsoft 365 E3/E5 and Enterprise Mobility + Security (EMS) E3/E5, or you can purchase it as a standalone subscription.
Intune enrollment methods by platform
Windows enrollment methods
| Method | Ownership type | User interaction | Level of IT control |
|---|---|---|---|
| Automatic MDM enrollment (Entra ID join) | Corporate or BYOD | Minimal: user joins Microsoft Entra ID and enrollment happens automatically | Full MDM control |
| Windows Autopilot | Corporate | Zero-touch: device ships preconfigured, user signs in and policies apply | Full MDM control |
| Group Policy co-management with Configuration Manager | Corporate (existing domain-joined devices) | None: GPO triggers enrollment | Shared control between Intune and Configuration Manager |
| Device Enrollment Manager (DEM) | Corporate (shared/kiosk devices) | Admin-driven bulk enrollment | Full MDM control, no user affinity |
| Company Portal (BYOD) | Personal | User downloads Company Portal app and enrolls manually | MDM or MAM depending on policy |
| Provisioning package | Corporate | Admin creates package, applied during OOBE or post-setup | Full MDM control |
How many types of Windows enrollment are there in Intune? Intune supports six primary Windows enrollment methods, listed in the table above. The right choice depends on device ownership, existing infrastructure, and whether you need user affinity.
What is the difference between "Some" and "All" for automatic MDM enrollment? When you set the MDM user scope to "Some," only users in the groups you select get automatically enrolled when they join or register a device with Microsoft Entra ID. Set it to "All," and every user who joins or registers a device is automatically enrolled.
iOS and iPadOS enrollment methods
| Method | Ownership type | User interaction | Level of IT control |
|---|---|---|---|
| Apple Automated Device Enrollment (ADE) | Corporate | Zero-touch via Apple Business Manager | Full MDM control, supervised mode |
| Company Portal (BYOD) | Personal | User installs Company Portal and enrolls | MDM with limited wipe scope |
| Apple Configurator | Corporate | Admin uses Mac + Apple Configurator to enroll devices via USB or direct enrollment | Full MDM control |
| Web-based device enrollment | Corporate or personal | Browser-based enrollment for scenarios without Company Portal | Varies by policy |
Android enrollment methods
| Method | Ownership type | User interaction | Level of IT control |
|---|---|---|---|
| Corporate-owned fully managed | Corporate | Admin provisions via QR code, NFC, or zero-touch | Full device control |
| Corporate-owned dedicated device | Corporate (kiosk/shared) | Admin provisions, no user affinity | Locked to specific apps/tasks |
| Corporate-owned work profile | Corporate | Separate work and personal profiles, IT manages work side | Work profile under IT control |
| Personally owned work profile (BYOD) | Personal | User enrolls via Company Portal, work profile created | Only work profile managed |
macOS enrollment methods
| Method | Ownership type | User interaction | Level of IT control |
|---|---|---|---|
| Apple Automated Device Enrollment (ADE) | Corporate | Zero-touch via Apple Business Manager | Full MDM control |
| Company Portal (BYOD) | Personal | User downloads and enrolls | MDM with limited scope |
| Direct enrollment | Corporate | Admin enrolls without user affinity | MDM control, no user sign-in |
Choosing the right enrollment method
Your enrollment decision comes down to five factors.
Device ownership. Corporate-owned devices should use Autopilot, ADE, or automatic MDM enrollment for maximum control. BYOD devices typically use Company Portal enrollment or MAM-only policies that protect corporate data without touching personal content.
User experience. Zero-touch methods like Windows Autopilot and Apple ADE work best for large deployments where IT ships devices directly to users. The device arrives ready to use after the employee signs in. Manual Company Portal enrollment is fine for BYOD scenarios where users opt in to management.
Existing infrastructure. If you already use Microsoft Configuration Manager to manage on-premises devices, co-management lets you gradually shift workloads to Intune without disrupting your current setup.
Scale. DEM accounts are useful for enrolling large numbers of shared or kiosk devices where user affinity isn't needed. A single DEM account can enroll up to 1,000 devices. Provisioning packages work for bulk Windows deployments during initial device setup.
Security. Supervised mode on iOS (available through ADE) and fully managed mode on Android give IT the most control over device security settings, app restrictions, and data protection. BYOD enrollment intentionally limits IT visibility to protect user privacy.
What are the prerequisites for Intune enrollment? You need an active Intune license assigned to the user, Microsoft Entra ID integration configured, MDM authority set to Intune, enrollment restrictions configured (platform allowances and device limits per user), and for Apple devices, a valid Apple MDM push certificate uploaded to the Intune admin center.
MDM vs. MAM enrollment in Intune
MDM manages the entire device after enrollment. You can push compliance policies, deploy apps, configure Wi-Fi and VPN profiles, and remotely wipe the device if it's lost or compromised. MDM requires the device to be enrolled in Intune.
MAM manages only specific applications without requiring device enrollment. With MAM-only policies (also called MAM without enrollment), you can protect corporate data within managed apps. For example, you can prevent copy-paste from Outlook to a personal app without enrolling the device. IT can selectively wipe corporate data from managed apps while leaving personal data intact.
Both can coexist. A device can be MDM-enrolled and still have MAM policies applied to specific apps for an extra layer of data protection. Use MDM for corporate-owned devices where you need full control, and MAM-only for BYOD scenarios where users decline full device enrollment but still need access to corporate email or files.
Security risks of unmonitored device enrollment
Enrollment monitoring is one of those things that doesn't feel urgent until something goes wrong. I've seen orgs go months without reviewing enrollment logs, and by the time they notice a problem, the damage is already done.
Unauthorized device enrollment. If an attacker compromises a user's Microsoft Entra ID credentials, they can enroll a rogue device, receive corporate policies and app deployments, and access organizational data. Without enrollment monitoring, this device looks like any other managed endpoint. That's what makes it dangerous.
DEM account abuse. DEM accounts can enroll up to 1,000 devices each. A compromised DEM account lets an attacker mass-enroll devices and extract corporate configurations, certificates, and VPN profiles at scale. One account, a thousand endpoints.
Stale enrolled devices. Devices that stay enrolled after an employee leaves retain access to corporate resources until an admin manually retires or wipes them. Unmonitored environments accumulate these stale enrollments over time, and each one is a potential entry point.
Conditional Access bypass. Without enrollment monitoring, attackers can enroll devices that appear compliant, satisfy Conditional Access policies, and gain access to protected resources like SharePoint or Exchange Online.
ADAudit Plus tracks Intune device enrollment events alongside Microsoft Entra ID sign-in activity, so you can correlate a new device enrollment with the user's sign-in location, risk level, and authentication method to spot unauthorized enrollments quickly.
Native Intune monitoring limitations
The Intune admin center logs enrollment activity, but it has gaps worth knowing about.
No real-time alerts on enrollment events. There's no built-in way to trigger an email or SMS alert the moment a new device enrolls. You find out when you check, not when it happens.
Limited log retention. Microsoft Entra ID audit logs keep data for 30 days with a P1 or P2 license. If your compliance requirements call for longer retention, you need to export logs to an external system.
No cross-platform correlation. Intune enrollment logs, Microsoft Entra ID sign-in logs, and on-premises Active Directory logon logs all live in separate consoles. Correlating a suspicious enrollment with the user's on-premises AD activity means jumping between portals manually, which is tedious enough that most admins skip it unless they already suspect something.
No scheduled enrollment reports. You can't schedule automatic delivery of enrollment activity reports to compliance teams or managers from the Intune admin center.
No behavioral baselines for enrollment patterns. The Intune admin center doesn't flag anomalies like a user enrolling devices at 2am or from a country they've never logged in from before.
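The checks this section says the admin center lacks (a sign-in-country baseline, off-hours enrollment, and mass enrollment by one account such as a DEM account) are easy to express once enrollment and sign-in events sit side by side. The following is an added example, not code from this page or from ADAudit Plus; the event records, the 06:00-22:00 business-hours window, and the 50-devices-in-30-minutes burst threshold are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not from a real tenant). Each enrollment carries the
# fields the page says matter: who enrolled which device, when, and the country
# of the matching Entra ID sign-in. Prior sign-ins form each user's baseline.
PRIOR_SIGNINS = [
    {"user": "alice@contoso.example", "country": "DE"},
    {"user": "bob@contoso.example", "country": "US"},
    {"user": "dem-kiosk@contoso.example", "country": "US"},
]
ENROLLMENTS = [
    {"ts": "2024-05-01T09:12:00", "user": "alice@contoso.example", "device": "LT-0192", "country": "DE"},
    {"ts": "2024-05-02T02:07:00", "user": "alice@contoso.example", "device": "PH-7731", "country": "BR"},
    {"ts": "2024-05-02T11:00:00", "user": "bob@contoso.example", "device": "LT-0410", "country": "US"},
] + [
    # A DEM account enrolling 60 kiosks in 20 minutes: normal for a planned
    # rollout, but exactly the mass-enrollment pattern to alert on otherwise.
    {"ts": f"2024-05-03T13:{i // 3:02d}:{(i % 3) * 20:02d}", "user": "dem-kiosk@contoso.example",
     "device": f"KIOSK-{i:03d}", "country": "US"}
    for i in range(60)
]

def baseline_countries(signins):
    """Countries each user has signed in from before (the behavioural baseline)."""
    seen = defaultdict(set)
    for s in signins:
        seen[s["user"]].add(s["country"])
    return seen

def find_suspicious_enrollments(enrollments, signins, burst_n=50, burst_window_min=30):
    """Return (device, reason) pairs for enrollments that match the risk patterns above."""
    baseline = baseline_countries(signins)
    window = timedelta(minutes=burst_window_min)
    recent_by_user = defaultdict(list)
    findings = []
    for e in sorted(enrollments, key=lambda x: x["ts"]):
        ts = datetime.fromisoformat(e["ts"])
        if e["country"] not in baseline[e["user"]]:  # never signed in from here before
            findings.append((e["device"], "country not in user's sign-in baseline"))
        if ts.hour < 6 or ts.hour >= 22:  # assumed business hours 06:00-22:00
            findings.append((e["device"], "enrolled outside business hours"))
        hist = recent_by_user[e["user"]]
        hist.append(ts)
        hist[:] = [t for t in hist if ts - t <= window]  # keep only the sliding window
        if len(hist) == burst_n:  # fire once, when the threshold is crossed
            findings.append((e["device"], f"{burst_n} enrollments by one account in {burst_window_min} min"))
    return findings
```

Feeding exported Intune enrollment and Entra ID sign-in records into these two functions yields one finding per rule hit; a real deployment would also suppress bursts from DEM accounts during scheduled rollouts.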
Monitoring Intune enrollment with ADAudit Plus
What ADAudit Plus monitors for Intune
ADAudit Plus provides prebuilt Intune admin center auditing reports that cover enrollment and device management activity:
- The Intune Device Enrollment report tracks which devices were enrolled, enrollment details, and timing.
- The Intune Device Sync Action report monitors device sync actions initiated in Intune.
- The Delete Managed Device From Intune report captures when devices are removed from management.
- The Device Compliance Policies report tracks compliance policy changes and status.
- The Device Configuration Policies report monitors configuration policy changes.
- The Intune Device Actions report covers all remote device actions (wipe, retire, restart, lock).
- The Create App Protection Policies report tracks new MAM app protection policies.
You can also correlate enrollment events with Microsoft Entra ID sign-in data using the Cloud Directory User Logon Reports, which show sign-in location, device information, MFA status, and Entra ID risk detection signals for each logon.
Native Intune admin center vs. ADAudit Plus
| Capability | Intune admin center | ADAudit Plus |
|---|---|---|
| Enrollment event logging | Yes | Yes |
| Real-time email/SMS alerts on enrollment | No | Yes |
| Scheduled enrollment reports | No | Yes (daily, weekly, monthly) |
| Log retention beyond 30 days | Requires export to external storage | Built-in archival |
| Cross-platform correlation (on-premises AD + Entra ID + Intune) | No (separate consoles) | Yes (single console) |
| UBA-driven anomaly detection for enrollment patterns | No | Yes |
| Export formats | CSV | CSV, PDF, HTML, CSVDE, XLSX |
FAQ
What is the difference between "Some" and "All" for automatic MDM enrollment? When set to "Some," automatic MDM enrollment applies only to users in the groups you select. When set to "All," every user who joins or registers a device with Microsoft Entra ID is automatically enrolled in Intune.
Can you protect corporate data without enrolling the device in Intune? Yes. MAM-only policies let you protect corporate data within specific apps without enrolling the device. This is commonly used for BYOD scenarios where users decline full MDM enrollment.
What are the prerequisites for Intune enrollment? You need an active Intune license assigned to the user, Microsoft Entra ID integration configured, MDM authority set to Intune, enrollment restrictions configured (platform allowances, device limits per user), and for Apple devices, a valid Apple MDM push certificate.
What is replacing Microsoft Intune? Nothing is replacing Intune. Microsoft rebranded Microsoft Endpoint Manager back to Microsoft Intune in 2023, consolidating Intune and Configuration Manager under the Intune brand. Intune continues as Microsoft's primary cloud-based endpoint management solution.