Skip to main content

Device Enrollment

Device enrollment is the process by which an endpoint joins your RMM tenant. After enrollment, the device appears in the console and begins sending monitoring data.

Manual Enrollment

The fastest way to enroll a single device:

  1. In the RMM console, navigate to Devices → Add Devices.
  2. Select the target platform (Windows / macOS / Linux).
  3. Download the installer. The enrollment token is embedded in the download.
  4. Run the installer on the device.
  5. The device appears in the Devices list within 1–2 minutes.

See Agent Installation for platform-specific installation commands.

Bulk Enrollment via Group Policy (Windows Domain)

Deploy the agent to all Windows domain-joined devices without touching each machine:

  1. Download the .msi installer from Devices → Add Devices.
  2. Place the installer on a UNC file share accessible by all target machines: 
    \\fileserver\share\rmm\TheOneRMM-Agent.msi
  3. Open Group Policy Management Console on a domain controller.
  4. Create a new GPO or edit an existing one linked to the target OU.
  5. Navigate to: 
    Computer Configuration
      → Policies
        → Software Settings
          → Software Installation
  6. Right-click → New → Package → browse to the UNC path.
  7. Select Assigned deployment method.
  8. The MSI installs on next Group Policy refresh (at reboot or gpupdate /force).
tip

The enrollment token is pre-embedded in the MSI, so no additional configuration transforms are needed for standard deployments.

Bulk Enrollment via MDM

Jamf Pro (macOS)

  1. Download the .pkg installer from the RMM console.
  2. In Jamf Pro, navigate to Computers → Management Settings → Packages.
  3. Upload TheOneRMM-Agent.pkg.
  4. Create a new Policy:
    • Trigger: Enrollment Complete (or Recurring Check-in)
    • Payload: the uploaded package
    • Scope: target device group or department
  5. Deploy the policy. Jamf installs the agent silently during next check-in.

Microsoft Intune (macOS / Windows)

macOS:

  1. Wrap the .pkg using the Intune App Wrapping Tool to create a .intunemac file.
  2. In Intune: Apps → Add → macOS App (PKG), upload the .intunemac file.
  3. Assign to the target device group as Required.

Windows:

  1. Upload the .msi directly: Apps → Add → Line-of-business app.
  2. Set install command: 
    msiexec /i TheOneRMM-Agent.msi /quiet
  3. Set uninstall command: 
    msiexec /x TheOneRMM-Agent.msi /quiet
  4. Assign to the target group as Required.

Enrollment Token Management

Each installer download contains an enrollment token that identifies your tenant. To manage tokens:

  1. Navigate to Settings → Enrollment Tokens.
  2. Available actions:
    • View active tokens — see all tokens and their expiry dates
    • Revoke a token — immediately invalidates that token; devices already enrolled are not affected
    • Generate a new token — creates a fresh token valid for 30 days

When a token expires, existing enrolled devices are unaffected. New device installs using the expired token will fail to enroll — download a fresh installer for new enrollments.

Re-Enrollment (Replacement Device)

When replacing a device with new hardware:

  1. Install the agent on the new device as normal.
  2. The agent sends a hardware_fingerprint — a deterministic identifier derived from the device's hardware characteristics (CPU ID, board serial, MAC address hash).
  3. If the fingerprint matches a previously enrolled (and now offline or retired) device record, the console shows a Re-Association Prompt.
  4. Click Re-Associate to link the new hardware to the existing device record.
  5. Historical monitoring data, alert history, and assigned policies transfer to the new device.
  6. Manually retire the old physical device from Device Detail → Actions → Retire Device.

If there is no fingerprint match (genuinely new hardware), the device enrolls as a new record.

Device Retirement

When decommissioning a device:

  1. Navigate to Devices and click the device.
  2. Click Actions → Retire Device.
  3. Confirm the retirement.
  4. The device is marked Retired and removed from active monitoring.
  5. Historical data is retained for 1 year after retirement.
  6. The retired device slot is released from your billing count at the next billing cycle.

To permanently delete a device record: Device Detail → Actions → Delete Device (requires admin role). Deletion is irreversible.

Offline Enrollment (Air-Gapped Networks)

For devices without persistent internet access:

  • Install the agent normally. The agent queues enrollment data on the local disk buffer.
  • When the device gains temporary internet access, enrollment completes automatically and queued data is flushed.
  • The device is marked Enrolled (Offline) in the console until it first connects.
Limited Functionality

Permanently air-gapped devices cannot receive remote commands, patch deployments, or script executions. Monitoring telemetry is buffered locally (up to 200 MB) and uploaded during any internet-connected window. Alert rules for air-gapped devices fire only when data is received.

Enrollment Troubleshooting

SymptomLikely CauseResolution
Device not appearing after 5 minEnrollment token expiredRe-download installer; generate fresh token
Device not appearing after 5 minFirewall blocking port 443Allow outbound HTTPS to api.theonermm.app
Device shows duplicate entriesRe-enrollment without fingerprint matchMerge duplicates via Device Detail → Merge
Enrollment fails on macOSGatekeeper blockingSee Troubleshooting → macOS agent not enrolling

For more details, see the full Troubleshooting guide.