Customize ME MDM app

iOS

Security Settings

On Identifying Jailbroken devices

Jailbroken devices provide users with additional capabilities which renders the devices unsafe for enterprise use. Therefore, corporate data must be removed from such devices. MDM identifies Jailbroken devices during enrollment and during every scan. Upon detecting a Jailbroken device, the enrollment fails or the device is removed from management if it was previously managed.

Distributing ManageEngine MDM app to managed iOS devices

ManageEngine MDM app is required to detect jail-broken devices, distribute documents, remotely view device screens and track the location of managed devices. The option "Distribute ME MDM app to managed iOS devices" is enabled by default and ensures the ManageEngine MDM app is installed on all managed iOS devices. You can also configure the mail template for distributing the app, if needed. Further, ManageEngine MDM app can also be used for securing E-mail attachments as explained here.

NOTE: If the users have not logged into their iTunes accounts on the devices, the ManageEngine MDM app will be available in the App Catalog. The users should enter their iTunes credentials to complete the app installation. Upon installation of the ManageEngine MDM app the App Catalog will be removed from the devices.

Android

If you have to manage Android devices, you need to configure the ME MDM app settings. The app is installed in all the managed Android devices. You can customize the following:

  1. Security Settings

  2. Profile Settings

  3. ME MDM App Settings

  4. Rebrand ME MDM app

  5. Configure Mode of Communication
  6. Download Mode of ME MDM app

Security Settings

Remove devices when

Admins can use the following settings to ensure the corporate data is removed from devices if the device is compromised. The devices are checked during enrollment and during every scan and if they are found to be non-compliant to the option selected below, the device will be deprovisioned and data will be wiped from the device. If the device is checked during enrollment, the device enrollment will fail.

  1. Rooted
  2. Basic Integrity Check fails
  3. Google Certification fails

Rooted

Rooting devices provides users additional controls like removing profiles distributed by MDM or removing the device from MDM. Therefore, it's not ideal for organizations to allow Rooted devices to access the corporate data as it could lead to a data breach. MDM identifies rooted devices and upon selecting this option removes these devices from management. Removing the device from management also removes the corporate data from the devices.

Basic Integrity Check fails

Android's Basic Integrity Check monitors if the device is Rooted, virtual device or contains a virtual ROM. If any of the above conditions are true, the device fails the Basic Integrity Check. During enrollment, if the device fails Basic Integrity, Check, the device will not be enrolled. If an enrolled device fails Basic Integrity Check, the device will be removed from management and the data will be removed from the device.

Google Certification fails

Google certifies devices based on it's Compatibility Testing Suite, which contains the basic requirements for Google to certify devices for enterprises. If this option is selected, the devices will be enrolled only if they are certified by Google. Here is an exhaustive list of Google certified devices.

NOTE: Google Certification also checks for the device's Basic Integrity. But when Basic Integrity Check is selected, it is possible for devices to pass the Basic Integrity Check but not be Google certified.

Profile Settings

Every time you distribute a profile with a few policies and restrictions to some devices, the end user is notified to accept the Policy. This can be customized by specifying a time limit for the end user to accept the policy. If the policy is not installed within the specified time, then the policy is moved to Violated Policies. If the user accepts the policy, then it is moved to Imposed Polices. If Passcode policy has been distributed to the devices and passcode has not been set according to the configured policy by the time specified, then all the apps except the ME MDM app, Settings and the Launcher app are disabled in the device. After the user sets the passcode, the disabled apps would be enabled. This is to protect corporate data when a corporate policy has been violated.

Managing ME MDM app

You can customize the ME MDM app settings like allowing user to remove app, hiding the app from the managed device, etc.

  1. Allowing user to remove ME MDM app

  2. Hiding ME MDM app on device

  3. 'Revoke Administration' Password

Allowing user to remove ME MDM app

If the user removes ME MDM app from the device, the device becomes unmanaged i.e., IT Admin can no longer manage the user's device as ME MDM App is mandatory for device management. In case you still wish to allow users to remove ME MDM App, you can also configure a warning, which is displayed when the user attempts to remove the ME MDM App. This is not applicable for devices provisioned as Profile Owner(Work Profile).

You can restrict users from removing ME MDM app. This is supported for Android devices running 5.0 or later versions and the device should be provisioned as Device Owner. For devices enrolled via DEP, users can be restricted from removing ME MDM app as explained here.

Hiding ME MDM app on device

You can choose to hide the ME MDM app on the managed device. In that case, the users cannot open ME MDM app to access the App Catalog inside the app. Hence, they cannot download apps distributed through App Catalog.

Usually, when a device is unmanaged, the ME MDM app present in the device can be easily removed by the users manually. The data including all profiles and apps is removed automatically. But in some cases, if you remove a device from management when ME MDM app is hidden on a device, the app is not removed from the device due to some server connectivity problems. To avoid such issues, you can consider the following:

  1. Revoke 'Hide ME MDM App' setting and make ME MDM app visible on a device prior to unmanaging an enrolled device. Or
  2. On the mobile device, access this URL memdm://open from the device. Then, click on the link 'OPEN', to make the ME MDM app visible on the device.

Now, use Revoke Administration' Password to disable Device Administrator rights for ME MDM App and then remove it.

'Revoke Administration' Password

Follow the steps mentioned below to set a 'Revoke Administration' Password:

  1. On the web console, under Enrollment tab, select ME MDM App under Android in the left pane.
  2. Specify the 'Revoke Administration' Password in the given field.

'Revoke Administration' Password can be used in the following scenarios:

  1. When it is necessary to temporarily disable Kiosk Mode on the user's device, the 'Revoke Administration' Password can be used.
  2. The Revoke Administration Password that you set, can be used to disable Device Administrator on the user's device. This password is especially useful, when you are unable to unmanage the enrolled device using "Remove Device" action. It is not possible to disable Device Administrator permission and remove ME MDM app on the device when there are issues in server connectivity issues. Only when Device Administrator permission is disabled for ME MDM app, the user can easily remove the app from the device.
  3. If ME MDM app is hidden, refer to this to know how to revoke Administration.

    4. To enter the 'Revoke Administration' Password on the device, first click on the ME MDM app icon and click four times on the top pane where the app name is visible. A Password Prompt dialog box appears where the password can be entered.

By default, 'Revoke Administration' Password is already set, which can be viewed using icon.

Rebranding ME MDM App

If you want to use your enterprise's logo as the icon for ME MDM app or rename the ME MDM app, then you can use this feature. ME MDM app can be re-branded, the display name of the app can be renamed, app icon can be modified and even the startup screen image can be customized. Follow the steps mentioned below to rebrand ME MDM app:

  1. On the web console, select Admin tab and click on Rebranding
  2. Here you can change the logo displayed in the Server and the website to be linked.
  3. To make app-related changes, click on the Enrollment tab and select ME MDM app from Android in the left pane.
  4. Here you can change the app logo, app name and the app startup screen.

You can now see ME MDM App is now rebranded to your choice.

Configuring Mode of Communication

You can choose one of the following modes of communication to enable efficient communication between your MDM server and managed mobile devices.

  1. Immediate mode
  2. Periodic mode

Immediate
You can choose this mode of communication when you have uninterrupted internet access for server-device communication. All communications between MDM server and managed mobile devices will occur instantly via Firebase Cloud Messaging(FCM).

On selecting Immediate mode, you should choose either Google Play Store or MDM Server to download ME MDM App which is required during device enrollment.
  1. It is recommended to download ME MDM app from the Google Play Store.
  2. You can choose to download ME MDM app directly from MDM Server in circumstances when access to Google Play Store is restricted or when the device is not registered and does not have a Google Account linked to it.

Periodic Mode (Enroll devices within the corporate network/Wi-Fi)

Periodic mode is an alternative to Immediate Mode and is the preferred mode of communication between MDM server and mobile devices, when there is limited public internet access within your organization or there is no access to Google apps and/or services. In this mode the managed mobile devices communicate with MDM Server once every 60 minutes, hence it is not possible to carry out on-demand actions such as remote lock, complete wipe etc. immediately.
On choosing this option, the ME MDM app which is required for device enrollment, can be downloaded by default, only from the MDM Server.
  1. It is recommended not to switch between Immediate mode and Periodic mode frequently, to avoid problems in communication between the server and managed mobile devices.
  2. When you switch from Periodic mode to Immediate mode as the preferred mode of communication, it is necessary to check if there is internet access and that the mobile devices are registered with Google i.e., they have a Google Account linked to them.

Download Mode of ME MDM app

As a part of enrollment, every device downloaded the ME MDM app. ME MDM app can be downloaded from the Google Play Store or MDM Server. You can choose to configure the mode from which the download should happen. You can configure it by following the steps mentioned below :

  1. On the web console, click Enrollment
  2. Under Android click ME MDM app
  3. Under distribute ME MDM App settings, choose the mode, for the users to download ME MDM App. You can choose to download the App either from the Google Playstore or from MDM Server.
  4. Click Save Changes

    If you choose Periodic mode, you will have to ensure that the server is reachable at port 8020/9020, for the users to initiate download.

You have successfully configured the download mode for ME MDM app.

Windows

Allowing user to delete MDM Workspace account

In case the user no longer requires the device or leaves the organization, it is necessary to remove all your enterprise details from the mobile device. When this option is enabled, users can delete the ME MDM Workspace account on the device.
If you allow users to delete ME MDM Workspace account from the device, the device becomes unmanaged on deleting the account. Hence, it is recommended to disable this option.

Communication Type

You can choose one of the following modes of communication to enable efficient communication between your MDM server and managed mobile devices.

  1. Immediate mode(using WNS)
  2. Periodic

Immediate
You can choose this mode of communication when you have uninterrupted internet access for server-device communication. All communications between MDM server and managed mobile devices will occur instantly via Windows Notification Service(WNS).

Periodic Mode (Enroll devices within the corporate network/Wi-Fi)

Periodic mode is an alternative to Immediate Mode and is the preferred mode of communication between MDM server and mobile devices, when there is limited public internet access within your organization or if the organization has stringent security standards. In this mode the managed mobile devices communicate with MDM Server once every 60 minutes, hence it is not possible to carry out on-demand actions such as remote lock, complete wipe etc. immediately.
  1. It is recommended not to switch between Immediate mode and Periodic mode frequently, to avoid problems in communication between the server and managed mobile devices.
  2. When you switch from Periodic mode to Immediate mode as the preferred mode of communication, it is necessary to check if there is Internet access..

If you allow users to delete ME MDM Workspace account from the device, the device becomes unmanaged on deleting the account. Hence, it is recommended to disable this option.

Copyright © 2020, ZOHO Corp. All Rights Reserved.
ManageEngine