Support enrolling a device under MDM for two different organizations
Contractors/Service Provider employees generally have multiple companies they work for: one is the company that pays their salary, another is the company they do the work for (the client). Intune currently does not allow enrolling a device with both companies' MDM. The user needs to sign out of one MDM to enroll in another, and this is a painful process. There should be an easier way to enroll the device under multiple MDMs.
There's actually a large security flaw with this not working. As much as it won't allow you to add a second work and school account, it WILL allow you to add the second account directly to OneDrive. This second account is added, and is entirely UNPROTECTED. The protection should be applied, and the stricter of the two password policies applied. Either that or BLOCK the second enrolment.
So MDM is the limitation of the actual device, but it needs to be integrated into Conditional Access so the two Intune and O365 tenants can federate B2B, and maybe have one MDM authoritative for multiple tenants.
Matt Storms commented
This is a common scenario and much needed. Why not have the more restrictive of the 2 MDM policies take precedence?
Having the same issue. A way to enrol devices on 2 tenants would be great, even if the 2nd profile couldn't enforce any actual restrictions that would conflict with the primary MDM account. Our scenario would be that the device is enrolled in Intune and is compliant (compliance policy with some basic settings like BitLocker enforced, AV installed, passwords in use, etc.).
This would save us opening up accounts everywhere for contractors who are employed by someone else but require access to email / SharePoint in our company.
VIKAS PANDEY commented
I am also facing this; in my case the client is Google and my company has Outlook. When I tried to install Company Portal, it showed that Google's work profile would be deleted, and vice versa.
I also need to install both on my device. Isn't there any way to have 2 work profiles on the same device?
MDM providers need to follow a protocol that controls their own data and restricts other data from being exposed.
Much needed to manage work efficiently using BYOD. We can't bring multiple devices to manage the work.
This is an awful / unachievable idea. In short, what happens when both MDMs apply conflicting passcode policies to the same device: which wins?
I understand the scenarios given, but this isn't the solution to any presented.
As per another comment, this is a limitation of MDMs, not Intune. Unless "all the MDM providers" get together, this isn't going to happen.
Tom Plant commented
Seems like the issue here is from non-ideal AzureAD tenant architecture (i.e. mergers/acquisitions, individuals creating their own tenants, using corporate management on BYOD devices). But the real world isn't perfect, so I can understand wanting a workaround. Not sure if it's technically possible though, especially relying on vendors like Apple...
Not everyone works for one company. If MS wants Intune to be the dominant product, they need to allow the configuration to be more flexible and allow this.
John Ward commented
I have a work account, and I am also involved with a non-profit. Both need to be enrolled. This is badly needed.
Johnson George commented
This is a much awaited requirement for any multinational organization... not sure why Microsoft is ignoring the enterprise community.
I was supporting two work emails in Outlook until two days ago. One of them must have amended a policy. This was the one place I had a combined calendar. Now I am constantly having to change between accounts. Very frustrating.
Srinivas Addepalli commented
If WhatsApp supports cloning the app, why can't MS do this?
Erik Glockling commented
As many others have mentioned, this is not possible. This is not a limitation of Intune, but a limitation of MDM on Android and iOS/iPadOS. You'll need to use a combination of MDM/MAM to achieve what you've requested.
Tim Fritz commented
We don't need to enroll the device in multiple company MDMs. We just need to allow additional accounts to be added to the Outlook app. It should be a simple change to remove this restriction. We can access multiple accounts without an Intune MDM profile installed. The preference would be to enroll the device in the person's home company Intune MDM but allow additional email accounts to be added to Outlook. Each company's Conditional Access policy forces users to use the Outlook app for company email access, so we are unable to use the native or an alternate email app for the second or subsequent accounts.
I can see this may be difficult, but it is much needed! If only it were possible to separate the domain join from compliance. At the moment a device needs to be joined to evaluate compliance, but it should be possible to evaluate compliance independently from being joined. Compliance is just a set of tests, so surely a device could be compliant with multiple domains even if not joined; then, if necessary, 'domain joined' could be added as a compliance test if required, rather than a prerequisite?
This is a technical impossibility, only due to the way the system is rolled out; if it containerised each Intune setup, you would be able to do this.
Elliot Smith commented
This is a technical impossibility. If it were possible, how would Intune handle policy clashes that may conflict? Absolutely no OS would support this idea.
I have been looking for this feature too. Either Android or Intune should support multiple work accounts.