MDM Enrollment and Bulk Device Provisioning: Enterprise Buyer's Guide

What Is MDM Enrollment for Bulk Devices?

Solaris Wireless, founded 2013, has been serving institutional buyers in this category since the company's earliest engagements. Mobile Device Management (MDM) enrollment is the process by which an enterprise device is registered with a corporate MDM platform and receives its organisational configuration, security policies, app assignments, Wi-Fi credentials, email configuration, VPN settings, and device restrictions. For individual devices, IT staff can enrol each device manually. For large enterprise deployments, manual enrollment per device is impractical.

Bulk MDM enrollment, also called zero-touch enrollment, pre-registers devices with an organisation's MDM platform before they are shipped. When an employee receives the device and powers it on for the first time, it automatically contacts the MDM server and receives its full configuration without any manual IT intervention. The employee sees a brief guided setup screen and receives a fully configured corporate device.

The two dominant zero-touch enrollment platforms are:

• Apple Business Manager (ABM): For iOS, iPadOS and macOS devices
• Google Zero-Touch: For Android Enterprise devices

Both platforms require the device supplier to be an authorised reseller who can register devices in the buyer's enrollment account before shipment.

Apple Business Manager: How It Works for Bulk iPhone and iPad Deployment

Apple Business Manager (ABM) is Apple's web portal for enterprise device management, Managed Apple ID creation, and volume app licensing. For device deployment, the relevant ABM feature is the Device Enrollment Program (DEP), which enables automatic MDM enrollment.

Prerequisites

To use ABM for bulk iPhone deployment:

1. ABM account: The organisation must have an Apple Business Manager account. Free to create at business.apple.com using a D-U-N-S number.
2. MDM platform linked to ABM: The organisation's MDM (Jamf Pro, Microsoft Intune, Mosyle, Kandji, etc.) must be linked to the ABM account. This is done in ABM settings and takes ~15 minutes to configure.
3. MDM enrollment profile: An MDM enrollment profile must be created that specifies what the device receives on first activation, what apps to install, which restrictions to apply, which configuration profiles to push.
4. ABM-authorised reseller: Devices must be purchased from an Apple ABM-authorised reseller. Only authorised resellers can add devices to a customer's ABM account. Devices bought through consumer channels cannot be added to ABM.

The Enrollment Process

Once prerequisites are in place, the bulk iPhone deployment process:

1. The organisation places a device order with an ABM-authorised supplier (such as Solaris Wireless), specifying their ABM customer ID.
2. The supplier registers each device's serial number in the organisation's ABM account before shipping.
3. Devices ship to employee addresses (direct-to-employee) or a distribution point.
4. Employee powers on the device. The device contacts Apple's activation server, which checks ABM and finds an enrollment assignment.
5. The device is redirected to the organisation's MDM platform and automatically enrolls. The MDM pushes the enrollment profile, apps, policies, configuration.
6. The employee completes the brief user-facing setup (language, region, Apple ID if required). Corporate apps appear automatically. The device is ready for work.

Total IT involvement per device: zero. The IT team configures the MDM profile once and the same configuration applies to all devices automatically at first boot.

What Can Be Configured via ABM/MDM?

When a device enrolls via ABM and MDM, the MDM platform can configure and enforce:

• Passcode policies (minimum length, complexity, timeout)
• Wi-Fi credentials for corporate networks
• VPN configuration (Cisco AnyConnect, Pulse Secure, GlobalProtect)
• Email account configuration (Exchange, Office 365)
• App installation (managed apps pushed silently from MDM)
• App restrictions (prevent App Store use, restrict specific apps)
• Content filtering (web filtering profiles)
• Feature restrictions (camera, AirDrop, iCloud, screen recording)
• Device lock and remote wipe capability
• Certificate deployment for network authentication

The result is a fully locked-down corporate device that meets security policy requirements without any manual per-device IT work.

Supervised vs. Unsupervised iOS Devices

Devices enrolled through ABM are automatically placed in Supervised mode (also called DEP-enrolled). Supervised mode provides IT with deeper management capabilities not available on unsupervised (personally-enrolled) devices:

• Silent app installation without user prompt
• Ability to prevent the user from removing the MDM profile
• Lost Mode (specific to ABM) for lost device location and remote lock
• Single App Mode for kiosk use cases
• More granular feature restrictions (e.g., restricting specific Siri capabilities)

ABM-enrolled devices are always supervised. Consumer-enrolled (BYOD) devices are never supervised. This distinction is why enterprise iOS deployments require ABM, supervised mode is critical for enterprise security and management requirements.

Google Zero-Touch Enrollment: How It Works for Android Enterprise Deployment

Google Zero-Touch enrollment is Android Enterprise's pre-provisioning program, launched in 2017 to provide an equivalent to Apple's ABM. It allows enterprises to pre-configure Android devices for automatic MDM enrollment before they reach employees. The Zero-Touch API documentation covers programmatic device configuration for organisations managing large fleets.

Prerequisites

To use Zero-Touch for bulk Android deployment:

1. Zero-Touch portal access: The organisation creates a Zero-Touch customer account at enterprise.google.com/zero-touch.
2. EMM/MDM platform: The MDM platform must be Android Enterprise-certified. Compatible platforms include VMware Workspace ONE, Microsoft Intune, Jamf, MobileIron/Ivanti, ManageEngine, and others.
3. DPC extras configuration: The Zero-Touch portal requires the organisation to configure the Android Device Policy Client (DPC) extras, essentially a JSON blob that specifies the EMM token and enrollment parameters for the MDM platform.
4. Zero-Touch authorised reseller: Devices must be purchased from a Zero-Touch authorised reseller, who uploads device IMEIs to the organisation's Zero-Touch portal before shipment. Solaris Wireless is a Google-approved vendor with Zero-Touch reseller authorisation.

The Enrollment Process

1. Organisation places an Android device order with a Zero-Touch authorised supplier, providing their Zero-Touch customer ID.
2. The supplier registers each device's IMEI in the organisation's Zero-Touch portal before shipping.
3. Devices ship to employees.
4. Employee powers on the device and connects to Wi-Fi or activates mobile data.
5. Android checks Google's Zero-Touch infrastructure, finds an enrollment configuration for the IMEI, and downloads the DPC (Device Policy Controller) app for the specified MDM platform.
6. The DPC app configures the device with the organisation's MDM enrollment. The MDM pushes apps, policies and configurations.
7. Device is ready. From the employee's perspective: a brief setup screen, then a fully configured corporate Android device.

Android Work Profile vs. Fully Managed Device

Android Enterprise has two primary deployment modes:

• Fully Managed Device (Device Owner): The organisation owns the entire device. IT has complete control. Typically used for company-owned devices issued to employees. Zero-Touch enrollment always results in fully managed mode.
• Work Profile (Profile Owner): Creates a separate work container on a personally-owned device (BYOD). Corporate apps and data are isolated in the work profile. Cannot be applied via Zero-Touch, work profile enrollment is user-initiated.

For bulk enterprise deployments with company-owned devices, the scenario where Zero-Touch is relevant, fully managed device mode is the correct deployment model.

Samsung Knox Enrollment: What It Is and When to Use It

Samsung Knox Enrollment Service (KME) is Samsung's own pre-provisioning program, predating Google Zero-Touch. For Samsung Galaxy device deployments, KME provides additional Knox-specific features beyond standard Zero-Touch:

• Knox Platform for Enterprise (KPE) activation for Samsung-specific security features
• Pre-configuration of Samsung-specific settings (Knox Guard, Samsung DeX mode)
• Device blocking capability, KME can prevent device use until MDM enrollment is completed

KME and Zero-Touch are not mutually exclusive. Samsung Galaxy devices can be enrolled via both KME and Zero-Touch simultaneously, with KME handling Samsung-specific configuration and Zero-Touch handling MDM enrollment. For Samsung-heavy deployments (e.g., an enterprise standardising on Galaxy devices), using both provides the richest pre-provisioning capability.

The Economic Case for Zero-Touch MDM Provisioning

The IT staging cost of manually enrolling enterprise devices is a significant, often underestimated deployment cost. The numbers:

Manual Enrollment Labour Cost

• IT technician throughput: 15-20 devices per day (setup, enrollment, verification)
• Fully loaded IT labour cost: $400-600/day
• 1,000-device deployment: 50-67 person-days = $20,000-40,000
• 5,000-device deployment: 250-333 person-days = $100,000-200,000

Zero-Touch Enrollment Labour Cost

• IT setup: configure ABM/Zero-Touch portal and MDM profile = 4-8 hours total
• Per-device IT labour: zero
• 1,000-device or 5,000-device deployment IT cost: effectively zero (4-8 hours configuration, same for both)

Additional Savings: Staging Facility Elimination

Manual staging requires a physical staging facility, a room where IT staff receive bulk shipments, configure devices, and re-ship to employee locations. This facility has real estate cost, inbound freight cost, and re-packaging/re-shipping cost. Direct-to-employee delivery with zero-touch enrollment eliminates the staging facility entirely. Devices ship from the supplier directly to employee desks, already pre-registered for automatic enrollment.

For a 2,000-employee rollout with employees in multiple locations, the staging facility elimination alone can save $15,000-30,000 in logistics costs.

Choosing an MDM Platform for Bulk Device Deployment

The MDM platform choice affects what provisioning configurations are possible. The major enterprise MDM platforms and their positioning:

Jamf (iOS/macOS Focus)

Jamf Pro and Jamf Now are the dominant MDM platforms for Apple device management. If the enterprise runs primarily iPhone and Mac, Jamf provides the deepest Apple management capability including ABM integration, advanced enrollment policies and Apple Silicon Mac management. Jamf is the recommended MDM for Apple-first enterprises.

Microsoft Intune (Cross-Platform)

Microsoft Intune (part of Microsoft Endpoint Manager / Microsoft 365) manages both iOS/macOS and Android devices from a single platform. For enterprises already in the Microsoft 365 ecosystem, Intune provides seamless integration with Azure AD, Conditional Access and Microsoft Defender. Supports both ABM (for iOS) and Zero-Touch (for Android). Recommended for enterprises with mixed iOS/Android fleets.

VMware Workspace ONE (Cross-Platform, Enterprise Scale)

VMware Workspace ONE (Airwatch) is a comprehensive Unified Endpoint Management (UEM) platform covering mobile, desktop and IoT devices. Preferred by large enterprises (10,000+ devices) requiring advanced unified management across all device types and operating systems. Higher implementation complexity than Jamf or Intune but the most capable platform for heterogeneous large-scale deployments.

Mosyle (Apple-Focused, Education and SMB)

Mosyle provides Apple device management for education and small-to-medium businesses. Simpler interface than Jamf with competitive pricing for smaller deployments (under 1,000 Apple devices). Full ABM integration. Recommended for Apple-first organisations that find Jamf's complexity overkill for their scale.

Specifying MDM Provisioning Requirements for a Device Order

When requesting MDM provisioning from an institutional device supplier, include these details in the order specification:

For ABM/iOS Orders:

• Your Apple Business Manager Organisation ID (shown in ABM settings)
• Your MDM platform (Jamf, Intune, Mosyle, etc.)
• Which MDM enrollment profile to assign (if multiple profiles exist in your MDM)
• Whether devices should be enrolled in Supervised mode (always yes for ABM purchases)
• Any specific asset tag or device naming requirements for IMEI-to-employee assignment

For Zero-Touch/Android Orders:

• Your Zero-Touch Customer ID
• Your EMM/MDM platform and the DPC extras JSON for your enrollment configuration
• Android Enterprise mode: Fully Managed Device (typical) vs. Dedicated Device (kiosk)
• Whether Samsung KME is also required (for Samsung Galaxy orders)
• Any per-device IMEI-to-asset-tag mapping requirements

For Custom OS (MVNO and Specialist Enterprise):

• Base OS version and OEM model for the custom build
• App manifest (apps to pre-install as system apps)
• Carrier configuration: APN, VoLTE, voicemail settings
• SIM lock carrier codes if applicable
• Branding assets: boot animation, wallpaper, launcher icon if applicable
• Validation environment: test SIM and test network access for QA verification

Solaris Wireless MDM Provisioning Capabilities

Solaris Wireless provides the following provisioning services for institutional device orders:

• Apple Business Manager enrollment, iPhones and iPads registered in customer ABM accounts before shipment, compatible with all ABM-linked MDM platforms
• Google Zero-Touch enrollment, Android devices registered in customer Zero-Touch portals before shipment; Solaris is a Google-approved vendor since 2016
• Samsung Knox Enrollment Service, Samsung Galaxy devices enrolled via KME for organisations using Samsung Knox management
• Custom OS flashing, custom Android ROM builds for MVNO and specialist enterprise programmes
• SIM lock provisioning, carrier-specific SIM lock for MVNO subscriber devices
• App pre-installation, system app pre-installation for custom OS orders
• Asset tagging, physical asset tags and IMEI-to-employee assignment lists for enterprise asset management

Solaris has provisioned 10,000+ devices for institutional buyers including enterprise programmes, MVNO operators and government agencies. MDM device provisioning services provides a full capability overview.

Frequently Asked Questions: MDM Enrollment and Bulk Provisioning