Device Enrollment
Overview
Device enrollment registers endpoints with Bastion for management and monitoring. Employees enroll their own devices through the Bastion user portal, authenticating via your configured Identity Provider (Google Workspace or Entra ID).
Enrollment Flow
macOS
Open the user portal
Navigate to the Bastion user portal and go to the Laptop tab.
Open the enrollment modal
Click I change laptop. In the modal that opens, select the MacOS tab.
Download the enrollment profile
Click the macOS download button to download your personal enrollment profile (enrollment_profile.mobileconfig). This profile is personal and should not be shared.
Install the profile
Open the downloaded file. macOS will prompt you to install it via System Settings → General → Device Management. Authentication is handled automatically via SCEP using the personal profile you downloaded.
Complete enrollment
Once the profile is installed, the device is enrolled and will appear in Bastion.
Windows
Open the user portal
Navigate to the Bastion user portal and go to the Laptop tab.
Open the enrollment modal
Click I change laptop. In the modal that opens, select the Windows tab.
Click the enrollment link
Click the Windows download button. This opens the Windows Settings → Accounts → Access work or school page, prefilled with your email address and the MDM server URL.
Authenticate
Follow the enrollment flow and sign in with your organization's Identity Provider (Google Workspace or Entra ID).
Complete enrollment
Once authenticated, the device is enrolled and will appear in Bastion.
Linux
Open the user portal
Navigate to the Bastion user portal and go to the Laptop tab.
Open the enrollment modal
Click I change laptop. In the modal that opens, select the Linux tab.
Download the installer
Click DEB (Debian/Ubuntu) or RPM (Fedora/CentOS) depending on your distribution. A one-time enrollment key will be generated for you.
Run the installation commands
Copy and run the displayed installation commands in your terminal. The enrollment key is personal, single-use, and expires at the end of the day.
Complete enrollment
Once installed, the device is enrolled and will appear in Bastion.
Post-Enrollment
After enrollment completes:
- Device syncs hardware and software inventory
- Policies are assigned to the device
- Vulnerability scan is initiated
- Compliance check is performed
Enrolled devices may require a reboot and up to 48–72 hours to fully sync all policies and inventory data.
You can verify successful enrollment by checking:
- The device appears in the device list
- Status shows Active
- Inventory is populated
- Policies are applied
Viewing Device Configuration
Once enrolled, you can view your device's configuration from the Laptop tab in the user portal:
- My device — Shows your device's security compliance status and policy pass/fail results
- Company configuration — Shows MDM policies deployed by your organization (read-only)
- Privacy — Shows privacy settings and data collection information
To view applied policies directly on your device:
- macOS: Open System Settings → General → Device Management
- Windows: Open Settings → Accounts → Access work or school, then click on your connected account
Troubleshooting
Device Not Appearing
- Verify network connectivity
- Ensure the enrollment completed successfully
- Check that the Identity Provider authentication succeeded
- Ensure firewall allows outbound connections to mdm.bastion.tech
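The Device Not Appearing checklist above, together with the post-enrollment verification described earlier, can be scripted for macOS so a user or help desk can run it before opening a ticket. The script below is an added example and is not part of Bastion's documentation or tooling. It assumes the MDM endpoint accepts HTTPS on TCP 443 (the page names only the host, mdm.bastion.tech), and it relies on the macOS built-in `profiles` command; the sample status text used to exercise the parser is constructed.

```shell
#!/bin/sh
# enroll_check.sh: pre-flight and post-enrollment checks for a Bastion-managed Mac.
# Added example, not Bastion's own tooling. Port 443 is an assumption (HTTPS MDM).
set -u

MDM_HOST="mdm.bastion.tech"
MDM_PORT="443"   # assumed: MDM check-in traffic is HTTPS

# Return 0 if the host name resolves. Uses getent on Linux, dscacheutil on macOS.
dns_resolves() {
  if command -v getent >/dev/null 2>&1; then
    getent hosts "$1" >/dev/null 2>&1
  elif command -v dscacheutil >/dev/null 2>&1; then
    dscacheutil -q host -a name "$1" 2>/dev/null | grep -q 'ip_address'
  else
    return 1
  fi
}

# Return 0 if a TCP connection to host:port succeeds (egress firewall / proxy check).
# Uses nc when available, otherwise bash's /dev/tcp pseudo-device.
mdm_reachable() {
  if command -v nc >/dev/null 2>&1; then
    nc -z -w 5 "$1" "$2" >/dev/null 2>&1
  else
    bash -c "exec 3<>/dev/tcp/$1/$2" >/dev/null 2>&1
  fi
}

# Parse the text printed by `profiles status -type enrollment` (macOS) and report
# whether an MDM enrollment is present. The text is passed in as an argument so the
# logic can be exercised with a sample on any platform.
# Prints "enrolled" (exit 0) or "not-enrolled" (exit 1).
parse_enrollment_status() {
  status_text="$1"
  line=$(printf '%s\n' "$status_text" | grep -i '^MDM enrollment:' || true)
  case "$line" in
    *Yes*) echo "enrolled"; return 0 ;;
    *)     echo "not-enrolled"; return 1 ;;
  esac
}

main() {
  rc=0
  if dns_resolves "$MDM_HOST"; then
    echo "ok:   $MDM_HOST resolves"
  else
    echo "FAIL: $MDM_HOST does not resolve (check DNS / VPN split tunnelling)"; rc=1
  fi
  if mdm_reachable "$MDM_HOST" "$MDM_PORT"; then
    echo "ok:   TCP $MDM_HOST:$MDM_PORT reachable"
  else
    echo "FAIL: cannot reach $MDM_HOST:$MDM_PORT (check egress firewall / proxy)"; rc=1
  fi
  if [ "$(uname)" = "Darwin" ]; then
    # If the output is empty, re-run with sudo; the tool reports more as root.
    out=$(profiles status -type enrollment 2>/dev/null || true)
    if parse_enrollment_status "$out" >/dev/null; then
      echo "ok:   MDM enrollment present"
    else
      echo "FAIL: no MDM enrollment found; re-install a fresh profile from the user portal"; rc=1
    fi
  else
    echo "skip: enrollment profile check only applies to macOS"
  fi
  return "$rc"
}

# Run the checks only when invoked with --run, so the functions can also be sourced.
if [ "${1:-}" = "--run" ]; then
  main
fi
```

Run it with `sh enroll_check.sh --run`; a non-zero exit means at least one check failed, and each FAIL line maps to one bullet of the checklist above. Network checks are done with plain TCP connects rather than an HTTPS request so they work without curl and without trusting any particular response body.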
Enrollment Profile Fails to Install (macOS)
- Ensure no existing MDM profile conflicts
- Check that the profile has not expired
- Try downloading a fresh profile from the user portal
Windows Enrollment Not Starting
- Ensure you are running Windows 10 or later
- Check that Access work or school settings are accessible
- Verify no existing MDM enrollment conflicts
Identity Provider Authentication Fails
- Confirm your account is active in Google Workspace or Entra ID
- Check that your organization has configured the IdP integration in Bastion
- Try clearing browser cookies and re-authenticating