How to Add a BYOD Device to Intune Device Management
Bringing your own device into a workplace environment managed by Microsoft Intune is increasingly common — and for good reason. Organizations want visibility and security over the devices accessing their data, while employees want to use hardware they're already comfortable with. Intune's BYOD enrollment process threads that needle, but how it works in practice depends heavily on your device type, operating system, and how your IT admin has configured the tenant.
Here's what you need to understand before you start.
What Is BYOD Enrollment in Intune?
Microsoft Intune is a cloud-based Mobile Device Management (MDM) and Mobile Application Management (MAM) platform, part of Microsoft Endpoint Manager. When a device is enrolled in Intune, the organization can push policies, enforce compliance rules, and manage which apps are installed — all without necessarily taking full control of the device.
For personal devices, Intune supports two main management models:
- MDM enrollment — The device is fully registered with Intune. Your organization can enforce security policies across the whole device, including requiring PINs, encrypting storage, and remotely wiping the device if lost.
- MAM without enrollment (MAM-WE) — Only specific apps (like Outlook or Teams) are managed. Your personal data stays untouched. This is the lighter-touch option that many organizations now prefer for true BYOD scenarios.
Which model applies to you depends entirely on how your IT administrator has configured Intune policies. You may not have a choice — but understanding the distinction matters when you see what access you're granting.
What You'll Need Before Enrolling
Before starting enrollment, confirm you have:
- A work or school Microsoft account (provided by your organization)
- A supported OS version — Intune supports iOS 16+, Android 8.0+, Windows 10/11, and macOS 13+ as general baselines, though your organization may require more recent versions
- The Company Portal app (for iOS, Android, macOS) or access to Windows Settings (for Windows devices)
- Permission from your IT admin — some tenants require admin approval, or need a device enrollment limit to be configured, before personal devices can be added
How to Enroll: Step-by-Step by Platform 📱
iOS and iPadOS
- Open the App Store and download Microsoft Intune Company Portal
- Sign in with your work or school account
- Follow the on-screen prompts — you'll be asked to install a Management Profile via Settings
- Go to Settings → General → VPN & Device Management and tap Install on the profile
- Return to Company Portal and complete enrollment
During this process, iOS will display what the management profile can and cannot see. Read it — it's accurate.
Android
Android BYOD enrollment has an additional distinction. Most personal Android devices enroll as Android Enterprise personally-owned with work profile. This creates a separate, sandboxed partition on your device for work apps and data, keeping your personal apps completely isolated.
- Download Microsoft Intune Company Portal from the Google Play Store
- Sign in with your work account
- When prompted, choose "This device is personally owned"
- Allow the work profile to be created
- Complete setup — work apps will appear in a separate section of your app drawer, often marked with a briefcase icon
Windows 10/11
- Open Settings → Accounts → Access work or school
- Click Connect and enter your work email address
- Choose "Enroll only in device management" if prompted (this registers with Intune without joining Azure AD)
- Sign in and follow the prompts
Alternatively, some organizations use the Company Portal app for Windows, available in the Microsoft Store, which provides a more guided experience.
macOS
- Download Company Portal from the Mac App Store
- Sign in with your work account
- Follow prompts to download and install a Management Profile
- Approve it in System Settings → Privacy & Security → Profiles
What Does Your Organization Actually See? 🔍
This is the question most people have. The answer depends on enrollment type:
| Enrollment Type | What IT Can See | What IT Cannot See |
|---|---|---|
| Full MDM (personal device) | Device model, OS version, installed apps list, compliance status | Personal photos, messages, browsing history |
| Work Profile (Android) | Work profile apps and data only | Personal apps, personal data |
| MAM only (no enrollment) | App-level activity within managed apps | Everything outside those apps |
Microsoft publishes detailed documentation on what Intune can and cannot collect — your IT admin can also confirm this in writing if your organization has a formal BYOD policy.
Factors That Affect the Enrollment Experience
Not every BYOD enrollment is identical. Several variables shape what you'll encounter:
- Conditional Access policies — Your org may block access to email or SharePoint until your device passes a compliance check (minimum OS version, screen lock enabled, encryption on)
- Device enrollment restrictions — Some tenants cap how many personal devices one user can enroll, or block certain platforms entirely
- MFA requirements — Expect to verify your identity through Microsoft Authenticator or another second factor
- Jailbroken or rooted devices — Intune compliance policies typically flag and block these automatically
- Existing MDM profiles — If your device is already managed by another MDM solution, you may need to remove that profile first
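
The compliance gate described in the list above, sketched as an added Python example. It is not Intune's code or API: the attribute names `screen_lock`, `encrypted` and `jailbroken_or_rooted` are hypothetical, and the OS baselines are the general ones quoted earlier in this guide.

```python
import re

# Illustrative model only. Minimum OS baselines quoted in this guide; tenants may be stricter.
BASELINES = {"ios": (16,), "android": (8, 0), "windows": (10,), "macos": (13,)}
# Constructed sample record; the attribute names are hypothetical.
SAMPLE_DEVICE = {"platform": "Android", "os_version": "10", "screen_lock": True,
                 "encrypted": True, "jailbroken_or_rooted": False}


def parse_version(text):
    """Turn '8.1.0' into (8, 1, 0) so 10 sorts above 8 (string comparison does not)."""
    parts = re.findall(r"\d+", text)
    if not parts:
        raise ValueError(f"unparseable OS version: {text!r}")
    return tuple(int(p) for p in parts)


def meets_minimum(version, minimum):
    """Compare numerically, zero-padding the shorter tuple so 16 equals 16.0."""
    width = max(len(version), len(minimum))
    padded = [v + (0,) * (width - len(v)) for v in (version, minimum)]
    return padded[0] >= padded[1]


def evaluate(device, baselines=BASELINES):
    """Return the reasons a device fails the check; an empty list means compliant."""
    platform = str(device.get("platform") or "").lower()
    if platform not in baselines:
        return [f"platform {platform!r} is not allowed to enroll"]
    reasons = []
    try:
        version = parse_version(str(device.get("os_version") or ""))
        if not meets_minimum(version, baselines[platform]):
            reasons.append("OS version below minimum")
    except ValueError:
        reasons.append("OS version unknown")
    # Fail closed: a missing attribute counts as non-compliant, not as a pass.
    if device.get("screen_lock") is not True:
        reasons.append("screen lock not enabled")
    if device.get("encrypted") is not True:
        reasons.append("storage not encrypted")
    if device.get("jailbroken_or_rooted") is not False:
        reasons.append("jailbroken, rooted, or state unknown")
    return reasons


def access_decision(device):
    """Grant access only when no failure reasons remain, otherwise block."""
    reasons = evaluate(device)
    return ("block", reasons) if reasons else ("grant", [])
```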
When MAM-Only Is the Right Conversation to Have
Some employees don't need or want full device enrollment — and some IT departments prefer the separation. If your organization supports MAM without enrollment, you can access managed apps like Outlook, Teams, and OneDrive without installing a device-wide management profile. The trade-off is that fewer security policies can be enforced at the device level, which some organizations aren't comfortable with.
Whether MAM-only is available to you, and whether it grants access to the same resources as full enrollment, is a policy decision sitting entirely on your IT admin's side.
The technical steps for BYOD enrollment in Intune are well-documented and broadly consistent across platforms. What varies — sometimes significantly — is what your specific organization has configured, which platforms they support, how strict their compliance baselines are, and whether they prefer full MDM or a lighter MAM approach. Those answers live in your IT department's tenant configuration, not in any general guide.