
Enrollment Profile

Enrollment & Provisioning

A specially signed configuration file that contains the MDM server URL, enrollment credentials, and initial device settings required to enroll a device in management.

What to Know

The enrollment profile is the critical first communication between a device and an MDM server. Without it, a device cannot establish trust with the MDM system or receive management commands. The profile is cryptographically signed to verify its authenticity and prevent tampering, ensuring devices only enroll with legitimate MDM servers. It contains essential connection details including the server URL, enrollment credentials, and the initial trust anchor certificate that enables secure communication.
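As an added illustration (not Addigy's code), the following sketch audits the contents described above before a profile is installed: the server URL, the enrollment credential reference, and the trust anchor. It assumes the signature has already been verified and removed by a CMS tool, so the input is the plain plist; the function name, hostnames, and sample values are constructed, while the payload type strings are Apple's.

```python
import plistlib
from urllib.parse import urlsplit

# Constructed sample: plist content of an enrollment profile after its CMS
# signature has been verified and stripped. Every value here is made up.
SAMPLE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadContent": [
        {"PayloadType": "com.apple.security.root", "PayloadUUID": "CA-1",
         "PayloadContent": b"constructed-certificate-bytes"},
        {"PayloadType": "com.apple.security.scep", "PayloadUUID": "ID-1",
         "PayloadContent": {"URL": "https://mdm.example.com/scep"}},
        {"PayloadType": "com.apple.mdm", "PayloadUUID": "MDM-1",
         "ServerURL": "https://mdm.example.com/connect",
         "CheckInURL": "https://mdm.example.com/checkin",
         "IdentityCertificateUUID": "ID-1"},
    ],
})

IDENTITY_TYPES = {"com.apple.security.scep", "com.apple.security.pkcs12"}
ANCHOR_TYPES = {"com.apple.security.root", "com.apple.security.pkcs1"}

def audit_enrollment_profile(raw: bytes, expected_host: str) -> list[str]:
    """Return findings for a decoded profile; an empty list means it passed."""
    by_type = {}
    for p in plistlib.loads(raw).get("PayloadContent", []):
        by_type.setdefault(p.get("PayloadType"), []).append(p)
    mdm_payloads = by_type.get("com.apple.mdm", [])
    if len(mdm_payloads) != 1:
        return [f"expected one com.apple.mdm payload, found {len(mdm_payloads)}"]
    mdm, findings = mdm_payloads[0], []
    if "ServerURL" not in mdm:
        findings.append("ServerURL missing")
    for key in ("ServerURL", "CheckInURL"):  # CheckInURL is optional
        if key in mdm:
            url = urlsplit(mdm[key])
            if url.scheme != "https":
                findings.append(f"{key} is not https")
            if url.hostname != expected_host:
                findings.append(f"{key} host {url.hostname!r} is not {expected_host!r}")
    # The enrollment credential must be an identity payload shipped in this profile.
    identity_uuids = {p.get("PayloadUUID") for t in IDENTITY_TYPES for p in by_type.get(t, [])}
    ident = mdm.get("IdentityCertificateUUID")
    if not ident or ident not in identity_uuids:
        findings.append("IdentityCertificateUUID does not reference an identity payload")
    # The page lists a trust anchor among the contents; deployments that rely on
    # a publicly trusted CA may legitimately omit it.
    if not any(by_type.get(t) for t in ANCHOR_TYPES):
        findings.append("no trust anchor certificate payload")
    return findings

if __name__ == "__main__":
    print(audit_enrollment_profile(SAMPLE, "mdm.example.com") or "profile passed")
```

A clean result here says nothing about authenticity on its own; it complements the signature check rather than replacing it.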

Different enrollment methods use enrollment profiles in different ways. In Automated Device Enrollment, the profile is delivered automatically during Setup Assistant. For manual enrollment, users download and install the profile themselves, typically via a web portal or email. The profile’s security and delivery method directly impact enrollment success rates and the overall security posture of managed devices.

Common Scenarios

Enterprise IT: Corporate IT departments generate enrollment profiles for BYOD programs or devices that can’t use ADE. Users visit an internal enrollment portal, authenticate with their corporate credentials, and download a personalized enrollment profile. The profile may include identity certificates, Wi-Fi settings, and VPN configurations that apply during enrollment.

MSP: MSPs create client-specific enrollment profiles for manual enrollment scenarios, such as legacy devices or quick deployments. The profile is distributed via email or a secure link, allowing remote users to enroll without requiring direct IT intervention. MSPs often include branding and client-specific configurations in the profile to streamline setup.

Education: Schools distribute enrollment profiles for shared devices that weren’t purchased through Apple School Manager. Lab managers or technicians install the profile on each device manually, or students scan a QR code that installs the profile, enabling centralized management of previously unmanaged devices.

In Addigy

Addigy generates enrollment profiles automatically when you initiate manual enrollment. Users can access the enrollment profile through the Addigy enrollment URL, which authenticates the user and delivers a signed profile specific to their account. The profile includes Addigy’s MDM server URL, enrollment credentials, and initial settings defined in your enrollment configuration.

For ADE enrollments, Addigy delivers the enrollment profile automatically during Setup Assistant without user interaction. Addigy also supports creating custom enrollment profiles with additional payloads such as Wi-Fi, certificates, or VPN configurations, allowing you to pre-configure network access before full policy deployment completes.

Also Known As

  • MDM Enrollment Profile
  • Device Enrollment Profile
  • Configuration Profile