Forum Discussion
Device enrolment issue/question
My first guess would be the MDM scope. I am explaining the whole process and the differences between AADJ/AADR and MDM/MAM scope here:
https://call4cloud.nl/2021/08/the-battle-between-aadj-and-aadr/
Were those licenses purchased before the devices were Azure AD joined? If so, you will need to enroll them manually into MDM/Intune:
https://call4cloud.nl/2020/05/intune-auto-mdm-enrollment-for-devices-already-azure-ad-joined/
To the OP, if you want to get up-to-speed on Intune very quickly, I highly recommend Scott Duffey's _Learning Microsoft Endpoint Manager_
https://www.barnesandnoble.com/w/learning-microsoft-endpoint-manager-scott-duffey/1139064650?ean=9780645127904
- Dr_Snooze, Jan 06, 2022 (Brass Contributor)
The problem appears to be related to the "Use this account everywhere on your device" screen, which pops up during initial logon.
If you uncheck the "Allow my organization to manage this device" checkbox, the device will register with Azure AD and not with Intune. Sometimes Azure AD will show Intune managed, and sometimes not. I'm not sure why. I can almost guarantee that the OP's second device was enrolled in this way.
MSFT should look at this process more carefully. There are holes for off-site devices to fall through, and when they do, it's very hard to recover them or even know they've been lost without doing a side-by-side comparison of your Azure devices vs. your Intune devices.
OP, you can send the user this link to force enroll the device into Intune (probably best to do it from Edge):
ms-device-enrollment:?mode=mdm
It might show as a personally-owned device, however. You can change that designation in the Intune portal, but I'm not sure if that will make you able to push policies to the device. I'm testing it right now.
Intune enrollment into company-owned device status can really only be done during the Out-Of-Box Experience (OOBE) initial logon. If you don't choose the business fork, there isn't a lot you can do without reformatting and trying again. There are, however, something like 17 different methods for enrolling into Intune, and I'm no super-expert. Autopilot is great if you have a vendor willing and able to load device IDs into Intune for you. If not, then it's almost more of a hassle than anything else.
Best of luck to you.
- Jan 07, 2022
It depends... When you are making use of Conditional Access and only require compliant devices to access the data... You don't even get that screen; you will be prompted that you don't have access... But let's say I disable that Conditional Access policy, I will be prompted
It also depends on how the MAM/MDM scope is configured, like I mentioned in the blog I posted. The MAM scope will take precedence if both MAM and MDM are configured to All. When the MAM scope isn't configured, your AADR device will be enrolled into Intune.
Azure AD and Intune are two totally separate environments... An Azure AD joined device doesn't necessarily need to be MDM managed, and an Azure AD registered device can be Intune enrolled.
- Dr_Snooze, Jan 07, 2022 (Brass Contributor)
"the mam scope will take precedence if both mam and mdm are configured to all"
It's important to note that there is a giant hole in coverage here. In my tenant, I have MDM scope set to All and MAM scope set to None. Still, if someone unchecks that box, the device disappears into the dark (no MDM and no MAM either, because MAM's not set up). It all depends on what the user does with that checkbox when they are asked if they want to allow their employer to manage their personal device. Most everyone is going to uncheck it. I would. Microsoft has set me up for failure from the outset.
Conditional Access is the obvious solution here, but generates its own set of problems, and those problems turn into trouble tickets very quickly.
Ditto MAM. It's an extremely intrusive solution (and frankly, WIP via Intune doesn't work very well at this point).
In my opinion, this is a structural flaw in Intune. Devices accessing company data should not simply disappear into a misty nether realm of non-management. I should at least be able to find them without doing a lengthy side-by-side audit of device lists.
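The side-by-side audit of Azure AD devices against Intune managed devices that Dr_Snooze describes can be scripted. The following is an added example, not code from anyone in this thread: it reconciles records shaped like the Microsoft Graph responses of GET /devices and GET /deviceManagement/managedDevices, flagging devices known to Azure AD that have no Intune record (the "disappeared" case) and devices that enrolled as personally-owned. All device IDs and names are constructed, and the field names assumed are those of the two Graph resources.

```python
"""Reconcile Azure AD device objects against Intune managed devices.

Records mirror the Graph shapes of GET /devices and
GET /deviceManagement/managedDevices. The sample data below is
constructed for this example, not exported from a real tenant.
"""

# Constructed sample of GET /devices (Azure AD device objects).
# isManaged is deliberately not trusted: the thread notes that Azure AD
# sometimes shows "Intune managed" for devices Intune has never seen.
AAD_DEVICES = [
    {"deviceId": "aaaa-0001", "displayName": "LAPTOP-01", "trustType": "AzureAd", "isManaged": True},
    {"deviceId": "aaaa-0002", "displayName": "LAPTOP-02", "trustType": "AzureAd", "isManaged": True},
    {"deviceId": "aaaa-0003", "displayName": "HOME-PC", "trustType": "Workplace", "isManaged": False},
    {"deviceId": "aaaa-0004", "displayName": "LAPTOP-04", "trustType": "AzureAd", "isManaged": True},
]

# Constructed sample of GET /deviceManagement/managedDevices (Intune).
INTUNE_DEVICES = [
    {"azureADDeviceId": "aaaa-0001", "deviceName": "LAPTOP-01", "managedDeviceOwnerType": "company"},
    {"azureADDeviceId": "aaaa-0004", "deviceName": "LAPTOP-04", "managedDeviceOwnerType": "personal"},
]

# Graph trustType values mapped to the join/register terms used in the thread.
TRUST_LABEL = {"AzureAd": "AADJ", "Workplace": "AADR", "ServerAd": "Hybrid AADJ"}


def audit_enrollment(aad_devices, intune_devices):
    """Return devices needing attention, grouped by finding type."""
    by_id = {d["azureADDeviceId"]: d for d in intune_devices if d.get("azureADDeviceId")}
    findings = {"unmanaged": [], "personal_owner": [], "orphaned_intune": []}
    seen = set()
    for dev in aad_devices:
        seen.add(dev["deviceId"])
        label = TRUST_LABEL.get(dev.get("trustType"), dev.get("trustType"))
        managed = by_id.get(dev["deviceId"])
        if managed is None:
            # Known to Azure AD, no Intune record: no policy will ever reach it.
            findings["unmanaged"].append((dev["displayName"], label))
        elif managed.get("managedDeviceOwnerType") != "company":
            # Enrolled, but as personally-owned (e.g. via the ms-device-enrollment link).
            findings["personal_owner"].append((dev["displayName"], label))
    for dev in intune_devices:
        if dev.get("azureADDeviceId") not in seen:
            # Intune record whose Azure AD object is missing or was never linked.
            findings["orphaned_intune"].append(dev["deviceName"])
    return findings


if __name__ == "__main__":
    for kind, items in audit_enrollment(AAD_DEVICES, INTUNE_DEVICES).items():
        print(f"{kind}: {items}")
```

On a real tenant, export the two lists with the Graph calls named above (Device.Read.All and DeviceManagementManagedDevices.Read.All permissions) and pass them in place of the constructed samples.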
- AMR_01, Jan 13, 2022 (Copper Contributor)
Thanks for the advice - leaving device owners to enrol their devices is where all my issues start from 🙂