This article describes the enhanced enrollment profile feature. For information about the rollout of this feature, see Configure multiple device and app management modes in a single environment.
Until the enhanced enrollment profile feature is enabled for you, an enrollment profile only limits the number of devices a user can enroll.
An enrollment profile specifies the following:
- Device management enrollment options for Android, iOS, and Windows devices.
- App management enrollment options for Android and iOS devices.
- Other enrollment options:
  - Whether to limit the number of devices a user can enroll. If the device limit is reached, an error message lets the user know that they exceeded the device registration limit.
  - Whether to allow a user to decline device management.
You can use enrollment profiles to combine multiple use cases and device migration paths within a single Endpoint Management console. Some use cases include:
- Mobile Device Management (MDM only)
- MDM+Mobile Application Management (MAM)
- MAM only
- Corporate-owned enrollments
- BYOD enrollments (the ability to opt out of MDM enrollment)
- Migration of Android Device Administrator enrollments to Android Enterprise enrollments (fully managed, work profile, dedicated device)
- Automatic enrollment of Windows 10 devices through Workspace app for Windows
If your current site is MDM only and you want to add MAM, you must configure a Citrix Gateway. For more information, see Citrix Gateway requirements.
When you create a delivery group, you can use the default enrollment profile named Global or specify a different enrollment profile.
Enrollment profile features by platform include the following.
For Android devices: You specify the device owner mode. For example: Fully managed, fully managed with work profile, and BYOD work profile.
New devices enroll in Android Enterprise by default. You can opt to manage the devices using legacy Android device administrator (DA) mode. New devices also enroll in app management by default.
For iOS devices: You specify the device enrollment type: Device enrollment or don’t manage devices.
New devices enroll in Apple device management by default. New devices also enroll in app management by default.
For Windows 10 devices: You specify whether to use Citrix device management for Windows. New devices enroll in device management by default.
If Endpoint Management is Workspace-enabled, you can also choose to allow devices to enroll through the Workspace app. In that case, an enrollment prompt appears when:
- Users install the Workspace app
- Unenrolled users install a native app
Global enrollment profile
The default enrollment profile is named Global. The Global profile is useful for testing until you have a chance to create enrollment profiles.
If you onboard to Endpoint Management 20.2.1 or later, the Global enrollment profile has predefined settings. The following screenshots show the default settings for the Global enrollment profile.
Enrollment profiles, delivery groups, and enrollment
Enrollment profiles and delivery groups interact as follows:
You can attach an enrollment profile to one or more delivery groups.
If a user belongs to multiple delivery groups that have different enrollment profiles, the name of the delivery group determines the enrollment profile used. Endpoint Management selects the delivery group that appears last in an alphabetized list of delivery groups. For example, suppose that you have the following:
- Two enrollment profiles, named “EP1” and “EP2”.
- Two delivery groups, named “DG1” and “DG2”.
- “DG1” is associated with “EP1”.
- “DG2” is associated with “EP2”.
If the enrolling user is in both the “DG1” and “DG2” delivery groups, Endpoint Management uses the “EP2” enrollment profile to determine the enrollment type for the user.
Deployment order applies only to devices in a delivery group that has an enrollment profile configured for MDM (device management).
After a device enrolls, some changes to an enrollment profile require re-enrollment:
- For a device enrolled in MDM+MAM: If you change the configuration to downgrade a device to MAM or MDM enrollment, the device must re-enroll. A downgrade might occur when you update an enrollment profile or move a device to a different delivery group.
The following changes to an enrollment profile don’t require re-enrollment:
- Adding MAM to an enrollment profile that’s configured for MDM.
- Moving a device that’s enrolled in MDM to a delivery group configured for MDM+MAM. That change impacts new device enrollments only. Existing device enrollments aren’t impacted.
- Adding MDM to an enrollment profile that’s configured for MAM.
To create an enrollment profile
In the Endpoint Management console, go to Configure > Enrollment Profiles.
On the Enrollment Info page, type a descriptive name for the profile. By default, a user can enroll unlimited devices. Select a value to limit the number of devices per user. The limit applies to the sum of MAM or MDM managed Android, iOS, and Windows devices that a user enrolls.
Complete the platform pages. For information about enrollment settings specific to the platforms, see:
On the Assignments page, attach one or more delivery groups to the enrollment profile.
A user might belong to multiple delivery groups that have different enrollment profiles. In that case, the name of the delivery group determines the enrollment profile used. Endpoint Management selects the delivery group that appears last in an alphabetized list of delivery groups. To create delivery groups, go to Configure > Delivery Groups.
A list of your enrollment profiles appears on the Configure > Enrollment Profiles page. To edit the Global profile or reset it to the original defaults, select the row for the Global profile and click Reset. You can’t delete the Global profile.
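The delivery-group precedence rule described under "Enrollment profiles, delivery groups, and enrollment" and repeated in the Assignments step can be checked offline before you attach profiles. The following Python sketch is an added example, not Citrix code or an Endpoint Management API: it resolves the profile that wins for each user and flags users whose winning profile is weaker than another profile attached to them. The data model, the settings given to EP1 and EP2, the user names, and the case-insensitive sort are assumptions; the page does not specify the console's exact collation.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class EnrollmentProfile:
    name: str
    device_management: bool   # MDM enrollment enabled
    app_management: bool      # MAM enrollment enabled
    allow_decline_mdm: bool   # user may decline device management

def effective_profile(user_groups, group_to_profile, sort_key=str.casefold):
    """Return (delivery_group, profile) for the group that sorts last, or None."""
    candidates = [g for g in user_groups if g in group_to_profile]
    if not candidates:
        return None
    winner = max(candidates, key=sort_key)  # last in the alphabetized list
    return winner, group_to_profile[winner]

def audit(memberships, group_to_profile):
    """List users whose winning profile is weaker than another one attached to them."""
    findings = []
    for user in sorted(memberships):
        result = effective_profile(memberships[user], group_to_profile)
        if result is None:
            continue
        win_group, win = result
        for group in sorted(set(memberships[user]) - {win_group}):
            other = group_to_profile.get(group)
            if other is None:
                continue
            reasons = []
            if other.device_management and not win.device_management:
                reasons.append("loses MDM")
            if win.device_management and win.allow_decline_mdm and not other.allow_decline_mdm:
                reasons.append("can decline MDM")
            if reasons:
                findings.append((user, win_group, win.name, group, other.name, reasons))
    return findings

# Constructed sample data: the page's EP1/EP2 and DG1/DG2 names with assumed settings.
EP1 = EnrollmentProfile("EP1", True, True, allow_decline_mdm=False)  # assumed corporate-owned
EP2 = EnrollmentProfile("EP2", True, True, allow_decline_mdm=True)   # assumed BYOD
GROUPS = {"DG1": EP1, "DG2": EP2}
MEMBERSHIPS = {"alice": ["DG1", "DG2"], "bob": ["DG1"], "carol": ["DG2"]}

if __name__ == "__main__":
    for finding in audit(MEMBERSHIPS, GROUPS):
        print(finding)
```

A finding means that a delivery group's name, not its intent, decides the user's enrollment type; renaming the group or removing the overlapping membership changes the outcome.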