
MDM Setup Guide: Managing Business Devices with Microsoft Intune

Last updated: 26th March 2026

As your business fleet of smartphones and tablets grows beyond a handful of devices, managing them individually becomes unsustainable. Forgotten passcodes, outdated software, unsecured devices connecting to company email, employees leaving with corporate data still on their phones — the risks multiply with every handset you deploy. Mobile Device Management (MDM) solves these problems by giving your IT team centralised control over every device in your organisation, and Microsoft Intune has emerged as the go-to MDM platform for businesses already invested in the Microsoft 365 ecosystem. This guide walks through what MDM is, how to set up Intune from scratch, and how to enrol, secure, and manage both iOS and Android devices.

Quick Answer: Microsoft Intune is a cloud-based MDM/MAM platform included in Microsoft 365 Business Premium, Enterprise E3/E5, and available standalone. It lets you enrol company phones and tablets, push security policies (passcodes, encryption, VPN), deploy apps remotely, and wipe lost devices — all from a single web console. Setup takes 1–2 hours for basic deployment; full rollout with conditional access and compliance policies typically takes 1–2 weeks.

What Is MDM and Why Do Businesses Need It?

Mobile Device Management (MDM) is a category of software that allows IT administrators to remotely manage, monitor, and secure mobile devices (smartphones, tablets, and sometimes laptops) from a centralised console. The core capabilities of MDM include:

  • Device enrollment — registering devices so they appear in your management console
  • Policy enforcement — pushing rules such as passcode requirements, encryption, and screen timeout
  • App management — deploying, updating, and removing apps remotely
  • Compliance monitoring — checking that devices meet your security standards before granting access to company resources
  • Remote actions — locking, wiping, or locating lost or stolen devices

For UK businesses, MDM is increasingly important for regulatory compliance. If your organisation handles personal data (and virtually all do under UK GDPR), you have a legal obligation to protect that data — including on mobile devices. An MDM solution provides auditable evidence that you are taking reasonable steps to secure mobile endpoints.

Why Microsoft Intune?

Microsoft Intune is the MDM and Mobile Application Management (MAM) component of the Microsoft Endpoint Manager suite. It is cloud-native (no on-premises servers required), integrates deeply with Microsoft 365 and Azure Active Directory (now Entra ID), and supports iOS, Android, Windows, and macOS devices. For businesses already using Microsoft 365 — which the majority of UK SMEs do — Intune is the natural choice because:

  • It is included in Microsoft 365 Business Premium at no additional cost
  • It integrates with Entra ID conditional access policies
  • It works with Apple Business Manager and Android Enterprise for zero-touch enrollment
  • It supports both fully managed (corporate-owned) and BYOD scenarios
  • It has a unified management console for phones, tablets, and PCs

Step-by-Step: Setting Up Microsoft Intune

Prerequisites

Before you begin, ensure you have:

  1. A Microsoft 365 subscription that includes Intune (Business Premium, Enterprise E3/E5, or standalone Intune Plan 1/Plan 2).
  2. Global Administrator or Intune Administrator role in your Microsoft 365 tenant.
  3. An Apple Push Notification (APN) certificate (required for managing iOS devices) — this is free but must be renewed annually.
  4. An Android Enterprise account linked to your tenant (required for Android management).

Step 1: Access the Intune Admin Centre

Navigate to intune.microsoft.com and sign in with your administrator account. This is the Microsoft Intune admin centre — the central console for all device management operations.

Step 2: Configure the Apple Push Certificate (for iOS)

  1. In the Intune admin centre, go to Devices → Enrollment → Apple → Apple MDM Push Certificate.
  2. Download the Intune CSR (Certificate Signing Request) file.
  3. Go to the Apple Push Certificates Portal (identity.apple.com/pushcert) and sign in with your company Apple ID (use a shared IT Apple ID, not a personal one).
  4. Upload the CSR and download the resulting APN certificate (.pem file).
  5. Upload the APN certificate back into Intune.
  6. The certificate is now active and valid for one year. Set a calendar reminder to renew it before expiry — if it lapses, you lose the ability to manage all enrolled iOS devices.

Step 3: Connect Android Enterprise

  1. In the Intune admin centre, go to Devices → Enrollment → Android → Managed Google Play.
  2. Click I agree to connect your tenant to Managed Google Play.
  3. Sign in with a Google account (again, use a shared IT account, not personal).
  4. Complete the setup. Intune will now be able to manage Android devices via Android Enterprise.

Step 4: Create Enrollment Profiles

Enrollment profiles determine how devices join your MDM. The two most common scenarios are:

Corporate-owned devices (fully managed): IT has full control. All device settings, apps, and data are managed. Use Apple Business Manager’s Automated Device Enrollment for iOS or Android Enterprise’s Zero-Touch Enrollment for Android.

BYOD (Bring Your Own Device): Employees enrol their personal phones. Intune manages only the work profile/partition — personal apps and data remain private. This is the more common scenario for UK SMEs.

Enrolling iOS Devices in Intune

Method 1: Automated Device Enrollment (ADE) — Corporate-Owned

  1. Purchase devices through Apple Business Manager (ABM) or a participating reseller — the devices will automatically appear in your ABM portal.
  2. Assign devices to your Intune MDM server within ABM.
  3. In Intune, create an iOS enrollment profile under Devices → Enrollment → Apple → Enrollment Program Tokens.
  4. Configure the Setup Assistant screens (skip unnecessary steps to speed up deployment).
  5. When the employee powers on the device and connects to Wi-Fi, it automatically enrols in Intune, downloads your policies, and installs assigned apps. No manual steps required.

Method 2: Company Portal App — BYOD

  1. The employee downloads the Microsoft Intune Company Portal app from the App Store.
  2. They sign in with their Microsoft 365 work account.
  3. The app walks them through enrollment, including installing the MDM management profile.
  4. Once enrolled, Intune applies your compliance policies to the device. On BYOD, Intune only manages the work partition — personal apps and photos remain untouched.

Enrolling Android Devices in Intune

Method 1: Zero-Touch Enrollment — Corporate-Owned

  1. Purchase Android devices from a participating reseller who supports Zero-Touch Enrollment.
  2. Devices appear in the Android Enterprise zero-touch portal.
  3. Assign devices to your Intune MDM profile.
  4. When the employee powers on and connects to Wi-Fi, the device automatically enrols and configures itself. No manual intervention needed.

Method 2: Work Profile Enrollment — BYOD

  1. The employee downloads Microsoft Intune Company Portal from the Google Play Store.
  2. They sign in with their Microsoft 365 account.
  3. The app creates a separate Work Profile on the device. Work apps (Outlook, Teams, OneDrive) run in the work profile with their own sandboxed data storage.
  4. Personal apps remain in the personal profile — Intune cannot see or manage them.

Pushing Security Policies

Once devices are enrolled, the real power of MDM comes from policy enforcement. Here are the key policies every business should configure:

Device Passcode Policy

Require a minimum 6-digit PIN or alphanumeric password. Set a maximum number of failed attempts before the device wipes (10 is a common setting). Allow biometric authentication (Face ID, fingerprint) as a convenience option on top of the passcode.

Encryption Policy

iOS devices are encrypted by default when a passcode is set. Android devices should have encryption enforced via policy — Intune can verify compliance and block access to company resources if encryption is disabled.

VPN Configuration

Push VPN profiles to devices so employees automatically connect to your corporate VPN when accessing internal resources. Intune supports per-app VPN on both iOS and Android, meaning only work apps route through the VPN while personal traffic goes direct.

Wi-Fi Configuration

Deploy Wi-Fi profiles so devices automatically connect to your office network with the correct credentials. This eliminates the need for employees to manually enter Wi-Fi passwords and ensures they connect to the correct (secured) network.

App Deployment via Company Portal

Intune’s app management capabilities let you push apps to enrolled devices without any action from the user. The process differs slightly between iOS and Android:

iOS App Deployment

  1. In the Intune admin centre, go to Apps → iOS/iPadOS → Add.
  2. Select iOS store app for public App Store apps, or Line-of-business app for in-house apps (.ipa files).
  3. Search for and select the app (e.g., Microsoft Outlook, a CRM app, a company-specific tool).
  4. Assign the app to a device group as Required (auto-installs) or Available (appears in Company Portal for the user to install).

Android App Deployment

  1. Go to Apps → Android → Add.
  2. Select Managed Google Play app and search for the app.
  3. Approve the app for your organisation.
  4. Assign to device groups as Required or Available.

Compliance Policies and Conditional Access

Compliance policies define the minimum security standards a device must meet. Conditional access policies then use compliance status as a gate — only compliant devices can access company resources like Exchange email, SharePoint, and Teams.

Example Compliance Policy

  • Device must have a passcode of 6+ characters
  • Device must be encrypted
  • Operating system must be within the last two major versions (e.g., iOS 17 or 18, Android 14 or 15)
  • Device must not be jailbroken or rooted
  • Real-time protection must be active (Android)

Conditional Access in Practice

With conditional access configured, if an employee’s device falls out of compliance (e.g., they disable their passcode or the OS is too old), Intune blocks their access to company email and data until the issue is resolved. The user receives a notification explaining what needs to be fixed, and access is restored automatically once they comply. This automated enforcement dramatically reduces the security burden on your IT team.

MDM Platform Comparison

Microsoft Intune is not the only MDM option. Here is how it compares to the other major platforms:

Feature | Microsoft Intune | VMware Workspace ONE | Jamf Pro | Ivanti (MobileIron)
--- | --- | --- | --- | ---
Supported Platforms | iOS, Android, Windows, macOS, Linux | iOS, Android, Windows, macOS | macOS, iOS only | iOS, Android, Windows, macOS
Cloud-Native | Yes (fully cloud) | Hybrid (cloud or on-prem) | Cloud or on-prem | Hybrid
Microsoft 365 Integration | Native (Entra ID, Conditional Access) | Via connectors | Limited (macOS/iOS focus) | Via connectors
Zero-Touch Enrollment | Apple ADE + Android Zero-Touch | Apple ADE + Android Zero-Touch | Apple ADE only | Apple ADE + Android Zero-Touch
App Management | Full (including MAM-only without enrollment) | Full | macOS/iOS app management | Full
Conditional Access | Native (Azure AD/Entra ID) | Separate configuration required | Via Azure AD connector | Separate configuration
Pricing (approx. per device/month) | Included in M365 Business Premium (£18.70/user) or standalone from £5.60/user | From £4–£10/device | From £6.50/device | From £5–£12/device
Best For | Businesses using Microsoft 365 | Large enterprises with complex hybrid needs | Apple-only environments | Enterprises needing on-prem + cloud flexibility

For the majority of UK SMEs and mid-market businesses, Microsoft Intune offers the best balance of capability, cost, and integration. If your business exclusively uses Apple devices, Jamf Pro is a strong alternative. VMware Workspace ONE and Ivanti are better suited to large enterprises with complex, multi-platform environments.

Common Intune Deployment Challenges and Solutions

APN Certificate Expiry

The Apple Push Notification certificate expires after one year. If it lapses, you lose management of all iOS devices and must re-enrol them manually. Set a recurring calendar reminder 30 days before expiry and renew via the Apple Push Certificates Portal.

Android Fragmentation

Android devices from different manufacturers run different versions of Android with varying levels of Android Enterprise support. Stick to Samsung, Google Pixel, or other devices certified for Android Enterprise to ensure full compatibility with Intune policies.

User Resistance to BYOD Enrollment

Employees may be reluctant to enrol personal devices in MDM, fearing that IT can see their personal data. Educate them that BYOD enrollment (work profile) creates a sandboxed container — Intune cannot see personal apps, photos, messages, or browsing history. Document this in a clear, jargon-free policy and share it before rollout.

Compliance Policy Lockouts

Overly aggressive compliance policies can lock users out of email and apps. Start with a “report only” mode to identify how many devices would fail compliance before enforcing. Tighten policies gradually and communicate each change to users in advance.
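To see what a report-only pass looks like before enforcement, here is an added example (not code from the page or from Microsoft Intune) that evaluates a constructed device inventory against the example compliance policy described earlier (6+ character passcode, encryption, OS within the last two major versions, no jailbreak or root, real-time protection on Android) and lists which devices would fail and why. The inventory field names and the "latest major version" table are assumptions for the example, not Intune's export schema; the decision function at the end shows the grant/block outcome a conditional access policy gated on compliance status would reach for the same devices.

```python
"""Report-only evaluation of an example MDM compliance policy over a device inventory.

Added example with constructed sample data. Field names and the LATEST_MAJOR
table are assumptions; replace them with values from your own inventory export.
"""
from dataclasses import dataclass
from typing import Dict, List

# Assumed latest major OS version per platform. Maintain this table yourself
# and review it after each OS release so "last two major versions" stays current.
LATEST_MAJOR = {"ios": 18, "android": 15}

PASSCODE_MIN_LENGTH = 6


@dataclass
class Device:
    name: str
    platform: str                  # "ios" or "android"
    os_version: str                # dotted version string, e.g. "17.5.1"
    passcode_length: int           # 0 when no passcode is set
    encrypted: bool
    jailbroken_or_rooted: bool
    threat_protection_active: bool = True  # only evaluated on Android


def major_version(version: str) -> int:
    """Return the leading numeric component of a dotted version string."""
    head = version.strip().split(".")[0]
    if not head.isdigit():
        raise ValueError(f"unparseable OS version: {version!r}")
    return int(head)


def evaluate(device: Device) -> List[str]:
    """Return the list of failed rules; an empty list means the device is compliant."""
    failures: List[str] = []
    if device.passcode_length < PASSCODE_MIN_LENGTH:
        failures.append(f"passcode shorter than {PASSCODE_MIN_LENGTH} characters")
    if not device.encrypted:
        failures.append("storage not encrypted")
    latest = LATEST_MAJOR.get(device.platform)
    if latest is None:
        failures.append(f"unsupported platform {device.platform!r}")
    elif major_version(device.os_version) < latest - 1:
        # Allowed: the latest major version and the one before it.
        failures.append(f"OS {device.os_version} older than the last two major versions")
    if device.jailbroken_or_rooted:
        failures.append("device is jailbroken or rooted")
    if device.platform == "android" and not device.threat_protection_active:
        failures.append("real-time protection not active")
    return failures


def report(devices: List[Device]) -> Dict[str, List[str]]:
    """Report-only pass: map each non-compliant device name to its failed rules.

    Nothing is blocked here; the output tells you how many users an enforced
    policy would lock out so you can fix devices first and tighten gradually.
    """
    findings: Dict[str, List[str]] = {}
    for device in devices:
        failures = evaluate(device)
        if failures:
            findings[device.name] = failures
    return findings


def conditional_access_decision(device: Device) -> str:
    """Outcome of a conditional access policy that only admits compliant devices."""
    return "grant" if not evaluate(device) else "block"


# Constructed sample fleet (not real data).
SAMPLE_FLEET = [
    Device("iphone-sales-01", "ios", "18.1", 6, True, False),
    Device("iphone-sales-02", "ios", "16.7.8", 6, True, False),
    Device("pixel-ops-01", "android", "15", 8, True, False, True),
    Device("galaxy-ops-02", "android", "14", 4, True, False, False),
    Device("galaxy-ops-03", "android", "14", 6, False, True, True),
]

if __name__ == "__main__":
    findings = report(SAMPLE_FLEET)
    print(f"{len(findings)} of {len(SAMPLE_FLEET)} devices would fail compliance")
    for name, reasons in findings.items():
        print(f"  {name}: {'; '.join(reasons)}")
```

Run it against an export of your real inventory once the fields are mapped; the count of devices in the report is the number of lockouts you would trigger by switching the policy from report-only to enforced, and the per-device reasons are the list to work through with users before you do.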

Intune Licensing Options for UK Businesses

Intune is available through several licensing paths:

  • Microsoft 365 Business Premium (£18.70/user/month) — includes Intune Plan 1, plus Office apps, Exchange, Teams, and advanced security features. The best value for SMEs.
  • Microsoft 365 E3/E5 — includes Intune Plan 1 (E3) or Plan 2 (E5), designed for larger organisations.
  • Intune Plan 1 standalone (from £5.60/user/month) — for businesses that do not need the full Microsoft 365 suite.
  • Intune Plan 2 add-on — adds advanced endpoint management features such as Microsoft Tunnel VPN and firmware-over-the-air updates.
  • Intune Suite — bundles Intune Plan 2 with additional capabilities including endpoint privilege management and advanced analytics.

Frequently Asked Questions

What is MDM (Mobile Device Management)?
MDM is software that allows businesses to remotely manage, monitor, and secure mobile devices from a central console. It covers device enrollment, policy enforcement (passcodes, encryption), app deployment, compliance monitoring, and remote wipe of lost or stolen devices.
Is Microsoft Intune free with Microsoft 365?
Intune Plan 1 is included at no extra cost with Microsoft 365 Business Premium (£18.70/user/month) and Microsoft 365 E3/E5 licences. If you already have one of these subscriptions, you can start using Intune immediately without additional licensing costs.
Can Intune manage both company-owned and personal (BYOD) devices?
Yes. Intune supports fully managed mode for corporate-owned devices (IT has complete control) and work profile mode for BYOD (Intune only manages a sandboxed work partition — personal data remains private and invisible to IT).
How long does it take to set up Intune?
Basic setup (connecting Apple and Android, creating enrollment profiles, and configuring initial policies) takes 1–2 hours. A full production deployment — including compliance policies, conditional access, app deployment, and user communications — typically takes 1–2 weeks for a business with 50–200 devices.
What happens when an employee leaves the company?
For corporate-owned devices, Intune can perform a full device wipe, returning it to factory settings ready for reissue. For BYOD devices, Intune performs a selective wipe — removing only work apps, data, and profiles while leaving personal content untouched.
Can Intune push Wi-Fi and VPN settings to devices?
Yes. Intune can deploy Wi-Fi profiles (including certificates for WPA2-Enterprise), VPN profiles (including per-app VPN), and email profiles to enrolled devices. This means employees connect to your office network and VPN automatically without entering credentials manually.
Is Intune suitable for small businesses?
Yes. While Intune scales to manage thousands of devices in enterprise environments, it is equally effective for small businesses with 5–50 devices. If you are already paying for Microsoft 365 Business Premium, Intune is included — there is no minimum device count or additional cost.
Can Connection Technologies help deploy and manage Intune?
Yes. We offer full Intune deployment services — from initial configuration and policy design to device enrollment and ongoing management. Whether you are starting from scratch or migrating from another MDM platform, our team handles the technical setup so your IT staff can focus on higher-value work.
Does Connection Technologies supply the devices as well as MDM?
Absolutely. We supply business mobile handsets on plans from EE, O2, Three, and Vodafone — pre-enrolled in Intune and ready to use out of the box. This means devices arrive at your office fully configured with your policies, apps, and Wi-Fi profiles already applied.
Why choose Connection Technologies for MDM and business mobile together?
Most businesses manage mobile plans and MDM separately, dealing with two vendors and two support teams. Connection Technologies brings both together — we source the best mobile plans across all UK networks and deploy Intune (or your preferred MDM) as part of the same service. One account manager, one bill, one support number. Call us on 0333 015 2615 or request a free quote.
