Welcome to Primo. This guide outlines what a typical onboarding looks like so you know what to expect and can move through each phase confidently. Most customers go from setup to full deployment in 4 weeks, but the pace depends on the size of your fleet and which Primo products you’re activating.

What you will set up

  • Employees — import your team from your HR System or via CSV.
  • MDM — enroll and manage all your devices.
  • EDR (Endpoint Detection and Response) — deploy endpoint protection (SentinelOne or CrowdStrike).
  • SaaS — connect and automate access to your business apps.
Not all customers activate every module. Start with what’s most urgent for your team.

Typical timeline

| Phase | What happens | Expected outcome |
| --- | --- | --- |
| Week 1 — Setup | Import employees, activate MDM, set policies, connect SaaS apps | Cockpit is configured and ready to test |
| Week 2 — Testing | Enroll 1–3 devices, validate policies, test SaaS provisioning | Configurations confirmed working |
| Week 3–4 — Deployment | Send MDM invitations to all employees, monitor enrollment | Full fleet enrolled and secured |

Prerequisites

Before starting:
| Step | Theme | Task | 🎯 Objectives |
| --- | --- | --- | --- |
| 1️⃣ | Set up the cockpit | Import employees; Configure your hardware catalog; [MDM] Create your instance; [MDM] Set your policies; [EDR] Configure deployment via MDM; [SaaS] Connect your email provider; [SaaS] Connect your apps to provision/deprovision | Your cockpit is fully configured and your products are ready to use |
| 2️⃣ | Enrollment tests | Test the deployment on one or several devices | Your first machines are successfully enrolled and your MDM policies validated |
| 3️⃣ | Validation | Validate configurations and resolve any issues found during testing | All configurations are verified and ready for full rollout |
| 4️⃣ | Global deployment | Communicate internally with your teams; Send enrollment invitations to all collaborators | Primo is deployed across all your devices |

Phase 1 — Set up the cockpit

Import your employees

Connecting your HR System allows you to automatically import your employee list and avoid manual entry. It also enables automated onboarding/offboarding in Primo and provides key data for MDM or identity configuration.
  1. Go to Settings → Employee synchronization
  2. Select your provider (Personio, Lucca, BambooHR, etc.)
  3. Enter the required connection details
  4. Filter and choose which data to import
  5. Start synchronization
Your employees will then be automatically imported into Primo.

Set up your hardware catalog

Select or create your hardware catalog to prepare equipment assignment during onboarding. This is optional but useful if you’re ordering devices through Primo.

Phase 2 — Activate MDM

MDM lets you manage and secure all your devices remotely — Mac, Windows, Linux, iOS, and Android.

Activate your MDM instance

  1. Go to Settings → MDM.
  2. Activate your FleetDM instance.
  3. Upload your Apple Push Notification (APN) certificate.
Your MDM is now operational and an MDM section appears in your sidebar.

Configure your policies

Before enrolling devices, define your security policies:
  • Encryption (FileVault, BitLocker)
  • Password requirements
  • Wi-Fi and VPN profiles
  • Zero Touch Deployment (if ordering devices through Primo)

Test on a few devices

Send an MDM invitation to 1–3 devices to validate your setup before rolling out to everyone. Go to Employees → MDM invitations and invite those employees. Devices are created and assigned automatically once the MDM agent is installed — no manual entry needed.

Roll out to everyone

Once you’re satisfied with your test:
  1. Prepare an internal communication (email or Slack) to let employees know what to expect.
  2. From Employees → MDM invitations, send invitations to all collaborators.
Automatic reminders are sent every 7 days to employees who haven’t completed installation. You can track the deployment directly from your cockpit.

Phase 3 — Deploy endpoint protection (EDR)

Endpoint Detection and Response (EDR) runs alongside your MDM to detect and respond to threats in real time. Primo supports:
  • SentinelOne — deployed automatically via MDM.
  • CrowdStrike Falcon — requires manual package setup in FleetDM.
Once configured, the agent is automatically pushed to enrolled devices.

Phase 4 — Connect SaaS apps

With Primo’s SaaS Management, you can automatically provision and deprovision access to your business tools based on each employee’s role.

Connect your apps

  1. Go to Identity & Access → App Catalog.
  2. Connect your applications via Primo’s pre-built integrations or custom connectors (AI Agent or SAML SSO).

Set up provisioning rules

Define which apps each role or team gets access to. Use templates to automate provisioning on onboarding and revoke access automatically during offboarding.

Troubleshooting

| Issue | Recommended solution |
| --- | --- |
| No employees imported from HR System | Check your API permissions or reconnect the HR System |
| Enrollment error | See the enrollment troubleshooting guide |
| App not installed automatically | Check your MDM profile and software configuration |
| SaaS provisioning failed | Review the logs and relaunch failed actions |