A Windows 10 user can self-enrol in MDM or MAM from Settings > Accounts > Access work or school > Connect.

What happens next depends on how Mobility (MDM and MAM) is configured in Azure Active Directory and device ownership For a personal device, if user scope for both MDM and MAM overlaps for the enrolling user, MAM will win.  The opposite is true of corporate devices.

MAM or MDM Enrolment by Device Ownership

User In Scope Of

Corporate

Personal

MAM and MDM

MAM

MDM

Intune devices are considered personal by default and only if they meet some criteria do they change to corporate:

  • AD or AAD joined
  • Changed manually in Intune
  • An IMEI or serial number CSV is imported
  • Enrolled using a DEM account
  • Enrolled using DEP, Apple School or Business Manager, or Apple Configurator

In the example below, if any users in the tenant self enrol their BYOD device using Connect, they will be enrolling in MAM.  This is likely the configuration you want.

This is also true of enrolment using the Company Portal app, even if you select allow my organisation to manage this device.

The user will be told their device hasn’t been set up for corporate use yet and although it prompts them to change that, it will give them an error when trying to authenticate again that their device is already being managed by an organisation.

Returning to Access work or school, there is an option to Enrol only in device management.  This will enrol in MDM; kind of like a manual and not-so-obvious route around MAM if a user is scoped for both.