Part 17 – Configure Microsoft Intune – Corporate Device Identifiers

Import a device or multiple devices into Intune based on a CSV file. This is one of the options if you want to block personal devices. With this block, the user cannot enroll his device into Intune just like that. The device must first be identified as a corporate-owned device. How this trick works in Intune? Please continue, because this time it is about Corporate device identifiers.

Why should I assign the device as corporate-owned?

To refine management and identification. Intune can perform additional management tasks and collect additional information such as the full phone number and an inventory of apps from corporate-owned devices.

When is the device corporate-owned?

Within Intune, you have multiple options to enroll the device. You have:

  • For iOS – Device Enrollment Program (DEP), Apple School Manager or Apple Configurator.
  • For Windows – Azure Active Directory join.
  • For Samsung device only – Knox enrollment.

With these options, the device will be assigned automatically as corporate-owned.

There are also options to assign manually the device as corporate-owned, which are:

  • By a CSV list. (Mostly if your organization uses different types of Android device)
  • By manually to change the ownership per device to corporate.
  • Enrolled with a Device Enrollment Manager account (for all platforms)

If you have block personally owned in Enrollment restrictions, the user cannot enroll his device into Intune just like that. If the device is enrolled by DEP, Azure AD join or Knox then the device will be assigned automatically as corporate-owned. If you have a device which is not compatible with DEP, Azure AD join or Knox, then you have to use CSV file. By importing from a CSV file, the device will be assigned as corporate-owned and gives also the user permission to enroll the device.

Alrighty then, let’s try this out

First, we have to block personal devices.

Go to the Intune portal -> Device enrollment -> Enrollment restrictions

Click on Default

Click on Properties and then on Configure platforms.

Click on the block button beneath Personally owned. Click on the Ok button.

Click on the save button. Now it is not possible to enroll the device by the user itself, because it will identify as a personal. The enrollment must be initiated via Intune, by DEP. Knox or manually by importing the CSV file.

Let’s try on the Android device

If you don’t have the Intune Company Portal app already, please download and install the app from the App store.
Open Intune Company Portal
Sign in.
Enter here your email address/login name.
Enter here your password.
The app is connecting to Intune.
Checking for security requirements
Continue
Continue
Next
Allow
Scroll down for more options.

Activate this device administrator.

Processing, adding your device to Company Portal.
This is the message you get if enrolling the device as a personal device.

Sign out.

You are back at the sign in page.

You see that a personal device is not allowed to enroll into Intune. You must make this device a corporate-owned device. Before you do that, you have to find the serial and/or IMEI number from your device. You will need this for the following steps.

Go to the settings of your device and touch on About phone.
Touch on Status.
Touch on IMEI information.
Here you can find the IMEI numbers. If your device has more than 1 IMEI then you have to use the one which will be used for enrollment.

Note the one which you are going to use.

Now that you have the IMEI number, you have to add this into a CSV file. CSV must be based on a two-column, comma-separated-value without a header. The first one is for the serial or IMEI number. The second column is for details. Details are limited to 128 characters and are for administrative use only. Details aren’t displayed on the device. Limit of a CSV file is 5,000 rows per .csv file.

Save as a CSV file on your hard drive.

Go back to the Intune portal.

Go to the Intune portal -> Device enrollment -> Corporate device identifiers. Click on the button Add.

Choose for IMEI and browse to your CSV file. Click on the button Add.

Click on the button Refresh to refresh the list. You see your imported device in the list. Now is your device identified as a corporate device. Please continue with enrolling your device.

Let’s try

Open the Intune Company Portal app.
Sign in.
Enter here your email address/login name.
Enter here your password.
The app is connecting to Intune.
Checking for security requirements
Continue
Continue
Next
Allow
Scroll down for more options.

Activate this device administrator.

Processing, adding your device to Company Portal.
Processing, the final steps.
And the enrollment has finished with success.

Done

Now you are in the Company Portal. You see a number 1 beside the flag. Touch it, this will open notifications.
The ownership is changed to corporate. This is because of the import and identified as corporate.

After enrollment, check All devices in Intune. The device is marked as corporate.

If you go back to Device enrollment -> Corporate device identifiers, then you see that the state is changed into Enrolled.

Final

This is how Corporate Device identifiers works in Intune. This might come in handy if you are using Android devices which are not from Samsung. Samsung is the only one who using Knox for enrollment and MDM solution. With Apple and Windows is the best practice to use DEP and Azure AD join.

Thanks for reading this blog post. If you have any questions or comments, don’t hesitate to contact me by email or post a comment on this blog post.

Take care now, bye bye then.

Advertisements

8 thoughts on “Part 17 – Configure Microsoft Intune – Corporate Device Identifiers

  1. Hi Albert,

    thanks for this amazing post!
    I struggled to get Intune configured so that it scans the Discovered Apps of my Corporate owned devices.
    It was after I contacted Microsoft Intune support that I figured out that there was an important difference between enrolling the device as Personal or Corporate owned from the beginning when it comes to scanning ALL the apps on a device.
    While spending 2-3 weeks investigating the jungle full of information that Microsoft provides about Intune, Microsoft never clearly stated this difference. They only mention that the list of discovered apps could be up to 7 days out of date and some vague information about Hardware Inventory and so on…
    Given this information and the steps provided in this post, I was finally able to initially scan the Discovered apps after enrollment!

  2. Hi Albert,

    Thank you for the nice article. However, can you confirm that device ownership is automatically set to corporate upon enrolment of a Samsung KNOX device (using Android for Work) ? I do not notice the same behaviour here.
    Kind regards,

    1. Yes, I can confirm that. I have a Samsung A3 with Android 8.0 which is enrolled and uses automatically KNOX as work profile. Ownership of that device is corporate and I have blocked Personal Enrolled. Please check the state in Corporate Device Identifiers. If you have enrolled the device, then the state of the device in Corporate Device Identifiers should be changed to Enrolled. The thing you should know, via which way will device connects to Intune (Internet). My Samsung device has no sim card, so I have added only the serial number of that device. This was enough to identify as Corporate.

      Thanks for reading the blog and for your comment. I hope that this will help.

      1. Thanks for your answer. Indeed, if I pre-load the IMEI or serial number in the corporate identifier then the device will be set as “corporate”. However, this only works when I maintain this list. I need to download the list of devices from our Samsung KNOX portal then load it in the “corporate identifier”. Then only devices that enrol AFTER loading the list will be flagged as corporate. If I need to purchase a device then get its IMEI/serial to add it to the Intune portal then enrol it, I can as well purchase the device, enrol it then manually change the ownership. See my problem ? 😉

      2. Hmm, I see. You have a Samsung device which is added in KNOX portal by a reseller and you going to export the device list from the KNOX portal and manually import it into Intune as Corporate identifier? Is that correct? Why would you do this if Samsung Knox portal supports the integration with Intune, like DEP from Apple? Based on that integration, the device will be automatically set as Corporate.

        If I don’t understand you correctly and you don’t use the Knox portal, then yes. Add the device as a corporate identifier or change the ownership are the same thing and is changing manually to Corporate the quickest way. BUT, If you want to prevent a personally owned device, then you must use Corporate Device Identifier to give the device the permission to enroll, besides using Apple DEP, Azure AD join or Samsung KNOX/KME.

      3. The Samsung KNOX portal supports the integration with Intune but the device ownership is NOT set to corporate. 🙂

        Unless I did not find some settings somewhere.

      4. Hm, you are right. I thought that it was implemented at the begin of this year, my bad.. unfortunately, you must change the ownership manually to Corporate in Intune before distributing the device to users. Check the link.:
        https://docs.microsoft.com/en-us/intune/android-samsung-knox-mobile-enroll#distribute-devices

        There is no another way to do this on an easier method, unfortunately. Only the ways you already have told. For a bulk of Samsung devices, use the CSV file. For one or two devices, you could manually change the ownership to Corporate.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.