Free Edition
What is MDM?
Enterprise Mobility Management
Mobile Device Management
Mobile Application Management
Mobile Security Management
Mobile Email Management
Mobile Content Management
BYOD
Compliance
- CJIS
- HIPAA
- ISO
- PCI
- GDPR
Awards & Reviews
Supported Platforms
- iOS
- Android
- Windows
- macOS
- Chrome OS
- Android Enterprise
- Samsung Knox
Related Products

How to choose enrollment techniques for your organization?

Device enrollment can be chosen based on device ownership, the required management mode, and specific deployment scenarios. This document explains the different ownership types, management modes, their use cases, and the enrollment methods applicable to each management mode.

Device Ownership

Devices can either be company-owned or personally owned, and this distinction plays a crucial role in determining the appropriate enrollment method.

Management Mode

Management Modes are classified into three types based on the device ownership. If Company-owned devices, management can be implemented in two ways: Fully Managed or Fully Managed with a work profile. In case of personal devices, management is done using a Work Profile, and such devices are refereed to as Profile Owner devices.

Fully Managed Devices

Fully Managed mode is used for company-owned devices that are entirely controlled by the organization. These devices are provisioned and configured by IT admins to ensure full compliance with corporate policies.
Use Cases:

Corporate-only devices: Used exclusively for business purposes with restricted access to personal apps or accounts.
Kiosk or dedicated devices: Locked down to a single app or a set of work apps.
Shared devices: Configured for multiple users (e.g., in hospitals or warehouses) with limited functionality and user switching enabled.
High-security environments: Devices requiring strict policy enforcement, remote wipe, and compliance monitoring.

Enrollment Methods for Fully Managed Devices

Android:

Zero-touch Enrollment: Ideal for large-scale deployments; devices are automatically enrolled during initial setup.
Knox Mobile Enrollment (KME): Used for Samsung devices to streamline provisioning.
QR Code (EMM Token) Enrollment: Allows quick enrollment by scanning a QR code during device setup.
NFC Enrollment: Used to enroll devices by tapping an NFC tag containing the enrollment details.
ADB Enrollment: Suitable for testing or small-scale setups where devices are connected via USB for manual enrollment.

Apple:

Automated Device Enrollment (ABM/ASM): Seamlessly enrols company-owned devices purchased through Apple or authorized resellers.
Apple Configurator App (on iPhone or Mac): Used to manually add and supervise devices for enrollment.

Fully Managed with a Work Profile

This mode is used for company-owned devices where both work and personal profiles are created, allowing employees to use a single device for professional and personal purposes. The organization manages and secures only the work profile, while the personal space remains private and unmanaged.
Use Cases:

Corporate-owned, personally enabled (COPE) devices: Employees can use the same device for both business and personal needs.
Data separation and privacy: Ensures corporate data stays within the work profile while personal data remains unaffected by IT controls.
Security compliance: IT can enforce policies, deploy apps, and perform remote actions only within the work profile.

Enrollment Methods for Fully Managed with a Work Profile

Android:

Zero-touch Enrollment and Knox Mobile Enrollment (KME): Enable automatic setup of both work and personal profiles on company-owned devices.
QR Code (EMM Token) Enrollment: Simplifies provisioning by creating separate work and personal profiles during setup.

Apple:

Not applicable — Apple devices do not support a “Work Profile” equivalent. Instead, use standard management or User Enrollment for BYOD scenarios.

Personally owned Devices

This mode is used for employee-owned devices (BYOD), where a secure work container is created to manage corporate apps and data without affecting personal content. IT admins can manage only the work profile, ensuring data protection while maintaining user privacy.
Use Cases:

Bring Your Own Device (BYOD) programs: Employees can access corporate apps and resources securely on their personal devices.
Enhanced data protection: Work apps and data are contained within a managed profile, preventing data sharing with personal apps.
Privacy assurance: IT has no access to personal files, apps, or usage information.
Lightweight management: Ideal for organizations promoting flexibility without owning or controlling employee devices.

Enrollment Methods for Personally Owned Devices

Android:

QR Code or Enrollment Link: Employees can scan a QR code or use an enrollment link shared by the IT admin to set up the work profile.
Self Enrollment: Users manually enroll their devices through the MDM app or portal.
User Invitations: Enrollment initiated via email or SMS invitation containing the enrollment details.

Apple:

Apple User Enrollment: Designed specifically for BYOD scenarios, offering a clear separation between personal and corporate data while preserving user privacy.
QR Code or Enrollment Link: Enables quick setup by accessing the enrollment URL or scanning a QR code.
Self Enrollment / User Invitations: Users can enroll through an invitation link sent by the administrator.

For detailed information on Device Enrollment, visit our Device Enrollment Guide and for managing Android and Apple devices, visit our Android Device Management and Apple Device Management Guide.