MDM Rollout
Mobile Device Management rollout provisions centralised control over organisational endpoints through agent enrollment, policy application, and compliance monitoring. This task establishes the technical infrastructure for device security, application deployment, and remote management capabilities across iOS, Android, Windows, and macOS platforms.
Prerequisites
| Requirement | Detail |
|---|---|
| MDM platform | Selected and provisioned (Intune, Jamf, Kandji, Workspace ONE, or open source alternative) |
| Identity provider | Configured with MDM integration; SCIM provisioning recommended |
| Apple Business Manager | Enrolled with MDM server token configured (for iOS/macOS) |
| Android Enterprise | Organisation registered with managed Google Play configured |
| Certificates | Apple Push Notification service (APNs) certificate valid; SCEP or certificate authority configured |
| Policies | Device compliance, configuration profiles, and application policies defined and approved |
| Device inventory | Current inventory with ownership classification (corporate vs BYOD) |
| Network access | Enrollment URLs accessible from all network locations including field offices |
| Permissions | MDM administrator role; Intune Administrator or equivalent |
| Time estimate | 4-8 weeks for full rollout depending on device count |
Verify APNs certificate validity before beginning enrollment:
```bash
# Check APNs certificate expiry (if exported locally)
openssl x509 -in apple_mdm_push_cert.pem -noout -dates
# Expected output shows certificate validity period
# notBefore=Jan 5 00:00:00 2025 GMT
# notAfter=Jan 5 23:59:59 2026 GMT
```
APNs certificate expiry
APNs certificates expire annually. Set calendar reminders 30 days before expiry. Certificate renewal requires the same Apple ID used for initial creation. Loss of this Apple ID forces complete iOS re-enrollment.
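As an added example (not part of the runbook), the check below turns the openssl `-dates` output into a renewal status using the 30-day reminder window stated above; the sample output and the function names are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample of `openssl x509 -noout -dates` output (not a real certificate).
SAMPLE_DATES = """notBefore=Jan  5 00:00:00 2025 GMT
notAfter=Jan  5 23:59:59 2026 GMT
"""

REMINDER_DAYS = 30  # the runbook's reminder window before expiry


def parse_openssl_dates(text):
    """Parse the notBefore/notAfter lines into aware UTC datetimes.

    openssl pads single-digit days with an extra space ("Jan  5"), so the
    value is whitespace-normalised before strptime sees it.
    """
    dates = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep != "=" or key not in ("notBefore", "notAfter"):
            continue
        normalised = " ".join(value.split())
        parsed = datetime.strptime(normalised, "%b %d %H:%M:%S %Y %Z")
        dates[key] = parsed.replace(tzinfo=timezone.utc)
    return dates


def apns_status(dates_text, today):
    """Return (status, days_remaining) as of `today` given as YYYY-MM-DD.

    status is "expired", "renew-now" (inside the reminder window) or "ok".
    """
    dates = parse_openssl_dates(dates_text)
    now = datetime.strptime(today, "%Y-%m-%d").replace(tzinfo=timezone.utc)
    remaining = dates["notAfter"] - now
    if remaining < timedelta(0):
        return "expired", remaining.days
    if remaining <= timedelta(days=REMINDER_DAYS):
        return "renew-now", remaining.days
    return "ok", remaining.days


if __name__ == "__main__":
    status, days = apns_status(SAMPLE_DATES, "2025-12-20")
    print(f"APNs certificate: {status} ({days} days remaining)")
```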
Confirm network connectivity from a test device to required endpoints:
```powershell
# Test connectivity to Microsoft Intune endpoints (Windows)
Test-NetConnection -ComputerName enrollment.manage.microsoft.com -Port 443
Test-NetConnection -ComputerName portal.manage.microsoft.com -Port 443

# For Jamf Pro
Test-NetConnection -ComputerName yourinstance.jamfcloud.com -Port 443
```
Procedure
Device inventory and prioritisation
- Export current device inventory from existing asset management or directory services. Include device type, operating system version, ownership (corporate or BYOD), user assignment, and location:
```bash
# Export from Azure AD/Entra ID
az ad device list --query "[].{Name:displayName, OS:operatingSystem, OSVersion:operatingSystemVersion, TrustType:trustType}" -o tsv > device_inventory.tsv
```
For organisations without centralised inventory, distribute a device registration form collecting: device make/model, serial number, operating system version, primary user, and whether the device accesses organisational data.
Classify devices into enrollment waves based on risk and complexity:
| Wave | Criteria | Typical timeline |
|---|---|---|
| Pilot | IT staff devices, volunteers from each platform | Week 1-2 |
| Wave 1 | Corporate-owned devices at headquarters | Week 3-4 |
| Wave 2 | Corporate-owned devices at regional/country offices | Week 4-5 |
| Wave 3 | BYOD devices with willing early adopters | Week 5-6 |
| Wave 4 | Remaining BYOD devices, field devices | Week 6-8 |
Identify minimum operating system versions for enrollment. Devices below these thresholds require upgrade or replacement before MDM enrollment:
| Platform | Minimum version | Rationale |
|---|---|---|
| iOS | 15.0 | Managed Apple ID support, declarative management |
| Android | 10.0 | Android Enterprise work profile improvements |
| Windows | 10 21H2 | Windows Autopilot enhancements |
| macOS | 12.0 | Declarative device management, platform SSO |
Flag devices requiring pre-enrollment action:
- Devices below minimum OS version: schedule upgrade
- Devices with existing MDM enrollment: coordinate unenrollment
- Devices with full-disk encryption using local keys: document recovery keys before enrollment
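Added example, not part of the runbook: it applies the wave criteria and minimum-version table above to an exported inventory and flags the pre-enrollment actions. The inventory rows and column names (Ownership, Location, Role, ExistingMDM) are constructed assumptions, and Windows 21H2 is mapped to build 19044.

```python
import csv
import io
import re

# Minimum versions from the runbook's table. Windows 21H2 is build 19044
# (assumed mapping from the marketing name to the build number).
MIN_OS = {
    "iOS": (15, 0),
    "Android": (10, 0),
    "Windows": (10, 0, 19044),
    "macOS": (12, 0),
}

# Constructed sample inventory (tab-separated, like the az export above) with
# the ownership, location, role and existing-MDM columns the runbook asks for;
# the column names are an assumption.
SAMPLE_INVENTORY = "\n".join([
    "Name\tOS\tOSVersion\tOwnership\tLocation\tRole\tExistingMDM",
    "CEO-iPhone\tiOS\t17.2\tcorporate\thq\tstaff\tno",
    "IT-Pixel\tAndroid\t14\tcorporate\thq\tit\tno",
    "OLD-Tablet\tiOS\t14.8\tcorporate\thq\tstaff\tyes",
    "FIELD-Laptop\tWindows\t10.0.19041.1\tcorporate\tfield\tstaff\tno",
    "ANNA-Mac\tmacOS\t13.1\tbyod\tregional\tearly-adopter\tno",
    "MARK-Phone\tAndroid\t9\tbyod\tfield\tstaff\tno",
])


def parse_version(text):
    """'10.0.19041.1' -> (10, 0, 19041, 1); non-numeric fragments are dropped."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


def below_minimum(os_name, version):
    """True when the device must be upgraded before enrollment."""
    minimum = MIN_OS.get(os_name)
    if minimum is None:
        return False  # platform not covered by the table
    actual = parse_version(version)
    width = max(len(actual), len(minimum))

    def pad(t):  # so (17, 2) compares against (15, 0) and (10, 0, 19044)
        return t + (0,) * (width - len(t))

    return pad(actual) < pad(minimum)


def assign_wave(row):
    """Wave selection following the runbook's criteria table."""
    if row["Role"] == "it":
        return "Pilot"
    if row["Ownership"] == "corporate" and row["Location"] == "hq":
        return "Wave 1"
    if row["Ownership"] == "corporate" and row["Location"] == "regional":
        return "Wave 2"
    if row["Ownership"] == "byod" and row["Role"] == "early-adopter":
        return "Wave 3"
    return "Wave 4"  # remaining BYOD and field devices


def classify(tsv_text):
    """Return one record per device with its wave and pre-enrollment actions."""
    reader = csv.DictReader(io.StringIO(tsv_text), delimiter="\t")
    records = []
    for row in reader:
        actions = []
        if below_minimum(row["OS"], row["OSVersion"]):
            actions.append("upgrade OS before enrollment")
        if row["ExistingMDM"] == "yes":
            actions.append("coordinate unenrollment from existing MDM")
        records.append({"name": row["Name"], "wave": assign_wave(row), "actions": actions})
    return records


if __name__ == "__main__":
    for rec in classify(SAMPLE_INVENTORY):
        print(f"{rec['name']:<14}{rec['wave']:<8}{', '.join(rec['actions']) or '-'}")
```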
Platform enrollment configuration
iOS and iPadOS enrollment
- Configure Apple Business Manager integration. In your MDM console, upload the MDM server token downloaded from Apple Business Manager:
```text
MDM Console > Settings > Apple Business Manager
Upload: AppleBM_Token_yourorg.p7m
Default device assignment: [Your MDM server]
```
For devices purchased through Apple or authorised resellers, enable Automated Device Enrollment (formerly DEP). This provides zero-touch enrollment and supervision.
- Create an iOS enrollment profile specifying supervision status and authentication:
```xml
<!-- iOS Enrollment Profile Configuration -->
<dict>
    <key>PayloadDisplayName</key>
    <string>Organisation MDM Enrollment</string>
    <key>IsSupervised</key>
    <true/>
    <key>AwaitDeviceConfigured</key>
    <true/>
    <key>ConfigurationWebURL</key>
    <string>https://mdm.example.org/enroll</string>
</dict>
```
Supervised mode enables additional management capabilities: app installation without user prompt, restriction bypass for enterprise apps, single app mode, and global HTTP proxy. Corporate-owned devices should always be supervised. BYOD devices cannot be supervised without full device wipe and re-enrollment through Apple Configurator.
- Configure enrollment authentication. For corporate devices with Automated Device Enrollment, authentication occurs during Setup Assistant:
```text
Setup Assistant > Authentication
Method: Azure AD / Entra ID
Require MFA: Yes
Skip Setup Assistant panes: Location Services, Siri, Screen Time, Apple Pay
```
For BYOD enrollment via the Company Portal app, users authenticate with organisational credentials after installing the app from the App Store.
- Assign enrollment profiles to device serial numbers in Apple Business Manager. Devices sync to MDM within 24 hours, or force sync:
```text
# Intune: Sync Apple Business Manager devices
# Navigate to: Devices > iOS/iPadOS > iOS/iPadOS enrollment > Enrollment program tokens > [Token] > Sync
```
Android enrollment
- Connect Android Enterprise to your MDM platform. Navigate to the managed Google Play configuration and complete the organisation binding:
```text
MDM Console > Android Enterprise > Connect
Google Account: admin-mdm@example.org (dedicated account, not personal)
Organisation: Your Organisation Name
```
The binding creates a managed Google Play organisation. Applications approved in managed Google Play become available for deployment to enrolled devices.
Select enrollment method based on device ownership and Android version:
| Method | Use case | Android version | Device ownership |
|---|---|---|---|
| Work profile | Personal device with work container | 5.0+ | BYOD |
| Fully managed | Corporate device, complete control | 5.1+ | Corporate |
| Dedicated device | Kiosk, shared device, single purpose | 6.0+ | Corporate |
| Work profile on company-owned device | Corporate device with personal use permitted | 11.0+ | Corporate |
For most organisations, work profile serves BYOD devices while fully managed serves corporate devices.
Configure enrollment for fully managed corporate devices. Create an enrollment token:
```text
Android enrollment > Corporate-owned fully managed user devices
Token name: Corporate-Enrollment-2025
Expiry: 90 days
QR code: Generate
```
The QR code encodes the enrollment token. During device setup, tapping the welcome screen six times reveals the QR reader. Alternatively, enter the enrollment token afw#setup during initial device setup to trigger enrollment.
- Configure work profile enrollment for BYOD. Users install the company app (Company Portal, Workspace ONE Intelligent Hub, or equivalent) from the Play Store and authenticate:
```text
Android enrollment > Personal devices with work profile
Enrollment restriction: All users in group "BYOD-Permitted-Users"
Personal profile: Allow (do not block personal apps)
Work profile applications: Managed Google Play only
```
Windows enrollment
- Configure Windows automatic enrollment for Azure AD/Entra ID joined devices. In your MDM console, enable the Azure AD integration:
```text
MDM Console > Windows enrollment > Automatic enrollment
MDM user scope: All (or specific group)
MAM user scope: None (MDM takes precedence)
```
Devices joining Azure AD automatically enroll in Intune if the user is within scope. This provides seamless enrollment for new corporate devices.
- For existing Windows devices not yet Azure AD joined, configure bulk enrollment using a provisioning package or Windows Autopilot:
```powershell
# Create provisioning package for bulk enrollment
# Windows Configuration Designer approach

# Alternative: Register device hash for Autopilot
Install-Script -Name Get-WindowsAutoPilotInfo
Get-WindowsAutoPilotInfo -OutputFile autopilot_devices.csv
```
Upload autopilot_devices.csv to Intune under Devices > Windows > Windows enrollment > Devices.
- Configure enrollment restrictions to prevent unmanaged personal Windows devices:
```text
Windows enrollment > Enrollment restrictions
Device type restriction: Create
Name: Corporate-Windows-Only
Platform: Windows (MDM)
Personally owned: Block
Assignment: All Users
```
Organisations permitting Windows BYOD should create a separate restriction with appropriate compliance requirements.
- Configure Windows Hello for Business as part of enrollment. This replaces passwords with certificate-based authentication:
```text
Windows enrollment > Windows Hello for Business
Configure Windows Hello for Business: Enabled
Use a Trusted Platform Module (TPM): Required
Minimum PIN length: 6
Biometric authentication: Allowed
```
macOS enrollment
Configure Automated Device Enrollment for corporate Mac devices through Apple Business Manager, following the same MDM server token process as iOS.
Create a macOS enrollment profile:
```text
macOS enrollment > Enrollment program
Profile name: Corporate-Mac-Enrollment
User affinity: Enroll with User Affinity
Authentication: Company Portal
Locked enrollment: Yes (prevents user from removing MDM profile)
```
- For existing Mac devices not purchased through ABM, configure user-initiated enrollment. Users navigate to the enrollment URL and authenticate:
```text
Enrollment URL: https://enrollment.manage.microsoft.com/enrollmentserver/discovery

# Alternative for Jamf Pro
sudo profiles -e -server https://yourinstance.jamfcloud.com/enroll
```
- Configure Bootstrap Token escrow for Apple Silicon Macs. The bootstrap token enables MDM to authorise kernel extensions and software updates:
```text
macOS enrollment > Settings
Bootstrap Token: Enabled
Escrow location: MDM server
```
Without bootstrap token escrow, macOS prompts for local administrator credentials during software updates and kernel extension approval, breaking automated management.
Policy configuration
Configure policies before enrolling production devices. Policies fall into three categories: compliance policies that define minimum security requirements, configuration profiles that push settings, and application policies that deploy software.
- Create compliance policies establishing minimum device security. Non-compliant devices trigger defined actions (mark non-compliant, block access, wipe device):
```yaml
# Example compliance policy structure
compliance_policy:
  name: "Organisation-Baseline-Compliance"
  platforms: [iOS, Android, Windows, macOS]

  rules:
    - encryption_required: true
    - min_os_version:
        iOS: "15.0"
        Android: "10.0"
        Windows: "10.0.19043"  # 21H1
        macOS: "12.0"
    - password_required: true
    - password_min_length: 6
    - jailbreak_detection: block  # iOS only
    - device_threat_level: medium_or_below  # if using MTD

  non_compliance_action:
    - mark_noncompliant: immediately
    - block_access: after_3_days
    - send_notification: immediately
    - wipe_device: never  # or "after_90_days" for corporate
```
- Create configuration profiles pushing required settings. Separate profiles by function to enable granular assignment:
```text
Profile: WiFi-Corporate
Platform: All
Settings:
  - SSID: CorpWiFi
  - Security: WPA2-Enterprise
  - Authentication: PEAP-MSCHAPv2
  - Identity: {{userPrincipalName}}

Profile: Restrictions-BYOD
Platform: iOS, Android
Settings:
  - Allow backup to iCloud: Yes (BYOD may backup personal data)
  - Managed Open In: Required (work data stays in work apps)
  - Copy/paste between managed and unmanaged: Blocked

Profile: Restrictions-Corporate
Platform: iOS, Android
Settings:
  - Allow backup to iCloud: No
  - Allow app installation: Managed apps only
  - Camera: Allowed (or restricted for specific use cases)
```
- Configure conditional access policies integrating MDM compliance with identity:
```text
Conditional Access Policy: Require-Compliant-Device

Assignments:
  Users: All users
  Exclude: Break-glass accounts, Service accounts
  Cloud apps: All cloud apps

Conditions:
  Device platforms: All platforms
  Client apps: Browser, Mobile apps and desktop clients

Access controls:
  Grant: Require device to be marked as compliant
  Session: Sign-in frequency 12 hours
```
This policy blocks access to organisational resources from devices not enrolled and compliant with MDM policy. Implement after pilot testing to avoid locking out users.
- Configure application deployment policies. Push required applications automatically; make optional applications available in the company app store:
```text
App deployment:
Required apps (auto-install):
  - Microsoft Authenticator
  - Organisational app (custom LOB app)
  - Mobile Threat Defence app (if applicable)

Available apps (user choice):
  - Microsoft Office suite
  - Adobe Acrobat Reader
  - Other productivity apps
```
Pilot group testing
- Create a pilot group of 10-20 users spanning all platforms and representing different roles. Include at least one IT staff member per platform, one field-based user, and users with both corporate and BYOD devices:
```text
Pilot Group: MDM-Pilot
Members:
  - IT staff: 5 users (1 per platform + 1 Windows/iOS dual user)
  - Programme staff: 5 users
  - Finance staff: 3 users
  - Field staff: 4 users
  - Executive: 1 user (visible champion)
```
- Assign enrollment and compliance policies to the pilot group only:
```text
Policy: Organisation-Baseline-Compliance
Assignment: MDM-Pilot group
Exclude: None

Profile: WiFi-Corporate
Assignment: MDM-Pilot group

Conditional Access: Require-Compliant-Device
Assignment: MDM-Pilot group (not all users yet)
```
Guide pilot users through enrollment and document issues. Create a pilot tracking spreadsheet:
| User | Device | Platform | Enrollment date | Issues | Resolution |
|---|---|---|---|---|---|
| jsmith | iPhone 14 | iOS 17.2 | 2025-01-15 | None | Enrolled successfully |
| ajohansson | Pixel 7 | Android 14 | 2025-01-15 | Work profile creation failed | Factory reset resolved |
| mchen | Surface Pro | Win 11 | 2025-01-16 | Compliance policy timeout | Extended sync period |
Run the pilot for a minimum of two weeks. Verify:
- All platforms enroll successfully
- Compliance policies evaluate correctly
- Applications deploy as expected
- Conditional access blocks non-compliant devices
- Email, calendar, and files accessible from enrolled devices
- Remote wipe functions (test on designated test device)
- Field connectivity scenarios work
Refine policies based on pilot feedback. Common adjustments:
- Extend compliance grace period if field devices sync infrequently
- Adjust password requirements if users struggle with mobile input
- Add approved applications discovered during pilot
- Modify WiFi profiles for additional office locations
Staged rollout
- Communicate rollout timeline and requirements to all users. Send initial notification two weeks before their wave:
```text
Subject: Mobile Device Management Enrollment - Action Required by [Date]

[Organisation] is implementing Mobile Device Management (MDM) to protect organisational data on mobile devices. You will need to enroll your device(s) by [date].

What you need to do:
  - Corporate device: Follow the enrollment guide at [link]
  - Personal device accessing work email: Enroll or switch to web-only access

Why this matters:
  - Protects sensitive data if your device is lost or stolen
  - Enables remote wipe of work data only (personal data unaffected on BYOD)
  - Required for continued access to email, files, and organisational apps

Support: Contact IT help desk for enrollment assistance
```
- For BYOD devices, obtain explicit consent. Users must understand what MDM can and cannot see or control:
```text
BYOD Consent Acknowledgement

By enrolling your personal device, you consent to:

What IT CAN see:
  - Device make, model, and serial number
  - Operating system version
  - Installed organisational apps
  - Device compliance status (encryption, passcode)
  - Device location (only if enabled and disclosed)

What IT CANNOT see:
  - Personal apps (outside work profile on Android)
  - Personal photos, messages, browsing history
  - Personal email accounts

What IT CAN do:
  - Remove organisational apps and data
  - Enforce work passcode requirements
  - Block access to organisational resources if non-compliant

What IT CANNOT do:
  - Wipe personal data (BYOD work profile only removes work data)
  - Access personal accounts
  - Track location without explicit consent and disclosure

[ ] I acknowledge and consent to MDM enrollment

Signature: ________________  Date: ________
```
- Execute wave 1 enrollment. Expand policy assignment to include the wave 1 group:
```text
# Update policy assignments
Policy: Organisation-Baseline-Compliance
Assignment: MDM-Pilot, Wave-1-HQ-Corporate

Conditional Access: Require-Compliant-Device
Assignment: MDM-Pilot, Wave-1-HQ-Corporate
```
- Provide enrollment support during each wave. For large waves, schedule drop-in enrollment sessions where IT staff assist with enrollment. Monitor enrollment completion:
```text
# Intune: Export enrollment status
# Graph API query for enrollment status
GET https://graph.microsoft.com/v1.0/deviceManagement/managedDevices?$select=deviceName,enrolledDateTime,complianceState,userPrincipalName
```
Follow up with non-enrolled users. Send a reminder at the wave midpoint and a final reminder three days before the deadline. After the deadline, conditional access blocks non-enrolled devices from organisational resources.
Proceed through subsequent waves, adjusting pace based on support capacity and issue rate. Do not begin the next wave until the previous wave reaches 90% enrollment and critical issues are resolved.
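Added example, not Intune's own reporting: it applies the runbook's gates to the managedDevices query above, namely the 90% enrollment threshold for starting the next wave, the 10% non-compliance alert and the 30-day stale-device alert defined under compliance monitoring. The response is a constructed sample shaped like the Graph `value` array; `operatingSystem` and `lastSyncDateTime` are managedDevice properties that the page's `$select` does not request, and the fixed clock is an assumption for reproducibility.

```python
import json
from datetime import datetime, timedelta, timezone

# Fixed clock so the figures are reproducible (assumption for the sample).
NOW = datetime(2025, 3, 1, tzinfo=timezone.utc)

# Constructed sample; field names follow the $select in the query plus
# operatingSystem and lastSyncDateTime from the managedDevice resource.
SAMPLE_RESPONSE = json.dumps({"value": [
    {"deviceName": "jsmith-iphone", "operatingSystem": "iOS", "complianceState": "compliant",
     "enrolledDateTime": "2025-01-15T09:00:00Z", "lastSyncDateTime": "2025-02-28T18:00:00Z",
     "userPrincipalName": "jsmith@example.org"},
    {"deviceName": "ajohansson-pixel", "operatingSystem": "Android", "complianceState": "noncompliant",
     "enrolledDateTime": "2025-01-15T10:30:00Z", "lastSyncDateTime": "2025-02-27T07:10:00Z",
     "userPrincipalName": "ajohansson@example.org"},
    {"deviceName": "mchen-surface", "operatingSystem": "Windows", "complianceState": "compliant",
     "enrolledDateTime": "2025-01-16T14:00:00Z", "lastSyncDateTime": "2025-01-20T08:00:00Z",
     "userPrincipalName": "mchen@example.org"},
    {"deviceName": "field-tablet", "operatingSystem": "iOS", "complianceState": "inGracePeriod",
     "enrolledDateTime": "2025-02-10T11:00:00Z", "lastSyncDateTime": "2025-02-25T16:45:00Z",
     "userPrincipalName": "field1@example.org"},
    {"deviceName": "rlee-mac", "operatingSystem": "macOS", "complianceState": "compliant",
     "enrolledDateTime": "2025-02-12T09:15:00Z", "lastSyncDateTime": "2025-02-28T20:00:00Z",
     "userPrincipalName": "rlee@example.org"},
]})


def parse_ts(text):
    """Graph timestamps are ISO 8601 with a trailing Z."""
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def dashboard(response_json, expected_devices, now=NOW):
    """Enrollment, compliance and stale-device figures for the dashboard."""
    devices = json.loads(response_json)["value"]
    per_platform, stale = {}, []
    for d in devices:
        p = per_platform.setdefault(d["operatingSystem"], {"enrolled": 0, "compliant": 0})
        p["enrolled"] += 1
        if d["complianceState"] == "compliant":
            p["compliant"] += 1
        if now - parse_ts(d["lastSyncDateTime"]) > timedelta(days=30):
            stale.append(d["deviceName"])
    total = len(devices)
    compliant = sum(p["compliant"] for p in per_platform.values())
    noncompliant = sum(d["complianceState"] == "noncompliant" for d in devices)

    def pct(n):
        return round(100 * n / total, 1) if total else 0.0

    return {
        "enrolled": total,
        "enrollment_rate": round(100 * total / expected_devices, 1),
        "compliance_rate": pct(compliant),
        "noncompliant_rate": pct(noncompliant),
        "per_platform": per_platform,
        "stale_devices": stale,
    }


def alerts(metrics):
    """Gates and alerts with the thresholds the runbook states."""
    fired = []
    if metrics["enrollment_rate"] < 90:
        fired.append("Wave-Incomplete")  # do not start the next wave
    if metrics["noncompliant_rate"] > 10:
        fired.append("High-Noncompliance-Rate")
    fired.extend(f"Stale-Device:{name}" for name in metrics["stale_devices"])
    return fired


if __name__ == "__main__":
    m = dashboard(SAMPLE_RESPONSE, expected_devices=6)
    print(json.dumps(m, indent=2))
    print(alerts(m))
```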
Compliance monitoring setup
- Configure compliance reporting dashboard. Most MDM platforms provide built-in dashboards; supplement with custom reports:
```text
Dashboard widgets:
  - Total enrolled devices by platform
  - Compliance percentage by platform
  - Non-compliant device count with top reasons
  - Enrollment trend (devices enrolled per week)
  - Devices not checked in (last 7/14/30 days)
```
- Configure alerts for compliance drift:
```text
Alert: High-Noncompliance-Rate
Trigger: Non-compliant devices exceed 10% of enrolled
Action: Email to IT security lead

Alert: Stale-Device
Trigger: Device not checked in for 30 days
Action: Email to device owner and manager

Alert: Jailbreak-Detection
Trigger: iOS device detected as jailbroken
Action: Immediate block, email to security team
```
Establish a regular compliance review cadence:
| Review | Frequency | Participants | Focus |
|---|---|---|---|
| Daily check | Daily | IT operations | New enrollments, critical alerts |
| Weekly review | Weekly | IT team | Compliance trends, stale devices |
| Monthly report | Monthly | IT management | Policy effectiveness, exception requests |
| Quarterly audit | Quarterly | IT + Security | Policy review, gap analysis |
Document the exception process for devices that cannot meet compliance requirements:
```text
Exception Request Form

Requestor: ____________
Device: ____________
Non-compliant item: ____________
Business justification: ____________
Compensating controls: ____________
Exception duration: ____________

Approvals required:
  - IT Security: ____________
  - Department head: ____________
```
BYOD-specific configuration
Personal devices require different treatment than corporate devices. The work profile model on Android and managed apps on iOS create a container for organisational data without controlling the entire device.
- Configure work profile enrollment for Android BYOD. Work profile creates a separate container with distinct app copies:
```text
Android BYOD Policy:
Enrollment type: Work profile on personally-owned devices

Work profile settings:
  - Copy/paste to personal profile: Blocked
  - Screen capture: Allowed (or blocked for sensitive roles)
  - Work profile lock: Required, separate from device lock
  - Work app notifications: Show content when locked (optional)

Personal profile visibility: None (MDM cannot see personal apps)

Wipe scope: Work profile only (personal data preserved)
```
- Configure managed app protection for iOS BYOD without full MDM enrollment (MAM-only):
For organisations permitting access without device enrollment, Mobile Application Management (MAM) protects data within managed apps:
```text
App Protection Policy: iOS-BYOD-MAM

Data protection:
  - Backup org data to iCloud: Block
  - Send org data to other apps: Policy managed apps only
  - Receive data from other apps: All apps
  - Save copies of org data: Block
  - Org data to native contacts: Block

Access requirements:
  - PIN for access: Required
  - PIN length: 6
  - Biometric instead of PIN: Allowed

Conditional launch:
  - Max OS version: None (allows older devices)
  - Jailbroken devices: Block access
```
MAM-only provides less visibility and control than full MDM enrollment. Use it only when device enrollment is not feasible.
- Configure selective wipe capability to remove only organisational data:
```text
Wipe options:
Corporate device: Full device wipe (returns to factory)
BYOD with work profile: Work profile removal only
MAM-only device: Remove managed app data only
```
Verification
Confirm successful MDM rollout through the following verification steps:
```text
# Verify enrollment completeness
Total devices expected: [from inventory]
Total devices enrolled: [from MDM dashboard]
Enrollment rate: [calculate percentage]
Target: >95% of expected devices enrolled

# Verify compliance status
Total enrolled devices: ___
Compliant devices: ___
Non-compliant devices: ___
Compliance rate: ___% (target: >90%)

# Verify by platform
iOS: ___/___ enrolled, ___% compliant
Android: ___/___ enrolled, ___% compliant
Windows: ___/___ enrolled, ___% compliant
macOS: ___/___ enrolled, ___% compliant
```
Test remote management capabilities on a designated test device:
```text
# Lock device remotely
# MDM Console > Devices > [Test Device] > Remote lock
# Verify: Device locks immediately and requires PIN/password

# Locate device (if configured and consented)
# MDM Console > Devices > [Test Device] > Locate
# Verify: Location displays on map (requires device online)

# Selective wipe (work data only) - test on BYOD test device
# MDM Console > Devices > [Test Device] > Remove company data
# Verify: Work profile/managed apps removed, personal data intact

# Full wipe - test on corporate test device only
# MDM Console > Devices > [Test Device] > Factory reset
# Verify: Device returns to factory state
```
Verify conditional access enforcement:
```text
Test 1: Enrolled, compliant device
Action: Access email/files from enrolled device
Expected: Access granted
Actual: ___

Test 2: Enrolled, non-compliant device
Action: Make device non-compliant (remove passcode)
Expected: Access blocked after grace period
Actual: ___

Test 3: Non-enrolled device
Action: Access email/files from unmanaged device
Expected: Access blocked, enrollment prompt
Actual: ___
```
Troubleshooting
| Symptom | Cause | Resolution |
|---|---|---|
| iOS enrollment fails with “Profile Installation Failed” | APNs certificate expired or invalid | Renew APNs certificate in Apple portal; re-upload to MDM. Requires same Apple ID as original. |
| Android work profile creation fails | Insufficient storage space | Free at least 1GB before work profile creation. Work profile duplicates several system apps. |
| Android enrollment shows “Device not supported” | Device not Android Enterprise certified or outdated Android version | Check Android Enterprise Partner Directory for certification. Upgrade OS or replace device. |
| Windows device shows “Enrollment failed 0x80180026” | Enrollment server unreachable | Verify firewall allows outbound 443 to enrollment.manage.microsoft.com. Check proxy configuration. |
| Windows device enrolled but policies not applying | Intune sync delay or policy conflict | Force sync: Settings > Accounts > Access work or school > [Account] > Info > Sync. Check for conflicting GPO. |
| macOS enrollment hangs at “Downloading profile” | MDM profile URL blocked or certificate trust issue | Verify Apple root certificates trusted. Check proxy not intercepting SSL to MDM server. |
| Compliance policy shows “Not evaluated” | Device enrolled but initial compliance check not complete | Wait 15-30 minutes for initial evaluation. Force sync from device. Verify device meets minimum OS version. |
| Conditional access blocks enrolled, compliant device | AAD device registration incomplete or stale | Re-register device with Azure AD. Check Azure AD > Devices for duplicate entries. |
| User cannot install required apps | Managed Google Play / Apple Business Manager not linked | Verify enterprise app store configuration. Check app is approved/licensed for user. |
| Work profile apps crash on launch | VPN or firewall blocking managed app traffic | Ensure app endpoints accessible. Check per-app VPN configuration if applicable. |
| BYOD users refuse enrollment citing privacy concerns | Unclear communication about MDM capabilities | Review and share the MDM capability disclosure. Offer MAM-only alternative if policy permits. |
| Device location unavailable when requested | Location services disabled or not configured | Enable location services policy (requires user consent disclosure). Check device is online. |
| Selective wipe removes personal data | Incorrect wipe command issued on BYOD | Always verify device ownership before wipe. Use “Remove company data” not “Factory reset” for BYOD. |
| Windows Hello enrollment fails | TPM not available or disabled | Enable TPM in BIOS. Verify TPM 2.0 present with tpm.msc. Consider allowing non-TPM for older hardware. |
| Bulk enrollment via provisioning package fails | Package not signed or expired | Regenerate provisioning package. Verify not expired. Sign with code signing certificate. |
Platform-specific diagnostic commands
iOS diagnostic:
```text
Settings > General > VPN & Device Management > Management Profile
Verify: Profile shows organisation name and "Verified" status
```
```bash
# Check MDM logs (requires Apple Configurator 2 on Mac)
cfgutil get-configuration-profiles -e [device_ecid]
```
Android diagnostic:
```bash
# Verify work profile status
adb shell pm list users
# Should show work profile user (typically user 10 or higher)

# Check MDM agent logs
adb logcat | grep -i "androidmanagement\|workprofile\|devicepolicy"
```
Windows diagnostic:
```powershell
# Check enrollment status
dsregcmd /status

# Verify MDM enrollment
Get-ChildItem -Path "HKLM:\SOFTWARE\Microsoft\Enrollments"

# Check Intune sync status
Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Provisioning\OMADM\Accounts\*" | Select-Object AccountId, ServerURL

# View MDM logs
Get-WinEvent -LogName "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Operational" | Select-Object -First 50
```
macOS diagnostic:
```bash
# Check enrollment status
sudo profiles list -output stdout

# Verify MDM profile
system_profiler SPConfigurationProfileDataType

# Check MDM communication
log show --predicate 'subsystem == "com.apple.ManagedClient"' --last 1h
```
```text
+----------------------------------------------------------+
|              ENROLLMENT TROUBLESHOOTING FLOW             |
+----------------------------------------------------------+
         |
         v
+------------------+   No   +------------------+
| Device connects  |------->| Check network    |
| to internet?     |        | connectivity     |
+--------+---------+        +------------------+
         | Yes
         v
+------------------+   No   +------------------+
| Enrollment URL   |------->| Verify URL and   |
| reachable?       |        | firewall rules   |
+--------+---------+        +------------------+
         | Yes
         v
+------------------+   No   +------------------+
| User can         |------->| Check IdP        |
| authenticate?    |        | integration      |
+--------+---------+        +------------------+
         | Yes
         v
+------------------+   No   +------------------+
| Profile          |------->| Check platform   |
| downloads?       |        | certificates     |
+--------+---------+        +------------------+
         | Yes
         v
+------------------+   No   +------------------+
| Profile          |------->| Review profile   |
| installs?        |        | configuration    |
+--------+---------+        +------------------+
         | Yes
         v
+------------------+   No   +------------------+
| Device shows     |------->| Force sync,      |
| in MDM console?  |        | check logs       |
+--------+---------+        +------------------+
         | Yes
         v
+------------------+
| Enrollment       |
| successful       |
+------------------+
```