Enroll Your First Device

Once your GuardMDM account is set up and APNs is configured, you're ready to enroll devices. GuardMDM supports two enrollment methods: OTA (Over-the-Air) for user-initiated enrollment and ADE (Automated Device Enrollment) for zero-touch deployment.

Prerequisite: Apple Push Notification service (APNs) must be configured in your GuardMDM account before any device can enroll. See Set Up APNs if you haven't done this yet.


OTA Enrollment (User-Initiated)

OTA enrollment lets end users enroll their own devices by scanning a QR code or visiting a URL. This is the quickest way to get started with a handful of devices.

Step 1: Generate an Enrollment Token

  1. In the GuardMDM dashboard, go to Devices > Enrollment.
  2. Click Create Enrollment Token.
  3. Give the token a name (e.g., "Employee iPhones").
  4. Select the Group the enrolling device should be added to.
  5. (Optional) Set an expiration date for the token.
  6. Click Generate.

Step 2: Share the QR Code or URL

Once the token is created, you'll see:

  • QR Code — Display it on a screen, print it, or download it as an image.
  • Enrollment URL — A short link you can email or text to users.

Share whichever is more convenient for your workflow.

Step 3: Enroll on the Device

On the target iPhone, iPad, or Mac:

  1. Open Safari and navigate to the enrollment URL, or scan the QR code with the Camera app.
  2. A prompt appears: "This website is trying to download a configuration profile. Do you want to allow it?" — Tap Allow.
  3. Open the Settings app. A new profile appears under "Profile Downloaded" at the top.
  4. Tap the profile, then tap Install in the top-right corner.
  5. Follow the on-screen prompts to install the MDM profile.

The device contacts GuardMDM, completes enrollment, and appears in your dashboard within a few seconds.


ADE Enrollment (Automated)

ADE (Automated Device Enrollment, formerly DEP) lets you enroll devices automatically during first-time setup — no user interaction required beyond the initial setup assistant steps.

Prerequisites for ADE

  • An Apple Business Manager or Apple School Manager account linked to GuardMDM.
  • Devices assigned to GuardMDM in Apple Business / School Manager.
  • APNs configured in GuardMDM.

How It Works

  1. In Apple Business Manager, assign devices to your GuardMDM server.
  2. GuardMDM syncs the device list automatically.
  3. When a user turns on a new device and connects to Wi-Fi, the setup assistant detects GuardMDM as the MDM server.
  4. The device enrolls automatically during setup. The user completes only the standard setup steps (language, Wi-Fi, privacy).
  5. GuardMDM applies the assigned Blueprint immediately.

No QR codes, no URLs, no manual profile installation.


What Happens During Enrollment

When a device enrolls, GuardMDM performs several steps behind the scenes:

| Step | What happens |
|------|--------------|
| SCEP Certificate | The device requests a unique identity certificate via SCEP (Simple Certificate Enrollment Protocol). This certificate authenticates the device to GuardMDM for all future commands. |
| MDM Profile Installation | GuardMDM pushes the MDM management profile to the device. The profile contains the server URL, trust settings, and access permissions. |
| Push Token | The device registers for Apple Push Notification service and sends its push token to GuardMDM. This enables real-time commands (lock, wipe, install apps) without the device polling the server. |
| Blueprint Application | GuardMDM applies the Blueprint assigned to the device's Group — configuration profiles, apps, and restrictions are pushed immediately. |

Once these steps complete, the device is fully managed.
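
To review an enrollment profile before distributing it, the added example below (not GuardMDM code) parses an unsigned .mobileconfig and checks the relationships described in the table: an HTTPS server URL, an MDM identity that points at the SCEP payload in the same profile, and an APNs management topic. The payload keys are Apple's standard MDM and SCEP payload keys; the hosts, UUIDs and topic in the sample are constructed placeholders, and a signed profile would need its signature wrapper removed first.

```python
import plistlib
from urllib.parse import urlparse

# Constructed sample profile: hosts, UUIDs and topic are placeholders, not GuardMDM output.
SCEP_UUID = "11111111-aaaa-4bbb-8ccc-000000000001"
SAMPLE_PROFILE = {
    "PayloadType": "Configuration",
    "PayloadContent": [
        {"PayloadType": "com.apple.security.scep", "PayloadUUID": SCEP_UUID,
         "PayloadContent": {"URL": "https://mdm.example.com/scep"}},
        {"PayloadType": "com.apple.mdm",
         "IdentityCertificateUUID": SCEP_UUID,
         "ServerURL": "https://mdm.example.com/mdm",
         "CheckInURL": "https://mdm.example.com/checkin",
         "Topic": "com.apple.mgmt.External.00000000-0000-0000-0000-000000000000"},
    ],
}
SAMPLE_BYTES = plistlib.dumps(SAMPLE_PROFILE)  # bytes of an unsigned .mobileconfig

def is_https(url):
    parsed = urlparse(url or "")
    return parsed.scheme == "https" and bool(parsed.hostname)

def audit_enrollment_profile(profile):
    """Return a list of findings for a parsed profile (empty list means none)."""
    payloads = profile.get("PayloadContent", [])
    mdm = [p for p in payloads if p.get("PayloadType") == "com.apple.mdm"]
    scep_uuids = {p.get("PayloadUUID") for p in payloads
                  if p.get("PayloadType") == "com.apple.security.scep"}
    if len(mdm) != 1:
        return [f"expected exactly one com.apple.mdm payload, found {len(mdm)}"]
    mdm = mdm[0]
    findings = []
    # ServerURL is mandatory; CheckInURL is optional but must be HTTPS when present.
    if not is_https(mdm.get("ServerURL")):
        findings.append("ServerURL is missing or not https")
    if "CheckInURL" in mdm and not is_https(mdm["CheckInURL"]):
        findings.append("CheckInURL is not https")
    # The MDM identity should be the SCEP-issued certificate from this same profile.
    identity = mdm.get("IdentityCertificateUUID")
    if not identity or identity not in scep_uuids:
        findings.append("IdentityCertificateUUID does not reference a SCEP payload")
    if not str(mdm.get("Topic", "")).startswith("com.apple.mgmt."):
        findings.append("Topic is not an APNs MDM topic (com.apple.mgmt.*)")
    return findings

def audit_mobileconfig(raw):
    """Audit an unsigned .mobileconfig given as bytes."""
    return audit_enrollment_profile(plistlib.loads(raw))
```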


Verifying Enrollment in the Dashboard

To confirm a device enrolled successfully:

  1. Go to Devices in the GuardMDM dashboard.
  2. Find the device in the list. Its status should show "Enrolled" with a green indicator.
  3. Click the device to open its detail page. You'll see:
    • Device name, model, OS version, serial number
    • Assigned Group and Blueprint
    • Last check-in time
    • Installed profiles and apps

If a device shows "Pending" or "Offline", check that APNs is reachable and the device has internet access.


What's Next

Now that your first device is enrolled, explore what GuardMDM can do:

Released under the MIT License