Microsoft Intune supports both corporate owned and BYOD (personal) devices. This support extends to both the MDM and MAM solutions that are offered today. When devices are enrolled into the solution, they are automatically classified as either corporate or personal. As an MSP, it is important to understand how these devices get classified so that the proper autoenrollment scopes can be applied to these devices. In this article, I will be covering this topic in depth for full clarity.
Key Objectives
One of the main steps in planning for Intune deployment is understanding what devices will be supported from a management perspective. As a best practice, you should try to only enroll corporate owned devices under MDM and then scope BYOD devices for MAM policies. This allows you to extend security and compliance into personally owned devices while still giving end users the flexibility to access corporate data. If the autoenrollment settings are scope to all for both MDM and MAM, the way a device is classified as corporate or personal is extremely important.
Azure AD Enrollment
Another concept to grasp is how Windows devices are enrolled in Azure AD.
Azure AD Registered:
- Registered to Azure AD without requiring organizational account to sign in to the device
- Commonly occurs when signing into corporate resources with Azure AD credentials
Azure AD Joined:
- Joined only to Azure AD requiring organizational account to sign in to the device
- Commonly occurs through OOBE or through local admin join via Access Work or School settings
Hybrid Azure AD Joined:
- Joined to on-premises AD and Azure AD requiring organizational account to sign in to the device.
- Commonly occurs through AD connect configuration
Corporate and Personal
Taking the information above, there is clear distinctions that can be made for classification:
Corporate:
- Azure AD Joined Devices
- Hybrid Azure AD Joined Devices
- Devices procured through a bulk enrollment program
- Windows = Autopilot, DEM
- Apple = ADE, DEM
- Hybrid devices enrolled via GPO
Personal:
- Azure AD Registered
- Domain joined but not Hybrid Joined
Conclusion
I hope this article brought some clarity to corporate vs personal devices in Intune. Remember that for personal devices, the MAM user scope takes precedence if both MAM user scope and MDM user scope (automatic MDM enrollment) are enabled for all users (or the same groups of users). The device will use Windows Information Protection (WIP) Policies (if you configured them) rather than being MDM enrolled. For corporate devices, the MDM user scope takes precedence if both scopes are enabled. The devices get MDM enrolled. For more details about this classification across all supported platforms, check out the following support article from Microsoft.