Enrollment methods - Primo Documentation

By method

Method	When to use	Compatibility	Driven by	Pros	Cons
Zero Touch	Gold standard - move towards this little by little	✅ macOS ✅ Windows ✅ iOS/iPadOS ❌ Android (coming soon)	Admin	Highest level of control Devices cannot be activated without authentication — protection against theft	Requires initial setup in ABM or Autopilot Not compatible with devices not registered in ABM or Autopilot
Employee enrollment (default)	Default - always works!	✅ macOS ✅ Windows ✅ Linux ✅ iOS/iPadOS ✅ Android	Employee	Works on any supported platform No prior infrastructure required	Relies on employee action Requires employees to have admin access
Account-driven Device Enrollment	If you federate accounts in Apple Business	❌ macOS (coming soon) ✅ iOS/iPadOS	Employee	Privacy-preserving Separates work and personal data on the device	Requires federation in Apple Business
Silent agent deployment	If you already can deploy packages (migration scenario)	✅ macOS ✅ Windows ✅ Linux	Admin	Centralised and silent No employee interaction needed	Mac: once the agent is installed, the MDM profile still needs to be accepted by the employee
Migrating with Apple Business	For devices in Apple Business and on macOS Tahoe 26+	✅ macOS ✅ iOS/iPadOS	Admin	Reassigns devices already in Apple Business to Primo without wiping Works on devices already deployed in the field	Requires an existing Apple Business account with devices already assigned Only works with macOS Tahoe 26+

By platform

macOS

Zero Touch — gold standard; use this for new devices purchased through Primo or an authorized reseller
Migrating with Apple Business — for devices already assigned in Apple Business running macOS Tahoe 26+
Silent agent deployment — if you already have a package deployment tool and need to migrate silently
Employee enrollment — always works as a fallback; relies on employee action

Windows

Zero Touch — gold standard; use this for new devices enrolled via Windows Autopilot
Silent agent deployment — if you already have a package deployment tool and need to migrate silently
Employee enrollment — always works as a fallback; relies on employee action

Linux

Silent agent deployment — preferred if you have a package deployment tool
Employee enrollment — always works; relies on employee action

iOS / iPadOS

Zero Touch — gold standard; use this for devices purchased through Primo or an authorized reseller and assigned in Apple Business
Migrating with Apple Business — for devices already assigned in Apple Business
Account-driven Device Enrollment — if you federate accounts in Apple Business and want to preserve privacy on personal devices
Employee enrollment — always works as a fallback; relies on employee action

Android

Employee enrollment — the only available method; employees enroll their own devices

Zero Touch for Apple