
Enrollment Lock

Device States

A feature that prevents removal of the MDM enrollment profile without administrator authorization, ensuring continuous device management.

What to Know

Enrollment Lock ensures that corporate-owned devices remain managed and cannot be removed from MDM without administrator intervention. This prevents users from uninstalling management profiles to bypass security policies, app restrictions, or compliance requirements. For organizations that rely on MDM to enforce data protection and access controls, Enrollment Lock is essential for maintaining device security posture throughout the device lifecycle.

Without Enrollment Lock, users can simply delete the enrollment profile from Settings, immediately removing all management capabilities and creating security gaps. This is particularly problematic for devices containing sensitive corporate data or those required to meet compliance standards, as unenrolled devices become invisible to IT and unprotected by organizational policies.

Common Scenarios

Enterprise IT: Corporate iPhones and iPads are deployed with Enrollment Lock to prevent employees from removing MDM profiles to install unauthorized apps, disable security controls, or avoid monitoring. If a user attempts to remove the profile, they’re prompted for a PIN that only IT possesses, ensuring devices remain managed for their entire lifecycle.

MSP: MSPs enable Enrollment Lock on all client devices to maintain continuous management and prevent clients from accidentally or intentionally removing MDM profiles. This ensures compliance with MSP service agreements and prevents devices from becoming unmanaged without proper offboarding procedures.

Education: Students frequently attempt to remove MDM profiles to bypass content filtering, install personal apps, or disable classroom management features. Enrollment Lock prevents profile removal, ensuring student devices remain under school control and that safety controls like web filtering stay active.

In Addigy

Addigy enables Enrollment Lock automatically for devices enrolled through ADE. When users attempt to remove the enrollment profile, they’re prompted for a PIN that Addigy generates and stores securely. Admins can retrieve this PIN from the device details page if legitimate removal is needed, such as when decommissioning a device or transferring it to another user. Addigy’s reporting shows Enrollment Lock status for all devices, helping IT verify that corporate devices maintain management protection.

Also Known As

  • MDM Lock
  • DEP Lock
  • Enrollment Locked