Hello, I recently started working at a college and one of the things on the table was a plan to leverage Intune/Endpoint Manager in our environment. In the traditional usage of Endpoint Manager, where one person uses a laptop that enrolls with their account which has the required license, everything makes sense. But I'm a bit confused on how a large deployment works for people who don't follow this pattern, like lab computers where students come and go or some staff machines that no one dedicated person uses.
Based on licensing, we have approx 2.7k M365 A3 between our staff and students, so we have more licenses than computers by a large margin. The question mostly comes from how I go about loading devices into Endpoint Manager that are shared. The folks using laptops can rely on group policy and logging in, but I don't want our desktops (all staff/faculty have laptops except for a few folks who use shared devices) to be directly "assigned" to a student or faculty member, for example. I know of the DEM account, but I'm a bit confused about how the licensing behind that works, how we can use it outside of Autopilot to enroll, and any other possible limits I may be missing (such as licensing: do we need special licenses for DEM-enrolled devices?).
Or am I overthinking this, and should I use Endpoint Manager as a mobile/laptop device management system instead? But I did want to explore using device compliance values for CA to possibly prevent access to resources as well.