Skip to content
mngd docs

Enroll your first Mac

There are two enrollments to think about, and whether you need one or both depends on your tier:

TierAgent enrollmentMDM enrollment
mngd patchRequired
mngdRequiredRequired
  • Agent enrollment — connects the mngd agent on a Mac to your org. Uses an enrollment token (mngd_XXXX-XXXX-XXXX). Start here — see Install the agent.
  • MDM enrollment — lets mngd push configuration profiles and declarations. Uses a signed .mobileconfig that includes SCEP + MDM payloads. Only needed on mngd (not mngd patch).

Agent enrollment

Section titled “Agent enrollment”

Covered in Install the agent. Two paths:

  • Direct — admin pastes the token into the agent on first launch.
  • MDM-silent — admin downloads a config profile from the Profile button in the portal, pushes it through their MDM. The profile populates the com.mngd.agent Managed Preferences domain with EnrollmentToken + ServerURL, and the agent reads those on first launch and enrolls without any user interaction.

MDM enrollment (mngd tier only)

Section titled “MDM enrollment (mngd tier only)”

Generate a per-org MDM profile at Settings → Enrollment in the web app. Download the .mobileconfig, open it on the target Mac, and approve the profile in System Settings → General → Device Management.

For large-scale deployment, push the profile through your existing MDM (Jamf, Iru, Intune, Addigy, Mosyle) or through Apple Business Manager automated enrollment.

Verifying enrollment

Section titled “Verifying enrollment”

Agent side (on the Mac):

Terminal window
defaults read com.mngd.agent EnrollmentToken 2>/dev/null && \
  echo "Agent profile installed"
log show --predicate 'subsystem == "com.mngd.agent"' --last 5m \
  | grep -i "registered\|checkin"

MDM side (on the Mac, mngd tier only):

Terminal window
profiles show | grep mngd

In the web app, head to Devices — the device appears within a minute of check-in.

Troubleshooting

Section titled “Troubleshooting”

If the device doesn’t show up, see troubleshooting. Common causes:

  • Invalid or revoked token — the agent’s menu-bar icon will show a gray “Not enrolled” state. Generate a fresh token in the portal and paste it in.
  • Network blocked — the agent needs outbound HTTPS to api.mngd.app and cdn.mngd.app.
  • Managed Preferences profile not applied — run profiles status -type configuration and look for app.mngd.enrollment in the output.