Unenrolled

A device state indicating the device has no active MDM enrollment and is not under management control.

What to Know

Unenrolled devices lose all MDM-applied configurations, profiles, and managed apps. Depending on profile settings, managed data may be removed during unenrollment. For corporate-owned devices, unenrollment represents a security and compliance risk since IT can no longer enforce policies, deploy updates, or remotely wipe the device. Unenrollment can be intentional (IT removes a device, user leaves the organization) or unintentional (user removes profile, certificate expires).

Common Scenarios

Enterprise IT: Devices are intentionally unenrolled when employees leave, hardware is retired, or devices are reassigned. Unintentional unenrollment occurs when users remove profiles from unsupervised devices or when MDM certificates expire. IT should audit for unexpected unenrollments and enforce policies that prevent profile removal on corporate-owned devices.

MSP: Client offboarding workflows should include formal unenrollment steps to remove devices from billing and management. MSPs should alert clients when devices unenroll unexpectedly, as this can indicate user tampering, device theft, or technical issues requiring attention.

Education: Student devices should remain enrolled for the duration of the academic year or ownership period. Unenrollment during the school year typically indicates device loss, damage, or student attempts to bypass restrictions. Schools should monitor unenrollment events and investigate anomalies.

In Addigy

When a device unenrolls, Addigy marks it as inactive and stops sending commands or profiles. Admins can view unenrollment history and re-enroll devices by sending a new enrollment profile. Addigy retains device records after unenrollment for historical reporting and can alert admins when devices unexpectedly drop out of management.