Intune: MDM Enrollment Experience (complete device management)
Microsoft Intune, part of Enterprise Mobility + Security (EMS), is an Azure based service that enables IT to manage devices at scale (iOS,Android,MacOS,Windows) and customize them, just like you would with an enterprise Windows PC. This provides a wealth of capability for IT to ensure devices are secure and protect intellectual property on them, but are also easy, efficient to use and do not create a burden on the end user. Let's take a look at how to enroll a device into Intune MDM from the end-user's perspective.
Note: Refer to the technical documentation for more information on how to configure Intune for MDM enrollment.
With my personal (or corporate owned) iPad I'm going to download the Company Portal app from the App Store:
Once downloaded, I'm going to launch the Company Portal app. Upon launching I will be prompted to sign-in:
Microsoft will recognize my credentials as Azure Active Directory credentials and will take me to my company's sign-in page (still inside the app):
Once I click Sign-in, Company Portal will load:
Once signed in, there will be instructions prompting me I need to get my device managed in order to access my corporate applications and data. I'm going to tap Begin.
Next, I'll be made aware of what information on the device my IT department will have visibility to, and what they won't. For me this is an important screen and step for users to develop trust with IT and the process. I'm going to tap Continue:
Next, I'll be made aware of the next few steps. First redirected to Settings where I'll be prompted to install the Management Profile and then re-directed back to the Company Portal. I'm going to tab Next:
I'm going to tap Allow for the redirect to Settings:
Upon redirect to Settings, I'm going to tab Install
Tap Install again:
I will be warned about how my IT Department will have visibility to the data on my iPad. Tab Install again:
Next, I will tap Trust,indicating I trust the source of this management profile (Microsoft) to enroll my iPad into remote management:
Once the process finishes, I'll tap Done:
Upon tapping done, I'll be redirected back to Company Portal:
It looks like enrollment is complete! I'll tap Done
Upon exiting the app, as part of my company's policy, the Microsoft Outlook app will be installed. I need to tap Install to give my consent:
In addition, my company's policy requires that I set a passcode on my iPad:
Next, I'm going to launch Outlook so I can access my email:
Notice my email profile is already configured! I'm going to tap Add Account:
And I'll be taking directly to my mailbox:
I'm curious though, what are the other policies my company is applying to my device? Let's launch settings and take a look. Clicking on General and then Management Profiles I can see the various certificates being applied:
If I go back and tap Apps I can see the required apps my company is pushing and requiring me to install:
If I go back and tap Restrictions I can see the restrictions of what my company will not allow me to perform on my iPad. It looks like they block iCloud from backing up, blocking the camera, and requiring a passcode:
Conclusion: As you can see the end user experience is straight forward and easy to enroll the device into Intune MDM. From here, depending upon how my IT Administrator configured policies I can have VPN/WiFi profiles pushed down, printers configured and a vast amount of other configurations and customizations done to the device. Pretty cool!