OTA Enrollment
What is OTA Enrollment
OTA (Over-The-Air) enrollment allows devices to enroll in GuardMDM without being connected to a physical provisioning system or Apple Business Manager. Instead, the user opens a URL on their device, downloads and installs a management profile, and the device enrolls automatically.
OTA enrollment is the primary method for:
- BYOD (Bring Your Own Device) — personal devices that are not in ABM
- Remote workers — devices that cannot be physically provisioned
- Legacy devices — devices not enrolled in Apple Business Manager
- Testing and staging — quick enrollment for evaluation or development
Unlike ADE enrollment, OTA enrollment does not supervise the device automatically. Supervision must be applied separately if required.
Generating Enrollment Tokens
GuardMDM uses JWT (JSON Web Token) based enrollment tokens. Each token encodes the enrollment configuration and has a configurable expiration.
Creating a Token
Navigate to Enrollment > OTA > Tokens and click Generate Token.
| Field | Description |
|---|---|
| Name | A label for the token (e.g. "Engineering BYOD") |
| Expiration | How long the token is valid (e.g. 24 hours, 7 days, never) |
| Group Assignment | The device group new devices will be added to |
| SCEP Profile | The SCEP profile for certificate enrollment (optional) |
| Max Uses | Limit on how many devices can enroll with this token (0 = unlimited) |
Token Structure
The JWT token contains:
```json
{
  "sub": "org_abc123",
  "name": "Engineering BYOD",
  "exp": 1719878400,
  "group_id": "grp_456",
  "scep_profile": "scep_def",
  "max_uses": 100,
  "jti": "unique-token-id"
}
```
The token is signed with GuardMDM's private key and verified by the enrollment endpoint.
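The checks the enrollment endpoint has to make on such a token (signature, expiration, and the per-token use counter keyed by `jti`) are shown in this added example. It is not GuardMDM's code: GuardMDM signs with an RSA private key (RS256), whereas this self-contained version signs with HMAC (HS256) so that it runs with the standard library alone; the claim checks are the same either way. The signing key, `ALLOWED_ALGS`, and the `EnrollmentTokenVerifier` class are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed stand-in for the server-side signing key. GuardMDM signs with an
# RSA private key (RS256); HMAC (HS256) is used here so the example needs only
# the standard library. The claim checks below do not depend on the algorithm.
SIGNING_KEY = b"constructed-demo-signing-key"
ALLOWED_ALGS = {"HS256"}


def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(claims, key=SIGNING_KEY):
    """Encode and sign an enrollment token carrying the claims shown above."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signature = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(signature)}"


class EnrollmentTokenVerifier:
    """Runs the checks the enrollment endpoint performs: signature, expiration, max uses."""

    def __init__(self, key=SIGNING_KEY):
        self.key = key
        self.uses = {}  # jti -> completed enrollments (a database table in a real deployment)

    def verify(self, token, now=None):
        """Return the claims if the token is acceptable, otherwise raise ValueError."""
        now = int(time.time()) if now is None else now
        parts = token.split(".")
        if len(parts) != 3:
            raise ValueError("malformed token")
        header_b64, payload_b64, sig_b64 = parts
        header = json.loads(_b64url_decode(header_b64))
        # Pin the algorithm: the token's own header must not decide how it is verified.
        if header.get("alg") not in ALLOWED_ALGS:
            raise ValueError("unexpected alg")
        expected = hmac.new(self.key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            raise ValueError("invalid signature")
        claims = json.loads(_b64url_decode(payload_b64))
        for name in ("sub", "group_id", "jti"):
            if name not in claims:
                raise ValueError(f"missing claim: {name}")
        # A token generated with expiration "never" simply carries no exp claim.
        if "exp" in claims and now >= claims["exp"]:
            raise ValueError("token expired")
        max_uses = claims.get("max_uses", 0)  # 0 = unlimited
        if max_uses and self.uses.get(claims["jti"], 0) >= max_uses:
            raise ValueError("max uses reached")
        return claims

    def consume(self, claims):
        """Record one completed enrollment against the token's jti; returns the new count."""
        jti = claims["jti"]
        self.uses[jti] = self.uses.get(jti, 0) + 1
        return self.uses[jti]


if __name__ == "__main__":
    token = issue_token({"sub": "org_abc123", "name": "Engineering BYOD", "exp": 1719878400,
                         "group_id": "grp_456", "scep_profile": "scep_def",
                         "max_uses": 100, "jti": "unique-token-id"})
    print(EnrollmentTokenVerifier().verify(token, now=1719878399)["group_id"])
```

Two details matter operationally: the use counter is incremented only after the device completes enrollment (`consume`), so an abandoned profile download does not burn a use, and the allowed algorithm is fixed server-side rather than read from the token header.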
QR Code for Easy Enrollment
Each enrollment token can be rendered as a QR code for quick scanning. This is ideal for in-person onboarding or printed materials.
To generate a QR code:
- Go to Enrollment > OTA > Tokens
- Click the QR icon next to the desired token
- Download the QR code image (PNG or SVG)
The QR code encodes the full enrollment URL. When scanned with the device's camera, it opens the enrollment page in Safari.
Enrollment URL for Remote Users
Each token generates a unique enrollment URL:
https://mdm.example.com/enroll?token=eyJhbGciOiJSUzI1NiIs...
This URL can be:
- Emailed to remote users
- Shared in a company portal
- Embedded in an internal wiki
- Sent via messaging apps (Slack, Teams)
The enrollment page is mobile-responsive and works on iOS, iPadOS, and macOS.
Enrollment Flow
The OTA enrollment process follows these steps:
Step-by-Step
- User opens the enrollment URL on their device (Safari on iOS/iPadOS, Safari or any browser on macOS)
- GuardMDM verifies the token — checks expiration, max uses, and signature validity
- Profile download — the browser downloads a `.mobileconfig` profile containing:
  - MDM server URL
  - Identity certificate (if SCEP is configured)
  - Trust anchors (root CA certificate)
  - Enrollment challenge (the JWT token)
- Profile installation — the user is prompted to go to Settings > General > VPN & Device Management and install the profile. On macOS, System Settings opens automatically.
- Device enrollment — after profile installation, the device contacts GuardMDM, exchanges certificates, and registers itself
- Policy application — GuardMDM applies the assigned group's policies, configurations, and apps to the device
User Experience on iOS/iPadOS
User Experience on macOS
SCEP Certificate Enrollment During Setup
SCEP (Simple Certificate Enrollment Protocol) allows the device to request a unique identity certificate during enrollment. This is used for:
- Device identity — each device gets a unique certificate for authentication
- TLS mutual authentication — devices authenticate to GuardMDM with their certificate
- Per-device policies — certificates can encode device-specific attributes
Configuring SCEP for OTA
- Go to Enrollment > SCEP and create a SCEP profile
- Configure the SCEP server URL, CA fingerprint, and challenge type
- Assign the SCEP profile to the enrollment token
When SCEP is configured, the enrollment flow adds an extra step:
The SCEP challenge can be:
| Type | Description |
|---|---|
| Static | A pre-shared password embedded in the profile |
| Dynamic | A one-time challenge generated per enrollment |
| Token-based | The JWT token itself acts as the challenge |
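The following added example builds the enrollment `.mobileconfig` described in the enrollment flow (MDM server URL, SCEP identity certificate, root CA trust anchor, and the enrollment challenge) and selects the SCEP challenge according to the three types in the table above. It is not GuardMDM's profile generator. The payload types and keys (`com.apple.mdm`, `com.apple.security.scep`, `com.apple.security.root`, `IdentityCertificateUUID`, `AccessRights`) are Apple's documented configuration-profile keys; the server URL, push topic, root CA bytes, payload identifiers, and the convention of carrying the token on the check-in URL are constructed assumptions.

```python
import plistlib
import secrets
import uuid

# Constructed placeholders (assumptions, not GuardMDM values).
SERVER_URL = "https://mdm.example.com"
PUSH_TOPIC = "com.apple.mgmt.External.constructed-placeholder"
ROOT_CA_DER = b"constructed placeholder for the DER-encoded root CA certificate"


def scep_challenge(challenge_type, enrollment_token, secret=None):
    """Select the SCEP challenge per the three types above; returns the challenge string."""
    if challenge_type == "static":
        if not secret:
            raise ValueError("static challenge needs the pre-shared password")
        return secret  # pre-shared password embedded in every profile
    if challenge_type == "dynamic":
        # One-time value minted per enrollment; the server records it for the SCEP CA.
        return secret or secrets.token_urlsafe(32)
    if challenge_type == "token-based":
        return enrollment_token  # the enrollment JWT itself is the challenge
    raise ValueError(f"unknown challenge type: {challenge_type}")


def build_enrollment_profile(enrollment_token, scep_url, challenge_type="token-based",
                             secret=None, server_url=SERVER_URL, push_topic=PUSH_TOPIC,
                             root_ca_der=ROOT_CA_DER):
    """Return the .mobileconfig bytes (an XML plist) for OTA enrollment."""
    identity_uuid = str(uuid.uuid4())

    root_ca = {  # trust anchor so the device accepts GuardMDM's TLS chain
        "PayloadType": "com.apple.security.root",
        "PayloadIdentifier": "com.example.guardmdm.rootca",
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadVersion": 1,
        "PayloadDisplayName": "GuardMDM Root CA",
        "PayloadContent": root_ca_der,  # plistlib emits bytes as <data>
    }
    scep = {  # device identity certificate requested during enrollment
        "PayloadType": "com.apple.security.scep",
        "PayloadIdentifier": "com.example.guardmdm.scep",
        "PayloadUUID": identity_uuid,
        "PayloadVersion": 1,
        "PayloadDisplayName": "GuardMDM Device Identity",
        "PayloadContent": {
            "URL": scep_url,
            "Name": "GuardMDM CA",
            "Subject": [[["CN", "GuardMDM Device"]]],
            "Challenge": scep_challenge(challenge_type, enrollment_token, secret),
            "Keysize": 2048,
            "KeyType": "RSA",
            "KeyUsage": 5,  # digital signature + key encipherment
        },
    }
    mdm = {  # the management payload itself
        "PayloadType": "com.apple.mdm",
        "PayloadIdentifier": "com.example.guardmdm.mdm",
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadVersion": 1,
        "PayloadDisplayName": "GuardMDM",
        "ServerURL": f"{server_url}/mdm",
        # Assumed convention: the enrollment token rides on the check-in URL so the
        # server can tie the device's first check-in back to the token that issued it.
        "CheckInURL": f"{server_url}/checkin?token={enrollment_token}",
        "Topic": push_topic,
        "IdentityCertificateUUID": identity_uuid,  # authenticate with the SCEP-issued cert
        "AccessRights": 8191,  # all management rights
        "CheckOutWhenRemoved": True,
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadIdentifier": "com.example.guardmdm.enrollment",
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadVersion": 1,
        "PayloadDisplayName": "GuardMDM Enrollment",
        "PayloadDescription": "Enrolls this device in GuardMDM",
        "PayloadContent": [root_ca, scep, mdm],
    }
    return plistlib.dumps(profile)


if __name__ == "__main__":
    print(build_enrollment_profile("constructed.jwt.token", f"{SERVER_URL}/scep").decode())
```

The profile is served unsigned here; the "Invalid Profile" and "Profile is untrusted" rows in the Common Issues table below are the symptoms of a profile whose signature or trust chain the device cannot validate, so a production server signs the generated plist with a certificate the device already trusts.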
Verifying Enrollment
After enrollment, verify the device is properly managed.
In GuardMDM
- Go to Devices and locate the newly enrolled device
- Check that the device status shows Managed or Enrolled
- Verify the assigned group, policies, and configurations are applied
- Check the Enrollment Log for any errors or warnings
On the Device
iOS/iPadOS:
- Go to Settings > General > VPN & Device Management
- The GuardMDM profile should appear with a green checkmark
- Tap the profile to view installed configurations and restrictions
macOS:
- Go to System Settings > Privacy & Security > Profiles
- The GuardMDM management profile should be listed as Verified
Common Issues
| Issue | Cause | Resolution |
|---|---|---|
| Profile won't install | Token expired | Generate a new token |
| "Invalid Profile" warning | Token signature invalid | Regenerate the token |
| Device enrolls but shows "Not Managed" | SCEP certificate not issued | Check SCEP server connectivity |
| Enrollment hangs at "Configuring Device" | Network connectivity | Ensure device can reach GuardMDM |
| Profile is untrusted | Root CA not installed | Install root CA profile first |
