When it comes to provisioning your Windows 10 MDM based clients you need to consider a number of things:
- Do I trust the user to enrol the device?
A device can be enrolled during OOBE or afterwards via Settings. The question is if you just ship the device to the user will they actually bother to enrol it? That might sound stupid as in most cases the device will need to be enrolled to access corporate resources but you may have awkward users who want to just use the device on their own terms. If you are concerned about that you may have to issue the device via your Service Desk. Having used Apple Device Enrolment Program for many years it is a bit of a shortcoming in Windows that you cannot force the enrolment during OOBE but I can understand the difficulty in this when you don’t control the hardware.
- Does your corporate Wi-Fi network support connections from unmanaged devices?
In order to join the device to AAD you are going to need internet connectivity. In many organisations you’ll be using Wi-Fi networks that rely on either a device based certificate or AD credentials to connect. Typically, with traditional management, you will use something like auto-enrolment to issue certificates to domain joined devices which will get you connected to Wi-Fi automatically. During OOBE or with a non-domain joined W10 box you won’t have that luxury. In order to make sure this is as easy as possible you may need a separate SSID which can be used in OOBE. This SSID may be configured to only allow access to connect to AAD and Intune. After enrolment Intune can deliver a Wi-Fi profile for your corporate network and the user can switch to that network when on-site.
- Who is going to have permission to enrol?
EMS is licensed per user. You may not have purchased an EMS license for your entire workforce. Also you may only want to allow CYOD devices to enrol in MDM and not BYOD. With that in mind you will need to control who can join AAD and who gets enrolled into MDM to prevent anyone in your organisation joining any old device to your AAD and using up your EMS licences. The simplest thing to do is create an AD group for your users who you will allow to AAD join and another group for those who you want enrolled in MDM. MDM users will need to be in both groups. Use the Azure portal to configure this:
In the example above I’ve used the same group (AzureADJoin) for both but as you can see you can set it independently.
Pretty simple stuff but I’d make sure you’ve thought about all of the above before you go ploughing in to your MDM deployment so you don’t get caught out later.