Multi-Tenant Organization
What is Multi-Tenancy
Multi-tenancy is an architecture where a single instance of GuardMDM serves multiple independent organizations (tenants). Each tenant operates as a completely separate entity within the same system, with its own:
- Devices
- Device groups
- Blueprints (configuration profiles)
- Users and administrators
- Settings and policies
This allows a single GuardMDM deployment to serve an MSP (Managed Service Provider), an enterprise with multiple business units, or any scenario where organizations need to be kept separate.
Device Limits Per Tenant
Each tenant can have a configurable device limit. When a tenant reaches its device cap, no new devices can enroll until existing ones are removed or the limit is increased. This is useful for:
- Enforcing subscription tiers in a SaaS model
- Controlling resource usage across business units
- Preventing accidental over-enrollment
The device limit is set by the super admin and can be adjusted per tenant.
Tenant Isolation
Data between tenants is completely isolated. A user or device in Tenant A cannot access any data belonging to Tenant B. This isolation covers:
- Device data — inventory, status, location, commands
- Configuration profiles — blueprints, custom XML, settings
- User accounts — admin users, enrollment users
- Groups — device groups, organizational groupings
- Logs and events — audit trails, command history, enrollment logs
This isolation is enforced at the database level and the application level. There is no shared namespace between tenants.
Super Admin
The super admin account exists outside any single tenant and has visibility across all tenants. The super admin can:
- Create, edit, and delete tenants
- Set device limits per tenant
- View all tenants' devices, groups, and blueprints
- Perform administrative actions across tenants
- Assign tenant-level admins
The super admin does not count against any tenant's device limit.
Switching Between Tenants
When logged in as a super admin, you can switch between tenants from the organization switcher in the top navigation bar. Selecting a tenant changes the context to that tenant's data — you will see only that tenant's devices, groups, blueprints, and users.
Tenant-level admins see only their own tenant and do not have a tenant switcher.
Summary
| Feature | Tenant Admin | Super Admin |
|---|---|---|
| Manage own devices, groups, blueprints | Yes | Yes (per tenant) |
| View other tenants' data | No | Yes |
| Create / delete tenants | No | Yes |
| Set device limits | No | Yes |
| Switch between tenants | No | Yes |
