Devices
What is a Managed Device
A managed device is any Apple product enrolled in GuardMDM and actively receiving configuration, policies, and apps. Once enrolled, the device establishes a persistent connection to GuardMDM, reports its status, and responds to remote commands.
Managed devices include iPhone, iPad, Mac, Apple TV, and Apple Vision Pro.
Device States
Every device in GuardMDM has one of the following states:
| State | Description |
|---|---|
| Enrolled | Device is actively connected to GuardMDM, receiving policies and reporting status. This is the normal operating state. |
| Pending | Device has been added to GuardMDM (via ABM sync or manual entry) but has not yet completed the enrollment process. It will transition to Enrolled once the user completes setup. |
| Offline | Device is enrolled but has not checked in for a period of time. It will re-sync policies and report status when it comes back online. |
| Unmanaged | Device has been removed from management — either by an admin action (wipe, unenroll) or by the user removing the MDM profile. It no longer receives policies or commands. |
Device Information Collected
When a device enrolls, GuardMDM automatically collects the following information:
- Serial number — Apple-assigned hardware identifier
- UDID (Unique Device Identifier) — Apple-assigned unique device ID
- OS version — The version of iOS, iPadOS, macOS, or tvOS running on the device
- Model name — e.g., iPhone 15 Pro, MacBook Air M3, iPad Pro 12.9-inch
- Hardware specs — Storage capacity, RAM, chip type, battery health
- Device name — The user-facing name set on the device
- Network info — IP address, Wi-Fi SSID, cellular carrier (if applicable)
This information is visible in the device detail view and can be used for inventory reporting, compliance checks, and policy targeting.
Device Identification
Devices are uniquely identified by two Apple-assigned identifiers:
- Serial number — Printed on the device enclosure and visible in the OS. Used for ABM matching, warranty lookup, and inventory tracking.
- UDID (Unique Device Identifier) — A device-specific alphanumeric string used by Apple's MDM protocol to address the device. GuardMDM uses the UDID internally for all MDM commands and enrollment management.
Both identifiers are collected automatically during enrollment and are visible in the device detail view.
Device Source
Devices can enter GuardMDM through two paths:
| Source | Description |
|---|---|
| ABM-synced | Devices purchased through Apple Business Manager (or Apple School Manager) are automatically synced to GuardMDM. They are pre-assigned to GuardMDM in ABM, which forces MDM enrollment during device setup. This is the recommended enrollment method for organization-owned devices. |
| Manually enrolled | Devices not in ABM can be enrolled by installing the MDM profile manually. This is typically used for BYOD scenarios or devices that were purchased outside the organization's Apple account. |
ABM-synced devices are automatically assigned to GuardMDM and cannot be unenrolled by the user, providing a higher level of control. Manually enrolled devices can have the MDM profile removed by the user unless additional restrictions are applied.
Supervision Status
Supervision is an Apple concept that indicates an organization owns the device and has elevated management capabilities. Supervision is established during device setup for ABM-synced devices.
Supervised devices unlock capabilities that are not available on non-supervised devices:
- Restrictions — Block app installation, prevent account changes, disable AirDrop, force content filtering, and more
- Silent app installation — Install and update apps without user interaction
- Kiosk mode — Lock the device to a single app (Single App Mode)
- Network configuration — Install VPN, Wi-Fi, and certificate profiles without user approval
- Remote device controls — Lost Mode, device location, and Activation Lock bypass
- OS update enforcement — Force or defer software updates
Devices enrolled via ABM are automatically supervised. Manually enrolled devices are not supervised and have access to a subset of management capabilities.
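The state, source, and supervision rules above can be checked against an inventory export. The following is an added example, not GuardMDM code: the `Device` record, its field names, and the sample serial numbers are assumptions, and only the state and source values come from this page.

```python
from dataclasses import dataclass

@dataclass
class Device:
    # Hypothetical export row: field names are assumptions; the state and
    # source values are the ones this page defines.
    serial: str
    state: str        # Enrolled | Pending | Offline | Unmanaged
    source: str       # ABM-synced | Manually enrolled
    supervised: bool

def audit(dev: Device) -> list[str]:
    """Return findings for one device; an empty list means nothing to review."""
    findings = []
    abm = dev.source == "ABM-synced"
    managed = dev.state in ("Enrolled", "Offline")
    # ABM enrollment implies supervision and manual enrollment implies none.
    # Checked only once setup has finished, because supervision is established
    # during device setup and a Pending device has not completed it.
    if managed and dev.supervised != abm:
        findings.append("supervision flag does not match device source")
    if dev.state == "Unmanaged":
        findings.append("receives no policies or commands")
        if abm:
            # Users cannot unenroll ABM-synced devices, so tie this to an admin action.
            findings.append("ABM-synced: confirm the admin wipe or unenroll")
    elif dev.state == "Pending":
        findings.append("enrollment not completed, no policies applied yet")
    elif dev.state == "Offline":
        findings.append("not checking in, policies may be stale")
    if managed and not abm:
        findings.append("user can remove the MDM profile unless restricted")
    return findings

def audit_inventory(devices: list[Device]) -> dict[str, list[str]]:
    """Map serial number to findings, omitting devices with none."""
    report = {d.serial: audit(d) for d in devices}
    return {serial: f for serial, f in report.items() if f}

# Constructed sample inventory (serial numbers are made up).
SAMPLE = [
    Device("SAMPLE0001", "Enrolled", "ABM-synced", True),
    Device("SAMPLE0002", "Enrolled", "Manually enrolled", False),
    Device("SAMPLE0003", "Offline", "ABM-synced", True),
    Device("SAMPLE0004", "Unmanaged", "ABM-synced", True),
    Device("SAMPLE0005", "Pending", "ABM-synced", False),
]

if __name__ == "__main__":
    for serial, findings in audit_inventory(SAMPLE).items():
        print(serial, "->", "; ".join(findings))
```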
For detailed device management — viewing device details, sending remote commands, search and filter, and bulk actions — see the Device Management section.
