Profile-Based Enrollment

An enrollment method where users manually install a configuration profile containing MDM enrollment settings. Typically results in unsupervised devices.

What to Know

Profile-based enrollment is synonymous with manual enrollment and represents the traditional method of enrolling devices that aren’t part of Automated Device Enrollment. Users download and install an enrollment profile, initiating the MDM enrollment process. This method is critical for BYOD scenarios, contractor devices, or any situation where devices weren’t purchased through Apple’s volume purchase programs. While convenient and flexible, profile-based enrollment cannot place devices under supervision, limiting available management features.

The enrollment profile contains all necessary MDM server information and trust certificates, but because it’s user-installed rather than automatically deployed, devices enrolled this way remain unsupervised. Users retain the ability to remove the MDM profile, ending management at any time. Organizations must clearly communicate expectations and policies around profile removal, especially in BYOD scenarios where personal device ownership intersects with corporate management needs.

Common Scenarios

Enterprise IT: Contractors and temporary employees receive enrollment links for their personal devices to access corporate resources. They download the enrollment profile from a web portal, install it, and gain access to company email, VPN, and internal apps. The profile enforces minimum security requirements like passcode complexity and encryption, but respects that the device is personally owned and limits invasive management.

MSP: When taking over management of an existing client with legacy devices not in Apple Business Manager, MSPs use profile-based enrollment to quickly establish management. The MSP sends enrollment links to all users, who install profiles on their existing devices. This allows immediate policy enforcement and app deployment while planning for eventual hardware refresh to ADE-capable devices.

Education: Faculty members with personal devices enroll via profile-based enrollment to access institutional Wi-Fi, email, and learning management systems. The enrollment profile installs necessary certificates and VPN configurations while maintaining clear boundaries between personal and institutional data. Faculty can remove the profile when they leave the institution or during summer break.

In Addigy

Addigy treats profile-based enrollment identically to manual enrollment—both terms refer to the same process. Users access Addigy’s enrollment portal through a provided URL, authenticate if required, and download an enrollment profile specific to their account. After installation, the device appears in Addigy with an unsupervised designation, and Addigy automatically limits available management actions to those compatible with unsupervised devices.

Addigy’s profile-based enrollment supports customization through enrollment policies that apply immediately after enrollment completes. You can configure authentication requirements, install Wi-Fi and VPN profiles during enrollment, and assign devices to specific policies based on user groups or device type, ensuring even manually enrolled devices receive appropriate baseline configurations.