MDM Enrollment Methods: Zero-Touch, QR Code, and Manual Enrollment Compared
MDM enrollment is the process of registering a device with a Mobile Device Management platform so it can receive policies, apps, and security configurations. Every managed device must be enrolled before IT can configure, monitor, or secure it. The enrollment method determines how much IT intervention is required — zero-touch enrollment requires none, QR code enrollment requires a single scan, and manual enrollment requires hands-on configuration — and how well the process scales. Zero-touch handles 10,000 devices identically to 10. Manual enrollment requires touching each device individually.
This guide compares every MDM enrollment method across Android, iOS, macOS, and Windows: Android Zero-Touch Enrollment (ZTE), Samsung Knox Mobile Enrollment (KME), Apple Automated Device Enrollment (ADE), Windows Autopilot, QR code, NFC, user-initiated URL/email, and manual enrollment. Bento MDM supports all enrollment methods — including Offline QR enrollment for devices without internet — at $1/device.
What Happens During MDM Enrollment
Regardless of which method is used, three things happen during enrollment. First, the MDM agent is installed on the device — either downloaded from an app store, pushed via the enrollment service, or sideloaded via a QR code. Second, the device registers with the MDM server and receives its identity certificate, which authenticates it for all future communication. Third, the MDM server pushes the assigned policy profile: security configurations, app installations, VPN settings, Wi-Fi credentials, content filtering rules, and any device restrictions.
After enrollment, the device is “managed.” It checks in with the MDM server on a configurable schedule, reports compliance status, and receives ongoing policy updates. The enrollment method only affects HOW the device gets registered. What happens AFTER enrollment is identical regardless of method — the same policies, apps, and security controls apply whether the device was enrolled via zero-touch, QR code, or manual entry. The MDM implementation guide covers enrollment as one stage in the full deployment workflow, from planning through validation.
Enrollment Methods Comparison
The table below compares eight MDM enrollment methods across six dimensions. Each cell is self-contained — if a search engine or AI assistant extracts a single row, it reads as a complete comparison without context from other rows.
| Dimension | Android ZTE | Samsung KME | Apple ADE | Windows Autopilot | QR Code | NFC | User-Initiated | Manual |
|---|---|---|---|---|---|---|---|---|
| Platform | Android 8.0+ | Samsung Galaxy (Android 6.0+) | iOS, iPadOS, macOS, tvOS | Windows 10/11 Pro or Enterprise | Android 6.0+, iOS, Windows | Android 5.0+ only | All platforms | All platforms |
| IT intervention | None. Fully automated on first boot. | None. Fully automated on first boot. | None. Fully automated on activation. | None. Fully automated on first boot. | Minimal. One scan per device. | Minimal. One tap per device. | None from IT. User self-enrolls. | Full. Manual per device. |
| Scale | Unlimited. Bulk serial registration. | Unlimited. Bulk CSV upload. | Unlimited. Auto-linked by purchase order. | Unlimited. Bulk hardware hash upload. | Moderate. Sequential scanning. | Moderate. Sequential tapping. | Low to moderate. Each user acts independently. | Very low. Each device configured individually. |
| Prerequisites | ZTE-participating reseller, Google ZTE portal account | Samsung Knox portal account, Knox license | Apple Business Manager or Apple School Manager account, APNs certificate | Azure AD tenant, device hardware hash registered | MDM console generates QR code. No vendor portal needed. | NFC provisioning tag or master device, factory-reset state | Enrollment URL or email link from the MDM console | MDM server URL entered manually in device settings |
| BYOD? | No. Corporate-owned only. | No. Corporate-owned Samsung only. | No. Organization-owned Apple only. | No. Corporate-owned Windows only. | Yes. Works for BYOD and corporate. | No. Requires factory-reset state. | Yes. Designed for BYOD. | Yes, but poor user experience. |
| Best for | Corporate Android fleets, kiosks, ship-to-home | Samsung Galaxy fleets, rugged XCover/Tab Active | School 1:1 iPads, corporate MacBooks, healthcare iPads | Corporate Windows laptops, remote employee ship-to-home | Small to medium deployments, BYOD events, existing devices | Warehouse staging of Android devices in rapid succession | BYOD programs, remote employees enrolling personal devices | Testing, troubleshooting, one-off devices (<10) |
Automatic Enrollment Methods
Automatic enrollment is automated device enrollment that requires no IT intervention at the device. The device is pre-registered with an enrollment service. On first boot and upon establishing an internet connection, it downloads the MDM agent, applies the assigned profile, and enters the target management mode. IT configures the enrollment once; every registered device enrolls the same way.
Android Zero-Touch Enrollment (ZTE)
Android ZTE is Google’s automated enrollment service for Android Enterprise devices. The manufacturer, carrier, or authorized reseller registers device serial numbers in the organization’s Google Zero-Touch portal. On first boot, the device connects to Wi-Fi, contacts Google’s ZTE server, downloads the MDM agent, and enrolls into the assigned management mode — Work Profile (BYOD), Device Owner (corporate), or COSU (kiosk). No IT staff touch the device.
Requirements: Android 8.0 or later, device purchased from a ZTE-participating reseller (most major OEMs and carriers support ZTE), and a Google Zero-Touch portal account linked to the MDM server. ZTE works with any Android Enterprise–compatible MDM. For the full Android management model — Work Profile, Device Owner, and COSU — see Android device management with Bento MDM.
Samsung Knox Mobile Enrollment (KME)
Knox Mobile Enrollment is Samsung’s proprietary bulk enrollment service for Samsung Galaxy devices. IT registers device serial numbers or IMEIs in the Samsung Knox portal via CSV upload. On first boot, the Galaxy device contacts Samsung’s KME server, downloads the MDM agent, and enrolls with it. KME works alongside ZTE but offers Samsung-specific provisioning controls that ZTE cannot provide: Knox Guard (remote device lock for leased or financed devices), Knox Configure (system-level app management, boot animation, and APN settings baked into firmware), and Samsung-only policy restrictions.
Requirements: Samsung Galaxy device running Android 6.0 or later, Samsung Knox portal account, and a Knox license (included with most enterprise Galaxy devices). Bento MDM integrates with Samsung Knox Mobile Enrollment for bulk Galaxy provisioning — including the Galaxy XCover rugged series and Galaxy Tab Active tablets used in field service and warehouse environments.
Apple Automated Device Enrollment (ADE)
Apple ADE is Apple’s zero-touch enrollment service for iOS, iPadOS, macOS, and tvOS. Devices purchased through Apple or an Apple Authorized Reseller are linked automatically to the organization’s Apple Business Manager (ABM) or Apple School Manager (ASM) account by purchase order. On first activation, the device contacts Apple’s enrollment server and redirects to the organization’s MDM server. The MDM agent is installed, the supervision profile is applied, and the device is managed.
ADE replaced the legacy Device Enrollment Program (DEP) and the Volume Purchase Program (VPP), both of which are now consolidated under Apple Business Manager. Requirements: Apple device purchased through an ABM/ASM-linked channel, ABM or ASM account, and an MDM server with a valid APNs (Apple Push Notification service) certificate. For school-specific ADE workflows — 1:1 iPad programs, Shared iPad, and Apple School Manager integration — see MDM for education — managing student and staff devices.
Windows Autopilot
Windows Autopilot is Microsoft’s zero-touch enrollment service for Windows 10 and Windows 11 devices. IT registers device hardware hashes (unique identifiers extracted from the BIOS) in the Autopilot service via CSV upload or OEM pre-registration. On first boot, the device connects to the internet, contacts the Autopilot service, joins Azure AD, and enrolls in Microsoft Intune or a third-party MDM that supports Autopilot integration.
Requirements: Windows 10 or 11 Pro, Enterprise, or Education edition, Azure AD tenant, and device hardware hash registered in the Autopilot service. Autopilot supports user-driven deployment (where the user signs in during OOBE and the device configures based on their identity) and self-deploying mode (where the device configures without user interaction — ideal for kiosks and shared devices). For how Autopilot compares to on-premise deployment, see on-premise MDM vs cloud MDM.
QR Code and NFC Enrollment
QR code and NFC enrollment are semi-automated methods that require one action per device — a scan or a tap — but do not require vendor portal pre-registration, OEM partnership, or purchase-order linking. They work with any device, including devices already in the field that were not purchased through zero-touch channels.
QR Code Enrollment
IT generates a QR code in the MDM console that contains the enrollment URL, server credentials, and policy assignment. The user or IT technician scans the QR code with the device’s camera during initial setup (Android) or via the Settings app (iOS). The MDM agent downloads, the device registers, and enrollment completes. QR code enrollment works on Android 6.0+, iOS, and Windows (via companion app).
QR code enrollment is the most versatile method. It works for corporate-owned devices that were not purchased through ZTE/KME/ADE channels. It works for BYOD programs where employees enroll their personal devices at an enrollment event. It works for existing deployed devices that need to be migrated to a new MDM. And it requires no vendor portal account, no OEM partnership, and no purchase-order linking — just the MDM console and a camera.
NFC Enrollment
NFC enrollment uses near-field communication to transfer the enrollment configuration from a provisioning device (NFC tag or a master phone running the MDM provisioning app) to a new Android device. IT taps the provisioning device against the new device during initial setup. The NFC payload contains the MDM server URL, enrollment token, and Wi-Fi credentials. The device connects, downloads the MDM agent, and enrolls.
NFC enrollment works only on Android 5.0+ and requires the target device to be in a factory-reset state (initial setup screen). It is fastest for batch provisioning at a staging desk — IT resets a stack of devices, taps each one against the NFC tag in sequence, and all devices enroll within minutes. NFC is not suitable for BYOD (requires factory reset) or for remote enrollment (requires physical proximity).
User-Initiated and Manual Enrollment
User-Initiated Enrollment (URL or Email Link)
IT sends the user an enrollment link via email, SMS, or internal portal. The user opens the link on their device, follows the enrollment prompts, approves the MDM management profile (which discloses what IT will manage), and the device enrolls. This method works on all platforms and is the standard for BYOD programs because it requires explicit user consent at every step.
User-initiated enrollment scales to the size of the workforce, but it depends on each user completing the process independently. IT cannot force enrollment — the user must act. Clear enrollment instructions, a short video walkthrough, and help desk availability reduce drop-off. For remote and hybrid teams where employees enroll from home, user-initiated enrollment via email link is the most common method because IT cannot physically hand the employee a device to scan.
Manual Enrollment
Manual enrollment requires the user or IT technician to navigate to the device’s settings, find the MDM or Work Account section, and type the MDM server URL. The device contacts the server, downloads the agent, and enrolls. No QR code, no link, no zero-touch registration — just manual URL entry.
Manual enrollment is the slowest and least scalable method. Each device requires hands-on configuration. It is appropriate for testing MDM configurations before a broader rollout, troubleshooting enrollment failures on individual devices, and enrolling one-off devices that fall outside the standard enrollment workflow. It is not recommended for production deployments with more than 10 devices.
Offline QR Enrollment — Enrolling Devices Without Internet
Every enrollment method described above requires internet connectivity. Android ZTE contacts Google’s server. Apple ADE contacts Apple’s server. Windows Autopilot contacts Microsoft’s server. QR code and URL enrollment contact the MDM server. If the device cannot reach the internet — on an air-gapped military network, in a basement warehouse with no cellular coverage, on a construction site with no Wi-Fi, on a maritime vessel at sea — none of these methods work.
Bento MDM’s Offline QR enrollment solves this. IT generates an encrypted enrollment payload in the form of a QR code in the admin console. A supervisor carries the printed QR code (or a phone displaying it) to the device location. The device scans the QR code via its camera. The enrollment configuration applies locally — the MDM agent installs from the QR payload, the device identity is established, and the baseline policy profile activates. When the device eventually connects to any network, it completes registration with the MDM server and syncs. For full offline mode and Offline QR Commands, see the Bento MDM feature page.
No other MDM vendor offers enrollment without internet connectivity. This capability extends MDM to environments where every other vendor’s enrollment process fails before it starts.
Which Enrollment Method Should You Use?
Choosing by Device Ownership
Corporate-owned devices purchased new: use zero-touch enrollment — Android ZTE, Samsung KME, Apple ADE, or Windows Autopilot, depending on the platform. These methods require no IT intervention at the device and scale to any fleet size. BYOD devices owned by employees: use QR code enrollment or user-initiated URL/email enrollment. Both require user consent, preserve privacy, and do not require a factory reset. The BYOD vs COPE vs CYOD ownership model comparison explains how each enrollment method aligns with each model. Mixed fleets: use zero-touch for corporate-owned devices and QR/URL for BYOD in the same MDM deployment.
Choosing by Scale
For 1–10 devices: manual or QR code enrollment. The overhead of configuring a zero-touch portal for fewer than 10 devices exceeds the time saved. For 10–500 devices: QR code enrollment or NFC staging. A single QR code enrolls devices sequentially at a provisioning desk. For 500+ devices: zero-touch enrollment is mandatory. No IT team can manually or QR-enroll 5,000 devices within a deployment window. Zero-touch scales linearly with zero marginal labor per device. For existing devices already in the field that were not purchased through zero-touch channels: QR code enrollment in a batch event (all-hands enrollment day) or user-initiated email enrollment rolled out by the department.
Choosing by Connectivity
Internet available on first boot: any enrollment method works. Intermittent or unreliable connectivity: Bento MDM’s Offline QR enrollment enables enrollment without an internet connection. The device syncs with the server when connectivity resumes. Air-gapped network with no internet by design: Offline QR enrollment plus on-premise MDM deployed inside the air-gapped network. This is the only combination that provides enrollment and ongoing management for fully isolated environments.
Frequently Asked Questions
What is MDM enrollment?
MDM enrollment is the process of registering a device with a mobile device management platform. During enrollment, the MDM agent installs on the device, the device receives its identity certificate, and the MDM server pushes the assigned policies, apps, and security configurations. After enrollment, the device is managed — it checks in with the server on schedule, reports compliance, and receives ongoing updates.
What is zero-touch enrollment?
Zero-touch enrollment is automated device enrollment that requires no IT intervention at the device. The device is pre-registered with an enrollment service — Google Zero-Touch (Android), Samsung Knox Mobile Enrollment (Samsung), Apple Automated Device Enrollment (iOS/macOS), or Windows Autopilot (Windows). On first boot and when the device connects to the internet, it enrolls automatically. IT configures the enrollment once; every registered device applies the same configuration.
Which enrollment method is best for BYOD?
QR code enrollment or user-initiated URL/email enrollment. Both methods require user action and explicit consent, which is appropriate for employee-owned personal devices. Zero-touch methods (ZTE, KME, ADE, Autopilot) are not BYOD-compatible because they require a factory-reset state and corporate device pre-registration with the vendor’s enrollment service.
Can I enroll devices without internet?
All standard enrollment methods require internet connectivity — the device must reach Google (ZTE), Apple (ADE), Microsoft (Autopilot), or the MDM server (QR/URL). Bento MDM’s Offline QR enrollment generates an encrypted enrollment payload in the form of a QR code that the device scans locally. The enrollment applies offline. The device completes server registration when connectivity resumes. No other MDM vendor offers offline enrollment.
What is the difference between Android ZTE and Samsung Knox Mobile Enrollment?
Android Zero-Touch Enrollment (ZTE) is Google’s enrollment service for all Android Enterprise devices running Android 8.0 or later. Knox Mobile Enrollment (KME) is Samsung’s enrollment service for Samsung Galaxy devices specifically. KME offers Samsung-specific provisioning controls — Knox Guard for remote device lock, Knox Configure for firmware-level app and APN management — that ZTE cannot provide. On Samsung devices, organizations can use either ZTE or KME, but KME provides deeper Samsung hardware integration.
What replaced Apple’s Device Enrollment Program (DEP)?
Apple Automated Device Enrollment (ADE) replaced DEP. Both DEP and the Volume Purchase Program (VPP) are now consolidated under Apple Business Manager (for businesses) and Apple School Manager (for education). ADE provides the same zero-touch enrollment capability as DEP with a unified management interface for device enrollment, app licensing, and Managed Apple ID creation.
How many devices can zero-touch enrollment handle?
Unlimited. Android ZTE, Samsung KME, Apple ADE, and Windows Autopilot all support bulk serial number or hardware hash registration. A school district deploying 10,000 iPads enrolls them identically to a startup deploying 10 — the enrollment configuration is set once in the portal, and every registered device applies it automatically on first boot. The limiting factor is not the enrollment service; it is the organization’s network bandwidth and MDM server capacity for simultaneous initial policy pushes.
Related Articles
