diff --git a/tools/mdm/apple/glossary-and-protocols.md b/tools/mdm/apple/glossary-and-protocols.md
index 0045a404f8..733d925230 100644
--- a/tools/mdm/apple/glossary-and-protocols.md
+++ b/tools/mdm/apple/glossary-and-protocols.md
@@ -1,3 +1,50 @@
+## Overview
+
+```mermaid
+sequenceDiagram
+ participant apns as APNS
+ participant mac as Mac
+ participant server as fleet server
+
+ note over server: Server sends automatic enrollment
endpoint details to ABM as part of a
ADE/DEP configuration cron job
+ alt Automatic Authenticated Enrollment
+ mac->>server: GET /api/v1/fleet/sso
(endpoint configured using ADE)
Opens authetication webpage in a webview
+ server->>mac: Enrollment Profile (specific response headers)
+ else Automatic Enrollment
+ mac->>server: GET /api/mdm/apple/enroll
(endpoint configured using ADE)
+ server->>mac: Enrollment profile
+ else Manual Enrollment
+ note over mac,server: User downloads a profile
containing the OTA endpoint
+ mac->>server: POST /api/latest/fleet/ota_enrollment
+ mac->server: Throw-away SCEP flow
+ server->>mac: Enrollment profile
+ end
+
+ mac->>server: GET /mdm/apple/scep?operation=GetCACaps
SCEP Catability Check
+ server->>mac: List of SCEP catabilities
+
+ mac->>server: POST /mdm/apple/scep?operation=PKIOperation
Certificate Signing Request
+ server->>mac: Signed Certificate
+
+ mac->>server: POST /mdm/apple/mdm
MessageType: Authenticate
Push notification token
+ server->>mac: 200 OK
+
+ mac->>server: POST /mdm/apple/mdm
MessageType: Bootstrap Token
Used to help grant Secure Tokens
and erase the device
+ server->>mac: 200 OK
+
+ mac->>server: POST /mdm/apple/mdm
MessageType: TokenUpdate
+ server->>mac: 200 OK
+
+ loop MDM mTLS
+ server->>apns: MDM Push Notification
+ apns->>mac: Push Notification
+ mac->>server: PUT /mdm/apple/mdm
Status: Idle
+ server->>mac: Command
+ mac->>server: PUT /mdm/apple/mdm
Acknowledged
+ server-->>mac: More commands...
+ end
+```
+
## Glossary
### SCEP: Simple Certificate Enrollment Protocol
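Review bot: In the check-in part of the diagram, "Push notification token" is attached to the `MessageType: Authenticate` message while `MessageType: TokenUpdate` has no payload description. In Apple's check-in protocol the push token and PushMagic arrive in TokenUpdate, so the label should move there. The third check-in is also labelled `MessageType: Bootstrap Token`, but the protocol's message type is `SetBootstrapToken`; use the literal value so readers can match it against server logs. Smaller points in the same hunk: "authetication" should be "authentication", "SCEP Catability Check" and "List of SCEP catabilities" should read "Capability" and "capabilities", and "a ADE/DEP configuration" should be "an ADE/DEP configuration". `mac->server: Throw-away SCEP flow` uses `->` where every other message uses `->>`; if the intent is a bidirectional exchange, a note over both participants would state that more clearly. Finally, the enrollment branches mix path prefixes (`/api/v1/fleet/sso`, `/api/mdm/apple/enroll`, `/api/latest/fleet/ota_enrollment`); it is worth confirming each against the router so the diagram documents the endpoints the server actually exposes.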