How to enroll your device into Microsoft Intune MDM

Sep 23, 2021 10:59:18 AM / by Vu Long Tran

This is a step by step guide on how to enroll your device into Microsoft Intune MDM. This may be a Windows 10 device, Android device, or Apple device. 

What is Microsoft Intune MDM?

Microsoft Intune is an MDM (Mobile Device Management) / EMM (Enterprise mobility management) provider, and this solution allows companies to administrate and manage mobile devices, such as smartphones, tablet computers and laptops. These devices can be a managed company device, unmanaged company device and/or their own device.


Devices covered


Enrol your Windows 10 device

On your Windows 10 device that you want to set as a Trusted Device.

  • Microsoft Intune <> Microsoft Windows 10 device

We need to set up two things to fully set this up. 

  1. Add corporate account to this device
  2. Connect this device to work

1. Add corporate account to this device

Search and open "Manage your account".

Click on "Access work or school". 

This is found under Settings> Accounts> Access work or school. 

Under the "Access work or school" section, click on "Connect".

You will be prompted for your login details. Enter your test user's details here. 

As I configured my Okta to be the Identity Provider for Microsoft Office 365 via WS-Federation Single Sign On (SSO) integration, it will prompt me for my Okta username and password. I will log in with the corresponding test user that I have in Okta and Microsoft Azure Active Directory. 

It will then register my Windows 10 device. 

Once completed, it will give you a confirmation. "You're all ready!"

Then you will see your account listed under the "Connect" button. 


2. Connect this device to work

We will need to install Microsoft Intune "Company Portal" to further set up our device for corporate use.

Go to your "Microsoft Store". Click "Get" to install. 

Under the "Devices" section, click on "This device hasn't been set up for corporate use yet. Select this message to begin setup."

Click on "This device hasn't been set up for corporate use yet. Select this message to begin setup."

It will prompt you to "Connect this device to work", click "Next". 

Click "Connect".

You will then be prompted for your 1) Email address, and 2) MDM Management endpoint/ MDM Server URL/ MDM discovery URL as - https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc 

You will then be prompted to log into Microsoft Intune, which we will do via Okta, our identity provider, which we have configured to manage our identity from Okta to Microsoft Office 365/ Microsoft Azure Active Directory.

Log in.

Once we have signed in successfully, we can move to the next step.

Click "Got it"

Then we just wait for our device to connect with Microsoft Intune. We can do other things while we are waiting.

When we are done, we will get an "You're all set!" message.

If we go back to our Microsoft Endpoint Manager, we can now see our Windows 10 device managed by Microsoft Intune and Okta. 

Under Devices> Windows> Windows devices

You are all set now! 

Well done!
We have successfully activated Okta's Device Trust function which will determine devices to be trusted based on the presence of a trust signal from Microsoft Intune (MDM enrollment)

Setting up enrolment for your mobile devices

If you need to manage Android and/or Apple devices with Microsoft Intune, then we need to configure Microsoft Intune to be able to connect with Google Android Enterprise and/or Apple Business Manager. That is:

  • Microsoft Intune <> Google Android Enterprise
  • Microsoft Intune <> Apple Business Manager

To kick this off, in Microsoft Endpoint Manager, we can go our "Devices" Overview and click on "Enroll devices".

Microsoft Endpoint Manager> Devices


Configure Microsoft Intune to enroll Android devices

In order to manage Android devices, we need to connect Microsoft Intune with Google Android Enterprise. 

To do this, we:

Microsoft Endpoint Manager> Devices > Enroll devices> Android enrolment

 Click on "Managed Google Play".

Under "I grant Microsoft permission to send both user and device information to Google. Learn more", tick "I agree".

Then click on "Launch Google to connect now".

A pop up web browser will pop up where you can click the "Get started" button. 

Enter your business name and click Next.

Fill in your Data Protection Officer and EU Representative details

Tick "I have read and agree to the Managed Google Play agreement."

You will then receive a "Set up complete" message. 

You can close the window or click on the "Complete Registration" button which will close the window.

If you go back to Microsoft Endpoint Manager, you will see that your Google details have been authorised in Microsoft Intune now.

It will say a Status = Set up (green tick).

You will then be able to manage your Android devices from Microsoft Intune using your Google Account. 

You will now have options to manage your Android devices, depending on your preferences and if you are managing corporate issuedAndroid devices or personal Android devices.

As we are testing, let's use the "Corporate-owned, fully managed user devices" option. 

Click on "Corporate-owned, fully managed user devices".

Where it says "Allow users to enrol corporate-owned user devices", click "Yes". 

This will give you the following which you can use depending on Android OS and version of your device. 

  • an enrolment token (a random string) and
  • a QR code for your Intune tenant.
This single enrolment token is valid for all your users and won't expire.



Configure Microsoft Intune to enrol Apple iOS

In order to manage Apple devices, we need to connect Microsoft Intune with Apple. 

Specifically, Apple will only let you manage Apple devices if you have an Apple Business Manager account. 

Once you have that, you can follow the following steps:

Microsoft Endpoint Manager> Devices > Enroll devices> Apple enrolment

Click on "Apple enrolment".

Click on "Apple MDM Push certificate". 

Check the tickbox for "I agree". 

Click on "Download your CSR" to download your Intune CSR certificate signing request certificate to your computer.

  • Create your Apple MDM push Certificate. More information on Apple MDM push certificate.
    An Apple MDM Push certificate is required for Intune to manage iOS/iPadOS and macOS devices. When a push certificate expires, you must renew it. When renewing, make sure to use the same Apple ID that you used when you first created the push certificate.
  • Apple ID - Enter the Apple ID used to create your Apple MDM push certificate.
  • Browse to your Apple MDM push certificate to upload.
  • Click "Upload" when you're ready.




Click "Upload" when you're ready.



Topics: microsoft

Vu Long Tran

Written by Vu Long Tran

Solutions Engineer APAC. ex-@Forrester consultant. Writing on #cloud #howto guides and #tech tinkering!