Are you struggling to choose the right Bring Your Own Device (BYOD) enrollment option? Let me assist you! I'll walk you through the process of selecting the most suitable option, ensuring you receive all the benefits and features you require without any hassle. To simplify things, I'll keep it straightforward. By following these guidelines, you'll be equipped to make an informed decision about the best BYOD enrollment option for you. Keep in mind that different audiences have varying needs. In this post, I will provide a detailed explanation of the various BYOD enrollment types available in Intune.
BYOD: User and Device enrollment
The majority of users have personal iOS/iPadOS devices, known as BYOD (Bring Your Own Device) devices. These devices can connect to organizational data and applications like email, Teams, OneDrive, and more. Users can enroll these devices without needing to reset them. There are several options available for enrolling these devices.
App Protection Policies
App Protection Policies provide a simplified method for managing the BYOD experience by allowing administrators to control applications at the app level. These policies enable you to implement specific rules via Intune that determine how apps are managed. For instance, when a user logs into a protected app with their work or school account, the app will follow the protection policy established by your organization. The details of these policies are tailored to the security preferences of each business. For more information on App Protection Policy, I have authored a blog post that explains how it operates and offers guidance on creating and assigning App Protection Policies for iOS/iPadOS.
Account-driven user enrollment
Enrolling a BYOD device using Account-driven user enrollment is similar to enrolling through User enrollment with the Company Portal. In this method, users do not need to download the Company Portal app from the App Store. Instead, they can enroll their device by choosing the "Sign In to Work or School Account" option in the Settings app. This removes the need to download the Company Portal and streamlines the enrollment process. However, additional settings are required to complete this type of enrollment. To learn more about how this enrollment works, read my blog How to Configure Account-driven User Enrollment in Intune.
Device Enrollment with Company portal
This is the standard Bring Your Own Device (BYOD) enrollment process, which provides administrators with a wide array of management options for the device. It involves implementing device restrictions, compliance policies, and management features, without any separation between user data and corporate data. Both types of data are stored in the same location or container. For further insight into how this enrollment functions, read my blog on How to Configure Device Enrollment with the Company Portal in Intune.
Web-based device enrollment
Personal iOS/iPadOS devices can be enrolled via web-based device enrollment or the Company Portal app. The web-based method is particularly advantageous as it provides a quicker and more user-friendly experience by eliminating the need to download the Company Portal app. Users can start the enrollment process directly from their preferred browser or from an app that requires a compliant device, ensuring easy access. Furthermore, combining web-based device enrollment with Just-In-Time registration decreases the frequency of sign-ins during both initial enrollment and app access. To learn more about this enrollment process, read my blog on How to Configure Web-based Device Enrollment in Intune.
Determine based on user choice
During registration, users can decide how much control the company will have over their device. They can choose to give full management access to the company or restrict it to corporate data only. Users are given two options: "This is my device" or "Company-owned device." Selecting "My organization owns this device" initiates the enrollment process, granting the company full control. Conversely, if they choose "I own this device," they can set their security preferences to either protect all data on their devices or just work-related apps and data. This approach allows for some independence while keeping work-related information secure. To learn more about how this enrollment works, read my blog on How to Configure Determine based on user choice Enrollment Type in Intune.
Decide through the Tree
An easy-to-understand chart
Enrollment Type | Microsoft Company Portal App | Microsoft Authenticator App | Apple Managed ID | Intune Registration Type |
User Enrollment with Company Portal | Yes | Yes | Yes | Personal |
Account Driven User Enrollment | No | No | Yes | Personal |
Device Enrollment with Company Portal | Yes | No | No | Personal |
Web-based Device Enrollment | No | No | No | Personal |
"My organization owns this device" in Determine based on user choice | Yes | No | No | Corporate |
"Secure entire device" under "I own this device" in Determine based on user choice | Yes | No | No | Personal |
"Secure work-related apps and data only" under "I own this device" in Determine based on user choice | Yes | Yes | Yes | Personal |
Conclusion
Selecting the right BYOD enrollment option for your organization is key to ensuring a smooth and secure user experience while maintaining control over corporate data. Whether you choose App Protection Policies for app-level management, user enrollment via the company portal, account-driven user enrollment, or web-based device enrollment, each option offers distinct advantages based on your organization's needs and user preferences. By carefully considering factors like data separation, ease of enrollment, and management features, you can make an informed decision that best aligns with your security policies and user convenience. Hopefully, the information provided here will help guide your choice, ensuring a seamless and secure BYOD experience for both administrators and users.