Part 17 – Configure Microsoft Intune – Corporate Device Identifiers

You can import one or more devices into Intune from a CSV file. This is one of the options available when you want to block personal devices. With that block in place, a user cannot simply enroll a device into Intune; the device must first be identified as corporate-owned. How does this work in Intune? Read on, because this post is about Corporate device identifiers.

Why should I assign the device as corporate-owned?

To refine management and identification. Intune can perform additional management tasks and collect additional information such as the full phone number and an inventory of apps from corporate-owned devices.

When is the device corporate-owned?

Within Intune, you have multiple options to enroll the device. You have:

  • For iOS – Device Enrollment Program (DEP), Apple School Manager or Apple Configurator.
  • For Windows – Azure Active Directory join.
  • For Samsung devices only – Knox enrollment.

With these options, the device will be assigned automatically as corporate-owned, except for Knox enrollment.

There are also options to manually assign the device as corporate-owned:

  • By a CSV list (mostly if your organization uses different types of Android devices).
  • By manually changing the ownership per device to corporate.
  • By enrolling with a Device Enrollment Manager account (for all platforms).

If you have blocked personally owned devices in Enrollment restrictions, the user cannot simply enroll a device into Intune. If the device is enrolled by DEP, Azure AD join or Knox, then the device will be assigned automatically as corporate-owned. If you have a device which is not compatible with DEP, Azure AD join or Knox, then you have to use a CSV file. Importing from a CSV file assigns the device as corporate-owned and also gives the user permission to enroll the device.

About Knox enrollment: if you plan to use Knox Mobile Enrollment (KME), be aware that the devices will be added as personal instead of corporate. If you want to change the ownership from personal to corporate, you have to change this manually. But you can also use the CSV option: export the list from KME into a CSV file, import the file in Intune, and then deliver the devices to the users. When they enroll, the devices get corporate as ownership.

Alrighty then, let’s try this out

First, we have to block personal devices.

Go to the Intune portal -> Device enrollment -> Enrollment restrictions

Click on Default

Click on Properties and then on Configure platforms.

Click on the Block button beneath Personally owned. Click on the OK button.

Click on the Save button. Users can no longer enroll a device themselves, because it will be identified as personal. The enrollment must be initiated via Intune: by DEP, Knox, or manually by importing the CSV file.

Let’s try on the Android device

If you don’t have the Intune Company Portal app already, please download and install the app from the App store.
Open Intune Company Portal
Sign in.
Enter here your email address/login name.
Enter here your password.
The app is connecting to Intune.
Checking for security requirements
Continue
Continue
Next
Allow
Scroll down for more options.

Activate this device administrator.

Processing, adding your device to Company Portal.
This is the message you get if enrolling the device as a personal device.

Sign out.

You are back at the sign in page.

You see that a personal device is not allowed to enroll into Intune. You must make this device a corporate-owned device. Before you do that, you have to find the serial and/or IMEI number of your device. You will need this for the following steps.

Go to the settings of your device and touch on About phone.
Touch on Status.
Touch on IMEI information.
Here you can find the IMEI numbers. If your device has more than 1 IMEI then you have to use the one which will be used for enrollment.

Note the one which you are going to use.

Now that you have the IMEI number, you have to add it to a CSV file. The CSV must be a two-column, comma-separated file without a header. The first column is for the serial or IMEI number. The second column is for details. Details are limited to 128 characters and are for administrative use only; they aren’t displayed on the device. The limit is 5,000 rows per .csv file.

Save as a CSV file on your hard drive.
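
Before uploading, the file can be checked against the rules above. This Python script is an added example, not part of the original post or of Intune; the function names and sample rows are constructed, and the IMEI length and Luhn check-digit tests and the duplicate check go beyond the limits the post states.

```python
import csv
import io

MAX_ROWS = 5000      # rows per .csv file, as stated in the post
MAX_DETAILS = 128    # characters in the details column, as stated in the post


def luhn_ok(digits):
    """Luhn checksum; the 15th IMEI digit is a Luhn check digit."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:               # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def validate_identifier_csv(text, kind="imei"):
    """Return a list of problems; an empty list means the file passes."""
    rows = [r for r in csv.reader(io.StringIO(text)) if r]
    problems, seen = [], set()
    if len(rows) > MAX_ROWS:
        problems.append(f"{len(rows)} rows, limit is {MAX_ROWS}")
    for n, row in enumerate(rows, start=1):
        if len(row) != 2:
            problems.append(f"row {n}: expected 2 columns, got {len(row)}")
            continue
        ident, details = row[0].strip(), row[1]
        is_num = ident.isascii() and ident.isdigit()
        if not ident:
            problems.append(f"row {n}: empty identifier")
        elif kind == "imei" and not (is_num and len(ident) == 15):
            problems.append(f"row {n}: IMEI must be 15 digits (header or typo?)")
        elif kind == "imei" and not luhn_ok(ident):
            problems.append(f"row {n}: IMEI check digit is wrong")
        elif ident in seen:
            problems.append(f"row {n}: duplicate identifier")
        seen.add(ident)
        if len(details) > MAX_DETAILS:
            problems.append(f"row {n}: details longer than {MAX_DETAILS} chars")
    return problems


# Constructed sample: one valid row, a mistyped IMEI, a header-like row.
SAMPLE = ("490154203237518,Warehouse scanner 01\n"
          "490154203237519,Warehouse scanner 02\n"
          "IMEI,Details\n")

if __name__ == "__main__":
    for problem in validate_identifier_csv(SAMPLE):
        print(problem)
```

For a serial-number list, call `validate_identifier_csv(text, kind="serial")`, which skips the IMEI-specific checks.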

Go back to the Intune portal.

Go to the Intune portal -> Device enrollment -> Corporate device identifiers. Click on the button Add.

Choose for IMEI and browse to your CSV file. Click on the button Add.

Click on the button Refresh to refresh the list. You see your imported device in the list. Your device is now identified as a corporate device. Please continue with enrolling your device.

Let’s try

Open the Intune Company Portal app.
Sign in.
Enter here your email address/login name.
Enter here your password.
The app is connecting to Intune.
Checking for security requirements
Continue
Continue
Next
Allow
Scroll down for more options.

Activate this device administrator.

Processing, adding your device to Company Portal.
Processing, the final steps.
And the enrollment has finished with success.

Done

Now you are in the Company Portal. You see a number 1 beside the flag. Touch it, this will open notifications.
The ownership has changed to corporate, because the device was imported and identified as corporate.

After enrollment, check All devices in Intune. The device is marked as corporate.

If you go back to Device enrollment -> Corporate device identifiers, then you see that the state has changed to Enrolled.

Final

This is how Corporate device identifiers work in Intune. This might come in handy if you are using Android devices which are not from Samsung. Samsung is the only vendor using Knox for enrollment and as an MDM solution. With Apple and Windows, the best practice is to use DEP and Azure AD join.

Thanks for reading this blog post. If you have any questions or comments, don’t hesitate to contact me by email or post a comment on this blog post.

Take care now, bye bye then.


25 thoughts on “Part 17 – Configure Microsoft Intune – Corporate Device Identifiers”

  1. Hi Albert,

    thanks for this amazing post!
    I struggled to get Intune configured so that it scans the Discovered Apps of my Corporate owned devices.
    It was after I contacted Microsoft Intune support that I figured out that there was an important difference between enrolling the device as Personal or Corporate owned from the beginning when it comes to scanning ALL the apps on a device.
    While spending 2-3 weeks investigating the jungle full of information that Microsoft provides about Intune, Microsoft never clearly stated this difference. They only mention that the list of discovered apps could be up to 7 days out of date and some vague information about Hardware Inventory and so on…
    Given this information and the steps provided in this post, I was finally able to initially scan the Discovered apps after enrollment!

    1. Hi Keven, that is great! Thanks for reading and sharing your experience with them.

  2. Jehan

    Hi Albert,

    Thank you for the nice article. However, can you confirm that device ownership is automatically set to corporate upon enrolment of a Samsung KNOX device (using Android for Work) ? I do not notice the same behaviour here.
    Kind regards,

    1. Yes, I can confirm that. I have a Samsung A3 with Android 8.0 which is enrolled and automatically uses KNOX as work profile. Ownership of that device is corporate and I have blocked Personal Enrolled. Please check the state in Corporate Device Identifiers. If you have enrolled the device, then the state of the device in Corporate Device Identifiers should be changed to Enrolled. The thing you should know is which way the device connects to Intune (Internet). My Samsung device has no SIM card, so I have added only the serial number of that device. This was enough to identify it as Corporate.

      Thanks for reading the blog and for your comment. I hope that this will help.

      1. Jehan

        Thanks for your answer. Indeed, if I pre-load the IMEI or serial number in the corporate identifier then the device will be set as “corporate”. However, this only works when I maintain this list. I need to download the list of devices from our Samsung KNOX portal then load it in the “corporate identifier”. Then only devices that enrol AFTER loading the list will be flagged as corporate. If I need to purchase a device then get its IMEI/serial to add it to the Intune portal then enrol it, I can as well purchase the device, enrol it then manually change the ownership. See my problem ? 😉

      2. Hmm, I see. You have a Samsung device which is added in the KNOX portal by a reseller and you are going to export the device list from the KNOX portal and manually import it into Intune as Corporate identifier? Is that correct? Why would you do this if the Samsung Knox portal supports the integration with Intune, like DEP from Apple? Based on that integration, the device will be automatically set as Corporate.

        If I don’t understand you correctly and you don’t use the Knox portal, then yes. Adding the device as a corporate identifier and changing the ownership are the same thing, and changing manually to Corporate is the quickest way. BUT, if you want to prevent a personally owned device, then you must use Corporate Device Identifier to give the device the permission to enroll, besides using Apple DEP, Azure AD join or Samsung KNOX/KME.

      3. Jehan

        The Samsung KNOX portal supports the integration with Intune but the device ownership is NOT set to corporate. 🙂

        Unless I did not find some settings somewhere.

      4. Hm, you are right. I thought that it was implemented at the beginning of this year, my bad. Unfortunately, you must change the ownership manually to Corporate in Intune before distributing the device to users. Check the link:
        https://docs.microsoft.com/en-us/intune/android-samsung-knox-mobile-enroll#distribute-devices

        There is no other, easier way to do this, unfortunately. Only the ways you have already mentioned. For a bulk of Samsung devices, use the CSV file. For one or two devices, you could manually change the ownership to Corporate.

      5. Jehan

        Ok, thanks for the confirmation and for taking your time to investigate this in detail.

      6. No problem at all, good luck with the implementation and enrollment of Samsung devices.

  3. RKast

    Hi Albert,
    Is this still the way to enroll devices as Corporate or is an easier method possible?
    Next, is having knox on the Android devices enough to get enrolled as corporate or do they also need to be enrolled in the knox portal first?

    1. In what context? There are easier ways, but it depends on which kind of platform you want to use. So, you got for iOS “Device Enrollment Program” (DEP) and for Windows 10 you got “Azure AD join”. If you enroll an Apple device with DEP, then the device will be enrolled as corporate automatically. With Windows 10 you have to join the device into Azure AD join and then the device will automatically be enrolled (if enabled in Azure AD) into Intune. The device will be added as corporate.

      With Knox, based as personal enrollment (via Company portal app) or as Knox Mobile Enrollment (KME), is always personal. You have to change ownership manually to corporate. KME is the easiest way to enroll a KNOX device. KME is like iOS DEP service but the device will not be added as corporate. That’s why you have to use the “Corporate Device Identifier” to identify the KNOX device as corporate. Via KME you can generate a list (CSV file) and with that file, you can add the devices into Intune for identifying as corporate in Corporate Device Identifiers.

      1. RKast

        Hi, in your intro it states that with Knox enrollment the device gets corporate status. Is knox enrollment different from kme? If yes what is knox enrollment and how do you do a knox enrollment? And how kme?
        Thanks

      2. Thanks for your comment, RKast. You are correct. What I mean with Knox Enrollment is Knox Mobile Enrollment (KME). With KME you have the same enrollment process as Device Enrollment Program (DEP) with Apple devices. A reseller puts your ordered Samsung devices into KME. This way, the device is prepared for enrollment (no admin has to put the device into Intune). So, when the user starts the device for the first time, the device will be automatically enrolled into Intune. The only disadvantage is that the device will be added as personal. You have to change the ownership manually to corporate. This is also how Apple DEP works, but then the device will be added as corporate. Is this one clear and an answer to your question? If not, let me know!

  4. RKast

    Then i’m confused 🙂 in your intro you say

    For Samsung device only – Knox enrollment.
    With these options, the device will be assigned automatically as corporate-owned.

    But if I read your reply correctly with Knox/KME it does not get corporate status…

    With DEP the device gets ‘pre’-staged and then the user can use Company Portal or the Apple Assistant to enroll the device with his account, status of the device remains corporate. So this is the same for KME but the device gets personal status or can you use the CSV method after the reseller puts the devices in KME but before handing out the devices to user and they start enrolling the devices?

    Thank you for your replies

    1. I will change that. It must be company-owned and not corporate-owned. Sorry about that.

      That is correct and to do that you must indeed export the list from KME into a CSV file and import that one as corporate device identifier before enrolling.

      1. RKast

        Np and thanks.
        Thank you very much 😉
        As Intune consultant we got a load of enrollment methods these days.
        Maybe that the new Device Owner mode will tag the Android device as corporate 🙂

      2. No problem, RKast. Yes maybe, I hope so. We have to wait a month, then this feature will be in preview.

  5. wendi

    Hi Albert Thanks for the article 🙂 just wonder is there another way to add PC / Laptop in corporate device identifiers? I think IMEI is not available for PC..

    1. Hi Wendi, thanks for reading my blog. That is correct. For PC/Laptop you have to add the serial number.

      1. wendi

        Thanks for the reply ! ya I’ve quick read something like Windows AutoPilot(?) that we need to add serial number of the PC, have you heard about it before?? I’m still confused about it

        I wonder, will it work like IMEI? I mean, will it work like Intune only accepts PC enrollment with a registered serial number?

      2. Hi Wendi, no problem at all 🙂 I wrote a blog about Windows Autopilot: https://albertneef.wordpress.com/2018/05/30/part-14-configure-microsoft-intune-windows-autopilot/ You should check this blog about the configuration of Autopilot. Autopilot works with hardware hash and not with an IMEI or serial number. Corporate Device Identifier is different than Windows Autopilot. Autopilot is a service which automates the enrollment of Windows 10. Corporate Device Identifier is like a whitelist for your devices. Only the devices in that list are allowed to enroll in Intune (if you block personally owned devices for enrollment). If a laptop has a SIM card slot then it has an IMEI number. If the laptop initiates a connection with Intune via the SIM card then IMEI will work as Corporate Device Identifier. Otherwise, you have to use the serial number if it initiates a connection via the Wifi or LAN.

      3. wendi

        Ahh, I see , will read it soon. Thank you Albert 🙂

  6. Rkast

    Hi Albert, COBO for Android is in preview now! Devices will be corp owned.
