An enrollment profile specifies the following:
- Device management enrollment options for Android, iOS, and Windows devices.
- App management enrollment options for Android and iOS devices.
- Other enrollment options:
  - Whether to limit the number of devices a user can enroll. If the device limit is reached, an error message lets the user know that they exceeded the device registration limit.
  - Whether to allow a user to decline device management.
You can use enrollment profiles to combine multiple use cases and device migration paths within a single Endpoint Management console. Some use cases include:
- Mobile Device Management (MDM only)
- MDM+Mobile Application Management (MAM)
- MAM only
- Corporate-owned enrollments
- BYOD enrollments (the ability to opt out of MDM enrollment)
- Migration of Android Device Administrator enrollments to Android Enterprise enrollments (fully managed, work profile, dedicated device)
- Automatic enrollment of Windows 10 and Windows 11 devices through Workspace app for Windows (preview)
If your current site is MDM only and you want to add MAM, you must configure a Citrix Gateway. For more information, see Citrix Gateway requirements.
When you create a delivery group, you can use the default enrollment profile named Global or specify a different enrollment profile.
Enrollment profile features by platform include the following.
For Android devices: You specify the management and device owner mode. For example: Company-owned device, fully managed with work profile, and BYOD work profile.
New devices enroll in Android Enterprise by default. You can opt to manage the devices using legacy Android device administrator (DA) mode. New devices also enroll in app management by default.
For information about specifying the level of security and required enrollment steps, see User accounts, roles, and enrollment.
For iOS devices: You specify the device management type: Apple User Enrollment, Apple Device enrollment, or Do not manage devices. The Apple User Enrollment mode is available as a public preview. To enable this feature, contact your support team.
If you select Apple User Enrollment, you can choose to use a custom domain for Managed Apple IDs and configure that domain.
New devices enroll in Apple device management by default. New devices also enroll in app management by default.
For Windows 10 and Windows 11 devices: You specify whether to use Citrix device management for Windows. New devices enroll in device management by default.
Global enrollment profile
The default enrollment profile is named Global. The Global profile is useful for testing until you have a chance to create enrollment profiles.
If you onboard to Endpoint Management 20.2.1 or later, the Global enrollment profile has predefined settings. The following screenshots show the default settings for the Global enrollment profile. MAM only deployments display a subset of these options.
Enrollment profiles, delivery groups, and enrollment
Enrollment profiles and delivery groups interact as follows:
You can attach an enrollment profile to one or more delivery groups.
If a user belongs to multiple delivery groups that have different enrollment profiles, the name of the delivery group determines the enrollment profile used. Endpoint Management selects the delivery group that appears last in an alphabetized list of delivery groups. For example, suppose that you have the following:
- Two enrollment profiles, named “EP1” and “EP2”.
- Two delivery groups, named “DG1” and “DG2”.
- “DG1” is associated with “EP1”.
- “DG2” is associated with “EP2”.
If the enrolling user is in both the “DG1” and “DG2” delivery groups, Endpoint Management uses the “EP2” enrollment profile to determine the enrollment type for the user.
Deployment order applies only to devices in a delivery group that has an enrollment profile configured for MDM (device management).
After a device enrolls, some changes to an enrollment profile require re-enrollment:
- Changing the configuration to downgrade a device from MDM+MAM to MAM or MDM enrollment. A downgrade might occur when you update an enrollment profile or move a device to a different delivery group.
- Adding MAM to an enrollment profile that’s configured for MDM.
- Adding MDM to an enrollment profile that’s configured for MAM.
Switching to a different enrollment profile does not affect existing enrolled devices. However, users must unenroll and then reenroll those devices for the changes to take effect.
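The selection rule and the re-enrollment cases above, as an added example (not Citrix code): a Python audit that resolves which enrollment profile wins for each user and flags users whose winning profile leaves out a management mode that another of their delivery groups enables. The function names, the sample memberships, the modes assigned to each profile, and the case-insensitive sort are assumptions; the page does not state the exact collation Endpoint Management uses.

```python
# Added example; the data below is constructed, not exported from a real console.
MDM, MAM = "MDM", "MAM"

# Constructed sample: which management modes each enrollment profile enables.
PROFILE_MODES = {
    "Global": frozenset({MDM, MAM}),  # assumed for the sample
    "EP1": frozenset({MDM, MAM}),
    "EP2": frozenset({MAM}),
}
GROUP_PROFILE = {"DG1": "EP1", "DG2": "EP2"}  # delivery group -> enrollment profile
MEMBERSHIPS = {"alice": ["DG1", "DG2"], "bob": ["DG1"]}

# Mode changes the page lists as requiring re-enrollment (old -> new).
REENROLL = {
    (frozenset({MDM, MAM}), frozenset({MAM})),
    (frozenset({MDM, MAM}), frozenset({MDM})),
    (frozenset({MDM}), frozenset({MDM, MAM})),
    (frozenset({MAM}), frozenset({MDM, MAM})),
}

def effective_profile(groups, group_profile, key=str.casefold):
    """Pick the delivery group that sorts last by name; return (group, profile).
    Assumption: case-insensitive order. Groups without an explicit profile use Global."""
    winner = sorted(groups, key=key)[-1]
    return winner, group_profile.get(winner, "Global")

def audit(memberships, group_profile, profile_modes):
    """Flag users whose winning profile lacks a mode another of their groups enables."""
    findings = []
    for user, groups in sorted(memberships.items()):
        winner, profile = effective_profile(groups, group_profile)
        for group in sorted(groups, key=str.casefold):
            other = group_profile.get(group, "Global")
            missing = profile_modes[other] - profile_modes[profile]
            if missing:
                findings.append((user, winner, profile, other, sorted(missing)))
    return findings

def needs_reenrollment(old_modes, new_modes):
    """True when the mode change is one of the cases the page lists."""
    return (frozenset(old_modes), frozenset(new_modes)) in REENROLL

if __name__ == "__main__":
    for user, group, profile, other, missing in audit(MEMBERSHIPS, GROUP_PROFILE, PROFILE_MODES):
        print(f"{user}: {group} -> {profile} wins over {other}; not applied: {missing}")
```

Because the winner depends only on the delivery group name, renaming a group or adding a user to a later-sorting group can change that user's enrollment type, so rerun the check after either change.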
To create an enrollment profile
In the Endpoint Management console, go to Configure > Enrollment Profiles.
On the Enrollment Info page, type a descriptive name for the profile. By default, a user can enroll unlimited devices. Select a value to limit the number of devices per user. The limit applies to the sum of MAM or MDM managed Android, iOS, and Windows devices that a user enrolls.
Complete the platform pages. For information about enrollment settings specific to the platforms, see:
- Android Enterprise: Creating enrollment profiles
- iOS: Supported enrollment methods
- Windows Desktop and Tablet: Supported enrollment methods
On the Assignments page, attach one or more delivery groups to the enrollment profile.
A user might belong to multiple delivery groups that have different enrollment profiles. In that case, the name of the delivery group determines the enrollment profile used. Endpoint Management selects the delivery group that appears last in an alphabetized list of delivery groups. To create delivery groups, go to Configure > Delivery Groups.
A list of your enrollment profiles appears on the Configure > Enrollment Profiles page. To edit the Global profile or reset it to the original defaults, select the row for the Global profile and click Reset. You can’t delete the Global profile.