Mobile Device Management (MDM) enrollment and management is a core topic for the CompTIA A+ 220-1101 exam, falling under Domain 1.0 (Mobile Devices), Objective 1.2 (Given a scenario, install and configure mobile device settings). This chapter covers the complete lifecycle of an MDM-managed device: from initial enrollment methods (user-initiated, corporate-owned, and bulk enrollment) to policy enforcement, application management, and remote actions like lock/wipe. Understanding MDM is critical because approximately 15-20% of the exam questions in the Mobile Devices domain will test your knowledge of MDM concepts, enrollment workflows, and troubleshooting. Master this material to confidently answer scenario-based questions about corporate device management.
Jump to a section
Think of an MDM solution as a corporate fleet manager for a large logistics company. The fleet manager oversees hundreds of delivery trucks (mobile devices) used by drivers (employees). Each truck must be configured identically: GPS tracking enabled, speed governor set, cargo locks secure, and driver logs standardized. The fleet manager does not drive each truck individually; instead, he uses a centralized system to send configuration profiles over the air. When a new truck is purchased, it is enrolled by installing a management agent that phones home to the fleet's control center. The control center then pushes a baseline configuration: install the required safety apps, enforce a speed limit, and disable personal music streaming. If a truck is reported stolen, the fleet manager can remotely lock the doors or wipe the cargo data. The driver cannot remove the management agent because it is installed with privileged access (like a device administrator profile). The fleet manager also monitors each truck's location, battery status, and compliance with company policies. If a truck deviates from policy (e.g., jailbroken to remove speed limiter), the control center flags it and may quarantine the truck by restricting access to corporate networks. This mirrors exactly how MDM works: a central server pushes policies via APNs (Apple Push Notification service) or C2DM (Android Cloud to Device Messaging), enforces compliance, and can remotely lock or wipe devices.
What is MDM and Why Does It Exist?
Mobile Device Management (MDM) is a security solution that enables organizations to centrally manage, secure, and enforce policies on mobile devices (smartphones, tablets, laptops) used by employees. MDM addresses several critical business needs: - Data protection: Prevent sensitive corporate data from leaking if a device is lost or stolen. - Compliance: Ensure devices meet security baselines (e.g., encryption enabled, passcode complexity, OS version). - Configuration management: Deploy Wi-Fi, VPN, email, and app settings automatically. - Inventory & asset tracking: Keep an accurate record of all devices and their status.
For the 220-1101 exam, you must know the difference between MDM and Mobile Application Management (MAM). MDM controls the entire device, while MAM controls only specific applications. The exam will test your ability to choose the correct solution based on a scenario.
How MDM Enrollment Works: Step-by-Step Mechanism
MDM enrollment is the process of registering a device with the MDM server. The enrollment flow varies by device platform (iOS, Android, Windows, macOS) and ownership model (BYOD vs. corporate-owned).
1. Discovery: The device contacts the MDM server, typically via a URL embedded in the enrollment profile. For Apple devices, this uses the Apple Push Notification service (APNs) to establish a persistent connection. For Android, it uses Google's Firebase Cloud Messaging (FCM).
2. Authentication: The device authenticates to the MDM server. Common methods: - Username/password: User enters corporate credentials. - Certificate-based: A client certificate is installed on the device (e.g., via SCEP – Simple Certificate Enrollment Protocol). - Token-based: A one-time enrollment token is generated by the MDM and entered on the device.
3. Profile Installation: The MDM server sends a configuration profile (e.g., an Apple .mobileconfig or a Microsoft Intune policy) to the device. The profile contains:
MDM server URL
Device identity certificate
Push notification topic (for APNs/FCM)
Access rights (e.g., allow remote lock, wipe, query inventory)
4. Device Check-in: After installing the profile, the device performs an initial check-in with the MDM server. This establishes a command-and-control channel. The device sends its unique identifier (UDID for iOS, device ID for Android) and reports its current state (OS version, installed apps, compliance status).
5. Policy Application: The MDM server pushes policies to the device. Policies can include:
Password policy: minimum length, complexity, maximum failed attempts before wipe.
Encryption requirement: enforce device encryption (FileVault on macOS, BitLocker on Windows, device encryption on Android/iOS).
App management: install required apps, block prohibited apps, remove apps remotely.
Network settings: push Wi-Fi profiles, VPN configurations, email account settings.
Restrictions: disable camera, disable screen capture, disable USB debugging, restrict app installation to managed app store only.
6. Compliance Monitoring: The device periodically checks in with the MDM server (e.g., every 15 minutes by default in Intune). If the device becomes non-compliant (e.g., jailbroken, encryption disabled, OS outdated), the MDM can take actions such as:
Send a notification to the user.
Block access to corporate resources (conditional access).
Remotely wipe the device.
Key Components, Values, and Defaults
APNs (Apple Push Notification service): Required for iOS/macOS MDM. The MDM server must obtain an APNs certificate from Apple. This certificate is used to push commands to devices. Without APNs, the MDM cannot communicate with Apple devices.
FCM (Firebase Cloud Messaging): Google's equivalent for Android. The MDM server uses FCM to send commands to Android devices.
Enrollment tokens: For corporate-owned devices, Apple Business Manager and Android Enterprise generate enrollment tokens that are entered during setup (e.g., Apple DEP – Device Enrollment Program).
SCEP (Simple Certificate Enrollment Protocol): Used to issue device certificates for authentication. Default key size is 2048-bit RSA.
UDID (Unique Device Identifier): A 40-character hex string that uniquely identifies an iOS device. Used during enrollment.
IMEI/MEID: International Mobile Equipment Identity – used for device identification in cellular networks, but not typically used by MDM.
Configuration and Verification Commands (Windows MDM)
On Windows 10/11, devices can be enrolled in MDM via Group Policy or manually. To verify MDM enrollment status:
# Check enrollment status via Settings
Settings > Accounts > Access work or school > Click on connected account > Info
# Using PowerShell
Get-MgDevice -Filter "operatingSystem eq 'Windows'" | Select-Object DisplayName, DeviceId, EnrollmentType, ComplianceState
# Check MDM server URL in registry
reg query HKLM\SOFTWARE\Microsoft\Enrollments\ /s | findstr "EnrollmentServerUrl"For iOS, you can verify enrollment by going to Settings > General > Device Management and viewing the management profile. The profile will show the MDM server name and the installed configuration payloads.
How MDM Interacts with Related Technologies
Conditional Access: MDM integrates with identity providers (Azure AD, Okta) to enforce access policies. For example, only devices that are compliant with MDM policies can access Office 365 email.
Mobile Threat Defense (MTD): MDM can integrate with MTD solutions to detect malicious apps or network attacks on the device.
Enterprise Mobility Management (EMM): MDM is often a component of a broader EMM suite that also includes MAM, identity management, and enterprise app store.
Unified Endpoint Management (UEM): UEM extends MDM to manage desktops, laptops, and IoT devices from a single console. 220-1101 may mention UEM as an evolution of MDM.
Common MDM Enrollment Methods
User-Driven Enrollment (BYOD): User installs the Company Portal app (Intune) or enrolls via a web link. The device is partially managed – only corporate data and apps are controlled, not the entire device.
Corporate-Owned, User-Enrolled: Device is pre-configured with an enrollment profile (e.g., Apple DEP). During initial setup, the device automatically enrolls without user intervention.
Corporate-Owned, Fully Managed: Device is enrolled in device administrator mode (Android) or supervised mode (iOS). The MDM has full control, and the user cannot remove the management profile.
Bulk Enrollment: For large deployments, MDM supports bulk enrollment via a provisioning package (Windows Configuration Designer) or zero-touch enrollment (Android Zero-Touch).
MDM Remote Actions
Remote Lock: Locks the device with a new PIN. Used when a device is lost but not believed to be compromised.
Remote Wipe: Erases all data on the device, returning it to factory defaults. Used when the device contains sensitive data and is unrecoverable.
Retire/Selective Wipe: Removes only corporate data and apps, leaving personal data intact. Used for BYOD devices when an employee leaves the company.
Reset Passcode: Allows the admin to reset the device passcode (supported on supervised iOS devices and Android Enterprise).
Lost Mode: Puts the device in a state that displays a custom message on the lock screen with a contact number.
Troubleshooting MDM Enrollment
Common issues and their causes:
Enrollment fails with "Device already enrolled": The device is already managed by another MDM. The user must unenroll from the old MDM first.
Profile installation fails: The device may not have a network connection, or the APNs certificate is expired. Check the MDM server's push certificate.
Device not receiving policies: The check-in interval may be long, or the device is not connected to the internet. Force a check-in by going to Settings > Device Management > Check for Updates.
Non-compliance not triggering actions: The compliance policy may not be assigned to the device, or the grace period has not expired.
For the exam, remember that APNs certificate expiry is a common cause of iOS MDM communication failure. Renew the certificate before it expires.
Exam Tip: BYOD vs. Corporate-Owned
The exam will present scenarios where you must choose the appropriate enrollment method. Key differentiators: - BYOD: User owns the device. MDM should use selective wipe only. User privacy is a concern. - Corporate-owned: Organization owns the device. Full wipe is acceptable. Device can be supervised (iOS) or set as device owner (Android). - Dedicated device (kiosk mode): Device is locked to a single app. Use Android Enterprise dedicated device enrollment or Apple Configurator for supervised iOS.
Initiate Enrollment Request
The user or administrator triggers enrollment. For BYOD, the user downloads the Company Portal app (Intune) or navigates to an enrollment URL. For corporate-owned devices, enrollment is triggered automatically during initial setup (e.g., Apple DEP) or via a provisioning package. The device sends an enrollment request to the MDM server, including its unique identifiers (UDID for iOS, serial number for Windows) and a device certificate request. The MDM server validates the request and responds with a challenge or enrollment token.
Authenticate Device and User
The device authenticates to the MDM server using the provided credentials. Common methods: Azure AD authentication (OAuth 2.0) for Intune, or certificate-based authentication using SCEP. The MDM server verifies the user's identity and checks if the device is authorized for enrollment. If authentication fails, enrollment is denied. The server may also check device eligibility (e.g., OS version, compliance with minimum requirements).
Install Management Profile
Upon successful authentication, the MDM server sends a configuration profile to the device. On iOS, this is a .mobileconfig file that includes the MDM server URL, push notification topic, and device identity certificate. The user must manually approve the profile installation on BYOD devices; on supervised devices, it installs silently. The profile grants the MDM server privileges to manage the device, including the ability to query inventory, install apps, and enforce restrictions.
Device Check-In and Inventory
After the profile is installed, the device performs an initial check-in with the MDM server. It sends detailed inventory data: hardware information (model, serial number, storage capacity), OS version, installed applications, and current compliance status. The MDM server records this data in its database for asset management. The check-in also establishes the persistent push notification channel (APNs or FCM) for future commands.
Policy Enforcement and Compliance
The MDM server pushes policies to the device based on the user's group or device category. Policies include security settings (passcode, encryption), app management (required/blocked apps), and network configurations (Wi-Fi, VPN). The device applies these policies immediately. It also begins compliance monitoring: the device periodically checks in (e.g., every 15 minutes) and reports its status. If a policy is violated (e.g., device jailbroken), the MDM can take action such as blocking access or wiping the device.
Ongoing Management and Remote Actions
After enrollment, the MDM server can send commands to the device at any time via the push channel. Common commands: remote lock, remote wipe, retire (selective wipe), reset passcode, install or remove apps, update settings. The device acknowledges each command and reports the result. The MDM server also handles certificate renewal (e.g., SCEP certificates expire and must be renewed). Administrators monitor device compliance and can revoke access if needed.
In enterprise environments, MDM is deployed to manage thousands of devices across multiple platforms. Here are three common scenarios:
Scenario 1: Healthcare – Secure Mobile Access for Clinicians A hospital issues iPhones to all doctors and nurses for accessing electronic health records (EHR). The MDM (e.g., VMware Workspace ONE) enrolls devices via Apple DEP, making them supervised. Policies enforce a 6-digit passcode, device encryption, and disable iMessage and FaceTime to prevent data leakage. The MDM also pushes a VPN profile to ensure all EHR traffic goes through the hospital's network. If a device is lost, the IT team can immediately put it in Lost Mode or perform a remote wipe. The hospital also uses conditional access: only compliant devices can access the EHR web portal. A common misconfiguration is failing to renew the APNs certificate, causing all iOS devices to lose communication with the MDM – this happened at a large hospital chain, leading to a 24-hour outage of mobile EHR access.
Scenario 2: Retail – Kiosk Mode for Point-of-Sale A retail chain uses Android tablets as dedicated point-of-sale (POS) terminals. They enroll the tablets using Android Enterprise dedicated device enrollment. The MDM (e.g., Samsung Knox Manage) locks the device into a single kiosk app (the POS app). Policies disable the navigation bar, volume buttons, and other hardware keys. The MDM also pushes a Wi-Fi profile and disables Bluetooth to prevent unauthorized connections. Battery optimization settings prevent the device from sleeping. If a tablet is stolen, the MDM can wipe it remotely. The challenge is scale: the chain has 5,000 tablets across 500 stores. They use bulk enrollment with a QR code that each store manager scans during setup. A common issue is that the kiosk app crashes, leaving the user stuck; the MDM can push an update or restart the app remotely.
Scenario 3: Education – Chromebook Management A school district issues Chromebooks to students. They use Google Admin Console (a UEM tool) to manage the devices. Enrollment is zero-touch: when a student turns on the Chromebook, it automatically enrolls based on the serial number in Google's enrollment database. Policies restrict extensions, force safe search, and block incognito mode. The MDM pushes a Wi-Fi profile for the school network and installs required educational apps. At the end of the school year, the devices are automatically wiped and re-enrolled for the next batch of students. A common problem is students finding ways to bypass enrollment (e.g., using a personal Google account). The school enforces forced re-enrollment by locking the device to the domain. If a Chromebook is lost, the admin can disable the device, preventing any Google sign-in.
Performance Considerations: At scale, the MDM server must handle thousands of concurrent check-ins. Push notifications reduce polling, but check-in intervals must be balanced against server load. Typical check-in intervals are 15-60 minutes. For remote wipe, the command is sent immediately via push notification. If the device is offline, the wipe command is queued and executed when the device next connects.
What the 220-1101 Exam Tests on MDM Enrollment and Management
CompTIA A+ 220-1101 Objective 1.2 specifically asks you to "install and configure mobile device settings." Within that, MDM enrollment and management is a key scenario. The exam will present a scenario (e.g., a company needs to manage employee smartphones) and ask you to select the appropriate technology or step. You must know:
The difference between MDM and MAM.
The purpose of APNs and FCM.
The concept of device enrollment and the steps involved.
Common MDM features: remote lock, remote wipe, passcode policies, encryption enforcement.
The difference between BYOD and corporate-owned device management.
How to troubleshoot enrollment issues (e.g., APNs certificate expiry).
Common Wrong Answers and Why Candidates Choose Them
Choosing MAM over MDM when the scenario requires full device control. Candidates confuse the two. Remember: MDM controls the device; MAM controls apps. If the scenario says "the company needs to enforce a passcode on the entire device," that's MDM. If it says "the company needs to manage only the corporate email app," that's MAM.
Selecting "Factory reset" instead of "Remote wipe." Both erase data, but "remote wipe" is the MDM term. The exam will use the exact term "remote wipe." Factory reset is a manual action.
Assuming MDM works without an internet connection. MDM commands rely on push notifications (APNs/FCM) which require internet. If a device is offline, commands are queued but not executed until the device reconnects.
Confusing APNs with Apple ID. APNs is Apple's push notification service, not a user's Apple ID. The MDM server needs an APNs certificate, not a user's Apple ID credentials.
Specific Numbers and Terms That Appear Verbatim
APNs (Apple Push Notification service) – required for iOS MDM.
FCM (Firebase Cloud Messaging) – for Android MDM.
SCEP (Simple Certificate Enrollment Protocol) – for certificate-based authentication.
UDID (Unique Device Identifier) – used during iOS enrollment.
Remote wipe vs. Selective wipe (also called retire).
BYOD (Bring Your Own Device) vs. COPE (Corporate-Owned, Personally Enabled).
Supervised mode (iOS) – gives MDM full control.
Device Owner (Android) – equivalent to supervised mode.
Edge Cases the Exam Loves to Test
A device that is already enrolled in one MDM cannot be enrolled in another without first unenrolling.
If the APNs certificate expires, iOS devices will not receive commands, but the existing policies remain in effect.
For BYOD, a selective wipe removes corporate data but leaves personal data intact.
For corporate-owned devices, a full wipe is acceptable.
How to Eliminate Wrong Answers
Read the scenario carefully: Is the device personally owned or corporate-owned? If personally owned, look for answers that mention "selective wipe" or "retire." If corporate-owned, "remote wipe" is fine. Look for keywords like "enforce passcode" (MDM), "manage specific app" (MAM). Also, watch for answers that mention "Apple ID" or "Google Account" – these are not MDM components. The correct answer will involve APNs, FCM, or SCEP.
MDM enrolls devices via a configuration profile that includes the server URL and push notification topic.
Apple devices require APNs (Apple Push Notification service) for MDM communication; Android uses FCM (Firebase Cloud Messaging).
Remote wipe erases all device data; selective wipe removes only corporate data and apps.
BYOD devices should be managed with selective wipe to preserve user privacy.
Corporate-owned devices can be enrolled automatically using Apple DEP or Android Zero-Touch.
Common MDM policy settings: password complexity, encryption enforcement, app whitelisting/blacklisting, Wi-Fi/VPN profiles.
Troubleshooting tip: If iOS devices stop receiving MDM commands, check the APNs certificate expiry date.
These come up on the exam all the time. Here's how to tell them apart.
MDM (Mobile Device Management)
Manages the entire device (hardware, OS, settings).
Enforces device-level policies (passcode, encryption, remote wipe).
Requires enrollment of the device with an MDM server.
Ideal for corporate-owned devices or when full control is needed.
Can block or install apps device-wide.
MAM (Mobile Application Management)
Manages only specific applications and their data.
Enforces app-level policies (app PIN, data encryption, copy/paste restrictions).
Does not require device enrollment; works via app configuration.
Ideal for BYOD scenarios to protect corporate data without invading privacy.
Can selectively wipe corporate data from managed apps only.
Mistake
MDM and MAM are the same thing.
Correct
MDM (Mobile Device Management) controls the entire device, including hardware settings, security policies, and remote wipe. MAM (Mobile Application Management) controls only specific applications and their data, without managing the device itself. For example, MAM can require a PIN to open the corporate email app, but it does not enforce a device-wide passcode.
Mistake
Remote wipe and selective wipe are identical actions.
Correct
Remote wipe erases all data on the device, returning it to factory defaults. Selective wipe (also called retire) removes only corporate data, apps, and settings, leaving personal data intact. Selective wipe is used for BYOD devices to protect user privacy.
Mistake
MDM can manage any mobile device without platform-specific requirements.
Correct
MDM requires platform-specific infrastructure: Apple devices need APNs (Apple Push Notification service) and an APNs certificate; Android devices need Google's Firebase Cloud Messaging (FCM). Without these push services, the MDM server cannot communicate with the devices.
Mistake
Enrolling a device in MDM requires physical access to the device.
Correct
Enrollment can be done remotely via over-the-air profile installation. For corporate-owned devices, enrollment can be automated during initial setup using Apple DEP or Android Zero-Touch, without any physical interaction beyond turning the device on.
Mistake
Once a device is enrolled, the user can easily remove the management profile.
Correct
On supervised iOS devices or Android Enterprise devices with Device Owner mode, the management profile cannot be removed by the user without administrator approval. On BYOD devices, the user can unenroll, but this may trigger a selective wipe of corporate data.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
MDM (Mobile Device Management) controls the entire device, including hardware settings, security policies, and remote wipe. MAM (Mobile Application Management) controls only specific applications and their data, without managing the device itself. On the exam, if the scenario mentions 'enforce a passcode on the device' or 'remote wipe the device,' choose MDM. If it says 'require a PIN to open the corporate email app' or 'manage only the corporate app,' choose MAM.
For iOS, enrollment begins when the device contacts the MDM server, typically via a URL in a configuration profile. The device authenticates (often with a certificate via SCEP), then installs a .mobileconfig profile that grants management privileges. The MDM server uses APNs to push commands. For corporate-owned devices, Apple DEP automates enrollment during initial setup without user interaction.
APNs (Apple Push Notification service) is the service that allows the MDM server to send commands to iOS devices. The MDM server obtains an APNs certificate from Apple, which is used to authenticate push notifications. Without APNs, the MDM cannot communicate with Apple devices in real time. The exam may ask: 'Which service is required for MDM on iOS?' Answer: APNs.
Yes, this is called a selective wipe or retire. It removes only corporate apps, data, and settings (like email profiles and VPN configurations) while leaving personal data intact. This is a key feature for BYOD scenarios to respect user privacy. The exam may test the difference between selective wipe (BYOD) and full wipe (corporate-owned).
First, verify that the device has an internet connection. Then check the MDM server's APNs certificate – if it has expired, the MDM cannot push commands. Also, ensure the device is properly enrolled and the management profile is installed. On the device, go to Settings > General > Device Management and confirm the profile is present. If needed, re-enroll the device.
Supervised mode gives the MDM additional controls, such as the ability to silently install apps, block app removal, and prevent the user from removing the management profile. It is typically used for corporate-owned devices. Standard MDM (without supervision) allows the user to remove the profile and has fewer restrictions. The exam may ask: 'Which mode allows silent app installation?' Answer: Supervised.
No. MDM works on stock iOS and Android devices. In fact, MDM can detect if a device is jailbroken or rooted and mark it as non-compliant. The exam may present a scenario where a jailbroken device is detected and the MDM blocks access to corporate resources.
You've just covered MDM Enrollment and Management — now see how well it sticks with free 220-1101 practice questions. Full explanations included, no account needed.
Done with this chapter?