This feature is in Open Beta. To enable it, go to Settings > Enable Beta Features > Secure Enrollment.
Overview
Secure Enrollment is a feature for manual device enrollment that helps provide more security and peace of mind for your enrollment URLs. It allows admins to create a randomized enrollment URL that can be rotated at will and secured with an optional passcode. It also generates a customizable webpage that end users will see as they navigate to the URL, which can help make the enrollment process more personalized.
Enabling MDM Secure Enrollment
Note: Once Secure Enrollment has been enabled for a policy, it cannot be undone. Secure Enrollment is also inherited by all child policies, and this change is irreversible. Be sure to update any internal documentation that references the previous enrollment URL.
To begin enabling this for a policy, navigate over to the Add Devices page and choose a policy. On the selected policy, you will see the following warning that Secure Enrollment is not enabled for the policy.
Now that you are in a policy without Secure Enrollment configured, follow these steps:
1. Click Enable Secure Enrollment.
2. The following window will appear; click Enable Secure Enrollment at the top of the window.
3. Carefully read the warning at the top of the page. Secure Enrollment cannot be enabled until the admin chooses I understand.
4. A green badge will appear confirming that Secure Enrollment has been enabled.
5. Copy the new URL and configure the passcode, logo, and custom page text as desired.
New Enrollment URL
Once Secure Enrollment has been enabled for a policy, a unique URL containing an identifier will be generated as the new entry point for device enrollment.
The legacy enrollment URL will no longer function for the affected policy branch, which means any children of the enabled policy will no longer have the former URL. This will not affect any currently enrolled devices.
Modifying Existing Secure Enrollment Settings
Note: Generating a new URL will invalidate the previous URL, so devices will not be able to download the enrollment profile when using an invalidated URL.
To regenerate the URL:
- Navigate to Add Devices > Policy that you want to modify.
- Click Edit Secure Enrollment.
- The Enrollment URL can be regenerated by clicking Regenerate URL.
- The logo, passcode, and custom page text can be configured in this modal as well.
- Click Save in the lower right to save any changes.
Using the new URL
Once Secure Enrollment is enabled and configured, a unique enrollment URL will be generated. Share this URL with end users so they can download and install the MDM enrollment profile.
User Experience When Accessing the URL
When users visit the enrollment URL, they will encounter a landing page that can vary depending on the settings in the policy.
No Customization or Passcode Applied
The user is taken directly to the profile download page. No logo or description is displayed, and no passcode is required.
Logo & Description Configured
The landing page displays the custom logo and description before allowing the profile download. No passcode is required.
Logo, Description & Passcode Configured
The landing page displays the logo and description. The user must enter the passcode before gaining access to download the profile.
Notes and Considerations
URL Regeneration
Once the URL is regenerated, you will still be able to navigate to the old page, but you will not be able to download the enrollment profile. If you click the Download Now button using an invalidated enrollment URL, you will see the following page in your browser:
If you have a passcode configured in your Secure Enrollment settings, the passcode will not be accepted once the URL has been invalidated.
Finally, if an enrollment profile was downloaded before the URL was regenerated, that profile is invalidated 30 minutes after the URL is regenerated.
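The validity rules in this section (only the current URL can download a profile, the passcode is never checked for an invalidated URL, and a profile fetched before a rotation expires 30 minutes after it) are modelled below as an added example. This is illustrative code written for this article, not Addigy's implementation; the class and method names, the example hostname, and the use of an integer clock in seconds are assumptions.

```python
import hmac
import secrets

PROFILE_GRACE_SECONDS = 30 * 60  # page: old profiles stay valid 30 minutes after a rotation


def _same(a, b):
    # Constant-time comparison of secrets; encode so non-ASCII passcodes are accepted.
    return hmac.compare_digest(a.encode("utf-8"), b.encode("utf-8"))


class SecureEnrollmentPolicy:
    """Hypothetical model of one policy's Secure Enrollment state."""

    def __init__(self, passcode=None):
        self.passcode = passcode
        self.token = secrets.token_urlsafe(24)   # random identifier embedded in the URL
        self.retired_at = {}                     # old token -> clock time it was invalidated
        self.profiles = {}                       # profile id -> token it was downloaded under

    def url(self, base="https://mdm.example.invalid/enroll"):
        return f"{base}/{self.token}"            # assumed URL shape, not Addigy's

    def regenerate(self, now):
        """Rotate the URL; the old token is retired and stops serving downloads immediately."""
        self.retired_at[self.token] = now
        self.token = secrets.token_urlsafe(24)
        return self.token

    def download_profile(self, token, passcode, now):
        """Return (profile_id, 'ok') or (None, reason). The URL is checked before the passcode,
        so a correct passcode on an invalidated URL is still refused, as the page describes."""
        if not _same(token, self.token):
            return None, "invalid-url"           # landing page still renders; download is refused
        if self.passcode is not None and (passcode is None or not _same(passcode, self.passcode)):
            return None, "bad-passcode"
        profile_id = secrets.token_hex(8)
        self.profiles[profile_id] = token
        return profile_id, "ok"

    def profile_valid(self, profile_id, now):
        """A profile is valid under the current URL, or for PROFILE_GRACE_SECONDS after
        the URL it was issued under was regenerated."""
        issued_under = self.profiles.get(profile_id)
        if issued_under is None:
            return False
        if issued_under == self.token:
            return True
        retired = self.retired_at.get(issued_under)
        return retired is not None and now < retired + PROFILE_GRACE_SECONDS
```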
Apple Configurator 2 Enrollments
Secure Enrollment policies cannot be used to enroll devices with Apple Configurator 2; use a policy without Secure Enrollment enabled for these devices.
Addigy Migrations
For customers who are in the process of completing an Addigy migration, please reach out to the Customer Success team before enabling Secure Enrollment.