Device Administration Basics for Users


At the University of Windsor, Intune combined with Azure AD provides device and application management, corporate data protection, identity management and directory services.

Azure Active Directory (Azure AD or AAD) is Microsoft's cloud-based identity and access management directory service, which allows users to sign in and access resources such as Microsoft 365 Apps, other applications like UWinsite Student and UWinsite Finance, and internal resources such as network printers and storage. 

Intune is Microsoft’s Mobile Device Management (MDM) system that the University uses to administer University-owned (corporate) and personal (BYOD) devices used by faculty, staff and students, including desktop/laptop computers (Windows 10 / macOS) and mobile devices (Android / iOS). In general, these devices will be administered with a “light touch”, meaning that only minimal settings will be defined. In the case of classroom and lab computers, the administration will be “heavier” to ensure a consistent and secure environment for shared computers. On personal devices used for work or school ("Bring Your Own Device" or BYOD), only University apps and data will be administered (see Privacy section below for more details).




When a device is under device administration, some information about the device and its registered user is shared with the University of Windsor ("the organization"). The organization will “trust” the device and its users with access to protected data, so this information is essential. The following table describes what information MDM administrators in IT Services can access.




What MDM administrators can never see:

  • Calling and web browsing history
  • E-mail and text messages
  • Contacts
  • Calendar
  • Passwords
  • Pictures, including what's in the photos app or camera roll
  • Files

What MDM administrators can see:

  • Device model, like OptiPlex 790
  • Device manufacturer, like Dell
  • Operating system and version, like Windows 10 build 10.0.19043.1288
  • App names, like Microsoft Word: On personal BYOD devices, your organization can only see your administered University apps inventory, not your personal apps. On corporate-owned devices, your organization can see all of your app inventory.
  • Device owner
  • Device name
  • Device serial number
  • IMEI
  • Phone number: For corporate-owned devices, your full phone number can be seen. For personal BYOD devices, just the last four digits of your phone number are visible to your organization.
  • Device storage space
  • Location: Your organization can never see your device's location, unless you need to recover a lost, supervised iOS device.
  • Network information. (policy activated)

Enrolling your devices

Devices that are joined to or registered in Azure AD are also automatically enrolled in the Intune device management system. AAD-joined devices are classified as corporate and AAD-registered devices are classified as personal (BYOD) in the context of device management.

When a user connects their “work or school account” on their device, it is registered in Azure AD and enrolled in Intune. This can happen in three different ways:

  • automatically when the user installs Microsoft 365 Apps (formerly Office 365) from, or
  • manually through Windows Settings (Accounts - Access work or school - Connect), or
  • through the Company Portal app.

When a device is registered, only University data and apps are managed, and very little information about the device is collected and stored in Azure AD.

When a Windows 10/11 device is joined to Azure AD as a corporate device, it can be fully managed by the organization. This will allow users of the device to use Single Sign-On (SSO) features, and it also provides a place for them to securely store their BitLocker device encryption key. Only devices used exclusively for University business should be joined to Azure AD. Personal devices used for work (e.g. family home computers) and student-owned computers used to access University systems and data (BYOD) should be registered with Azure AD instead.

Corporate Windows 10/11 devices can be joined to AAD by an IT technician or by the user in two different ways:

  • manually through Windows Settings (Accounts - Access work or school - Connect - Join to Azure AD), or
  • automatically during the out-of-box experience (OOBE) initial setup of Windows 10/11.
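To check which of the two classifications described above applies to a Windows 10/11 computer, the following added example (not part of the original article) reads the `AzureAdJoined` and `WorkplaceJoined` fields printed by the built-in `dsregcmd /status` command. The function name `Get-EnrollmentClass`, the sample output and the tenant name in it are constructed for illustration.

```powershell
# Added example: map dsregcmd /status output to the article's two classes,
# corporate (Azure AD joined) and personal/BYOD (Azure AD registered).
function Get-EnrollmentClass {
    param([string[]]$StatusLines)

    # dsregcmd prints "Name : Value" pairs; collect them into a hashtable.
    # Section banners such as "| Device State |" contain no colon and are skipped.
    $state = @{}
    foreach ($line in $StatusLines) {
        if ($line -match '^\s*(\w+)\s*:\s*(.+?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }

    if ($state['AzureAdJoined'] -eq 'YES') {
        'Corporate (Azure AD joined)'
    } elseif ($state['WorkplaceJoined'] -eq 'YES') {
        'Personal / BYOD (Azure AD registered)'
    } else {
        'Neither joined nor registered'
    }
}

# Constructed sample resembling dsregcmd /status on a personal (BYOD) PC.
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : NO
          EnterpriseJoined : NO
              DomainJoined : NO
+----------------------------------------------------------------------+
| User State                                                           |
+----------------------------------------------------------------------+
           WorkplaceJoined : YES
       WorkplaceTenantName : Example Tenant (constructed)
'@ -split "`r?`n"

Get-EnrollmentClass -StatusLines $sample

# On a real computer, pass the live output instead of the sample:
# Get-EnrollmentClass -StatusLines (dsregcmd /status)
```

The example covers only the joined and registered cases this article describes; other join types reported by `dsregcmd` are not classified.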

Administering your devices and data

You can see and manage all of your enrolled administered devices using the Company Portal app that gets installed automatically on every Azure AD joined Windows 10/11 computer, or manually during enrollment on macOS computers and mobile iOS/iPadOS/Android devices. There is also a web version of this app available at This app allows you to:

  • See all of your University administered devices
  • Give user-friendly display names to your administered devices
  • Install additional apps on your administered devices
  • Check if your administered devices meet minimum requirements (device compliance) for full access to University apps, systems and data (conditional access)
  • Initiate device check-in to update and re-evaluate device compliance policies
  • Reset your device PIN, if enabled.
  • Reset your device operating system back to factory settings and wipe all apps and data in the event the device is lost or stolen.

There are two additional portals that you can use to manage your data and apps: is the site where users can manage their security settings for MFA, and it also provides a list of enrolled devices and encryption keys. Users can disable lost devices at this website, see the log of their sign-ins, remotely sign out from all devices, view their enterprise apps, and see a list of groups they belong to. is the education version of Microsoft Store. When people log in with their UWin account, they can access software that we have made available to them in the “private store” by clicking on the University of Windsor tab. Access will work for both corporate and personal (BYOD) devices, although this service is geared towards devices that are not enrolled in Intune.


Article ID: 99410
Thu 2/27/20 1:51 PM
Wed 3/8/23 2:53 PM
