Mobile Management | Supporting MDM

This guide explains the differences between MDM and MAM, what IT teams can expect when supporting them, and the types of issues end users are most likely to experience.

Next: Supporting iOS and Android with MAM (App Protection Policies)

Supporting iOS and Android with MDM (Mobile Device Management)

When a device is fully enrolled into Intune using MDM, IT gains broader control over compliance, apps, and settings. This level of management is most common for corporate-owned devices, or in cases where a personal device (BYOD) is required to meet strict compliance rules.

This article explains what IT can expect from devices under MDM and outlines the most common issues you’ll be asked to support.

What to Expect

For end users:

  • Company Portal (iOS) or Intune app (Android) is installed.

  • Device asks for enrolment during setup or via the portal app.

  • Security requirements (PIN, encryption, biometric) must be configured.

  • Corporate apps may appear automatically on the device.

  • Some restrictions may apply (e.g. blocked app store, forced updates, controlled email profile).

For IT:

  • Device reports compliance status in Intune.

  • Apps can be pushed, updated, or removed.

  • Settings like Wi-Fi, VPN, or certificates can be deployed.

  • Conditional Access decisions rely on compliance reporting.

Common Issues and How to Handle Them

1. Device Fails to Enroll

  • Symptom: User can’t complete enrollment; stuck on profile install (iOS) or Intune registration (Android).

  • Likely cause: User not licensed for Intune, wrong credentials, or previous enrollment record not removed.

  • What IT should do:

    • Confirm user has a valid Intune/EMS licence.

    • Check for existing devices already enrolled (user may have hit device limits).

    • For iOS, verify the management profile is trusted and installed.

    • For Android, check Play Store services and that the Intune app is up to date.

2. Compliance Errors

  • Symptom: User blocked from apps (e.g. Outlook, Teams) with a message about device compliance.

  • Likely cause: Device doesn’t meet policy (e.g. PIN too simple, OS outdated, encryption missing).

  • What IT should do:

    • In Intune, review device compliance status for the user.

    • Ask the user to check device settings and remediate (update OS, set stronger passcode).

    • Trigger a manual sync from Company Portal / Intune app.

3. Apps Not Deploying

  • Symptom: Corporate apps expected on the device don’t appear.

  • Likely cause: Assignment not targeted correctly, or device hasn’t synced yet.

  • What IT should do:

    • Verify the app is assigned to the correct user/device group.

    • Confirm the app type (store app vs line-of-business) is supported on the platform.

    • Ask the user to open Company Portal (iOS) or Intune app (Android) and sync.

4. Conditional Access Blocking Access

  • Symptom: User can’t access Outlook, Teams, or OneDrive — sees an “Access blocked” or “device not compliant” message.

  • Likely cause: Device compliance not reported, or Conditional Access policies require enrollment.

  • What IT should do:

    • Confirm device is showing compliant in Intune.

    • Check last check-in time; force a sync if stale.

    • If still blocked, confirm Conditional Access rules — the device may need full compliance before access is granted.
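The checks in issues 2 and 4 can be run over an export of the user's device records. The following is an added example, not part of the original guide or any Microsoft tooling: it assumes records shaped like Microsoft Graph `managedDevice` objects (`deviceName`, `userPrincipalName`, `complianceState`, `lastSyncDateTime`), and the 24-hour staleness threshold, the step codes, and the sample data are all assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Assumption: the guide gives no threshold for a "stale" check-in; 24h is illustrative.
STALE_AFTER = timedelta(hours=24)

def parse_graph_time(ts):
    """Parse a UTC ISO 8601 timestamp such as 2025-03-10T08:15:00Z (fraction dropped)."""
    base = ts.rstrip("Z").split(".")[0]
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

def triage(devices, upn, now):
    """Return [(device_name, next_step)] for a user blocked by Conditional Access."""
    mine = [d for d in devices if d["userPrincipalName"].lower() == upn.lower()]
    if not mine:
        # No record at all: the policy may require enrollment.
        return [(None, "NOT_ENROLLED")]
    results = []
    for d in mine:
        age = now - parse_graph_time(d["lastSyncDateTime"])
        if age > STALE_AFTER:
            # Reported state is out of date, so sync before trusting it.
            step = "FORCE_SYNC"
        elif d["complianceState"] != "compliant":
            # Fresh report, policy not met: user remediates (OS update, passcode).
            step = "REMEDIATE"
        else:
            # Compliant and current, yet blocked: look at the Conditional Access rules.
            step = "CHECK_CA_RULES"
        results.append((d["deviceName"], step))
    return results

# Constructed sample records (not real devices or users).
NOW = datetime(2025, 3, 10, 12, 0, tzinfo=timezone.utc)
SAMPLE = [
    {"deviceName": "Alex-iPhone", "userPrincipalName": "alex@example.com",
     "complianceState": "compliant", "lastSyncDateTime": "2025-03-07T09:00:00Z"},
    {"deviceName": "Alex-Pixel", "userPrincipalName": "alex@example.com",
     "complianceState": "noncompliant", "lastSyncDateTime": "2025-03-10T10:30:00Z"},
    {"deviceName": "Sam-iPad", "userPrincipalName": "Sam@example.com",
     "complianceState": "compliant", "lastSyncDateTime": "2025-03-10T11:45:00.1234567Z"},
]

if __name__ == "__main__":
    for user in ("alex@example.com", "sam@example.com", "jo@example.com"):
        print(user, triage(SAMPLE, user, NOW))
```

Staleness is checked first because a compliance state from an old check-in may no longer reflect the device.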

5. Restrictions Confusing Users

  • Symptom: User reports missing features (e.g. can’t install apps, camera blocked, can’t use personal mail).

  • Likely cause: Restrictions are intentional, based on applied policy.

  • What IT should do:

    • Confirm the restriction is part of company policy.

    • Explain to the user why the restriction exists (security, compliance).

    • Escalate only if the behaviour doesn’t align with documented policy.

Key Platform Differences

iOS / iPadOS

  • Enrolment installs a management profile in Settings > General > VPN & Device Management.

  • Apps are usually delivered via the Company Portal or Apple’s Managed App Store.

  • Device syncs are less frequent; manual sync may be needed.

Android

  • Enrolment is completed through the Intune Company Portal app.

  • Corporate-owned devices may operate in a work profile or fully managed mode.

  • Play Store apps can appear under a separate “Work” tab.

IT Support Focus

  • Confirm the device is properly enrolled and syncing.

  • Check compliance policies if users are blocked from access.

  • Review app assignments and deployment status.

  • Reassure users when restrictions are expected behaviour.
