Microsoft 365 Device Onboarding Guide

Created by Rohit Yadav, Modified on Wed, 8 Oct at 12:37 PM by Rohit Yadav

Table of Contents

  1. Overview
  2. Pre-Requisites
  3. Critical: Backup Your Device First
  4. Windows Device Enrollment
  5. Company-Owned Android Enrollment
  6. Personal Android (BYOD) Enrollment
  7. iPhone/iPad (MAM) Enrollment
  8. Post-Enrollment Verification
  9. Troubleshooting
  10. FAQs
  11. Support Contact

1. Overview {#overview}

This knowledge base article provides comprehensive guidance for enrolling devices into your organization's Microsoft 365 environment using Microsoft Intune and Azure Active Directory (Microsoft Entra ID).

Supported Device Types:

  • ✅ Windows 10/11 (Company-owned)
  • ✅ Android (Company-owned - Fully Managed)
  • ✅ Android (Personal - BYOD Work Profile)
  • ✅ iOS/iPadOS (Personal - MAM only, no device enrollment)

What Gets Protected:

  • Corporate email and calendars
  • OneDrive for Business files
  • Microsoft Teams conversations
  • Office documents (Word, Excel, PowerPoint)
  • Corporate apps and data

2. Pre-Requisites {#pre-requisites}

Before enrolling any device, ensure:

For Users:

  • ✅ Microsoft 365 account credentials (email@company.com)
  • ✅ Multi-Factor Authentication (MFA) set up
  • ✅ Microsoft Authenticator app installed on mobile device
  • ✅ Stable internet connection
  • ✅ Device meets minimum requirements
  • Contact IT to verify your account is ready for enrollment

For Administrators:

  • ✅ User added to appropriate security groups
  • ✅ Wait 15-30 minutes after configuring user account before enrollment
  • ✅ Intune licenses assigned to user
  • ✅ Conditional Access policies configured
  • ✅ Enrollment restrictions configured based on user role

Minimum Device Requirements:

| Device Type | Minimum Version | Additional Requirements |
|---|---|---|
| Windows | Windows 10 version 1809 or later | TPM 2.0 for BitLocker |
| Android | Android 8.0 or later | Google Play Services installed |
| iOS/iPadOS | iOS 14.0 or later | Not jailbroken |

3. Critical: Backup Your Device First {#backup}

⚠️ BACKUP REQUIREMENTS BY DEVICE TYPE

| Device Type | Factory Reset Required? | Backup Status |
|---|---|---|
| Windows | ❌ No | ✅ Recommended |
| Company Android | YES - MANDATORY | ⚠️ CRITICAL - All data erased! |
| Personal Android | ❌ No | ✅ Recommended |
| iPhone/iPad | ❌ No | ✅ Recommended |

How to Backup:

Android Devices:

Settings → Google → Backup → Enable "Back up to Google Drive"
- Backup photos to Google Photos
- Export contacts: Contacts app → Settings → Export
- Save important files to Google Drive or computer

iPhone/iPad:

Settings → [Your Name] → iCloud → iCloud Backup → Back Up Now
- Ensure photos backed up to iCloud
- Export contacts if needed

Windows:

- Files will auto-backup to OneDrive after enrollment
- Manually backup important files to external drive as precaution
- Export browser bookmarks and passwords

4. Windows Device Enrollment {#windows}

Overview

  • Full device management with Azure AD Join
  • Automatic BitLocker encryption
  • OneDrive backup of Desktop, Documents, Pictures
  • USB and security controls based on IT policy
  • No factory reset required

Before You Start:

  • Contact IT Support to verify your account is configured for enrollment
  • ✅ Backup important files (optional but recommended)
  • ✅ Ensure stable internet connection
  • ✅ Have Authenticator app ready for MFA

Enrollment Method 1: New Windows Device

During initial Windows setup:

  1. Select "Set up for work or school"
  2. Sign in with: user@company.com
  3. Complete Multi-Factor Authentication
  4. Device automatically joins Azure AD
  5. Restart when prompted
  6. Wait 30-60 minutes for policies to apply

Enrollment Method 2: Existing Windows Device

Step-by-step process:

  1. Go to: Settings → Accounts → Access work or school
  2. Click: Connect
  3. Select: "Join this device to Azure Active Directory"
  4. Sign in: user@company.com
  5. Complete MFA verification
  6. Click: Join
  7. Restart device
  8. Sign in with work credentials
  9. Wait 30-60 minutes for policies

What Happens After Enrollment:

Security (Automatic - 1-2 hours):

  • ✅ BitLocker full-disk encryption enabled
  • ✅ Windows Defender configured with real-time protection
  • ✅ Firewall rules enforced
  • ✅ Microsoft Defender for Endpoint onboarded
  • ✅ Local admin password automatically managed

Data Protection:

  • ✅ OneDrive Known Folder Move: Desktop, Documents, Pictures auto-backup
  • ✅ Personal OneDrive blocked
  • ✅ Microsoft Store disabled (apps via Company Portal only)
  • ✅ Sensitivity labels applied to documents

Device Controls:

  • ✅ USB and peripheral controls based on your role
  • ✅ Essential devices allowed (keyboard, mouse, display)
  • ✅ Security policies enforced

Verification Steps:

After enrollment, verify success:

  1. Go to: Settings → Accounts → Access work or school
  2. Should see: "Connected to [Company Name]'s Azure AD"
  3. Click: Info button to view managed settings
  4. Check: OneDrive sync status (files backing up)
  5. Verify: BitLocker encryption active (may take 2-4 hours)
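
For IT staff who prefer to script the checks above, the following is an added example (not part of the original guide) that reads the join state from `dsregcmd /status` and the encryption, TPM and Defender state from built-in cmdlets. The function names are hypothetical; run it from an elevated PowerShell session on the enrolled device.

```powershell
# Added example: local post-enrollment checks for a Windows device.
# Function names are illustrative. Get-BitLockerVolume and Get-Tpm need admin rights.

function ConvertFrom-DsregStatus {
    # Turn "   AzureAdJoined : YES" style lines from dsregcmd into a hashtable.
    param([string[]]$Lines)
    $state = @{}
    foreach ($line in $Lines) {
        # Key, then " : ", then a non-empty value; banner and blank lines do not match.
        if ($line -match '^\s*(\w+)\s+:\s+(.*\S)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    $state
}

function New-CheckResult {
    param([string]$Check, [bool]$Pass, [string]$Detail)
    [pscustomobject]@{ Check = $Check; Pass = $Pass; Detail = $Detail }
}

function Test-WindowsEnrollment {
    $results = @()

    # 1. Azure AD join and MDM enrollment, as reported by dsregcmd.
    $dsreg = ConvertFrom-DsregStatus -Lines (dsregcmd /status)
    $results += New-CheckResult 'Azure AD joined' `
        ($dsreg['AzureAdJoined'] -eq 'YES') "AzureAdJoined = $($dsreg['AzureAdJoined'])"
    $results += New-CheckResult 'MDM enrollment URL present' `
        ([bool]$dsreg['MdmUrl']) "MdmUrl = $($dsreg['MdmUrl'])"

    # 2. BitLocker on the system drive. Encryption can still be in progress
    #    for several hours after enrollment, so report the percentage too.
    $bl = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $encrypted = ($bl.VolumeStatus -eq 'FullyEncrypted') -and ($bl.ProtectionStatus -eq 'On')
    $results += New-CheckResult 'BitLocker active on system drive' $encrypted `
        "$($bl.VolumeStatus), protection $($bl.ProtectionStatus), $($bl.EncryptionPercentage)% encrypted"

    # 3. TPM present, ready and version 2.0 (the guide's BitLocker prerequisite).
    $tpm  = Get-Tpm
    $spec = (Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                             -ClassName Win32_Tpm).SpecVersion
    $tpmOk = $tpm.TpmPresent -and $tpm.TpmReady -and ($spec -like '2.0*')
    $results += New-CheckResult 'TPM 2.0 present and ready' $tpmOk `
        "Present=$($tpm.TpmPresent), Ready=$($tpm.TpmReady), SpecVersion=$spec"

    # 4. Defender real-time protection.
    $mp = Get-MpComputerStatus
    $results += New-CheckResult 'Defender real-time protection' `
        ([bool]$mp.RealTimeProtectionEnabled) "RealTimeProtectionEnabled = $($mp.RealTimeProtectionEnabled)"

    $results
}

Test-WindowsEnrollment | Format-Table -AutoSize -Wrap
```

A failing BitLocker row with a rising percentage means encryption is still running; a failing TPM row points to the "BitLocker Not Encrypting" entry in Troubleshooting.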

User Email Template:

Subject: Action Required - Enroll Your Windows Device

Hi [User Name],

Please enroll your Windows device to access company resources.

BEFORE YOU START:
- Contact IT to confirm your account is ready (if not already done)
- Backup important files (optional but recommended)
- Ensure internet connection
- Have Authenticator app ready

STEPS:
1. Settings → Accounts → Access work or school
2. Click "Connect" → "Join this device to Azure Active Directory"
3. Sign in: [user@company.com]
4. Complete MFA verification
5. Click "Join" and restart

AFTER RESTART:
- Wait 30-60 minutes for security setup
- Desktop, Documents, Pictures will backup to OneDrive automatically
- Don't interrupt Windows updates
- Device will be encrypted for security

Questions? Contact IT Support: [support contact]

5. Company-Owned Android Device Enrollment {#android-corporate}

Overview

  • ENTIRE DEVICE managed (corporate-owned only)
  • FACTORY RESET REQUIRED - All data erased permanently
  • Android Enterprise Fully Managed enrollment
  • Corporate apps deployed automatically
  • Full remote wipe capability

CRITICAL WARNING

⚠️ FACTORY RESET IS MANDATORY

  • ALL data will be permanently erased
  • Backup contacts, photos, files BEFORE starting
  • Transfer personal data to personal device or cloud
  • Once reset, data CANNOT be recovered

Before You Start:

  • BACKUP EVERYTHING - All data will be lost
  • ✅ Contact IT to obtain QR code or enrollment token
  • ✅ Ensure device is charged (50%+ battery)
  • ✅ Have stable Wi-Fi connection
  • ✅ Have work credentials and Authenticator ready

Enrollment Steps:

Step 1: Backup Your Data (CRITICAL)

MUST DO BEFORE FACTORY RESET:
1. Settings → Google → Backup → Enable backup
2. Backup photos to Google Photos
3. Export contacts to Google account
4. Save important files to Google Drive
5. Note down any important app data

Step 2: Factory Reset

Settings → System → Reset options → Erase all data (factory reset)
- Confirm action
- Wait for device to restart
- Device will boot to setup screen

Step 3: QR Code Enrollment (Recommended)

Contact IT for QR code before starting

1. Start device setup
2. Connect to Wi-Fi
3. On Google sign-in screen: TAP 6 TIMES anywhere on screen
4. Tap "Next" when prompted to scan QR code
5. Use another device/camera to scan displayed QR code
6. Device downloads Android Device Policy app automatically
7. Sign in: user@company.com
8. Complete MFA verification
9. Follow on-screen prompts
10. Wait for setup to complete (10-15 minutes)

Step 4: Alternative - Token Method

If QR code doesn't work:

1. During setup, tap 6 times on Google sign-in screen
2. Enter: afw#setup
3. Wait for Android Device Policy to install
4. Enter enrollment token (provided by IT)
5. Sign in with work credentials
6. Complete MFA
7. Follow on-screen instructions

Step 5: Post-Enrollment (15-30 minutes)

  • Company Portal installs automatically
  • Corporate apps deploy: Outlook, Teams, OneDrive, Office apps
  • Device encryption enforced
  • Compliance policies applied
  • Do not interrupt this process

What Gets Applied:

Security:

  • ✅ Full device encryption
  • ✅ Minimum 4-digit PIN required
  • ✅ Google Play Protect scanning
  • ✅ Rooted devices blocked
  • ✅ Play Integrity verification

Management:

  • ✅ Corporate apps auto-installed
  • ✅ App updates controlled by IT
  • ✅ Device settings managed
  • ✅ Remote locate/wipe capability
  • ✅ Lost device protection

User Email Template:

Subject: URGENT - Set Up Your Company Phone (Factory Reset Required)

Hi [User Name],

Your company Android phone requires enrollment.

⚠️ CRITICAL - READ FIRST:
- Device MUST be factory reset
- ALL DATA WILL BE PERMANENTLY ERASED
- BACKUP EVERYTHING NOW before proceeding
- Contact IT for QR code: [IT contact]

BACKUP STEPS (DO THIS FIRST):
1. Settings → Google → Backup → Enable
2. Backup photos to Google Photos
3. Export contacts
4. Save files to Google Drive

ENROLLMENT STEPS:
1. Factory reset: Settings → System → Reset → Erase all data
2. During setup, connect to Wi-Fi
3. On Google sign-in: TAP 6 TIMES
4. Scan QR code (get from IT)
5. Sign in: [user@company.com]
6. Complete MFA
7. Wait 30 minutes for setup

WHAT TO EXPECT:
- Device fully managed by company
- Work apps installed automatically
- Device encrypted for security
- Can be remotely wiped if lost/stolen

DO NOT PROCEED until you've backed up everything!

Questions? Contact IT: [support contact]

6. Personal Android (BYOD) Enrollment {#android-byod}

Overview

  • Work Profile ONLY managed (separate container)
  • Personal apps and data remain 100% PRIVATE
  • IT CANNOT see, access, or manage personal side
  • Work apps have briefcase icon
  • NO factory reset required
  • Work profile can be removed anytime

Before You Start:

  • ✅ Backup device (optional but recommended)
  • ✅ Ensure Android 8.0 or later
  • ✅ Have work credentials ready
  • ✅ Install Authenticator app if not already installed

Enrollment Steps:

Step 1: Install Company Portal App

1. Open Google Play Store
2. Search: "Intune Company Portal"
3. Install the app
4. Do NOT open yet

Step 2: Set Up Work Profile

1. Open Company Portal app
2. Tap "Sign In"
3. Enter: user@company.com
4. Complete MFA authentication
5. Tap "Begin" when prompted to set up work profile
6. Tap "Continue" to create work profile
7. Set work profile password (can be different from device password)
8. Accept permissions for work profile
9. Wait for work apps to install (10-15 minutes)

Step 3: Install Work Apps

1. Look for Play Store with briefcase icon (Work Play Store)
2. Work apps will appear automatically:
   - Microsoft Outlook
   - Microsoft Teams
   - OneDrive for Business
   - Word, Excel, PowerPoint
3. Additional apps available in Work Play Store

What Gets Applied:

Work Profile (Managed):

  • ✅ Separate password required
  • ✅ Copy/paste between work and personal BLOCKED
  • ✅ Screenshots of work apps BLOCKED
  • ✅ Work data encrypted
  • ✅ Google Play Protect scans work apps
  • ✅ Rooted devices blocked from work access

Personal Side (Untouched):

  • ✅ Personal apps not managed
  • ✅ Personal data remains completely private
  • ✅ IT cannot see personal content
  • ✅ Personal apps function normally
  • ✅ Only work profile can be wiped (not entire device)

How to Identify Work Apps:

  • All work apps have briefcase icon
  • Two separate versions: Personal Gmail vs Work Outlook
  • Work Play Store has briefcase icon
  • Work apps grouped in separate folder

Removing Work Access:

If you leave company or want to remove work access:

Settings → Accounts → Work Profile → Remove work profile
- Only work apps/data deleted
- Personal data completely unaffected

User Email Template:

Subject: Add Work Profile to Your Personal Android Phone

Hi [User Name],

You can now access company email and apps on your personal phone while keeping your personal data completely private.

✅ YOUR PRIVACY:
- Personal apps and data remain 100% private
- IT CANNOT see your personal information
- Only work apps (briefcase icon) are managed
- No factory reset required

OPTIONAL BUT RECOMMENDED:
- Backup your phone first (Settings → Google → Backup)

SETUP STEPS:
1. Open Google Play Store
2. Install "Intune Company Portal"
3. Open Company Portal → Sign In
4. Enter: [user@company.com]
5. Complete MFA
6. Tap "Begin" to create work profile
7. Set work profile password
8. Wait for work apps to install (15 minutes)

AFTER SETUP:
- Work apps have briefcase icon
- Use Work Play Store for more work apps
- Use work Outlook for business email
- Personal apps stay completely separate

REMOVING WORK ACCESS:
If needed, just delete work profile - personal data stays intact!

Questions? Contact IT: [support contact]

7. iPhone/iPad (MAM) Enrollment {#ios}

Overview

  • Work Apps ONLY managed (Outlook, Teams, OneDrive)
  • NO device enrollment or Company Portal required
  • Uses Mobile Application Management (MAM) only
  • Personal apps and data remain 100% PRIVATE
  • IT CANNOT see, access, or manage personal content
  • Corporate data can be wiped without affecting personal data
  • App PIN required (separate from device passcode)

Before You Start:

  • ✅ Backup iPhone/iPad (recommended)
  • ✅ Ensure iOS 14.0 or later
  • ✅ Have work credentials ready
  • ✅ Device must NOT be jailbroken

Enrollment Steps:

Step 1: Install Microsoft Apps

1. Open App Store
2. Search and install these apps:
   - Microsoft Outlook (required)
   - Microsoft Teams (required)
   - OneDrive (required)
   - Microsoft Word (optional)
   - Microsoft Excel (optional)
   - Microsoft PowerPoint (optional)
   - Microsoft Edge (optional)

Step 2: Sign In to Outlook

1. Open Outlook app
2. Tap "Get Started" or "Add Account"
3. Enter: user@company.com
4. Complete MFA authentication
5. When prompted: CREATE APP PIN (4+ digits)
   - This is separate from your device passcode
   - Use different PIN than device for security
6. Enable Touch ID/Face ID (optional but recommended)
7. Accept app protection policies
8. Wait for email to sync

Step 3: Set Up Other Apps

1. Open Teams app
   - Sign in with same work account
   - Use SAME APP PIN created in Outlook
   - Enable Touch ID/Face ID

2. Open OneDrive app
   - Sign in with same work account
   - Use SAME APP PIN
   - Enable Touch ID/Face ID

3. Repeat for Word, Excel, PowerPoint, Edge
   - Same work account
   - Same APP PIN across all apps

What Gets Applied:

Work Apps (Protected):

  • App PIN required (every 30 minutes of inactivity)
  • Touch ID/Face ID enabled for convenience
  • Work data encrypted within apps
  • Screenshots of work content BLOCKED
  • Cannot copy work data to personal apps
  • Cannot backup work data to iCloud
  • Work files stored in OneDrive only
  • Work email in Outlook only
  • App PIN must be changed every 90 days

Personal Side (Untouched):

  • ✅ Personal apps function normally
  • ✅ Personal data remains completely private
  • ✅ Device settings not managed
  • ✅ IT cannot see personal content
  • ✅ No restrictions on personal iPhone features
  • ✅ Personal iCloud backup works normally

App PIN Requirements:

  • Minimum 4 digits (6+ recommended)
  • Required every 30 minutes of inactivity
  • Must be changed every 90 days
  • 5 failed attempts = PIN reset required
  • Should be different from device passcode

Offline Access:

  • Work apps accessible for 24 hours offline
  • After 24 hours: Must connect to internet to refresh
  • After 90 days offline: Corporate data wiped from apps

Important Notes:

  • Jailbroken devices BLOCKED - Cannot access work apps
  • Work apps check for jailbreak on every launch
  • Must connect to internet every 24 hours
  • App PIN different from device passcode

User Email Template:

Subject: Access Company Email on Your iPhone/iPad

Hi [User Name],

You can now access work email and apps on your iPhone/iPad while keeping your personal data completely private.

✅ YOUR PRIVACY:
- Personal apps and data remain 100% private
- IT CANNOT access your photos, messages, or personal apps
- No device-level management
- Only work apps are protected
- Remove work apps anytime

OPTIONAL BUT RECOMMENDED:
- Backup iPhone: Settings → [Your Name] → iCloud → Backup

SETUP STEPS:
1. App Store → Install:
   - Microsoft Outlook (required)
   - Microsoft Teams (required)
   - OneDrive (required)

2. Open Outlook app
3. Add Account → [user@company.com]
4. Complete MFA
5. CREATE APP PIN (4+ digits) - remember this!
6. Enable Touch ID/Face ID (optional)

7. Open Teams → Sign in → Use SAME APP PIN
8. Open OneDrive → Sign in → Use SAME APP PIN

WHAT YOU'LL NOTICE:
- Work apps require APP PIN to open (every 30 min)
- Touch ID/Face ID can unlock work apps
- Cannot copy work emails to personal notes
- Cannot screenshot work documents
- Work files stay in OneDrive (not iCloud)

YOUR PRIVACY:
- Personal apps completely private
- No device restrictions
- Remove work apps anytime

IMPORTANT:
- App PIN required every 30 minutes
- Change App PIN every 90 days
- Must connect to internet every 24 hours
- Jailbroken devices cannot access work apps

Questions? Contact IT: [support contact]

8. Post-Enrollment Verification {#verification}

For Users - How to Verify Enrollment:

Windows:

1. Settings → Accounts → Access work or school
2. Should see: "Connected to [Company]'s Azure AD"
3. Click "Info" → View management details
4. Check OneDrive sync icon in taskbar (files syncing)
5. Try accessing Outlook/Teams (should work seamlessly)

Company-Owned Android:

1. Settings → Accounts → Check work account present
2. Open Company Portal → View device compliance
3. Check for briefcase icon on corporate apps
4. Try opening Outlook (should work without additional login)
5. Verify device encryption: Settings → Security → Encryption

Personal Android (BYOD):

1. Look for briefcase icon on work apps
2. Try opening work Outlook (requires work password)
3. Open Company Portal → View compliance status
4. Verify two Play Stores: Personal and Work
5. Test copy/paste between personal and work (should be blocked)

iPhone/iPad:

1. Open Outlook → Should require App PIN
2. Try screenshot in Outlook (should be blocked)
3. Check Touch ID/Face ID works to unlock work apps
4. Verify cannot copy work email to personal Notes
5. Open OneDrive → Files accessible

For Administrators - Verification Checklist:

Windows Devices:

  •  Device appears in Intune: Devices → Windows devices
  •  Compliance status: Compliant
  •  Encryption status: Encrypted
  •  BitLocker recovery key backed up
  •  Last check-in: Within 24 hours
  •  Policies applied: All assigned policies showing "Succeeded"
  •  Microsoft Defender: Onboarded and active

Android Devices (Corporate):

  •  Device appears in Intune: Devices → Android devices
  •  Enrollment type: "Corporate-owned fully managed"
  •  Compliance status: Compliant
  •  Encryption: Enabled
  •  Root status: Not rooted
  •  Play Integrity: Pass
  •  Corporate apps: Installed

Android Devices (BYOD):

  •  Device appears in Intune: Devices → Android devices
  •  Enrollment type: "Personally-owned work profile"
  •  Compliance status: Compliant
  •  Root status: Not rooted
  •  Work profile: Active
  •  App protection policy: Applied

iPhone/iPad (MAM):

  •  User appears in: Apps → App protection status
  •  Managed apps: Outlook, Teams, OneDrive showing as "Protected"
  •  App protection policy: Applied
  •  Last check-in: Within 24 hours
  •  Jailbreak status: Not jailbroken
  •  App PIN: Configured
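
The enrolled-device parts of this checklist (compliance, encryption, root status, check-in within 24 hours) can be applied to a device export in bulk. The following is an added example, not part of the original guide: the records are constructed, the function name is hypothetical, and the property names are assumed to follow the Microsoft Graph managedDevice resource. MAM-only iPhones/iPads are not enrolled devices, so they are checked under Apps → App protection status instead.

```powershell
# Added example: apply the administrator checklist to a list of device records.
# The records below are CONSTRUCTED samples, not real devices. Property names
# (complianceState, isEncrypted, jailBroken, lastSyncDateTime, ...) are assumed
# to match the Microsoft Graph managedDevice resource.

$now = (Get-Date).ToUniversalTime()

$devices = @(
    [pscustomobject]@{ deviceName = 'LAPTOP-EXAMPLE-01'; operatingSystem = 'Windows'
        managedDeviceOwnerType = 'company';  complianceState = 'compliant'
        isEncrypted = $true;  jailBroken = 'Unknown'; lastSyncDateTime = $now.AddHours(-3) }
    [pscustomobject]@{ deviceName = 'LAPTOP-EXAMPLE-02'; operatingSystem = 'Windows'
        managedDeviceOwnerType = 'company';  complianceState = 'noncompliant'
        isEncrypted = $false; jailBroken = 'Unknown'; lastSyncDateTime = $now.AddHours(-5) }
    [pscustomobject]@{ deviceName = 'PHONE-EXAMPLE-COBO'; operatingSystem = 'Android'
        managedDeviceOwnerType = 'company';  complianceState = 'compliant'
        isEncrypted = $true;  jailBroken = 'False';   lastSyncDateTime = $now.AddHours(-40) }
    [pscustomobject]@{ deviceName = 'PHONE-EXAMPLE-BYOD'; operatingSystem = 'Android'
        managedDeviceOwnerType = 'personal'; complianceState = 'compliant'
        isEncrypted = $false; jailBroken = 'True';    lastSyncDateTime = $now.AddHours(-1) }
)

function Test-EnrollmentChecklist {
    param(
        [Parameter(Mandatory)] $Device,
        [datetime] $Now = (Get-Date).ToUniversalTime(),
        [int] $MaxCheckInHours = 24      # "Last check-in: Within 24 hours"
    )
    $issues = @()

    # Compliance status must be Compliant.
    if ($Device.complianceState -ne 'compliant') {
        $issues += "compliance state is '$($Device.complianceState)'"
    }

    # Last check-in must be recent.
    $age = [math]::Round(($Now - $Device.lastSyncDateTime).TotalHours, 1)
    if ($age -gt $MaxCheckInHours) {
        $issues += "last check-in $age hours ago"
    }

    # Root status applies to both corporate and BYOD Android.
    if ($Device.jailBroken -eq 'True') {
        $issues += 'device reports rooted/jailbroken'
    }

    # Encryption is listed for Windows and corporate Android only; a BYOD
    # work profile is covered by the app protection policy instead.
    if ($Device.managedDeviceOwnerType -eq 'company' -and -not $Device.isEncrypted) {
        $issues += 'not encrypted'
    }

    [pscustomobject]@{
        Device = $Device.deviceName
        OS     = $Device.operatingSystem
        Owner  = $Device.managedDeviceOwnerType
        Pass   = ($issues.Count -eq 0)
        Issues = ($issues -join '; ')
    }
}

$devices |
    ForEach-Object { Test-EnrollmentChecklist -Device $_ -Now $now } |
    Format-Table -AutoSize -Wrap
```

With the sample records, only LAPTOP-EXAMPLE-01 passes; the others fail on compliance and encryption, stale check-in, and root status respectively.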

9. Troubleshooting {#troubleshooting}

Windows Issues

Issue: Device Won't Enroll

Symptoms: Error during Azure AD join, enrollment fails

Solutions:

  1. Verify user account configured by IT (contact support)
  2. Check internet connectivity (stable Wi-Fi or Ethernet)
  3. Ensure Windows is updated (Settings → Update & Security)
  4. Try: Sign out → Restart → Sign back in
  5. Disable VPN during enrollment
  6. Check date/time is correct (auto-sync enabled)

Issue: Policies Not Applying

Symptoms: BitLocker not enabled, OneDrive not syncing

Solutions:

  1. Wait 2 hours for initial policy sync
  2. Manual sync: Settings → Accounts → Access work or school → Select account → Info → Sync
  3. Restart device
  4. Check device shows as "Compliant" in Intune (ask IT)
  5. Verify all Windows updates installed

Issue: BitLocker Not Encrypting

Symptoms: Drive still unencrypted after 4+ hours

Solutions:

  1. Verify device has TPM 2.0 chip (run: tpm.msc)
  2. Check if BitLocker supported on device
  3. Encryption may take 4-8 hours depending on drive size
  4. Don't turn off device during encryption
  5. Contact IT if still not encrypted after 24 hours

Issue: USB Still Works (Should Be Blocked)

Symptoms: USB drives accessible when should be restricted

Solutions:

  1. Verify with IT that USB restriction is configured for your role
  2. Wait 2 hours for policy application
  3. Restart device
  4. Try different USB port
  5. Manual policy sync (see above)

Company-Owned Android Issues

Issue: QR Code Won't Scan

Symptoms: Camera not recognizing QR code

Solutions:

  1. Ensure device is factory reset (must start fresh)
  2. Clean camera lens
  3. Adjust brightness of QR code display
  4. Move device closer/farther from QR code
  5. Try manual token entry: Tap 6 times → Enter token manually
  6. Use different device to display QR code
  7. Contact IT for new QR code (may be expired)

Issue: Device Won't Complete Setup

Symptoms: Stuck on "Setting up device" screen

Solutions:

  1. Check Wi-Fi is stable and fast
  2. Don't let device screen turn off during setup
  3. Ensure device charged (50%+)
  4. Wait 30 minutes - setup can be slow
  5. Try different Wi-Fi network
  6. Factory reset and try again
  7. Contact IT - account may not be configured correctly

Issue: Apps Not Installing

Symptoms: Company Portal empty, no apps deploying

Solutions:

  1. Wait 60 minutes for full app deployment
  2. Check device storage (need 2GB+ free space)
  3. Manual sync: Settings → Accounts → Tap work account → Sync
  4. Check internet connection
  5. Restart device
  6. Contact IT - app deployment may have issues

Issue: "Device Not Compliant" Error

Symptoms: Can't access apps, compliance error message

Solutions:

  1. Check device not rooted (Settings → About phone)
  2. Verify Google Play Protect enabled
  3. Update Google Play Services
  4. Manual sync (see above)
  5. Wait 30 minutes for compliance check
  6. Contact IT

Personal Android (BYOD) Issues

Issue: Work Profile Won't Create

Symptoms: Error creating work profile during setup

Solutions:

  1. Verify Android version 8.0 or later (Settings → About phone)
  2. Check device supports work profiles (most do)
  3. Restart device
  4. Uninstall Company Portal → Reinstall → Try again
  5. Ensure stable internet connection
  6. Contact IT - account may not be configured
  7. Check device not rooted

Issue: Can't Copy/Paste Between Personal and Work

Symptoms: Copy/paste not working between containers

Explanation:

  • This is by design - security feature
  • Prevents data leakage between personal and work
  • Use work apps for work documents only
  • Use personal apps for personal content
  • Cannot be disabled - this is intentional

Workaround:

  • Save work files to OneDrive, open in personal browser if needed for copying
  • Use work apps exclusively for work tasks

Issue: Work Apps Not in Work Play Store

Symptoms: Work Play Store (briefcase icon) empty or apps missing

Solutions:

  1. Wait 30 minutes after enrollment
  2. Manual sync Company Portal app
  3. Check internet connectivity
  4. Verify work profile is active (Settings → Accounts)
  5. Restart device
  6. Contact IT - app assignment may be missing

Issue: Can't Find Work Play Store

Symptoms: No briefcase icon on Play Store

Solutions:

  1. Look in app drawer for "Play Store" with briefcase icon
  2. Work profile may not be created correctly
  3. Settings → Accounts → Check for work profile
  4. May need to re-enroll work profile
  5. Contact IT

iPhone/iPad Issues

Issue: App Won't Accept Work Email

Symptoms: Cannot sign in to Outlook/Teams with work account

Solutions:

  1. Verify work email address is correct
  2. Check MFA is set up (Authenticator app)
  3. Try signing in on different Microsoft app (Teams usually works)
  4. Ensure iOS 14.0 or later
  5. Check internet connection
  6. Delete app → Reinstall → Try again
  7. Wait 30 minutes if account just created
  8. Contact IT - account may not be configured correctly

Issue: No App PIN Prompt

Symptoms: Apps don't ask for App PIN during sign-in

Solutions:

  1. Wait 1 hour for policies to apply after first sign-in
  2. Close app completely (swipe up) → Reopen
  3. Sign out of app → Sign back in
  4. Reinstall app
  5. Check device not jailbroken (will block policies)
  6. Contact IT - app protection policy may not be assigned

Issue: "Device Not Compliant" Error

Symptoms: Cannot access work apps, compliance error

Solutions:

  1. Check device not jailbroken (this blocks access)
  2. If jailbroken: Must restore to factory iOS
  3. Verify iOS version updated (Settings → General → Software Update)
  4. Restart iPhone/iPad
  5. Sign out of app → Sign back in
  6. Wait 30 minutes for compliance check
  7. Contact IT

Issue: Forgot App PIN

Symptoms: Cannot unlock work apps, forgot PIN

Solutions:

  1. After 5 failed attempts, will be prompted to reset PIN
  2. Sign out of Outlook → Sign back in → Create new PIN
  3. New PIN will work across all work apps
  4. Write down PIN this time (securely)
  5. Consider using Touch ID/Face ID instead

Issue: App Says "Check Back Later"

Symptoms: Work apps show "Check back later" message

Solutions:

  1. Device offline too long (24+ hours)
  2. Connect to internet (Wi-Fi or cellular)
  3. Open app → Wait for policy refresh (15-30 minutes)
  4. Force close app → Reopen
  5. Sign out → Sign back in
  6. Check date/time is correct
  7. Contact IT if persists

Issue: Cannot Take Screenshots

Symptoms: Screenshot button doesn't work in work apps

Explanation:

  • This is by design - security feature
  • Screenshots blocked in Outlook, Teams, OneDrive, Office apps
  • Prevents corporate data leakage
  • Cannot be disabled - this is intentional

Workaround:

  • Use export/share features within the app
  • Save document to OneDrive, open in personal browser if needed

General Issues (All Devices)

Issue: MFA Not Working

Symptoms: Can't complete multi-factor authentication

Solutions:

  1. Ensure Authenticator app installed
  2. Go to https://aka.ms/mfasetup to configure MFA
  3. Check phone number/email for MFA is correct
  4. Try backup MFA method (SMS, phone call)
  5. Check time/date on device is correct
  6. Contact IT to reset MFA settings

Issue: Policies Taking Too Long

Symptoms: Enrollment complete but policies not applying

Timeline:

  • Initial policy application: 1-2 hours (normal)
  • BitLocker encryption: 4-8 hours (normal)
  • App deployments: 30-60 minutes (normal)

Solutions:

  1. Wait recommended time first
  2. Manual sync available on all platforms
  3. Restart device to force policy check
  4. Check device appears as "Compliant" in Intune (ask IT)
  5. If 24+ hours: Contact IT

Issue: "Not Enough Licenses" Error

Symptoms: Error about licenses during enrollment

Solutions:

  1. Contact IT immediately
  2. User needs Intune license assigned
  3. IT admin must assign license from Microsoft 365 admin center
  4. Wait 30 minutes after license assigned
  5. Try enrollment again

Issue: Account Not Ready

Symptoms: Various errors indicating account not configured

Solutions:

  1. Contact IT to verify account configured for device enrollment
  2. User may need to be added to security groups
  3. Wait 30 minutes after IT configures account
  4. Verify MFA is set up correctly
  5. Check user has correct licenses assigned
  6. Try enrollment again after IT confirms ready

10. Frequently Asked Questions (FAQs) {#faqs}

General Questions

Q: Do I need to enroll my personal device? A: It depends on your organization's policy. Personal Android and iOS devices can be enrolled using BYOD (Bring Your Own Device) options that keep your personal data completely private. Contact IT to confirm requirements.

Q: Can IT see my personal data? A:

  • Windows (Company-owned): This is a company device, so IT has full management
  • Company Android: This is a company device, so IT has full management
  • Personal Android (BYOD): NO - only the work profile container is managed
  • iPhone/iPad (MAM): NO - only work apps are managed, personal data is private

Q: What happens if I leave the company? A:

  • Windows: Device may be wiped or returned to IT
  • Company Android: Device must be returned and will be wiped
  • Personal Android: Only work profile removed, personal data stays
  • iPhone/iPad: Only work apps and data removed, personal data stays

Q: Can I use my device offline? A:

  • Windows: Yes, but must connect every few days for policy updates
  • Android: Yes, but work profile requires check-in every 24 hours
  • iPhone/iPad: Yes, but apps require internet connection every 24 hours

Q: How long does enrollment take? A:

  • Initial enrollment: 10-30 minutes
  • Full policy application: 1-2 hours
  • BitLocker encryption (Windows): 4-8 hours

Windows-Specific Questions

Q: Will enrollment slow down my computer? A: No. Enrollment adds security features (BitLocker, Defender) that run in the background with minimal performance impact. Most users notice no difference.

Q: Can I still install my own software? A: Microsoft Store is disabled. Software must be installed via Company Portal or by IT admin. Request specific software through IT support.

Q: What happens to my personal files? A: If this is a company device, all files should be work-related. Desktop, Documents, and Pictures will backup to OneDrive for Business automatically.

Q: Can I use external USB drives? A: Depends on your role. Some users have USB access, others have it blocked for security. Contact IT if you need USB access for legitimate business needs.

Q: What if I forget my password? A: Use the password reset option at the login screen or go to https://aka.ms/sspr to reset your password.

Q: Can I unenroll my device? A: If this is a company device, no - it must remain enrolled. Contact IT if you have concerns.


Android-Specific Questions

Q: What's the difference between company-owned and BYOD enrollment? A:

  • Company-owned: Entire device managed, factory reset required, full IT control
  • BYOD: Only work profile managed, no factory reset, personal data private

Q: Can I remove the work profile from my personal Android? A: Yes! Settings → Accounts → Work Profile → Remove. This only removes work apps/data, personal data stays intact.

Q: Why can't I copy/paste between personal and work apps? A: This is a security feature to prevent corporate data from leaking to personal apps. It's intentional and cannot be disabled.

Q: Can I use the same apps for work and personal? A: On BYOD devices, you'll have two versions - personal Gmail and work Outlook, for example. This keeps work and personal separate.

Q: What if I root my device? A: Rooted devices are automatically blocked from accessing corporate resources for security reasons. You must unroot to access work apps.

Q: Can I factory reset my company phone myself? A: Contact IT first. Company phones may have device protection that prevents unauthorized resets.

Q: How do I know which apps are work apps? A: On BYOD devices, all work apps have a briefcase icon. On company devices, all apps are considered work apps.


iPhone/iPad-Specific Questions

Q: Why don't I need Company Portal on iPhone? A: iPhones use Mobile Application Management (MAM) which protects apps directly without device enrollment or Company Portal.

Q: Can I use personal Outlook instead of work Outlook? A: No. You must use the work Outlook app signed in with your work account. Personal and work accounts should be in separate apps.

Q: Why do I need an App PIN if I have Face ID? A: App PIN is required for security. Face ID is a convenience feature that saves you from typing the PIN every time, but you must set up the PIN first.

Q: Can I remove work apps anytime? A: Yes! Simply delete the apps from your iPhone. Corporate data is removed with them, personal data stays intact.

Q: What if I restore my iPhone from backup? A: You'll need to reinstall work apps and sign in again. App PIN will need to be recreated.

Q: Can IT wipe my iPhone? A: No. IT can only wipe corporate data from work apps. They cannot wipe your entire iPhone or access personal data.

Q: Why can't I take screenshots in Outlook? A: This is a security feature to prevent corporate data leakage through screenshots. It's intentional and cannot be disabled.

Q: Do I need to be online all the time? A: No, but work apps need to check in every 24 hours. After 24 hours offline, apps will require an internet connection to refresh access.


Security & Privacy Questions

Q: Can IT read my emails? A: IT administrators can access corporate email and data if required for business purposes, investigations, or legal compliance. Personal emails on personal devices remain private.

Q: Can IT track my location? A:

  • Windows/Company Android: Device location may be tracked if lost/stolen for recovery
  • Personal Android (BYOD): Only work profile, not entire device location
  • iPhone/iPad (MAM): No location tracking

Q: Can IT see my browsing history? A:

  • Windows (Company device): Potentially yes, as it's a company device
  • Personal devices (BYOD/MAM): Only work apps are monitored, personal browsing private

Q: Is my data encrypted? A: Yes! All enrolled devices use encryption:

  • Windows: BitLocker full-disk encryption
  • Android: Full device or work profile encryption
  • iPhone/iPad: App-level encryption

Q: What happens if my device is lost or stolen? A:

  • Company devices: Can be remotely located and wiped
  • Personal devices (BYOD/MAM): Only work data wiped, personal data stays
  • Contact IT immediately if device is lost!

Q: Can IT install apps on my personal device? A:

  • Personal Android (BYOD): Only in work profile, not on personal side
  • iPhone/iPad (MAM): No, you control which apps you install

Compliance & Policy Questions

Q: What happens if my device becomes non-compliant? A: You'll receive notifications to fix the issue. If not resolved:

  • Access to corporate email/apps may be blocked
  • Device may be marked as restricted
  • Contact IT for help resolving compliance issues

Q: Why do I need MFA? A: Multi-Factor Authentication (MFA) adds critical security by requiring two forms of verification. This prevents unauthorized access even if your password is compromised.

Q: How often do I need to change my password? A: Depends on your organization's policy. Typically every 90 days. You'll receive notifications when password change is required.

Q: Can I disable security features? A: No. Security features (encryption, antivirus, firewall, App PIN) are enforced by policy and cannot be disabled by users.

Q: What if I disagree with a policy? A: Contact IT or management to discuss your concerns. Policies are set based on security requirements and compliance needs.


Technical Questions

Q: What is Azure AD / Microsoft Entra ID? A: Microsoft's cloud-based identity and access management service. It's how you securely sign in to Microsoft 365 and other corporate resources.

Q: What is Intune / MDM? A: Microsoft Intune is Mobile Device Management (MDM) that securely manages devices and apps, applies policies, and protects corporate data.

Q: What is MAM? A: Mobile Application Management (MAM) protects corporate data within apps (like Outlook on iPhone) without managing the entire device.

Q: What is a work profile? A: On Android BYOD devices, a work profile is a separate container for work apps and data, keeping it isolated from personal apps.

Q: What is BitLocker? A: Windows encryption technology that protects data by encrypting the entire drive. Required on all managed Windows devices.

Q: What is Conditional Access? A: Security policies that check conditions (location, device compliance, risk level) before allowing access to corporate resources.


Troubleshooting Questions

Q: Enrollment failed - what do I do? A:

  1. Verify your account is ready (contact IT)
  2. Check internet connection
  3. Ensure device meets minimum requirements
  4. Wait 30 minutes if account just created
  5. Try again; if it still fails, contact IT with the error message

Q: Policies aren't applying - how long should I wait? A: Initial policies take 1-2 hours. BitLocker encryption may take 4-8 hours. If nothing after 24 hours, contact IT.

Q: Who do I contact for help? A: Contact IT Support (see Support Contact section below). Have ready:

  • Your name and email
  • Device type (Windows/Android/iPhone)
  • Error message or issue description
  • When the issue started

Q: Can I enroll multiple devices? A: Yes, most users can enroll 2-3 devices. Exact limits depend on your organization's policy. Contact IT if you need to enroll additional devices.

Q: What if my personal device is too old? A: Devices must meet minimum requirements (Windows 10+, Android 8+, iOS 14+). Older devices cannot be enrolled for security reasons.


11. Support Contact {#support}

For Users - Getting Help

Before Contacting Support:

  1. Check this KB article for your issue
  2. Try basic troubleshooting (restart, check internet)
  3. Wait recommended time for policies (1-2 hours)
  4. Note any error messages

When Contacting Support, Provide:

  • Your full name and work email
  • Device type (Windows 10/11, Android, iPhone/iPad)
  • Enrollment status (new enrollment, already enrolled, etc.)
  • Detailed description of issue
  • Error messages or screenshots (if available)
  • When issue started
  • What troubleshooting steps you've tried

IT Support Contact:

  • Email: [Insert IT support email]
  • Phone: [Insert support phone number]
  • Support Hours: [Insert support hours]
  • Support Portal: [Insert helpdesk portal URL if available]
  • Teams: [Insert Teams channel if applicable]

Expected Response Times:

  • Critical issues (cannot access email): 2-4 hours
  • High priority (device enrollment issues): Same business day
  • Normal priority (policy questions): 1-2 business days
  • Low priority (feature requests): 3-5 business days

For Administrators - Escalation

Microsoft 365 Admin Center:

Microsoft Intune Admin Center:

Microsoft 365 Defender Portal:

Microsoft Entra ID Admin Center:

Microsoft Support:

Documentation Resources:

Community Support:


Deployment Partner Support

CloudAid365 / Foetron Consultancy Services

  • For deployment assistance and consultation
  • Contact: [Insert partner contact information]
  • Website: [Insert partner website]
  • Email: [Insert partner support email]

Document Information

Document Details:

  • KB Article ID: CA365-KB-2025-001
  • Version: 1.0
  • Published: October 8, 2025
  • Last Updated: October 8, 2025
  • Next Review: January 8, 2026

Document Classification:

  • Public - External Distribution Approved
  • Suitable for end-user distribution

Related Articles:

  • CA365-KB-2025-002: Microsoft 365 Security Best Practices
  • CA365-KB-2025-003: Multi-Factor Authentication Setup Guide
  • CA365-KB-2025-004: OneDrive for Business User Guide
  • CA365-KB-2025-005: Microsoft Teams User Guide

Change Log:

Version | Date | Author | Changes
1.0 | October 8, 2025 | CloudAid365 Support Team | Initial publication

Quick Reference Cards

Windows Enrollment - Quick Steps

1. Settings → Accounts → Access work or school
2. Connect → Join this device to Azure Active Directory
3. Sign in: user@company.com
4. Complete MFA
5. Join → Restart
6. Wait 30-60 minutes

Company Android - Quick Steps

1. BACKUP EVERYTHING (data will be erased)
2. Factory reset device
3. During setup, tap 6 times on Google sign-in
4. Scan QR code (from IT)
5. Sign in: user@company.com
6. Complete MFA
7. Wait 30 minutes

Personal Android - Quick Steps

1. Install Intune Company Portal from Play Store
2. Open → Sign In
3. Enter: user@company.com
4. Complete MFA
5. Create work profile
6. Set work profile password
7. Wait 15 minutes for apps

iPhone/iPad - Quick Steps

1. Install Outlook, Teams, OneDrive from App Store
2. Open Outlook → Add Account
3. Enter: user@company.com
4. Complete MFA
5. Create App PIN (4+ digits)
6. Enable Touch ID/Face ID
7. Repeat for Teams and OneDrive (same PIN)

Appendix: Technical Specifications

Supported Platforms

Windows:

  • Windows 10 version 1809 or later
  • Windows 11 (all versions)
  • TPM 2.0 required for BitLocker
  • UEFI firmware (for Secure Boot)

Android:

  • Android 8.0 (Oreo) or later
  • Google Play Services required
  • Android Enterprise supported
  • Samsung Knox supported
  • Not rooted/unlocked bootloader

iOS/iPadOS:

  • iOS/iPadOS 14.0 or later
  • iOS/iPadOS 15.0+ recommended
  • Not jailbroken
  • iCloud account recommended

Network Requirements

Required URLs (must be accessible):

  • *.microsoft.com
  • *.microsoftonline.com
  • *.windows.net
  • *.manage.microsoft.com
  • *.protection.outlook.com
  • login.microsoftonline.com
  • *.google.com (for Android)
  • *.apple.com (for iOS)

Ports:

  • 443 (HTTPS) - Required
  • 80 (HTTP) - Required for redirects
  • 5223 (Apple Push Notification) - iOS only

Bandwidth:

  • Minimum: 1 Mbps per device
  • Recommended: 5 Mbps per device for initial enrollment
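
For administrators, the following added example (not part of the original article) checks a proxy or firewall egress allowlist against the required URLs and ports listed above and reports what is still blocked. The wildcard semantics, the pairing of port 5223 with *.apple.com, and the sample allowlist are assumptions constructed for illustration.

```python
# Audit an egress allowlist against the article's Network Requirements.
COMMON_HOSTS = [
    "*.microsoft.com", "*.microsoftonline.com", "*.windows.net",
    "*.manage.microsoft.com", "*.protection.outlook.com",
    "login.microsoftonline.com",
]
PLATFORM_HOSTS = {"android": ["*.google.com"], "ios": ["*.apple.com"]}
COMMON_PORTS = [443, 80]
# Assumption: 5223 (Apple Push Notification) is needed toward *.apple.com only.
PLATFORM_PORTS = {"ios": {"*.apple.com": [5223]}}

def covers(rule, required):
    """True if allow-rule `rule` admits every host matching `required`.
    Assumption: a leading "*." matches one or more subdomain labels and
    never the bare apex domain; confirm how your proxy reads wildcards.
    """
    rule, required = rule.lower().rstrip("."), required.lower().rstrip(".")
    if rule == required:
        return True
    if not rule.startswith("*."):
        return False  # an exact-host rule covers only that one host
    name = required[2:] if required.startswith("*.") else required
    return name.endswith(rule[1:])  # rule[1:] is ".example.com"

def requirements(platforms):
    """Expand the article's lists into (host_pattern, port) pairs."""
    needed = [(h, p) for h in COMMON_HOSTS for p in COMMON_PORTS]
    for plat in platforms:
        for host in PLATFORM_HOSTS.get(plat, []):
            ports = COMMON_PORTS + PLATFORM_PORTS.get(plat, {}).get(host, [])
            needed += [(host, p) for p in ports]
    return needed

def missing(rules, platforms):
    """Required (host_pattern, port) pairs that no allow rule covers."""
    return [(host, port) for host, port in requirements(platforms)
            if not any(port in ports and covers(pat, host)
                       for pat, ports in rules)]

# Constructed sample allowlist: (host pattern, allowed destination ports).
SAMPLE_RULES = [
    ("*.microsoft.com", {80, 443}), ("login.microsoftonline.com", {443}),
    ("*.windows.net", {443}), ("*.outlook.com", {80, 443}),
    ("*.google.com", {80, 443}), ("*.apple.com", {443}),
]

if __name__ == "__main__":
    for host, port in missing(SAMPLE_RULES, ["windows", "android", "ios"]):
        print(f"not allowed: {host}:{port}")
```

In the sample, allowing only login.microsoftonline.com leaves *.microsoftonline.com uncovered, while *.microsoft.com already covers *.manage.microsoft.com.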

Security Features Applied

Windows:

  • BitLocker 256-bit AES encryption
  • Windows Defender Antivirus (real-time)
  • Windows Defender Firewall
  • Microsoft Defender for Endpoint (EDR)
  • Windows LAPS (local admin password management)
  • Conditional Access enforcement
  • USB device control
  • Application control

Android:

  • AES-256 encryption (device or work profile)
  • Google Play Protect
  • Device integrity verification (Play Integrity API)
  • Root detection
  • App protection policies
  • VPN configuration
  • Conditional Access enforcement

iOS/iPadOS:

  • App-level encryption (256-bit AES)
  • Jailbreak detection
  • App PIN (minimum 4 digits)
  • Touch ID/Face ID support
  • Selective wipe capability
  • Data loss prevention
  • Conditional Access enforcement

End of Knowledge Base Article
