Day-8: Microsoft Intune Foundations – MDM, MAM & Device Enrollment
🎯 Objective of Day-8
By the end of Day-8, you should be able to:
- Explain Intune confidently to technical & non-technical teams
- Understand how devices are enrolled and managed
- Identify common enrollment failures
- Prepare tenant correctly for policy implementation
1️⃣ What is Microsoft Intune?
Microsoft Intune is a cloud-based endpoint management solution that allows organizations to:
- Manage devices
- Enforce security policies
- Control applications
- Protect organizational data
📌 Intune depends on Entra ID for identity: every user and device it manages is registered or joined in Entra ID, and it does not operate independently.
2️⃣ Intune High-Level Architecture
User
  ↓
Device
  ↓
Entra ID (Identity)
  ↓
Microsoft Intune (Management)
  ↓
Conditional Access (Enforcement)
✅ Entra ID = Who you are
✅ Intune = Is your device trusted?
✅ Conditional Access = Should access be allowed?
Intune evaluates device compliance and writes the result to the device object in Entra ID; Conditional Access reads that compliance state when it decides whether to grant access.
3️⃣ MDM vs MAM (Critical Concept)
🔹 MDM – Mobile Device Management
Controls:
- Entire device
- OS settings
- Password policies
- Encryption
- Compliance state
Used for:
- Corporate laptops
- Company-owned mobiles
🔹 MAM – Mobile Application Management
Controls:
- Only applications
- Corporate data inside apps
Examples (app protection policies):
- Restrict copy/paste from Outlook into unmanaged apps
- Prevent saving corporate files to local or personal storage
- Require a PIN and encryption inside the managed app, without touching the rest of the device
Used for:
- BYOD devices
📌 Interview line:
MDM manages devices, MAM manages data.
4️⃣ Platforms Supported by Intune
- Windows 10 / 11
- macOS
- iOS / iPadOS
- Android
- Linux (Ubuntu and Red Hat Enterprise Linux desktops; limited feature set)
5️⃣ Verify Intune Access (Admin Check)
Steps:
- Go to https://intune.microsoft.com
- Check if Devices and Tenant administration are visible
- If not visible → license or role issue (the account needs an Intune role such as Intune Administrator, or Global Administrator, and the tenant needs an Intune-capable subscription)
6️⃣ Check MDM Authority
Steps:
- Intune Admin Center
- Tenant Administration
- MDM Authority
✅ Must be Microsoft Intune
📌 If the authority is unset or points at another MDM (for example Configuration Manager), devices cannot enroll in Intune.
7️⃣ Intune Licensing (Reality Check)
Intune is licensed per user in normal deployments: the user who enrolls the device must hold a license that includes the Intune service plan. A device-only SKU exists for shared or user-less devices such as kiosks, but that is the exception, not the default model.
Common licenses:
- M365 Business Premium
- Enterprise Mobility + Security (EMS) E3/E5
- M365 E3/E5
📌 A user without an Intune service plan cannot enroll a device, even if a bundle is assigned with the Intune plan toggled off.
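Sections 5 to 7 are three manual portal checks. The script below is an added example, not part of the original page, that performs the same tenant pre-flight from PowerShell using the Microsoft Graph PowerShell SDK: it reads the MDM authority from the organization object, lists which subscribed SKUs carry the Intune service plan (service plan name INTUNE_A) and how many seats remain, and confirms that one specific user actually has that plan provisioned. It assumes the Microsoft.Graph module is installed and that the signed-in account can consent to the read-only scopes named in the script; the `-UserPrincipalName` parameter is a hypothetical input you supply.

```powershell
# Added example (not from the original page): Intune tenant pre-flight check with
# the Microsoft Graph PowerShell SDK. Assumes Microsoft.Graph is installed
# (Install-Module Microsoft.Graph -Scope CurrentUser) and the signed-in admin can
# grant the read-only scopes below.

param(
    # Hypothetical UPN of the user you expect to enroll a device
    [Parameter(Mandatory = $true)]
    [string]$UserPrincipalName
)

Connect-MgGraph -Scopes "Organization.Read.All", "Directory.Read.All", "User.Read.All" -NoWelcome

# 1. MDM authority lives on the organization object.
#    Possible values: unknown, intune, sccm, office365.
$org = Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/v1.0/organization?`$select=id,displayName,mobileDeviceManagementAuthority"
$authority = $org.value[0].mobileDeviceManagementAuthority
if ($authority -ne "intune") {
    Write-Warning "MDM authority is '$authority', not 'intune'. Enrollment will fail until this is set."
} else {
    Write-Host "MDM authority: intune (OK)"
}

# 2. Which subscribed SKUs include the Intune service plan, and how many seats are free?
$intuneSkus = Get-MgSubscribedSku | Where-Object {
    $_.ServicePlans.ServicePlanName -contains "INTUNE_A"
}
if (-not $intuneSkus) {
    Write-Warning "No subscribed SKU contains the INTUNE_A service plan. Nobody can enroll."
}
foreach ($sku in $intuneSkus) {
    $free = $sku.PrepaidUnits.Enabled - $sku.ConsumedUnits
    Write-Host ("{0}: {1} of {2} seats free" -f $sku.SkuPartNumber, $free, $sku.PrepaidUnits.Enabled)
}

# 3. Does this user have Intune provisioned, rather than just a bundle assigned?
$planState = Get-MgUserLicenseDetail -UserId $UserPrincipalName |
    ForEach-Object { $_.ServicePlans } |
    Where-Object { $_.ServicePlanName -eq "INTUNE_A" } |
    Select-Object -First 1

if (-not $planState) {
    Write-Warning "$UserPrincipalName has no Intune service plan. Enrollment will fail."
} elseif ($planState.ProvisioningStatus -ne "Success") {
    # A bundle can be assigned with the Intune plan disabled; that still blocks enrollment.
    Write-Warning "$UserPrincipalName has INTUNE_A but its status is '$($planState.ProvisioningStatus)'."
} else {
    Write-Host "$UserPrincipalName: INTUNE_A provisioned (OK)"
}
```

Run it as `.\Check-IntuneTenant.ps1 -UserPrincipalName user@contoso.com` (file name and UPN are placeholders). Step 3 matters more than step 2 in practice: a tenant can have plenty of Intune seats while the one user trying to enroll has the plan disabled on their assignment, which the portal's license count will not reveal.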
8️⃣ Device Enrollment Methods
🔹 Windows Devices
- Microsoft Entra join (formerly Azure AD join), typically with automatic MDM enrollment so the device enrolls in Intune as part of the join
- Microsoft Entra hybrid join (formerly Hybrid Azure AD join) for domain-joined devices, with automatic enrollment triggered by Group Policy
- Windows Autopilot for new corporate devices, which builds on Entra join plus automatic enrollment
- Company Portal or Settings → Accounts → Access work or school for user-driven enrollment
🔹 Mobile Devices (iOS/iPadOS, Android)
- User installs the Company Portal app and signs in with their Entra ID account
- Intune checks the user's license and the MDM user scope
- Device is registered in Entra ID and enrolled in Intune
- Corporate-owned devices can instead be enrolled without user interaction through Apple Automated Device Enrollment or Android Enterprise
9️⃣ Configure Automatic Enrollment
Steps:
- Entra admin center (the same blade is reachable from Intune admin center → Devices → Enrollment → Windows → Automatic Enrollment)
- Devices → Mobility (MDM and MAM) → Microsoft Intune
- Set MDM user scope to Some (select groups) or All
- Users outside the MDM user scope can still join a device to Entra ID, but it will not enroll in Intune
🔟 Enrollment Restrictions
Admins can restrict:
- Device type
- OS version
- Ownership
Steps:
- Intune admin center → Devices → Enrollment
- Device platform restrictions: block a platform, set minimum/maximum OS versions, block personally owned devices
- Device limit restrictions: maximum devices per user (default 5)
- Assign each restriction to a group; the highest-priority restriction that applies to the user wins, and the default restriction covers everyone else
1️⃣1️⃣ Common Enrollment Failure Reasons
- No Intune license
- MDM enrollment disabled
- Device already registered: joined or registered to another tenant, or a stale Intune/Entra record for the same device
- Unsupported OS version (blocked by a platform restriction)
- Device limit reached: the Intune device limit restriction (default 5 per user) or the Entra ID per-user device limit
📌 Most failures trace back to licensing or to the MDM user scope not including the user; check those before anything device-side.
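Once the tenant-side causes are ruled out, the remaining ones show up on the device. As an added example, not from the original page, the script below is run on a Windows device that failed to enroll and uses only built-in tooling: it parses `dsregcmd /status` for the join state and the MDM discovery URL, lists any existing MDM enrollment under `HKLM:\SOFTWARE\Microsoft\Enrollments` (a stale one is the usual "device already registered" cause), and pulls the latest errors from the MDM diagnostics event log. The interpretation of a missing MdmUrl as "user outside the MDM user scope or unlicensed" is a troubleshooting heuristic, not a documented error code. Run it in an elevated PowerShell session.

```powershell
# Added example (not from the original page): device-side enrollment triage on
# Windows. Uses dsregcmd, the Enrollments registry key and the MDM diagnostics
# event log; no modules required. Run as administrator.

# 1. Join/registration state. Auto-enrollment needs Entra join or hybrid join.
$ds = dsregcmd /status
$state = @{}
foreach ($line in $ds) {
    if ($line -match '^\s*(AzureAdJoined|DomainJoined|WorkplaceJoined|TenantName|MdmUrl)\s*:\s*(.*)$') {
        $state[$Matches[1]] = $Matches[2].Trim()
    }
}
$state.GetEnumerator() | Sort-Object Name | ForEach-Object { "{0,-16} {1}" -f $_.Name, $_.Value }

if ($state['AzureAdJoined'] -ne 'YES' -and $state['DomainJoined'] -ne 'YES') {
    Write-Warning "Device is neither Entra joined nor domain joined; MDM auto-enrollment cannot trigger."
}
if (-not $state['MdmUrl']) {
    # Heuristic: discovery returns no MDM URL when the user is outside the MDM user scope
    # or holds no Intune license.
    Write-Warning "No MdmUrl in dsregcmd output: check MDM user scope and the user's Intune license."
}

# 2. Existing MDM enrollments. A stale one blocks re-enrollment ('device already registered').
$enrollments = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Enrollments' -ErrorAction SilentlyContinue |
    ForEach-Object { Get-ItemProperty $_.PSPath } |
    Where-Object { $_.ProviderID }          # only GUID subkeys with a provider are real enrollments
foreach ($e in $enrollments) {
    "Enrollment {0}: provider={1} type={2} state={3}" -f `
        $e.PSChildName, $e.ProviderID, $e.EnrollmentType, $e.EnrollmentState
}
if (-not $enrollments) { "No MDM enrollment found on this device." }

# 3. Most recent errors from the MDM diagnostics log (Level 2 = Error).
$log = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
Get-WinEvent -FilterHashtable @{ LogName = $log; Level = 2 } -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize
```

Read the three sections in order: a device that is not joined cannot auto-enroll no matter what the tenant says; a device with an existing enrollment from a previous tenant needs that enrollment removed before it will take a new one; and the event log gives the HTTP or OMA-DM error for anything that got as far as talking to the enrollment service.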
1️⃣2️⃣ Security Impact of Intune
Without Intune:
- Any device that can sign in can reach organizational data, managed or not
- No way to verify or enforce encryption, patch level or password rules
With Intune:
- Device posture (compliance) is evaluated and recorded in Entra ID
- Conditional Access can require a compliant device before granting access
- Corporate data inside apps is protected by app protection policies, including on BYOD
✅ End of Day-8 Outcome
You can now:
✅ Explain Intune clearly
✅ Design enrollment strategies
✅ Troubleshoot enrollment failures
✅ Prepare tenant for policies
📌 Day-9 Preview
Day-9: Device Compliance & Configuration Policies
- Password & encryption rules
- Compliance vs Configuration
- How Intune marks devices "Compliant"
- Real admin troubleshooting scenarios
