Enroll Your First Device
Once your GuardMDM account is set up and APNs is configured, you're ready to enroll devices. GuardMDM supports two enrollment methods: OTA (Over-the-Air) for user-initiated enrollment and ADE (Automated Device Enrollment) for zero-touch deployment.
Prerequisite: Apple Push Notification service (APNs) must be configured in your GuardMDM account before any device can enroll. See Set Up APNs if you haven't done this yet.
OTA Enrollment (User-Initiated)
OTA enrollment lets end users enroll their own devices by scanning a QR code or visiting a URL. This is the quickest way to get started with a handful of devices.
Step 1: Generate an Enrollment Token
- In the GuardMDM dashboard, go to Devices > Enrollment.
- Click Create Enrollment Token.
- Give the token a name (e.g., "Employee iPhones").
- Select the Group the enrolling device should be added to.
- (Optional) Set an expiration date for the token.
- Click Generate.
Step 2: Share the QR Code or URL
Once the token is created, you'll see:
- QR Code — Display it on a screen, print it, or download it as an image.
- Enrollment URL — A short link you can email or text to users.
Share whichever is more convenient for your workflow.
Step 3: Enroll on the Device
On the target iPhone, iPad, or Mac:
- Open Safari and navigate to the enrollment URL, or scan the QR code with the Camera app.
- A prompt appears: "This website is trying to download a configuration profile. Do you want to allow it?" — Tap Allow.
- Open the Settings app. A new profile appears under "Profile Downloaded" at the top.
- Tap the profile, then tap Install in the top-right corner.
- Follow the on-screen prompts to install the MDM profile.
The device contacts GuardMDM, completes enrollment, and appears in your dashboard within a few seconds.
ADE Enrollment (Automated)
ADE (Automated Device Enrollment, formerly DEP) lets you enroll devices automatically during first-time setup — no user interaction required beyond the initial setup assistant steps.
Prerequisites for ADE
- An Apple Business Manager or Apple School Manager account linked to GuardMDM.
- Devices assigned to GuardMDM in Apple Business / School Manager.
- APNs configured in GuardMDM.
How It Works
- In Apple Business Manager, assign devices to your GuardMDM server.
- GuardMDM syncs the device list automatically.
- When a user turns on a new device and connects to Wi-Fi, the setup assistant detects GuardMDM as the MDM server.
- The device enrolls automatically during setup. The user completes only the standard setup steps (language, Wi-Fi, privacy).
- GuardMDM applies the assigned Blueprint immediately.
No QR codes, no URLs, no manual profile installation.
What Happens During Enrollment
When a device enrolls, GuardMDM performs several steps behind the scenes:
| Step | What happens |
|---|---|
| SCEP Certificate | The device requests a unique identity certificate via SCEP (Simple Certificate Enrollment Protocol). This certificate authenticates the device to GuardMDM for all future commands. |
| MDM Profile Installation | GuardMDM pushes the MDM management profile to the device. The profile contains the server URL, trust settings, and access permissions. |
| Push Token | The device registers for Apple Push Notification service and sends its push token to GuardMDM. This enables real-time commands (lock, wipe, install apps) without the device polling the server. |
| Blueprint Application | GuardMDM applies the Blueprint assigned to the device's Group — configuration profiles, apps, and restrictions are pushed immediately. |
Once these steps complete, the device is fully managed.
Verifying Enrollment in the Dashboard
To confirm a device enrolled successfully:
- Go to Devices in the GuardMDM dashboard.
- Find the device in the list. Its status should show "Enrolled" with a green indicator.
- Click the device to open its detail page. You'll see:
- Device name, model, OS version, serial number
- Assigned Group and Blueprint
- Last check-in time
- Installed profiles and apps
If a device shows "Pending" or "Offline", check that APNs is reachable and the device has internet access.
What's Next
Now that your first device is enrolled, explore what GuardMDM can do:
- Explore Device Management — Remote commands, profiles, and app management
- Create Blueprints — Build reusable configuration templates
- Manage Groups — Organize devices and apply Blueprints at scale
- Set Up ADE — Configure Automated Device Enrollment for zero-touch deployment
