Device synchronization in Intune is the heartbeat of mobile device management. Without it, your fleet exists in a fog of stale information: you don't know which devices are compliant, which policies have been applied, or whether a security fix has actually landed. This article walks you through the mechanics of Intune device sync, why refresh cycles matter in production, and exactly how to configure and verify them — with platform-accurate guidance and no fabricated OMA-URIs.
How Intune Device Sync Actually Works
At its core, Intune sync is a pull mechanism. Your device — whether iOS, Android, Windows, or macOS — wakes up at a configured interval, connects to Intune, and does three things:
- "Here's my current state" — compliance status, hardware inventory, app inventory, OS version, battery, free storage, enrolled user, security settings
- "What policies should I have?" — requesting applicable configuration profiles, compliance policies, and app assignments
- "Do you have any commands for me?" — looking for remote actions like wipe, reset passcode, or send notification
The Intune service responds with any changed policies, new assignments, and pending actions. Separately, push notifications (Apple APNs for iOS/macOS, Google FCM for Android) can wake a device immediately when Intune has an urgent command — these are event-driven and independent of the scheduled sync heartbeat.
Default Sync Intervals by Platform
| Platform | Default Interval | Directly Configurable? | Mechanism |
|---|---|---|---|
| iOS / iPadOS | ~1 hour (MDM protocol) | No (Apple-controlled) | Apple MDM + APNs push |
| Android Enterprise | ~8 hours | No direct numeric control | Google FCM push + DPC agent |
| Windows 10/11 | ~8 hrs (post-initial retries) | Yes — DMClient CSP | OMA-URI via Intune profile |
| macOS | ~1 hour (MDM protocol) | No (Apple-controlled) | Apple MDM + APNs push |
iOS / iPadOS — Sync Mechanics Corrected
iOS MDM is built on Apple's MDM protocol and communicates via Apple Push Notification service (APNs). Intune cannot control iOS check-in frequency via OMA-URI configuration profiles — OMA-URI is a Windows-only MDM standard.
./Vendor/MSFT/MDM/Intune/Synchronization/CheckInFrequency as a custom iOS OMA-URI. This CSP path does not exist in Microsoft's documentation and will have no effect on iOS devices. Intune may show the profile as "Succeeded" (because it processed the deployment) while silently ignoring the unknown key. Don't create this profile.
What you can actually do to improve iOS sync responsiveness:
-
Force immediate sync from the Intune console
Navigate to Devices > All Devices, select the iOS device, then Remote Actions > Sync. Intune sends a silent APNs push notification. The device wakes up and completes the sync within 1–5 minutes. This is the primary tool for urgent sync needs.
-
Verify your APNs certificate
The APNs certificate is the delivery mechanism for all iOS push-triggered syncs. A single expired certificate breaks push sync for your entire iOS fleet. Check its expiry under Tenant Administration > Connectors and tokens > Apple MDM Push certificate and renew annually before expiry.
-
Leverage Conditional Access for compliance re-checks
Conditional Access policies trigger a compliance re-evaluation when a device attempts to access a protected resource. This effectively forces a sync and is the recommended architecture for high-security environments that need near-real-time compliance enforcement on iOS.
-
Train users on Company Portal sync
The Intune Company Portal app for iOS has a manual sync button under the device details screen. Document this for self-remediation workflows — particularly useful when a user needs to quickly resolve a compliance block.
Android Enterprise — Sync Mechanics Corrected
Android Enterprise devices use Google Firebase Cloud Messaging (FCM) as the push transport. The Intune DPC agent receives FCM messages from Intune and acts on commands. Background check-in occurs via the DPC agent on its own schedule.
-
Force sync from the console
Devices > All Devices > select Android device > Remote Actions > Sync. This sends an FCM push to wake the device and initiate check-in. Expect a 1–10 minute response time depending on FCM delivery.
-
Verify FCM connectivity
FCM requires outbound access to Google's infrastructure. Enterprise environments with strict egress rules may block FCM (TCP ports 5228–5230, hosts
*.googleapis.com,*.firebase.google.com). Confirm these endpoints are reachable from device networks. -
Use compliance policies to drive behavior
A well-configured compliance policy ensures the device re-evaluates its state at each check-in. Non-compliant devices are evaluated more frequently by Intune's grace-period logic. Configure a compliance grace period to control how quickly non-compliant devices escalate to access block.
-
Monitor via Graph API
Android devices that haven't synced in 24+ hours warrant investigation. Query
lastSyncDateTimevia Graph API (see section below) to identify stale devices and trigger forced syncs programmatically.
Windows 10/11 — Configuring Polling Interval Corrected
Windows is the only platform with granular, documented, numeric control of the MDM polling interval. This is done via the DMClient CSP deployed as a Custom OMA-URI configuration profile.
10 means 10 minutes. Some guides write "Value: 600 // 600 seconds = 10 minutes" — this is incorrect. Setting 600 would mean 600 minutes (10 hours), producing the opposite of the intended effect.
-
Create a Custom OMA-URI Configuration Profile
Navigate to Devices > Windows > Configuration > Create > New policy. Choose platform Windows 10 and later, profile type Custom.
-
Add DMClient polling OMA-URI settings
The DMClient CSP polling model uses multiple retry tiers. For a sustained 10-minute interval, configure these settings (all values are in minutes, ProviderID in Intune is
MS DM Server):// Tier 1: First retry set Name: Poll-FirstInterval OMA-URI: ./Device/Vendor/MSFT/DMClient/Provider/MS DM Server/Poll/IntervalForFirstSetOfRetries Type: Integer Value: 10 // 10 MINUTES (not seconds) Name: Poll-FirstCount OMA-URI: ./Device/Vendor/MSFT/DMClient/Provider/MS DM Server/Poll/NumberOfFirstRetries Type: Integer Value: 0 // 0 = unlimited retries at this tier // Sustained interval (after initial tier exhausted) Name: Poll-SustainedInterval OMA-URI: ./Device/Vendor/MSFT/DMClient/Provider/MS DM Server/Poll/IntervalForRemainingScheduledRetries Type: Integer Value: 10 // 10 MINUTES — the sustained polling frequency
-
Assign to pilot group and verify
Assign to a small Windows device security group first. Force a sync on a test device (Settings > Accounts > Access work or school > Info > Sync). Verify the new interval is active via Event Viewer > Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostics-Provider (Event ID 208 = successful sync).
HKLM\SOFTWARE\Microsoft\Provisioning\OMADM\ or related MDM keys. Always use the OMA-URI Configuration Profile path. Manual edits are overwritten on next policy refresh and can leave the device in an inconsistent enrollment state.
macOS — Sync Mechanics Corrected
macOS MDM is identical in architecture to iOS — it uses Apple's MDM protocol with APNs push notifications. macOS does not support OMA-URI (a Windows-only standard). Creating an OMA-URI profile for macOS in Intune will deploy successfully but have zero effect on sync behavior.
macOS enrolled devices check in with the Intune MDM server approximately every 1 hour. APNs push can trigger an immediate check-in when Intune sends a command.
-
Force sync from console
Select the macOS device in Devices > All Devices and choose Remote Actions > Sync. Intune sends an APNs push; the device typically responds within minutes.
-
Validate APNs certificate
The same Apple MDM Push certificate covers both iOS and macOS. One expired certificate = broken push sync for your entire Apple fleet. Review Tenant Administration > Connectors and tokens > Apple MDM Push certificate regularly.
-
Troubleshoot on-device with mdmclient
If a macOS device is not syncing, validate MDM enrollment state via Terminal:
sudo /usr/libexec/mdmclient QueryDeviceInformation // confirm enrollment log show --predicate 'subsystem == "com.apple.mdmclient"' --last 1h // recent MDM activity
SSL/TLS errors in the MDM log indicate a system clock mismatch — verify the device time is NTP-synced.
Windows 11 Config Refresh — Policy Re-Enforcement Win 11 Only
Config Refresh is a Windows 11 feature that is frequently (and incorrectly) described as an MDM sync interval setting. The screenshot below shows it in action — here's exactly what it does and doesn't do.
lastSyncDateTime.Config Refresh re-applies existing, already-downloaded CSP policies at the configured interval — even without internet connectivity. If a local admin or script tampers with a managed setting between sync cycles, Config Refresh reverts it back. This is distinct from MDM sync, which downloads and applies new or updated policies from Intune.
| Feature | DMClient Polling Interval | Config Refresh |
|---|---|---|
| Purpose | MDM check-in, download new policies | Re-apply existing local policies |
| Requires internet? | Yes | No |
| Downloads new policies? | Yes | No |
| Updates lastSyncDateTime? | Yes | No |
| Platform | Windows 10/11 | Windows 11 22H2+ (KB5031455) only |
| Minimum interval | 1 minute (DMClient CSP) | 30 minutes |
| Configured via | Custom OMA-URI (DMClient CSP) | Settings Catalog — Config Refresh |
-
Create a Settings Catalog profile
Go to Devices > Windows > Configuration > Create > New policy. Choose platform Windows 10 and later, profile type Settings catalog.
-
Add Config Refresh settings
Click + Add settings and search for "Config Refresh". Add both settings from the Config Refresh category:
Config refresh: Enabled Refresh cadence: 30 // minimum = 30 min; options: 30, 60, 90, 120
-
Assign to Windows 11 devices and monitor
Assign to a Windows 11 device group. On Windows 10 or Windows 11 versions prior to 22H2 (KB5031455), the profile is received but the setting has no effect. Verify OS version targeting to avoid false confidence.
Forcing an Immediate Sync
Regardless of configured intervals, you can trigger an immediate sync from the Intune console:
| Platform | Console Path | Mechanism |
|---|---|---|
| iOS / iPadOS | Device > Remote Actions > Sync | APNs push notification |
| Android | Device > Remote Actions > Sync | FCM push notification |
| Windows | Device > Remote Actions > Sync — or — Settings > Accounts > Access work or school > Info > Sync | Direct MDM trigger / user-initiated |
| macOS | Device > Remote Actions > Sync | APNs push notification |
Via Microsoft Graph API:
POST https://graph.microsoft.com/v1.0/deviceManagement/managedDevices/{deviceId}/syncDevice // No body required — returns 204 No Content on success
Monitoring Sync Status with Microsoft Graph
Query the last sync time and compliance state for any device via the Graph API:
GET https://graph.microsoft.com/v1.0/deviceManagement/managedDevices/{deviceId} // Key response fields: "lastSyncDateTime": "2026-05-08T14:32:15Z", "complianceState": "compliant", "managementAgent": "mdm", "deviceRegistrationState": "registered", "operatingSystem": "Windows"
Get all devices with selected fields in a single call:
GET https://graph.microsoft.com/v1.0/deviceManagement/managedDevices?$select=id,deviceName,lastSyncDateTime,complianceState,osVersion,operatingSystem
PowerShell report — devices not synced in the last 30 minutes:
$threshold = [datetime]::UtcNow.AddMinutes(-30) $uri = "https://graph.microsoft.com/v1.0/deviceManagement/managedDevices?`$select=id,deviceName,lastSyncDateTime,complianceState,operatingSystem" $devices = Invoke-MgGraphRequest -Uri $uri -Method GET $stale = $devices.Value | Where-Object { [datetime]$_.lastSyncDateTime -lt $threshold } $stale | Select-Object deviceName, operatingSystem, lastSyncDateTime, complianceState | Sort-Object lastSyncDateTime
What Can Go Wrong: Sync Failures and Troubleshooting
Production Checklist Before Deploying Aggressive Sync
| Requirement | Validation | Done? |
|---|---|---|
| Pilot group defined | 50–100 devices with good network and battery health | ☐ |
| APNs cert valid (Apple) | Check expiry under Tenant Admin > Connectors and tokens | ☐ |
| FCM endpoints reachable (Android) | *.googleapis.com, *.firebase.google.com ports 5228–5230 | ☐ |
| Network capacity verified | Firewall/proxy not rate-limiting sync traffic to *.manage.microsoft.com | ☐ |
| DMClient unit verified (Windows) | Confirm OMA-URI values are in MINUTES, not seconds | ☐ |
| Monitoring alert configured | Alert when lastSyncDateTime > 30 minutes stale in Graph API | ☐ |
| Rollback plan documented | Can revert DMClient polling profile in <5 minutes via policy change | ☐ |
| Help desk trained | Support team knows sync behavior, APNs/FCM dependency, and console sync action | ☐ |
Graph API Automation — Force Sync on Stale Devices
// Find devices not synced in 30+ minutes and force a sync Connect-MgGraph -Scopes "DeviceManagementManagedDevices.ReadWrite.All" $threshold = [datetime]::UtcNow.AddMinutes(-30).ToUniversalTime().ToString("o") $uri = "https://graph.microsoft.com/v1.0/deviceManagement/managedDevices?`$filter=lastSyncDateTime lt $threshold&`$select=id,deviceName,lastSyncDateTime,operatingSystem" $staleDevices = (Invoke-MgGraphRequest -Uri $uri -Method GET).Value foreach ($device in $staleDevices) { Write-Host "Syncing: $($device.deviceName) [$($device.operatingSystem)] — last sync: $($device.lastSyncDateTime)" $syncUri = "https://graph.microsoft.com/v1.0/deviceManagement/managedDevices/$($device.id)/syncDevice" Invoke-MgGraphRequest -Uri $syncUri -Method POST Start-Sleep -Milliseconds 200 // throttle to avoid Graph rate limits } Write-Host "Triggered sync for $($staleDevices.Count) device(s)"
Key Takeaways
- Sync is pull, not push: Devices request updates on a schedule. APNs/FCM push can wake devices immediately for urgent commands, but routine sync is always device-initiated.
- Only Windows is directly configurable: iOS, macOS, and Android use Apple/Google-controlled protocols. There is no supported OMA-URI to override check-in frequency on Apple platforms.
- Windows DMClient values are in minutes: Setting
IntervalForRemainingScheduledRetriesto10means 10 minutes. Setting it to 600 means 600 minutes (10 hours). - Config Refresh ≠ MDM sync: Config Refresh (Windows 11 22H2+ only) re-applies already-downloaded policies locally. It does not trigger a cloud check-in or update
lastSyncDateTime. Deploy it alongside DMClient polling, not instead of it. - APNs certificate is critical: One expired Apple MDM Push certificate breaks push-triggered sync for your entire iOS and macOS fleet. Monitor it proactively.
- Verify via Graph API: Don't rely on the console alone. Use
lastSyncDateTimeandcomplianceStatefrom Microsoft Graph to build monitoring dashboards and automated remediation. - Clock skew is the silent killer: TLS failures caused by device clock drift can prevent sync entirely. Ensure NTP is configured and reachable on all managed networks.
