MDM OTA enrollment for iOS devices

Question

I am trying to develop and distribute an iOS app in an enterprise. I came across this in iOS docs - Deploying iPhone and iPad MDM. In this article, it specifies that OTA enrollment can be performed wirelessly (lines quoted below). Is it really possible to do this the very first time? How can an MDM server push to devices wirelessly - the first time? It mentions that it can be done using an app or a web portal. Does that mean the app sends the device credentials (like UDID) to the MDM server for registration? Please share the details if anyone has performed OTA enrollment for iOS devices. Thanks in advance.

Enrollment

Once the Mobile Device Management server and network are configured, the first step in managing an iPhone or iPad is to enroll it with an MDM server. This creates a relationship between the device and the server, allowing it to be managed on demand without further user interaction.

This can be done by connecting iPhone or iPad to a computer via USB, but most solutions deliver the enrollment profile wirelessly. Some MDM vendors use an app to kickstart this process, others initiate enrollment by directing users to a web portal. Each method has its benefits, and both are used to trigger the Over-the-Air Enrollment process via Safari.

Answer 1

The user typically is asked, either through a web page or in an app, to provide credentials such as username and password. The server uses that to build an MDM mobile configuration profile which is sent back to the device. If the user is enrolling in Safari then, after successful log in, the user gets a link to click on to the .mobileconfig. Safari sends this to the Settings app which installs the MDM profile. If the enrollment happens in an application then that application passes the link to the .mobileconfig to Safari (via [UIApplication openURL:] which then hands it on to Settings.

As part of installing the MDM profile, the server can ask the device for various inventory including UDID.