Device-Based Enrollment

An enrollment method that manages the entire device rather than creating a separate managed partition, providing comprehensive device-level control.

What to Know

Device-based enrollment contrasts with User Enrollment, where managed data lives in a separate APFS volume. With device-based enrollment, MDM manages the entire device as a single unit, enabling comprehensive control over system settings, all apps (not just managed ones), hardware features, and device-wide restrictions. This is the traditional enrollment model used by Automated Device Enrollment and manual enrollment, providing maximum management capabilities at the cost of reduced user privacy. Device-based enrollment is essential for corporate-owned devices where organizations need complete visibility and control.

The distinction matters primarily when comparing enrollment options for BYOD scenarios. Device-based enrollment on personally-owned devices gives IT access to all device information and control over personal apps, which many users find invasive. User Enrollment provides an alternative by segregating managed content, but device-based enrollment remains the only option for achieving full supervised management and accessing advanced MDM features like single app mode, AirPlay restrictions, and complete app inventory visibility.

Common Scenarios

Enterprise IT: Corporate-owned MacBooks and iPhones enroll via device-based enrollment (through ADE or manual), giving IT complete device management. IT can view all installed apps, enforce system-wide restrictions like disabling AirDrop, remotely lock or wipe the entire device, and monitor device health metrics. This comprehensive control is necessary for maintaining corporate security standards and compliance on company-owned assets.

MSP: MSPs use device-based enrollment for all client-owned devices, ensuring complete management capabilities. When clients request app installation reports or device usage analytics, device-based enrollment provides visibility into all device activity, not just managed apps. This comprehensive insight enables proactive support and detailed compliance reporting that wouldn’t be possible with User Enrollment’s privacy boundaries.

Education: School-owned iPads deployed to students use device-based enrollment, allowing complete control over device functionality. Schools restrict app installation, enforce classroom mode during instruction, and deploy educational apps device-wide. The comprehensive management ensures devices remain focused on educational purposes and prevents misuse, which wouldn’t be achievable with User Enrollment’s limited management scope.

In Addigy

All Addigy enrollments except User Enrollment are device-based, providing full device management capabilities. When you enroll devices through ADE or manual enrollment, Addigy gains complete visibility into device state, installed apps, hardware information, and system configurations. Addigy’s policies apply device-wide, affecting all users and apps rather than just a managed partition.

Addigy’s device inventory clearly distinguishes between device-based enrollments and User Enrollments, showing different management capabilities available for each. Device-based enrollments support all Addigy features including full app inventory, system extension management, and comprehensive restriction policies, while User Enrollments are automatically limited to privacy-respecting managed app controls.