They say there are only two hard problems in computer science:
- Naming things
- Invalidating cache contents
- Off-by-one errors
I was reminded of the first problem as my company recently struggled to communicate clearly among ourselves and with vendors about the types of device enrollment in Mobile Device Management (MDM) systems.
I couldn’t find any industry-standard terms that applied here. If I’m wrong, I’d be happy to hear about it. If I’m right, maybe others will find the following names and definitions useful.
Enrollment Classes
For enterprises, Apple Business Manager, Android Zero Touch Enrollment, and Samsung Knox are reliable, large-scale methods of enrolling devices in MDM management. However, only authorized resellers can add devices to those systems. A business buying a fleet of phones from a carrier or major retailer can rely on the reseller setting their phones up for easy management.
However, a mobile virtual network operator (MVNO) or other service provider cannot always establish the “chain of custody” necessary to prove ownership and get devices into those systems. There are other methods, but they have limitations. Apple and Google have different procedures and names for their device enrollment processes. Platform-agnostic terminology can make it easier to talk about the end state of an enrolled device regardless of platform. Toward that end, we defined three classes of enrollment.
- Class A enrollment is the most secure and permanent. The MDM has nearly complete control of the device, and after a factory reset the device is automatically reenrolled in the MDM, which can then reestablish control.
- Class B enrollment is nearly as good. The MDM has nearly complete control of the device, but a factory reset will disconnect the device from the MDM and require manual intervention to reenroll the device.
- Class C enrollment is useful but fairly weak. The MDM can control and monitor some aspects of the device, but the device holder has the ability to bypass the MDM controls and make changes that put the device or its user at risk.
Class A
Class A enrollment requires a device to be added to a zero-touch enrollment platform: Apple Business Manager (for iOS), Knox Mobile Enrollment (for Samsung), or Zero-Touch Enrollment (for Android, including Samsung).
The zero-touch enrollment platforms are best suited for organizations managing large fleets of devices. While some exceptions can be managed with effort, the usual path is that the organization buys devices from an “authorized reseller” who adds the devices to the platform for the organization.
- Advantages: Class A is sticky (even a factory reset doesn’t remove the device from the MDM) and easy (the devices are put in the portal by the reseller, and the organization doesn’t have to do anything to enroll them).
- Disadvantage: Class A is very difficult to add to existing devices.
Class B
Class B enrollment can be performed on existing devices without involving the zero-touch enrollment platforms.
This is useful for organizations trying to onboard existing devices while maintaining tight control. A Class B enrollment leaves the device “owned” by the MDM so it can enforce always-on VPN and other privileged policies.
- Advantages: Class B does not require the devices to be in a zero-touch enrollment platform, and it allows privileged policies to be enforced.
- Disadvantages: Class B requires touching every device, requires the device to be factory reset (“wiped”), and the device does not automatically reenroll after another factory reset.
Class C
Class C enrollment can be performed on existing devices without the need to factory reset them.
This can be useful for adding management to deployed devices. However, because the device is not “owned” by the MDM, privileged policies like always-on VPN cannot be enforced.
- Advantage: Class C does not require a factory reset.
- Disadvantage: Class C does not prevent the user from disabling important policies like always-on VPN, or even from uninstalling the MDM client.
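The three classes above amount to a small decision table plus two lifecycle events (a factory reset and the holder removing the client). The following Python is an added example, not code from the original post, that applies those definitions to an MDM inventory export: it classifies each record, checks which required policies the class can actually enforce, and flags devices that would silently drop out of management after a wipe. The inventory field names (`platform`, `enrolled`, `mdm_owned`, `zero_touch`) and the sample records are assumptions made for illustration; real MDM exports name these fields differently.

```python
# Added example (not from the original post): classify an MDM inventory
# export into the three enrollment classes and flag policy gaps.
# Field names and sample devices below are assumed/constructed for illustration.
from dataclasses import dataclass, replace
from enum import Enum


class EnrollmentClass(Enum):
    A = "A"            # zero-touch platform, MDM-owned, auto-reenrolls after reset
    B = "B"            # MDM-owned, but a factory reset disconnects it
    C = "C"            # MDM present, but the holder can bypass or uninstall it
    NONE = "unenrolled"


# Policies the post calls "privileged": enforceable only when the MDM owns the
# device (Class A or B). Policy names are illustrative.
PRIVILEGED_POLICIES = frozenset({"always_on_vpn", "block_factory_reset"})


@dataclass(frozen=True)
class DeviceRecord:
    device_id: str
    platform: str      # "ios" or "android" (assumed field name)
    enrolled: bool     # MDM client is enrolled and reporting
    mdm_owned: bool    # MDM holds full control of the device (assumed field name)
    zero_touch: bool   # registered in ABM / Knox Mobile Enrollment / Android zero-touch


def classify(rec: DeviceRecord) -> EnrollmentClass:
    """Map one inventory record onto the Class A/B/C definitions."""
    if not rec.enrolled:
        return EnrollmentClass.NONE
    if rec.mdm_owned and rec.zero_touch:
        return EnrollmentClass.A
    if rec.mdm_owned:
        return EnrollmentClass.B
    return EnrollmentClass.C


def can_enforce(cls: EnrollmentClass, policy: str) -> bool:
    """Privileged policies need an MDM-owned device; others only need a client."""
    if cls is EnrollmentClass.NONE:
        return False
    if policy in PRIVILEGED_POLICIES:
        return cls in (EnrollmentClass.A, EnrollmentClass.B)
    return True


def factory_reset(rec: DeviceRecord) -> DeviceRecord:
    """Model a wipe: a Class A device reenrolls automatically through the
    zero-touch platform; anything else comes back unenrolled until touched."""
    if classify(rec) is EnrollmentClass.A:
        return rec
    return replace(rec, enrolled=False, mdm_owned=False)


def user_uninstalls_client(rec: DeviceRecord) -> DeviceRecord:
    """Only a Class C holder can remove the MDM client themselves."""
    if classify(rec) is EnrollmentClass.C:
        return replace(rec, enrolled=False)
    return rec


def audit(records, required_policies):
    """Return (device_id, finding) pairs for devices that cannot meet the required
    policies or that would drop out of management after a factory reset."""
    findings = []
    for rec in records:
        cls = classify(rec)
        for policy in required_policies:
            if not can_enforce(cls, policy):
                findings.append((rec.device_id, f"class {cls.value} cannot enforce {policy}"))
        if cls in (EnrollmentClass.B, EnrollmentClass.C):
            findings.append((rec.device_id, f"class {cls.value} does not reenroll after a factory reset"))
    return findings


# Constructed sample inventory (not real devices).
SAMPLE_INVENTORY = [
    DeviceRecord("ios-001", "ios", enrolled=True, mdm_owned=True, zero_touch=True),
    DeviceRecord("and-002", "android", enrolled=True, mdm_owned=True, zero_touch=False),
    DeviceRecord("and-003", "android", enrolled=True, mdm_owned=False, zero_touch=False),
]

if __name__ == "__main__":
    for device_id, finding in audit(SAMPLE_INVENTORY, ["always_on_vpn"]):
        print(device_id, finding)
```

Run against the sample inventory with `always_on_vpn` as a required policy, the audit reports nothing for the Class A device, a reset warning for the Class B device, and both a policy gap and a reset warning for the Class C device, which is exactly the gradient the three definitions describe.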