Glossary
Core MDM Concepts
MDM (Mobile Device Management): A solution that lets administrators remotely manage, secure, and enforce policies on mobile devices (iOS, macOS, Android, Windows) over the air.
APNs (Apple Push Notification service): Apple's service that delivers push notifications to Apple devices. MDM servers use APNs to wake devices and tell them to check in for new commands.
ABM / DEP (Apple Business Manager / Device Enrollment Program): Apple's device portal for organizations. ABM links devices to an MDM server automatically during first setup, bypassing manual enrollment. DEP is the underlying enrollment flow now part of ABM.
VPP (Volume Purchase Program): Apple's program for buying apps in bulk and assigning them to devices or users silently. Now integrated into ABM as Apps and Books.
SCEP (Simple Certificate Enrollment Protocol): A protocol for automating certificate issuance. MDM uses SCEP to push identity certificates to devices for network authentication (Wi-Fi, VPN, email).
OTA (Over-the-Air): Any configuration or software update delivered wirelessly, without a physical cable. MDM is an OTA management system.
ADE (Automated Device Enrollment): The modern name for DEP enrollment — the zero-touch flow where a device bought through ABM is automatically enrolled in MDM when the user first turns it on.
GuardMDM Data Model
Blueprint: A reusable policy template that bundles configuration profiles, apps, restrictions, and settings. Devices assigned to a blueprint inherit everything in it.
Device Group: A collection of devices grouped by a common attribute (e.g., department, OS version, location). Policies and commands can target a group instead of individual devices.
Enrollment: The process of registering a device with the MDM server. During enrollment the device receives its identity certificate, push topic, and initial configuration.
Device Security States
Supervised: A higher-privilege management mode for Apple devices. Supervision enables restrictions and settings unavailable on non-supervised devices (e.g., block app install, always-on VPN, Lost Mode). Required for ADE-enrolled devices.
Lost Mode: A supervised-only state that locks a device to a custom lock screen message and contact number. The device periodically reports its location.
Activation Lock: A Find My feature that ties a device to the owner's Apple ID. When enabled, the device cannot be erased or reactivated without the original Apple ID. MDM can bypass Activation Lock on supervised, company-owned devices.
macOS Security
FileVault: macOS full-disk encryption using XTS-AES-128. When enabled, the entire startup volume is encrypted. MDM can enforce FileVault and escrow the recovery key.
SIP (System Integrity Protection): macOS security feature that restricts write access to protected system paths, even for root. MDM cannot disable SIP; it must be managed outside MDM (Recovery Mode).
Authentication & Tokens
JWT (JSON Web Token): A compact, signed token format used for API authentication. GuardMDM uses JWTs for server-to-server communication and ABM authentication.
CSR (Certificate Signing Request): A block of data sent to a Certificate Authority to request a signed identity certificate. MDM generates CSRs during SCEP enrollment to get device certificates.
Architecture
Tenant: An isolated instance of GuardMDM with its own devices, users, blueprints, and settings. Each tenant is invisible to other tenants on the same server.
Multi-Tenancy: The ability for a single GuardMDM instance to serve multiple independent organizations (tenants), each with full data isolation.
File Formats
plist (Property List): Apple's structured data format (XML or binary) used for configuration files, preferences, and configuration profiles. The native format for Apple MDM payloads.
Configuration Profile: An XML plist (.mobileconfig) containing one or more payloads (Wi-Fi, VPN, restrictions, certificates). Devices install profiles to apply settings. The fundamental unit of policy delivery in Apple MDM.
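As an added example (not GuardMDM's own code), the following Python builds a .mobileconfig from the plist and payload structure described above and then parses it back to check that the profile and every payload carry the four keys Apple requires (PayloadType, PayloadIdentifier, PayloadUUID, PayloadVersion) and that no PayloadUUID is reused. The organization name, identifiers and the sample Restrictions setting are constructed placeholders.

```python
"""Build and validate a minimal Apple configuration profile (.mobileconfig).

Added example, not GuardMDM code. Identifiers and the sample
com.apple.applicationaccess (Restrictions) payload are constructed.
"""
import plistlib
import uuid

# Keys every payload, and the top-level profile itself, must carry.
REQUIRED_KEYS = {"PayloadType", "PayloadIdentifier", "PayloadUUID", "PayloadVersion"}


def restrictions_payload(identifier: str, **settings) -> dict:
    """Return a Restrictions payload; settings are restriction keys such as allowAppInstallation."""
    return {
        "PayloadType": "com.apple.applicationaccess",
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        **settings,
    }


def build_profile(org: str, identifier: str, payloads: list) -> bytes:
    """Wrap payloads in a top-level Configuration profile and serialize it as an XML plist."""
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": f"{org} baseline",
        "PayloadOrganization": org,
        "PayloadContent": payloads,
    }
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def validate_profile(data: bytes) -> list:
    """Parse a profile (XML or binary plist) and return the list of problems found (empty if valid)."""
    problems = []
    profile = plistlib.loads(data)
    if profile.get("PayloadType") != "Configuration":
        problems.append("top-level PayloadType must be 'Configuration'")
    problems += [f"profile missing {k}" for k in sorted(REQUIRED_KEYS - profile.keys())]
    seen = set()
    for i, payload in enumerate(profile.get("PayloadContent", [])):
        problems += [f"payload {i} missing {k}" for k in sorted(REQUIRED_KEYS - payload.keys())]
        pid = payload.get("PayloadUUID")
        if pid in seen:  # duplicate UUIDs make profiles collide on install
            problems.append(f"payload {i} reuses PayloadUUID {pid}")
        seen.add(pid)
    return problems
```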
