
How to Configure Enrollment Type in Intune based on User Choice

Writer: Anand P

Updated: Feb 19

During enrollment, the user decides how much control the organization gets over the device: either the organization manages the entire device, or management is limited to the corporate apps and data on it.


The user is first asked who owns the device: "I own this device" or "Organization owns this device" (your tenant name appears in place of "Organization"). If the user selects "Organization owns this device", device enrollment starts and the organization gets full management of the device.


If the user selects "I own this device", they also choose the level of protection: "Secure entire device" or "Secure work-related apps and data only". This gives the user some autonomy while work data stays protected.




Steps to Configure the "Determine based on user choice" Enrollment Type


Step 1: Sign in to the Microsoft Intune admin center (https://intune.microsoft.com), navigate to Devices and select iOS/iPadOS.



Step 2: Select iOS/iPadOS enrollment, then select Enrollment types.



Step 3: Click Create profile and choose iOS/iPadOS to set up an enrollment type profile.



Step 4: Enter a name for the enrollment type profile and, optionally, a description (for this demonstration I entered only the name, which is mandatory), then click Next.


Step 5: Select Determine based on user choice as the enrollment type and click Next.



Step 6: Assign the profile to a group or to all users as needed; in this instance, I selected a group. Click Select to add the group or users, then click Next.



Step 7: Review the settings and click Create to finish creating the profile.
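The same seven steps can be scripted against Microsoft Graph instead of clicked through the admin center. The following is an added example written for this post, not Microsoft's code or the author's. It assumes the beta resource deviceManagement/appleUserInitiatedEnrollmentProfiles with the property names displayName, description, platform, defaultEnrollmentType and availableEnrollmentTypeOptions, that "Determine based on user choice" is encoded as the three owner-type/enrollment-type combinations the post describes, and that group assignment is a POST to the profile's /assignments collection with a groupAssignmentTarget; verify these against the Graph beta reference before use. The token and group ID are placeholders.

```python
"""Create an iOS/iPadOS 'Determine based on user choice' enrollment type
profile and assign it to a group through Microsoft Graph (beta).

Added example for this post (not Microsoft's or the author's code).
Assumptions, to be verified against the Graph beta reference: the
appleUserInitiatedEnrollmentProfiles resource, its property names, the
enum values below, and the /assignments collection. The access token
and GROUP_ID are placeholders; the caller obtains a token with the
DeviceManagementServiceConfig.ReadWrite.All permission.
"""
import json
import urllib.request

GRAPH_BETA = "https://graph.microsoft.com/beta"
PROFILES = f"{GRAPH_BETA}/deviceManagement/appleUserInitiatedEnrollmentProfiles"


def build_user_choice_profile(display_name: str, description: str = "") -> dict:
    """Steps 3-5: iOS platform, name/description, and the owner-type to
    enrollment-type combinations that make up 'Determine based on user
    choice' (company -> device enrollment; personal -> device enrollment
    or user enrollment). Assumed encoding, see module docstring."""
    return {
        "@odata.type": "#microsoft.graph.appleUserInitiatedEnrollmentProfile",
        "displayName": display_name,
        "description": description,
        "platform": "ios",
        "defaultEnrollmentType": "device",
        "availableEnrollmentTypeOptions": [
            {"ownerType": "company", "enrollmentType": "device"},
            {"ownerType": "personal", "enrollmentType": "device"},
            {"ownerType": "personal", "enrollmentType": "user"},
        ],
    }


def build_group_assignment(group_id: str) -> dict:
    """Step 6 for a single group. For 'all users' the target type would be
    allLicensedUsersAssignmentTarget (no groupId) instead."""
    return {
        "target": {
            "@odata.type": "#microsoft.graph.groupAssignmentTarget",
            "groupId": group_id,
        }
    }


def _post(url: str, token: str, body: dict) -> dict:
    """Minimal authenticated POST; raises on any non-2xx response."""
    req = urllib.request.Request(
        url,
        data=json.dumps(body).encode(),
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}


def create_and_assign(token: str, display_name: str, group_id: str) -> str:
    """Steps 1-7 in one call: create the profile, then assign the group.
    Returns the new profile's id."""
    profile = _post(PROFILES, token, build_user_choice_profile(display_name))
    profile_id = profile["id"]
    _post(f"{PROFILES}/{profile_id}/assignments", token,
          build_group_assignment(group_id))
    return profile_id


if __name__ == "__main__":
    # Dry run: print the payloads that would be sent; no token, no network.
    GROUP_ID = "00000000-0000-0000-0000-000000000000"  # placeholder
    print(json.dumps(build_user_choice_profile("iOS user choice"), indent=2))
    print(json.dumps(build_group_assignment(GROUP_ID), indent=2))
```

Running the module as a script only prints the two payloads; create_and_assign is the call that actually talks to Graph, so review the printed JSON against a profile exported from your own tenant before using it.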



Now the profile is created

Let's see the end-user experience


Because the enrollment type is determined by the user's choice, users first see two ownership options, and further options appear depending on what they select.

Note: you will see your tenant name instead of "Organization".

The two options under Who owns this device are:


  1. Organization owns this device

  2. I own this device



If the user selects the first option, Organization owns this device, there are no further choices and the user simply continues to enroll the device.


If the user selects the second option, I own this device, two further options appear under:


How do you want the organization to secure your device after it's enrolled?


  1. Secure entire device

  2. Secure work-related apps and data only


What happens when the user selects Organization owns this device


Step 1: Download and open the Company Portal app, sign in with your work account and password, and complete MFA if prompted.



Tap Continue on the first page. Because the organization owns the device, no security level is offered: the whole device is managed and the admin can run device-level remote actions. Tap Continue again and install the management profile by following the prompts.



Administrators can manage the device remotely, including wiping and retiring it. This enrollment marks the device ownership as Corporate, but it does not unlock the extra remote management and restrictions that come with supervised device enrollment (for example Automated Device Enrollment): the device is registered as Corporate, yet it remains unsupervised.



Let's see the enrollment experience if the user selects I own this device and Secure entire device


Step 1: Download and open the Company Portal app, sign in with your work account and password, and complete MFA if prompted.



Tap Continue on the first page. Choosing Secure entire device enrolls the whole device, so the admin can run device-level remote actions. Tap Continue and follow the prompts to install the management profile.



The administrator can manage the device and perform remote actions such as wipe or retire. Because this is a device enrollment, a wipe removes everything on the device, personal and corporate data alike.


Let's see the enrollment experience if the user selects I own this device and Secure work-related apps and data only


This enrollment keeps work and personal data in separate partitions (containers), which helps administrators protect work information. Work data is confined to the work partition, while personal data stays in the personal one. Administrators can manage only the organization account, settings and data provisioned through Intune; personal account data and settings cannot be managed.


This enrollment is similar to User Enrollment with the Company Portal; to learn more about it, see my post Configuring User Enrollment with Company Portal in Intune.


Note: a Managed Apple ID is a prerequisite.

Step 1: Install the Intune Company Portal and Microsoft Authenticator from the App Store (both are needed during enrollment). Tap Sign in, enter your work account and password, and complete MFA if required.



Tap Begin to start enrollment. If Microsoft Authenticator is not installed yet, you are asked to download it; afterwards, return to the enrollment page and tap Continue. The remaining prompts walk you through setting up the management profile and authenticating with the Managed Apple ID. Once all steps are complete, the device is enrolled in Intune.



For these devices, administrators can remotely manage only organizational data: Wipe is grayed out and the device can only be retired.
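After rollout, the admin usually wants to know which path each user actually took and which remote action (wipe versus retire only) therefore applies, plus the caveat from above that "Organization owns this device" yields a Corporate but unsupervised device. The following check is an added example for this post, not Microsoft's or the author's code. It reads managedDevice fields as returned by Graph v1.0 (deviceName, operatingSystem, managedDeviceOwnerType, deviceEnrollmentType, isSupervised); the sample records are constructed, not real tenant data, and the mapping of Company Portal device enrollment to deviceEnrollmentType "userEnrollment" and of User Enrollment to "appleUserEnrollment" is an assumption to confirm in your own tenant.

```python
"""Classify enrolled iOS/iPadOS devices by the choice the user made in a
'Determine based on user choice' enrollment and report the remote
actions available for each.

Added example for this post (not Microsoft's or the author's code).
SAMPLE is constructed to look like records from
GET https://graph.microsoft.com/v1.0/deviceManagement/managedDevices.
Assumption: Company Portal device enrollment appears as
deviceEnrollmentType 'userEnrollment' and User Enrollment as
'appleUserEnrollment'.
"""
from dataclasses import dataclass

# Constructed sample, one device per outcome described in the post plus
# one supervised ADE device for contrast.
SAMPLE = [
    {"deviceName": "iPhone-A", "operatingSystem": "iOS",
     "managedDeviceOwnerType": "company",
     "deviceEnrollmentType": "userEnrollment", "isSupervised": False},
    {"deviceName": "iPhone-B", "operatingSystem": "iOS",
     "managedDeviceOwnerType": "personal",
     "deviceEnrollmentType": "userEnrollment", "isSupervised": False},
    {"deviceName": "iPad-C", "operatingSystem": "iPadOS",
     "managedDeviceOwnerType": "personal",
     "deviceEnrollmentType": "appleUserEnrollment", "isSupervised": False},
    {"deviceName": "iPad-D", "operatingSystem": "iPadOS",
     "managedDeviceOwnerType": "company",
     "deviceEnrollmentType": "appleBulkWithUser", "isSupervised": True},
]


@dataclass
class Outcome:
    device_name: str
    user_choice: str      # which path in the post the record matches
    wipe_allowed: bool    # full device wipe (personal + corporate data)
    retire_allowed: bool  # remove corporate data only; always available
    supervised: bool


def classify(device: dict) -> Outcome:
    """Map one managedDevice record to the enrollment outcome and the
    remote actions the post describes for it."""
    owner = device.get("managedDeviceOwnerType")
    enroll = device.get("deviceEnrollmentType")
    supervised = bool(device.get("isSupervised"))
    if enroll == "appleUserEnrollment":
        # User Enrollment: only the work partition is managed, no wipe.
        choice = "I own this device / Secure work-related apps and data only"
        wipe = False
    elif enroll == "userEnrollment" and owner == "company":
        choice = "Organization owns this device"
        wipe = True
    elif enroll == "userEnrollment" and owner == "personal":
        choice = "I own this device / Secure entire device"
        wipe = True
    else:
        # ADE, Apple Configurator, etc.: not a user-choice enrollment.
        choice = f"not a Company Portal user-choice enrollment ({enroll})"
        wipe = True
    return Outcome(device["deviceName"], choice, wipe, True, supervised)


def corporate_but_unsupervised(devices: list) -> list:
    """Names of devices marked Corporate through Company Portal device
    enrollment that are nevertheless unsupervised, so supervised-only
    restrictions will not apply to them."""
    return [d["deviceName"] for d in devices
            if d.get("managedDeviceOwnerType") == "company"
            and d.get("deviceEnrollmentType") == "userEnrollment"
            and not d.get("isSupervised")]


if __name__ == "__main__":
    for o in map(classify, SAMPLE):
        action = "wipe or retire" if o.wipe_allowed else "retire only"
        print(f"{o.device_name:10} {action:15} supervised={o.supervised}  {o.user_choice}")
    print("Corporate but unsupervised:", corporate_but_unsupervised(SAMPLE))
```

To run this against a real tenant, replace SAMPLE with the "value" array of the managedDevices response (filtered on operatingSystem eq 'iOS' or 'iPadOS') and compare the printed choice with what the device shows under Enrollment type in the admin center.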



Conclusion


The "Determine based on user choice" enrollment type provides users with a flexible and secure way to manage their devices in a BYOD scenario. By offering two distinct ownership options, "Organization owns this device" and "I own this device," organizations can balance control and privacy. Users who opt for "I own this device" have further flexibility, choosing whether to secure the entire device or just the work-related apps and data. This approach enables administrators to enforce security policies and remotely manage devices, while also respecting users' personal data preferences. With clear instructions and a straightforward process for both users and administrators, this enrollment type ensures a seamless integration of personal devices into the organization's management system, enhancing both security and user autonomy.






About Me

Thank you for taking the time to visit my website. My name is Anand P, and I work as a Senior Engineer in IT. This blog is dedicated to providing articles on various Microsoft technologies such as Intune, Azure AD, Microsoft Defender for Endpoint, Azure, EMS, M365, Security, and more. Most of the content on this blog is based on the solutions and issues I encounter in my everyday work, and I use this platform as a technical notebook to keep track of my findings. Please note that any views expressed in my posts on this site are solely my own. Also, any code, scripts, demos, or examples provided in the blog posts are only for illustration. I hope you find my blog posts informative and useful.


Copyright © 2024 by Cloud Tek Space.
