This guide applies to Windows devices
How Windows Enrollment Works
Windows enrollment in Iru Endpoint uses a browser-based portal that connects devices to your organization’s management system. When users access the enrollment URL, they’ll authenticate with your organization’s credentials and enter a Blueprint code that determines which policies and applications get applied to their device. The enrollment process establishes a secure connection between the Windows device and Iru Endpoint through Microsoft’s MDM framework, while the Kandji Agent handles application management and inventory collection. This gives you centralized management while keeping user flexibility.
Prerequisites
1. Admin permissions - An Iru Endpoint role with permission to view Enrollment and Blueprints
2. Device requirements - Windows 11 24H2+ (Pro, Pro Education, Enterprise, Education)
3. Network access - Windows devices with internet access and the Microsoft Edge browser (required for enrollment)
4. SSO configuration - (Recommended) Single sign-on (SSO) configured for secure authentication
5. Network configuration - Firewall ports opened for enrollment traffic
Configure Windows Enrollment
1. Get the Enrollment URL - Sign in to your Iru Endpoint tenant and navigate to Enrollment → Manual Enrollment. Copy the Enrollment URL; you’ll share this with users.
2. Choose the Blueprint and Copy Its Code - Under the “Select Blueprint to enroll the device into” section, copy the code of the Blueprint you want devices to enroll into. (Recommended) Click the Blueprint and select Require authentication. If you see a banner that says “No single sign-on connections are configured”, go to Settings → Access Settings → Single sign-on and configure SSO, then return and select Require authentication.
3. Send Enrollment Instructions to Users - Share the following with each user (email, chat, or help portal):
- The Enrollment URL from Enrollment → Manual Enrollment
- The Enrollment code for the correct Blueprint
- A short note that they’ll authenticate (if required), then follow on-screen prompts to complete enrollment
Consider creating a template email or help article with these instructions to ensure consistency across your organization.
Verify Enrollment
1. Check devices - In Iru Endpoint, open Devices.
2. Locate device - Locate the newly enrolled device (search by user email, device name, or serial number).
3. Verify configuration - Confirm it shows the assigned Blueprint, apps, and policies. Installations will proceed automatically.
Windows Management Architecture
Windows device management in Iru Endpoint uses a hybrid approach:
- Microsoft MDM Framework - Handles device enrollment, policy enforcement, and basic device management
- Kandji Agent - Proprietary agent that manages application installation and upgrade, and collects application inventory
Windows-Specific Considerations
Device Requirements
- Windows 11 24H2+ - You’ll need Windows 11 Pro, Pro Education, Enterprise, or Education (24H2 or higher) for enrollment
- Microsoft Edge browser - You’ll need Microsoft Edge for Windows enrollment (see Microsoft’s MDM enrollment documentation)
- Local administrator rights - The enrolling user must have admin access on the device
- Serial numbers - Physical devices include these automatically, but virtual machines need them defined
- Synchronized time - Make sure the device clock is synced with a reliable time source
Some advanced Windows features may not be available depending on your device configuration and Windows version.
Network Requirements
Devices must have internet connectivity for enrollment. Make sure all required ports are opened in your firewall configuration. Configure proxy settings if your network requires them.
For detailed network requirements including specific domains, ports, and firewall configurations, see Using Iru on Enterprise Networks.
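The device requirements and network requirements above can be checked on the device before a user is sent the enrollment URL. The script below is an added example, not Iru or Kandji code: run it in an elevated PowerShell session on the candidate device. It checks the Windows build and edition (24H2 corresponds to build 26100), that Microsoft Edge is registered, that the current user is a local administrator, that the BIOS serial number is populated, that the Windows Time service reports a successful sync, and that outbound TCP 443 reaches the enrollment hosts. The `$EnrollmentHosts` value is a placeholder; replace it with the domains listed in Using Iru on Enterprise Networks. The edition IDs, the Edge registry key, and the English-language `w32tm` output it matches on are assumptions about the platform, not values taken from this page.

```powershell
# Added example (not Iru/Kandji code): device-side pre-flight check for the
# Windows enrollment prerequisites. Run as administrator on the device.
param(
    # Placeholder, not a real Iru host: substitute the enrollment domains from
    # "Using Iru on Enterprise Networks".
    [string[]]$EnrollmentHosts = @('enrollment.example.invalid')
)

$results = [ordered]@{}

# 1. OS build and edition. Windows 11 24H2 is build 26100; supported editions are
#    Pro, Pro Education, Enterprise and Education (EditionID values assumed).
$cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$build = [int]$cv.CurrentBuildNumber
$allowedEditions = 'Professional', 'ProfessionalEducation', 'Enterprise', 'Education'
$results["OS build $build >= 26100 (24H2)"]      = $build -ge 26100
$results["Edition supported ($($cv.EditionID))"] = $allowedEditions -contains $cv.EditionID

# 2. Microsoft Edge is installed (Edge registers an App Paths entry; assumed key).
$results['Microsoft Edge installed'] =
    Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\msedge.exe'

# 3. The enrolling user holds local administrator rights.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal]$identity
$results['User is local administrator'] =
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

# 4. A serial number is defined (virtual machines often report blank or generic values).
$serial = (Get-CimInstance Win32_BIOS).SerialNumber
$results["Serial number present ($serial)"] =
    (-not [string]::IsNullOrWhiteSpace($serial)) -and
    ($serial -notmatch '^(0+|None|Default string|To be filled)')

# 5. The clock is synchronised: w32tm prints "Last Successful Sync Time: <date>"
#    or "unspecified" if the service has never synced (English output assumed).
$w32      = w32tm /query /status 2>$null
$syncLine = ($w32 | Select-String 'Last Successful Sync Time').Line
$results['Time service synced'] =
    ($LASTEXITCODE -eq 0) -and $syncLine -and ($syncLine -notmatch 'unspecified')

# 6. Outbound HTTPS to the enrollment endpoints (firewall and proxy check).
foreach ($h in $EnrollmentHosts) {
    $tnc = Test-NetConnection -ComputerName $h -Port 443 -WarningAction SilentlyContinue
    $results["TCP 443 to $h"] = [bool]$tnc.TcpTestSucceeded
}

# Print a PASS/FAIL line per check and exit with the number of failures,
# so the script can be used from a help-desk tool or a logon script.
$failed = 0
foreach ($k in $results.Keys) {
    $ok = [bool]$results[$k]
    if (-not $ok) { $failed++ }
    '{0,-5} {1}' -f $(if ($ok) { 'PASS' } else { 'FAIL' }), $k
}
exit $failed
```

A non-zero exit code means at least one prerequisite failed; the FAIL lines tell the help desk which one to fix (upgrade the build, grant admin rights, sync the clock, open the firewall) before the user retries enrollment.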
Security Considerations
Always use SSO authentication when possible to ensure only authorized users can enroll devices. This prevents unauthorized access to your organization’s device management system.
Windows enrollment supports both SSO authentication and basic authentication, but SSO provides better security and user experience.
Best Practices
- Enable authentication - Enable “Require authentication.” Combined with SSO, this ensures only authorized users can enroll
- Pre-stage items - Pre-stage critical items (Wi-Fi, certificates, SCEP, password policies) in the Blueprint so devices come online with the required trust and connectivity
- Test the process - Test the enrollment process with a small group before rolling out to all users
- Document the process - Document the enrollment process and provide clear instructions to users
Additional Windows Management
Active Directory Integration
If your organization requires Active Directory domain join, Azure AD Join, or Hybrid Azure AD join, these must be configured separately from Iru Endpoint enrollment. Coordinate with your Active Directory team to ensure proper domain join procedures are followed.
Device Sync and Management
Windows devices use multiple sync mechanisms:
- Event-driven MDM commands - Changes from the Iru Endpoint Web App apply within minutes via Windows Push Notification Service (WNS)
- Daily MDM check-in - Full sync every 24 hours to remediate configuration drift
- Agent check-in - Kandji Agent checks in every 15 minutes for app updates and inventory collection
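The Verify Enrollment steps above confirm the device from the Iru Endpoint console; the complementary check from the device side is whether Windows itself holds an MDM enrollment and whether the enrollment client has scheduled the check-ins described in this section. The script below is an added example, not Iru or Kandji code. It assumes Windows records MDM enrollments as GUID-named subkeys of `HKLM:\SOFTWARE\Microsoft\Enrollments` carrying `ProviderID`, `EnrollmentType`, `DiscoveryServiceFullURL` and `UPN` values, and that the enrollment client registers its sync tasks under `\Microsoft\Windows\EnterpriseMgmt\<EnrollmentID>\`. Run it as administrator on the enrolled device.

```powershell
# Added example (not Iru/Kandji code): list MDM enrollments on this device and
# the scheduled sync tasks the enrollment client created for each of them.
$enrollRoot = 'HKLM:\SOFTWARE\Microsoft\Enrollments'

function Get-MdmEnrollment {
    # Assumption: each enrollment is a GUID-named subkey with a ProviderID value;
    # non-GUID subkeys (Context, Status, ...) are bookkeeping and are skipped.
    Get-ChildItem $enrollRoot -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^\{?[0-9A-Fa-f-]{36}\}?$' } |
        ForEach-Object {
            $p = Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue
            if ($p.ProviderID) {
                [pscustomobject]@{
                    EnrollmentId   = $_.PSChildName
                    ProviderID     = $p.ProviderID
                    EnrollmentType = $p.EnrollmentType
                    DiscoveryUrl   = $p.DiscoveryServiceFullURL
                    UPN            = $p.UPN
                }
            }
        }
}

function Get-MdmSyncTask {
    param([Parameter(Mandatory)][string]$EnrollmentId)
    # Assumption: the enrollment client's check-in schedules live under this path.
    $path = "\Microsoft\Windows\EnterpriseMgmt\$EnrollmentId\"
    Get-ScheduledTask -TaskPath $path -ErrorAction SilentlyContinue |
        ForEach-Object {
            $info = $_ | Get-ScheduledTaskInfo
            [pscustomobject]@{
                Task        = $_.TaskName
                State       = $_.State
                LastRunTime = $info.LastRunTime
                LastResult  = $info.LastTaskResult   # 0 means the last check-in succeeded
                NextRunTime = $info.NextRunTime
            }
        }
}

$enrollments = @(Get-MdmEnrollment)
if ($enrollments.Count -eq 0) {
    Write-Warning 'No MDM enrollment found on this device; the device has not completed enrollment.'
    exit 1
}

foreach ($e in $enrollments) {
    "Enrollment $($e.EnrollmentId): provider=$($e.ProviderID) type=$($e.EnrollmentType) user=$($e.UPN)"
    "  discovery URL: $($e.DiscoveryUrl)"
    $tasks = @(Get-MdmSyncTask -EnrollmentId $e.EnrollmentId)
    if ($tasks.Count -eq 0) {
        Write-Warning "  no EnterpriseMgmt sync tasks found for $($e.EnrollmentId)"
    } else {
        $tasks | Format-Table -AutoSize
    }
}

# dsregcmd summarises the device's join and MDM state; show only the MDM lines.
dsregcmd /status | Select-String -Pattern 'Mdm'
```

A device that shows an enrollment whose sync tasks have a recent LastRunTime and a LastResult of 0 is checking in; a device with no enrollment key, or with tasks that have never run, will not pick up Blueprint changes, which is what to look for when a device appears in the console but its apps and policies do not arrive.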
Policy Application
Windows devices automatically receive security policies and restrictions, network configuration (Wi-Fi, VPN), application deployments, and compliance monitoring.
MDM vs. Agent Responsibilities:
- MDM Framework - Handles Wi-Fi, Windows Firewall, BitLocker, and other system policies
- Kandji Agent - Manages Win32 application installation, updates, and inventory collection