Device Enrollment
Overview
Device enrollment registers endpoints with Bastion for management and monitoring. Employees enroll their own devices through the Bastion user portal, authenticating via your configured Identity Provider (Google Workspace or Entra ID).
Enrollment Flow
macOS
Open the user portal
Navigate to the Bastion user portal and go to the Laptop tab.
Open the enrollment modal
Click I change laptop. In the modal that opens, select the MacOS tab.
Download the enrollment profile
Click the macOS download button to download your personal enrollment profile (enrollment_profile.mobileconfig). This profile is personal and should not be shared.
Install the profile
Open the downloaded file. macOS will prompt you to install it via System Settings → General → Device Management. Authentication is handled automatically via SCEP using the personal profile you downloaded.
Complete enrollment
Once the profile is installed, the device is enrolled and will appear in Bastion.
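Because the enrollment profile carries your personal SCEP identity, it is worth knowing what is inside it before you install it. The following is an added example, not Bastion's own tooling: it parses a configuration profile with Python's standard plistlib and checks that the MDM and SCEP payloads are present, that every server URL is HTTPS and points at mdm.bastion.tech (the host the troubleshooting section says must be reachable), and that the MDM payload is bound to the SCEP identity. The sample profile embedded below is constructed with placeholder values; it follows Apple's profile layout but is not a real Bastion profile, and the exact keys Bastion emits are an assumption.

```python
"""Inspect a downloaded enrollment profile before installing it.

Added example, not Bastion's tooling. Assumes a standard Apple
configuration profile (XML plist) carrying a com.apple.mdm payload and a
com.apple.security.scep payload. The embedded sample is constructed.
"""
import sys
import plistlib
from urllib.parse import urlparse

# Host the troubleshooting section says outbound HTTPS must reach.
EXPECTED_MDM_HOST = "mdm.bastion.tech"

# Constructed sample profile; every value is a placeholder.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>example.enrollment.sample</string>
  <key>PayloadUUID</key><string>00000000-0000-0000-0000-000000000001</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.security.scep</string>
      <key>PayloadUUID</key><string>00000000-0000-0000-0000-000000000002</string>
      <key>PayloadContent</key>
      <dict>
        <key>URL</key><string>https://mdm.bastion.tech/scep</string>
        <key>Challenge</key><string>PLACEHOLDER-PERSONAL-CHALLENGE</string>
        <key>Keysize</key><integer>2048</integer>
      </dict>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.mdm</string>
      <key>PayloadUUID</key><string>00000000-0000-0000-0000-000000000003</string>
      <key>ServerURL</key><string>https://mdm.bastion.tech/mdm</string>
      <key>CheckInURL</key><string>https://mdm.bastion.tech/checkin</string>
      <key>IdentityCertificateUUID</key><string>00000000-0000-0000-0000-000000000002</string>
    </dict>
  </array>
</dict>
</plist>
"""


def payloads_by_type(profile: dict) -> dict:
    """Index the inner payloads of a profile by their PayloadType."""
    return {p.get("PayloadType", ""): p for p in profile.get("PayloadContent", [])}


def inspect_profile(data: bytes, expected_host: str = EXPECTED_MDM_HOST) -> dict:
    """Return per-check findings; 'ok' is True only when every check passes."""
    profile = plistlib.loads(data)
    payloads = payloads_by_type(profile)
    mdm = payloads.get("com.apple.mdm")
    scep = payloads.get("com.apple.security.scep")
    scep_content = (scep or {}).get("PayloadContent", {})

    findings = {
        "has_mdm_payload": mdm is not None,
        "has_scep_payload": scep is not None,
    }

    # Every server URL must use HTTPS and point at the expected MDM host.
    urls = []
    if mdm:
        urls += [mdm.get("ServerURL"), mdm.get("CheckInURL")]
    urls.append(scep_content.get("URL"))
    parsed = [urlparse(u) for u in urls if u]
    findings["all_https"] = bool(parsed) and all(p.scheme == "https" for p in parsed)
    findings["host_matches"] = bool(parsed) and all(p.hostname == expected_host for p in parsed)

    # The MDM payload must reference the SCEP-issued identity; the challenge
    # in that payload is what makes the profile personal and single-user.
    findings["identity_linked"] = bool(
        mdm and scep and mdm.get("IdentityCertificateUUID") == scep.get("PayloadUUID")
    )
    findings["challenge_present"] = bool(scep_content.get("Challenge"))

    findings["ok"] = all(findings.values())
    return findings


if __name__ == "__main__":
    # Usage: python inspect_profile.py enrollment_profile.mobileconfig
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PROFILE
    for name, passed in inspect_profile(raw).items():
        print(f"{name:18} {'PASS' if passed else 'FAIL'}")
```

Run it against the file you downloaded; any FAIL line means the profile is not the one the portal should have produced for you, so download a fresh one rather than installing it.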
Windows
Open the user portal
Navigate to the Bastion user portal and go to the Laptop tab.
Open the enrollment modal
Click I change laptop. In the modal that opens, select the Windows tab.
Click the enrollment link
Click the Windows download button. This opens the Windows Settings → Accounts → Access work or school page, prefilled with your email address and the MDM server URL.
Authenticate
Follow the enrollment flow and sign in with your organization's Identity Provider (Google Workspace or Entra ID).
Complete enrollment
Once authenticated, the device is enrolled and will appear in Bastion.
Linux
Open the user portal
Navigate to the Bastion user portal and go to the Laptop tab.
Open the enrollment modal
Click I change laptop. In the modal that opens, select the Linux tab.
Download the installer
Click DEB (Debian/Ubuntu) or RPM (Fedora/CentOS) depending on your distribution. A one-time enrollment key will be generated for you.
Run the installation commands
Copy and run the displayed installation commands in your terminal. The enrollment key is personal, single-use, and expires at the end of the day.
Complete enrollment
Once installed, the device is enrolled and will appear in Bastion.
Post-Enrollment
After enrollment completes:
- Device syncs hardware and software inventory
- Policies are assigned to the device
- Vulnerability scan is initiated
- Compliance check is performed
Enrolled devices may require a reboot and up to 48–72 hours to fully sync all policies and inventory data.
You can verify successful enrollment by checking:
- The device appears in the device list
- Status shows Active
- Inventory is populated
- Policies are applied
Viewing Device Configuration
Once enrolled, you can view your device's configuration from the Laptop tab in the user portal:
- My device — Shows your device's security compliance status and policy pass/fail results
- Company configuration — Shows MDM policies deployed by your organization (read-only)
- Privacy — Shows privacy settings and data collection information
To view applied policies directly on your device:
- macOS: Open System Settings → General → Device Management
- Windows: Open Settings → Accounts → Access work or school, then click on your connected account
Troubleshooting
Device Not Appearing After Enrollment
- Verify network connectivity and ensure the firewall allows outbound connections to mdm.bastion.tech
- Ensure the enrollment completed successfully (check System Settings on macOS or Access work or school on Windows)
- Check that the Identity Provider authentication succeeded
- Wait up to 15 minutes for the first sync to complete
- If still not appearing, try unenrolling and re-enrolling
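The first two checks in that list can be scripted on macOS. The following is an added example, not Bastion's own tooling: it attempts a real TLS handshake with certificate validation to mdm.bastion.tech on port 443 (so a blocked port and a TLS-inspecting proxy with an untrusted certificate are reported differently), and it parses the output of Apple's `profiles status -type enrollment` to tell whether an MDM enrollment is present and user-approved. The output format parsed here is an assumption about that tool; the sample status text embedded below is constructed.

```python
"""Diagnostics for 'device not appearing after enrollment' on macOS.

Added example, not Bastion's tooling. Assumes outbound TLS to
mdm.bastion.tech:443 and the line format of `profiles status -type
enrollment`, e.g. 'MDM enrollment: Yes (User Approved)'.
"""
import socket
import ssl
import subprocess
from dataclasses import dataclass

MDM_HOST = "mdm.bastion.tech"

# Constructed sample outputs of `profiles status -type enrollment`.
SAMPLE_STATUS_ENROLLED = "Enrolled via DEP: No\nMDM enrollment: Yes (User Approved)\n"
SAMPLE_STATUS_UNAPPROVED = "Enrolled via DEP: No\nMDM enrollment: Yes\n"
SAMPLE_STATUS_NONE = "Enrolled via DEP: No\nMDM enrollment: No\n"


@dataclass
class Diagnosis:
    host_reachable: bool   # TCP connection to port 443 succeeded
    tls_ok: bool           # TLS handshake completed with a valid certificate
    mdm_enrolled: bool     # an MDM enrollment is installed
    user_approved: bool    # the enrollment is user-approved


def parse_profiles_status(text: str) -> tuple:
    """Return (enrolled, user_approved) from `profiles status` output."""
    enrolled = approved = False
    for line in text.splitlines():
        key, _, value = line.partition(":")
        if key.strip() == "MDM enrollment":
            value = value.strip()
            enrolled = value.startswith("Yes")
            approved = enrolled and "User Approved" in value
    return enrolled, approved


def check_tls(host: str = MDM_HOST, port: int = 443, timeout: float = 5.0) -> tuple:
    """Return (host_reachable, tls_ok) for an HTTPS endpoint."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            ctx = ssl.create_default_context()
            with ctx.wrap_socket(raw, server_hostname=host):
                return True, True
    except ssl.SSLError:
        # Reached the host, but the handshake failed: typically a TLS
        # inspection proxy presenting a certificate the system does not trust.
        return True, False
    except OSError:
        # DNS failure, firewall block, or timeout before any TLS happened.
        return False, False


def local_enrollment_status() -> tuple:
    """Run Apple's profiles tool; (False, False) if it is not available."""
    try:
        out = subprocess.run(
            ["profiles", "status", "-type", "enrollment"],
            capture_output=True, text=True, check=False,
        ).stdout
    except FileNotFoundError:
        return False, False
    return parse_profiles_status(out)


def diagnose(host: str = MDM_HOST) -> Diagnosis:
    reachable, tls_ok = check_tls(host)
    enrolled, approved = local_enrollment_status()
    return Diagnosis(reachable, tls_ok, enrolled, approved)


if __name__ == "__main__":
    d = diagnose()
    print(f"{MDM_HOST}:443 reachable : {d.host_reachable}")
    print(f"TLS handshake valid       : {d.tls_ok}")
    print(f"MDM enrollment installed  : {d.mdm_enrolled}")
    print(f"Enrollment user-approved  : {d.user_approved}")
```

If the host is reachable but the handshake fails, the firewall is not the problem; look at whatever is terminating TLS on the network path. If the enrollment is installed but not user-approved, approve it in System Settings → General → Device Management before waiting on the first sync.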
Enrollment Profile Fails to Install (macOS)
- Ensure no existing MDM profile is installed — remove old profiles via System Settings → General → Device Management first
- Check that the downloaded profile has not expired (profiles are time-limited)
- Try downloading a fresh profile from the user portal
- Verify you are installing via System Settings, not double-clicking the file
Windows Enrollment Not Starting or Gives an Error
- Ensure you are running Windows 10 or later
- Check that Access work or school settings are accessible (some corporate policies disable this)
- Remove any previous MDM enrollment first — stale registry keys from a prior MDM can block new enrollment
- Verify no group policy conflicts are preventing MDM enrollment
- Ensure the firewall allows outbound HTTPS connections to mdm.bastion.tech
Disk Encryption Shows as Failed Even Though It Is Enabled
After enabling FileVault (macOS) or BitLocker (Windows), the device must sync with Bastion. This can take up to 48–72 hours. If the status remains "failed" after that, try triggering a manual sync by re-enrolling the device. Persistent false positives may indicate a profile conflict — contact support.
How Do I Re-Enroll After an MDM Migration?
If you previously used a different MDM, remove the old management profile before enrolling in Bastion. On macOS, go to System Settings → General → Device Management and remove the old profile. On Windows, disconnect via Settings → Accounts → Access work or school. Then follow the standard enrollment flow from the Bastion user portal.
Identity Provider Authentication Fails
- Confirm your account is active in Google Workspace or Entra ID
- Check that your organization has configured the IdP integration in Bastion
- Try clearing browser cookies and re-authenticating
- Test in an incognito or private browser window
Does the MDM Access Personal Data?
Bastion MDM collects device hardware and software inventory, security posture data, and compliance status. It does not access personal files, browsing history, photos, or geolocation. Admins can share this information with employees to address privacy concerns during enrollment.