OTA Enrollment

What is OTA Enrollment

OTA (Over-The-Air) enrollment allows devices to enroll in GuardMDM without being connected to a physical provisioning system or Apple Business Manager. Instead, the user opens a URL on their device, downloads and installs a management profile, and the device enrolls automatically.

OTA enrollment is the primary method for:

  • BYOD (Bring Your Own Device) — personal devices that are not in ABM
  • Remote workers — devices that cannot be physically provisioned
  • Legacy devices — devices not enrolled in Apple Business Manager
  • Testing and staging — quick enrollment for evaluation or development

Unlike ADE enrollment, OTA enrollment does not supervise the device automatically. Supervision must be applied separately if required.

Generating Enrollment Tokens

GuardMDM uses JWT (JSON Web Token) based enrollment tokens. Each token encodes the enrollment configuration and has a configurable expiration.

Creating a Token

Navigate to Enrollment > OTA > Tokens and click Generate Token.

  • Name — A label for the token (e.g. "Engineering BYOD")
  • Expiration — How long the token is valid (e.g. 24 hours, 7 days, never)
  • Group Assignment — The device group new devices will be added to
  • SCEP Profile — The SCEP profile for certificate enrollment (optional)
  • Max Uses — Limit on how many devices can enroll with this token (0 = unlimited)

Token Structure

The JWT token contains:

```json
{
  "sub": "org_abc123",
  "name": "Engineering BYOD",
  "exp": 1719878400,
  "group_id": "grp_456",
  "scep_profile": "scep_def",
  "max_uses": 100,
  "jti": "unique-token-id"
}
```

The token is signed with GuardMDM's private key and verified by the enrollment endpoint.
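As an added illustration (not GuardMDM's own code), the following Go program shows both sides of the token described above: issuing the RS256-signed JWT with the server's private key, and the enrollment endpoint's checks of signature, expiration and max uses. The type and function names are assumptions, and the `uses` argument stands in for whatever per-`jti` enrollment counter the server keeps.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

type EnrollmentClaims struct { // the payload shown above; the type name is hypothetical
	Sub         string `json:"sub"`
	Name        string `json:"name"`
	Exp         int64  `json:"exp"`
	GroupID     string `json:"group_id"`
	SCEPProfile string `json:"scep_profile"`
	MaxUses     int    `json:"max_uses"`
	JTI         string `json:"jti"`
}
var b64 = base64.RawURLEncoding // JWT segments are unpadded base64url
func digest(s string) []byte { h := sha256.Sum256([]byte(s)); return h[:] }
// SignToken issues an RS256 JWT (header.payload.signature) with the server's private key.
func SignToken(priv *rsa.PrivateKey, c EnrollmentClaims) (string, error) {
	payload, _ := json.Marshal(c) // plain strings and ints cannot fail to marshal
	input := b64.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + b64.EncodeToString(payload)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest(input))
	return input + "." + b64.EncodeToString(sig), err
}
// VerifyToken runs the endpoint's checks: signature (always RS256; the header's alg field is never
// consulted), expiration, then max uses; uses = enrollments already recorded against this jti.
func VerifyToken(pub *rsa.PublicKey, token string, now int64, uses int) (*EnrollmentClaims, error) {
	header, rest, _ := strings.Cut(token, ".")
	payload, sigB64, ok := strings.Cut(rest, ".")
	if sig, err := b64.DecodeString(sigB64); !ok || err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest(header+"."+payload), sig) != nil {
		return nil, errors.New("malformed token or invalid signature")
	}
	var c EnrollmentClaims
	if raw, err := b64.DecodeString(payload); err != nil || json.Unmarshal(raw, &c) != nil {
		return nil, errors.New("malformed claims")
	}
	if now >= c.Exp {
		return nil, errors.New("token expired")
	}
	if c.MaxUses > 0 && uses >= c.MaxUses {
		return nil, errors.New("max uses reached")
	}
	return &c, nil
}
```

Because the verifier hardcodes RS256 rather than trusting the header's alg field, a token whose header claims a different algorithm simply fails signature verification.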

QR Code for Easy Enrollment

Each enrollment token can be rendered as a QR code for quick scanning. This is ideal for in-person onboarding or printed materials.

To generate a QR code:

  1. Go to Enrollment > OTA > Tokens
  2. Click the QR icon next to the desired token
  3. Download the QR code image (PNG or SVG)

The QR code encodes the full enrollment URL. When scanned with the device's camera, it opens the enrollment page in Safari.

Enrollment URL for Remote Users

Each token generates a unique enrollment URL:

https://mdm.example.com/enroll?token=eyJhbGciOiJSUzI1NiIs...

This URL can be:

  • Emailed to remote users
  • Shared in a company portal
  • Embedded in an internal wiki
  • Sent via messaging apps (Slack, Teams)

The enrollment page is mobile-responsive and works on iOS, iPadOS, and macOS.

Enrollment Flow

The OTA enrollment process follows these steps:

Step-by-Step

  1. User opens the enrollment URL on their device (Safari on iOS/iPadOS, Safari or any browser on macOS)

  2. GuardMDM verifies the token — checks expiration, max uses, and signature validity

  3. Profile download — the browser downloads an .mobileconfig profile containing:

    • MDM server URL
    • Identity certificate (if SCEP is configured)
    • Trust anchors (root CA certificate)
    • Enrollment challenge (the JWT token)

  4. Profile installation — the user is prompted to go to Settings > General > VPN & Device Management and install the profile. On macOS, System Settings opens automatically.

  5. Device enrollment — after profile installation, the device contacts GuardMDM, exchanges certificates, and registers itself

  6. Policy application — GuardMDM applies the assigned group's policies, configurations, and apps to the device

User Experience on iOS/iPadOS

User Experience on macOS

SCEP Certificate Enrollment During Setup

SCEP (Simple Certificate Enrollment Protocol) allows the device to request a unique identity certificate during enrollment. This is used for:

  • Device identity — each device gets a unique certificate for authentication
  • TLS mutual authentication — devices authenticate to GuardMDM with their certificate
  • Per-device policies — certificates can encode device-specific attributes

Configuring SCEP for OTA

  1. Go to Enrollment > SCEP and create a SCEP profile
  2. Configure the SCEP server URL, CA fingerprint, and challenge type
  3. Assign the SCEP profile to the enrollment token

When SCEP is configured, the enrollment flow adds an extra step:

The SCEP challenge can be:

  • Static — A pre-shared password embedded in the profile
  • Dynamic — A one-time challenge generated per enrollment
  • Token-based — The JWT token itself acts as the challenge

Verifying Enrollment

After enrollment, verify the device is properly managed.

In GuardMDM

  1. Go to Devices and locate the newly enrolled device
  2. Check that the device status shows Managed or Enrolled
  3. Verify the assigned group, policies, and configurations are applied
  4. Check the Enrollment Log for any errors or warnings

On the Device

iOS/iPadOS:

  • Go to Settings > General > VPN & Device Management
  • The GuardMDM profile should appear with a green checkmark
  • Tap the profile to view installed configurations and restrictions

macOS:

  • Go to System Settings > Privacy & Security > Profiles
  • The GuardMDM management profile should be listed as Verified

Common Issues

  • Profile won't install — Cause: token expired. Resolution: generate a new token.
  • "Invalid Profile" warning — Cause: token signature invalid. Resolution: regenerate the token.
  • Device enrolls but shows "Not Managed" — Cause: SCEP certificate not issued. Resolution: check SCEP server connectivity.
  • Enrollment hangs at "Configuring Device" — Cause: network connectivity. Resolution: ensure the device can reach GuardMDM.
  • Profile is untrusted — Cause: root CA not installed. Resolution: install the root CA profile first.

Released under the MIT License