MDM and MAM scopes - Considerations for pilot groups, BYOD and Company Wide enrolling

Consider locking down the MDM and MAM scope -

MDM - set to groups
- DEM users (the Device Enrollment Managers that are pre-building and deploying devices)
- Windows 10 Corporate users (Recipients of corporate Windows 10 devices to allow Autopilot).






Select - Microsoft Intune -


MDM user scope - Select - Some
Select - No groups selected


Select the user group(s) that will be allowed to auto-enroll devices (for Autopilot)
Note that in this test, I have added the DEM accounts (Device Enrollment Managers) in the group - AAD_Sec_User_Windows10_Corporate
Click - Select


Save


=======================================================================

Testing -
User04 - is a member of group - AAD_Sec_User_Windows10_Corporate
User06 - not a member of group - AAD_Sec_User_Windows10_Corporate

User04 - is a member of the group
Auto-pilot process kicks off as expected


Autopilot process also kicks off for the DEM account as it is also a member of the group

The machine has been enrolled and applications deployed




User06 - not a member
User can log on, but no apps are deployed and the device is not enrolled in Azure AD
Device is literally a Windows device with no Company Apps or policies applied.
User is NOT a local admin of the device


==========================================================================

BYOD -

Process -
Restrict MAM enrollment to only the group - AAD_Sec_User_Windows10_BYOD
Users log into their device with a Microsoft account (@outlook.com, etc)
Users register device with Company Portal app from the Microsoft Store


Use the group - AAD_Sec_User_Windows10_BYOD
Allow users in this group to Register for MAM

Three test users
- Not a member of the MAM group AAD_Sec_User_Windows10_BYOD
- Is a member of the MAM group AAD_Sec_User_Windows10_BYOD
- Is a member of the both the MAM group and the MDM group AAD_Sec_User_Windows10_BYOD and AAD_Sec_User_Windows10_Corporate

Users -
BYOD.yes - AAD_Sec_User_Windows10_BYOD




BYOD.no -




BYOD.Both - AAD_Sec_User_Windows10_BYOD -    AAD_Sec_User_Windows10_Corporate


Update the MAM scope -
MAM now only has one group - AAD_Sec_User_Windows10_BYOD


====================================================================

Updated Microsoft 365 Apps -
Added the group - AAD_Sec_User_Windows10_BYOD to the Available for enrolled devices.



Updated to show in the Company Portal.



Testing


byod.no - Azure AD registered (not managed)
Settings - Account - Access work or school - Connect - Corp email address
Configure Windows 10 Mail app
Install Office Apps for Enterprise
Activate Word - Sign out with the personal email - Sign in with the corporate email
Configure Outlook.
Configure OneDrive for Business

Company Portal - Azure AD registered (not managed)
Allow my organization to manage my device - Yes  (Default) -
Terms and Conditions -
Outlook -















byod.no
Access Company Email via Outlook
Access Company Email via the Mail app






byod.yes
Login with Outlook account
Register via Company Portal













byod.both
Login with Outlook account
Register via Company Portal