Skip to main content

Set Intune's Enrollment Scopes Wrong and Every Personal Phone Becomes a Managed Device

Nick Ross3 min read
Autoenrollment Settings in Microsoft Intune

TL;DR

  • As of May 2021, the out-of-the-box Intune default sets the MDM scope to all and the MAM scope to none, which means every device a user enrolls, corporate or personal, comes in under full MDM.
  • MAM lets you protect corporate data on personal or BYOD devices without enrolling the whole device, so a user's phone can reach corporate data without risking a full remote wipe.
  • On older tenants, configure auto-enrollment under Microsoft Intune in Mobility, not under Microsoft Intune Enrollment.
  • When both scopes are set to all, the corporate or personal classification decides the outcome: MAM wins for personal devices, MDM wins for corporate devices.

The fastest way to start a fight with a client's staff is to remote-wipe a personal phone. The second fastest is to leave Intune on its defaults, because those defaults quietly set you up to manage every device anyone signs in with, including the cell phones nobody wanted under management. The auto-enrollment settings in Endpoint Manager look like a minor checkbox. They are actually the line between a clean BYOD strategy and a tenant full of over-managed personal devices.

MAM is what makes the clean version possible. Mobile Application Management protects corporate data on personal or BYOD devices without enrolling the device into full MDM, so administration stays scoped to company-owned hardware. For the user, it means a personal phone can still reach corporate data without the fear that everything on it could be wiped remotely.

What Intune's default scopes actually do

Out of the box on new tenants, the default settings put the MDM scope at all and the MAM scope at none. One caveat for older tenants: you may see both Microsoft Intune and Microsoft Intune Enrollment under Mobility in the Azure AD admin center. Configure your auto-enrollment under Microsoft Intune, not under Microsoft Intune Enrollment.

Intune mobility settings showing MDM and MAM user scope
Mobility configuration in the Azure AD admin center

So what does that default mean in practice? Any time any user enrolls a device, corporate or personal, they enroll into the full MDM solution. That gives you full control over the device, with all of the following:

  • Remote wipe capabilities
  • Policy configuration
  • Patch management
  • Device restrictions
  • App deployment

Users can enroll on their own in several ways. The easiest is organic: when they sign into a client version of an Office application on Windows, iOS, Android, or macOS, they are prompted to enroll the device into Intune as long as they hold the right license. Here is what a Windows user sees.

Windows enrollment prompt shown when signing into an Office app

The advantage of this organic path is that you do not have to rely on a local admin opening Settings > Access work or school account to enroll the device. On Android and iOS the experience differs slightly: the user is redirected to the app store to download the Company Portal app and enroll in MDM.

In theory this is great, every device touching corporate data ends up managed. But do you actually want that? Plenty of users do not want their personal cell phones under management, and we strongly encourage managing only corporate-owned devices. That is exactly what MAM policies are for. To use them well, you first have to understand how a device gets classified.

How a device gets labeled corporate or personal

The corporate or personal label in Intune ultimately decides which enrollment scope, MDM or MAM, a user gets when both scopes are set to all. Microsoft publishes extensive detail on the classification (opens in new tab), but at the highest level for MSPs it comes down to this:

Corporate devices:

  • Devices enrolled via a program (Autopilot, DEM, ADE)
  • Hybrid joined devices enrolled via GPO
  • Azure AD joined devices

All other devices come in as personal. If you want personal devices protected with MAM, create app protection policies for every platform you want to support. On Windows these are also known as Windows Information Protection (WIP) policies, which can block cut, copy, paste, and save-as to non-managed applications. On iOS and Android you can layer on extra controls, such as a PIN to access corporate apps like Teams.

App protection policies listed across supported platforms

The precedence rule to commit to memory

This is the part worth pinning to the wall, because it is what determines the actual outcome when both scopes are enabled for the same users:

For BYOD devices, the MAM user scope takes precedence if both the MAM user scope and the MDM user scope (automatic MDM enrollment) are enabled for all users, or the same groups of users. The device will use Windows Information Protection (WIP) policies, if you configured them, rather than being MDM enrolled.

For corporate devices, the MDM user scope takes precedence if both scopes are enabled. The devices get MDM enrolled.

Once those concepts click, you are far better prepared to roll Intune out across customer environments. For remote workers, you may need to enroll their existing laptops under the MDM scope, then use Autopilot for every device procured going forward.

Frequently asked questions

What is the difference between MDM and MAM enrollment?

MDM gives you control over the whole device, including remote wipe, policy configuration, patch management, device restrictions, and app deployment. MAM protects only corporate data inside managed apps without enrolling the device, so it suits personal or BYOD phones where a full device wipe is not acceptable.

Do I have to set up Access work or school for users to enroll?

No. With auto-enrollment configured, a user enrolls organically the moment they sign into a client Office application on Windows, iOS, Android, or macOS, as long as they hold the right license. You do not have to rely on a local admin opening Settings and the Access work or school account page.

How do I protect a personal device without managing the whole phone?

Create app protection policies for every platform you want to support. On Windows these are Windows Information Protection (WIP) policies that block cut, copy, paste, and save-as to non-managed apps. On iOS and Android you can add controls like a PIN to open corporate apps such as Teams.

Scopes set once. Did they stay that way?

Auto-enrollment scopes are the kind of setting that gets changed during a project and never changed back. CloudCapsule checks 250+ Microsoft 365 controls per tenant in about 60 seconds, so a quiet reversion does not become a surprise.

Run a free scan
Nick Ross

Written by

Nick Ross

CEO · Microsoft MVP · Founder, T-Minus 365

Nick is not just a CEO, he's a respected thought leader and influencer in the MSP space. Tens of thousands of MSPs learn through his YouTube channel, T-Minus365. Nick has been honored as a three-time Microsoft MVP for his educational content; his expertise and influence are the backbone of our mission, ensuring that you are in the best hands when it comes to security.

Nick joined Pax8 in 2017, where he would ultimately oversee product management for PSA and Microsoft integrations. Following his tenure at Pax8, Nick has continued to demonstrate his leadership prowess as an executive at various MSPs, culminating in his most recent role at Sourcepass.

Nick holds a Bachelor's Degree in Business Management from Florida State University, as well as a Minor Degree in Entrepreneurship. In his free time, Nick is an avid hiker, reader, and fitness-junkie.

Keep reading