Once Intune is enabled and assigned to users, the organization has the option of configuring enrollment settings for the users. These options are pretty wide range and include things like: requiring accepting of the terms and conditions document before access. This will force users to accept a company-created terms and conditions before being given access to company resources. They can also restrict enrollment of certain devices. This allows organizations to effectively block enrollment of personal devices, the number of devices a user has enrolled, or only allowing a certain operating system to be enrolled. And you can even require multi-factor authentication. 

Multi-factor authentication is usually utilized for strong authentication and is a two-step verification process using at least two of three potential authentication methods. Something they know, like a password, something they have, like a phone verification from a text message, or something they are, like a biometric verification from facial recognition or a fingerprint reader. Once the settings are good to go, we are ready to look at the actual enrollment process. Device enrollment varies depending upon the devices you're looking to enroll, but starting off with Windows 10, there are three main ways of enrolling them in Microsoft Intune. Group Policy, which will automatically enroll a device connected to the on-premises Active Directory domain service, Azure AD, which automatically enrolls devices joined to Azure AD if Azure AD and the MDM are configured, and manual enrollment, which can be enrolled utilizing the settings app, the company portal, or a provisioning package. 

Let's now move on to the BYOD method. BYOD, or Bring-Your-Own-Device, is exactly that; employees utilizing their own personal devices to access company data. Enrolling a personal device in an MDM like Microsoft Intune allows the organization to manage the corporate data on the device and keep personal data separate. These devices are typically things like laptops and mobile phones with a range of operating systems. In order to enroll those devices, an organization needs to first create a security policy or a conditional access policy allowing access to company data from devices that are enrolled in Intune. Once this policy is created, any user's personal device properly enrolled will now be able to access that data, and if not, they'll be directed to enroll their device. For a Windows 10 device, the user simply needs to log into their work account via settings app or company portal and they'll be good to go. 

In order to enroll a phone, the organization needs to have set up their company portal app, and once completed, the user need only install the company portal and log in with their credentials. Once they log in, they'll be presented with steps they need to take to fully enroll their device, and once that's completed, they're all set and good to go. Now Apple devices that are provided by the organization require a bit more involvement as they require enrolling in Apple's Device Enrollment Program. This enables administrators to configure device settings of the device and automatically enroll it in an MDM solution. Once that is completed, the user then only needs to turn on the device and follow the steps to properly enroll. In the instance that an organization has many company-owned devices that they provide users, there is another enrollment tool which can be used called the Device Enrollment Manager. 

This is a tool that allows for bulk enrollment of devices without having a user associated with those devices. The main benefit of utilizing the DEM is that it provides a completely enrolled device before it ever gets to the hands of the user. If an organization has many devices that may be shared or when their user base might not necessarily be very tech-savvy, it prevents potential compliance issues from enrollment issues occurring. The DEM can enroll up to 1,000 devices at once and can only be managed by either a Microsoft 365 global admin or an Intune service administrator.