Update device-enrollment-manager-enroll.md

lenewsad · web-flow · commit 2e17f55d8a6b · 2022-05-09T16:45:43.000-04:00
DEM updates per GitHub issue
diff --git a/memdocs/intune/enrollment/device-enrollment-manager-enroll.md b/memdocs/intune/enrollment/device-enrollment-manager-enroll.md
@@ -31,38 +31,73 @@ ms.collection:
   - highpri
 ---
 
-# Enroll devices in Intune by using a device enrollment manager account
+# Add device enrollment managers  
 
-You can enroll up to 1,000 devices with a single Azure Active Directory account by using a device enrollment manager (DEM) account. DEM is an Intune permission that can be applied to an Azure AD user account and lets the user enroll up to 1,000 devices. A DEM account is useful for scenarios where devices are enrolled and prepared before handing them out to the users of the devices. By design, there's a limit of 150 Device Enrollment Manager (DEM) accounts in Microsoft Intune.
+A device enrollment manager is a non-administrator user who can enroll devices in Intune. DEMS are useful to have when you need to enroll and prepare devices before handing them out to . DEM users can enroll up to 1,000 devices, while a standard non-admin account in Intune can only enroll 15.  
 
-## Limitations of devices that are enrolled with a DEM account
+A DEM account requires an Intune user or device license. To enable the feature for someone in you organization, you must assign the Intune device enrollment manager permissions to their Azure AD account.  This article provides an overview of device enrollment manager accounts, limitations, and how to manage permissions.  
 
-DEM user accounts and devices that are enrolled with a DEM user account have the following limitations:
+## Supported enrollment methods 
 
-- A DEM account user must be assigned an Intune license.
-- Wipe can't be done from the Company Portal. Wiping a device enrolled by a DEM user account can be done from the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
-- Only the local device appears in the Company Portal app or website.
-- DEM user accounts cannot use Apple Volume Purchase Program (VPP) apps with Apple VPP user licenses because of per-user Apple ID requirements for app management.
-- Microsoft Intune does not support the use of DEM accounts when enrolling devices via Apple Automated Device Enrollment (ADE).  
-- DEM accounts cannot support conditional access because conditional access is intended for per-user scenarios. 
-- Devices can install VPP apps if they have Apple VPP device licenses.
-- Every device enrolled with DEM accounts needs to be properly licensed to be managed by Intune. The license could be an Intune user license or an Intune device license.
-- If you're [enrolling Android Enterprise personally-owned devices with work profile](android-work-profile-enroll.md) using a DEM account, there is a limit of 10 devices that can be enrolled per account.
-- [Enrolling Android Enterprise fully managed devices](android-fully-managed-enroll.md) with DEM accounts isn't supported.
-- [Enrolling Android Enterprise corporate owned work profile devices](android-corporate-owned-work-profile-enroll.md) with DEM accounts isn't supported.
-- Applying an Azure AD device restriction to a DEM account will prevent you from reaching the 1,000 device limit that the DEM account can enroll.
-
->[!NOTE]
->For additional details regarding enrollment capabilities for Windows and the use of DEM accounts, please refer [Intune enrollment method capabilities for Windows devices](./enrollment-method-capab.md).
-
-## Enrollment methods supported by DEM accounts
-
-You can use the following methods to enroll devices using DEM accounts:
+A device enrollment manager can use the following methods to enroll devices in Intune:    
 
 - [Windows Autopilot](../../autopilot/enrollment-autopilot.md)
 - [Windows devices bulk enrollment](windows-bulk-enroll.md)
 - DEM initiated via Company Portal
-- DEM initiated via Azure AD join
+- DEM initiated via Azure AD join  
+
+> [!TIP]
+> To compare DEM best practices and capabilities alongside other Windows enrollment methods, see [Intune enrollment method capabilities for Windows devices](./enrollment-method-capab.md).  
+
+
+## Account permissions 
+
+Users assigned the Global Administrator or Intune Service Administrator role in Azure AD can:   
+
+- Assign DEM permissions      
+- See all DEM users in the admin center  
+
+DEMs assigned read-only permissions in Azure AD can only see the DEM users they've created.    
+
+## Limitations 
+
+This section describes the limitations that comes with enrolling devices from your DEM account.      
+
+### Android Enterprise  
+You can enroll up to 10 personally-owned devices with work profiles. 
+
+The following types of devices can't be set up with a DEM account: 
+
+* Corporate-owned with a work profile
+* Fully managed  
+
+### Automated Device Enrollment  
+DEM is not compatible with Apple Automated Device Enrollment (ADE).   
+
+### Azure AD  
+Applying an Azure AD device restriction to a DEM account will prevent you from reaching the 1,000 device limit that the DEM account can enroll.  
+
+### Conditional access  
+Conditional access is only supported with DEM on devices running:  
+
+* Windows 10, version 1803 and later  
+* Windows 11     
+
+### Device limit restrictions    
+DEM enrolls Windows 10/11 devices in shared device mode, so device limit restrictions won't work on them. Instead, you can configure a hard limit for these devices in the Azure AD admin center. For more information, see [Manage device identities by using the Azure portal](/azure/active-directory/devices/device-management-azure-portal#configure-device-settings).       
+
+### Device wipe    
+Enrolled devices can't be wiped from Company Portal. You have to sign in to [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) to wipe a device you enrolled.  
+
+### Intune Company Portal  
+Only the local device appears in the Company Portal app or Company Portal website.   
+
+### Number of accounts  
+There's a limit of 150 Device Enrollment Manager (DEM) accounts in Microsoft Intune.  
+
+### Volume purchased apps  
+* You can't use apps purchased through Apple VPP with Apple VPP user licenses, because of per-user Apple ID requirements for app management.  
+* Devices can install VPP apps if they have Apple VPP device licenses.  
 
 ## Add a device enrollment manager
 
@@ -72,14 +107,6 @@ You can use the following methods to enroll devices using DEM accounts:
 
 3. On the **Add User** blade, enter a user principal name for the DEM user, and select **Add**. The DEM user is added to the list of DEM users.
 
-## Permissions required to create DEM accounts
-
-Global Administrator or Intune Service Administrator Azure AD roles are required to
-
-- Assign DEM permission to an Azure AD user account
-- See all DEM users
-
-If a user doesn't have the Global Administrator or Intune Service Administrator role assigned to them, but has read permissions enabled for the Device Enrollment Managers role assigned to them, they can see only the DEM users they've created.
 
 ## Remove device enrollment manager permissions
 
@@ -88,4 +115,4 @@ Removing a device enrollment manager doesn't affect enrolled devices.
 ### To remove a device enrollment manager
 
 1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), choose **Devices** > **Enroll devices** > **Device enrollment managers**.
-2. On the **Device enrollment managers** blade, select the DEM user, and select **Delete**.
+2. On the **Device enrollment managers** blade, select the DEM user, and select **Delete**.  
