Device Enrollment
Device Enrollment is the first step in managing devices with Mobile Device Manager Plus (MDM). Enrollment consists of two main steps: onboarding devices to the MDM server, and then assigning users to these devices. The former is required to manage the devices, while the latter is required to apply user-specific policies on them. MDM supports multiple enrollment methods to meet the various needs of an enterprise; some are specific to a platform, while others are common to all platforms. Based on the mode in which devices will be used in an organization, enrollment can be broadly classified into two categories:
Workspace Management (Profile Owner/ Unsupervised)
When personal or BYOD devices are enrolled, a logical container (work profile) is created on the device, separating personal apps from corporate apps. The organization can fully control the work profile but has zero control over the device's personal space, as it just "owns the profile".
Note:
If a VPN connection is used for enrolling an Android device with workspace management, the connection should be re-configured manually inside the work profile to complete containerization.
Full Device Management (Device Owner/ Supervised)
Typically used for managing company-owned devices, either those deployed for frontline workers as Kiosks, Shared devices, etc., or those given to employees for both personal and work usage. When these devices are enrolled, the organization has full control over the device, as it "owns the device".
Android Enrollment Methods
Mobile Device Manager Plus allows organizations to manage commercial and rugged devices. The first step to Android device management is to register the Android device with MDM. Mobile Device Manager Plus provides multiple Android device enrollment methods to meet the varying needs of organizations. Use any of the mentioned Android enrollment methods to enroll devices into MDM.
SCENARIOS | ENROLLMENT METHOD | PRE-REQUISITES | HOW IT WORKS
---|---|---|---
WORKSPACE MANAGEMENT | | |
If the organization has employees that use their personal devices for work and they are allowed to enroll the devices on their own. | Self Enrollment | 1) Directory Services like AD, Azure and Okta. | The organization can publish a common enrollment URL or a QR code, which employees can access to enroll their devices by authenticating with their company credentials.
The organization can choose to invite selected employees (like contract workers, etc.) to enroll their devices. | Invite Enrollment | - | The IT administrator can create enrollment email/ SMS invites using MDM, which can be sent to the employees, who can then enroll the devices by following the instructions given in the mail.
FULL DEVICE MANAGEMENT | | |
If the organization has devices purchased from verified resellers that can be enrolled out of the box. E.g.: In this scenario, devices can be shipped directly to the users and will be enrolled in MDM once users unbox them. | Zero Touch Enrollment | 1) Devices running 9.0 or later. 2) Devices purchased from specified reseller partners. 3) Organization needs a Zero Touch portal account, which can be obtained from their reseller partner. | The IT administrator integrates the Zero Touch portal with the MDM server.
If the organization has Samsung devices purchased from verified resellers that can be enrolled out of the box, then Knox Enrollment is the most recommended enrollment method. | Knox Mobile Enrollment | 1) Devices running 6.0 or later. 2) Devices which are Samsung-Knox supported and purchased from verified reseller partners. 3) Organization needs a Knox portal account, which can be obtained from their reseller partner. | The IT administrator integrates the Knox portal with the MDM server.
If the organization has corporate devices which are not purchased from verified resellers and cannot be enrolled using ZTE, but wants to enroll the devices under Full Device Management, then the QR Code/ EMM Token Enrollment method is the most suitable one. | EMM Token Enrollment | 1) Devices running 6.0 or later. | A fresh or factory-reset device can be activated and enrolled using a QR code or a common enrollment token (afw#memdm).
If the organization has devices which cannot be enrolled using Zero Touch or EMM Enrollment methods (E.g.: if the device does not have a camera) and also do not support Google Play services. | NFC Enrollment | 1) Devices running 5.0 or later. 2) Devices should support near field communication (NFC). | The IT administrator uses an Admin device with the MDM NFC app installed, using which other devices can be enrolled through an NFC bump/ tag.
If the organization has many non-standard Android devices or AOSP-based devices which are custom made according to the needs of the organization, and the admin wants to enroll them under full device management, then Android Debug Bridge (ADB) is the most suitable method. | Android Debug Bridge (ADB) | 1) Devices that are supposed to be managed need to be connected to a Windows machine which has an ADB installer to enroll devices. | The IT administrator can connect the devices to be managed to a Windows machine and enroll the devices.
If there are Samsung devices which are already in use and need to be enrolled without having to factory reset the device. Note: This method is no longer recommended and it does not support some features like clear passcode and enforcing high accuracy location services setting. | Samsung Device Admin Enrollment | 1) Devices should be Android 10.0 or below. 2) Devices must be Samsung-Knox supported. | The ME MDM app must be installed on the device initially and then it can be enrolled using a QR code.
Apple
Enrolling devices is the first stage in managing a mobile device; this section covers the various steps involved in enrolling Apple devices. Before enrolling any Apple device, it is mandatory to upload an APNs certificate in MDM.
iOS Enrollment Methods
SCENARIOS | ENROLLMENT METHOD | PRE-REQUISITES | HOW IT WORKS
---|---|---|---
WORKSPACE MANAGEMENT | | |
If the organization has employees that use their personal devices for work and they are allowed to enroll the devices on their own. | Self Enrollment | 1) Directory Services like AD, Azure and Okta. | The organization can publish a common enrollment URL or a QR code, which employees can access to enroll their devices by authenticating with their company credentials.
The organization can choose to invite selected employees (like contract workers, etc.) to enroll their devices. | Invite Enrollment | - | The IT administrator can create enrollment email/ SMS invites using MDM, which can be sent to the employees, who can then enroll the devices by following the instructions given in the mail.
FULL DEVICE MANAGEMENT | | |
If the organization has iOS/ iPadOS devices which are purchased directly from Apple or verified resellers and can be enrolled out of the box. E.g.: In this scenario, devices can be shipped directly to the users and will be enrolled in MDM once users unbox them. | Automated Device Enrollment (ABM/ASM) | 1) Apple Business Manager account is needed. (https://support.apple.com/en-in/HT207305) | The IT administrator can integrate the ABM portal with the MDM server as a one-time step.
If the organization has an ABM account but the devices to be enrolled are not purchased from verified resellers. Using this method, the devices can be added to the Apple Business Manager portal initially by using the Apple Configurator for iPhone app. Future enrollments will happen out of the box through ABM. | Using Apple Configurator app on iPhone. | 1) iPhone with Apple Configurator app installed on it. 2) iOS 13 or above. | The IT administrator installs and configures Apple Configurator app on the device to be enrolled, then moves the device close to the iPhone with Apple Configurator app and finishes the enrollment.
If it is not possible for the organization to obtain an Apple Business/ School Manager account, the devices can be manually enrolled using the Apple Configurator app on a Mac. | Using Apple Configurator app on Macbook. | 1) A Macbook with Apple Configurator app. | The IT administrator installs and configures Apple Configurator app on the device to be enrolled, then connects the device to a Macbook using a USB and subsequently follows on-screen instructions to finish the enrollment.
tvOS Enrollment Methods
SCENARIOS | ENROLLMENT METHOD | PRE-REQUISITES | HOW IT WORKS
---|---|---|---
FULL DEVICE MANAGEMENT | | |
If the organization has Apple TV devices which are purchased directly from Apple or verified resellers and can be enrolled out of the box. | Automated Device Enrollment (ABM/ASM) | 1) Apple Business Manager account is needed. (https://support.apple.com/en-in/HT207305) | The IT administrator can integrate the ABM portal with the MDM server as a one-time step.
If the organization has corporate TVs and the admin wants to enroll the devices under Full Device Management, then Apple Configurator Enrollment using Mac is the most suitable enrollment method. | Using Apple Configurator app on Macbook. | 1) A Macbook with Apple Configurator app. | The IT administrator can create enrollment email/ SMS invites using MDM, which can be sent to the employees, who can then enroll the devices by following the instructions given in the mail.
Chrome Enrollment Methods
Chromebook Enterprise enrollment is the process that enables the enrollment and corporate management of Chromebooks by assigning these devices to a specific organization.
SCENARIOS | ENROLLMENT METHOD | PRE-REQUISITES | HOW IT WORKS
---|---|---|---
FULL DEVICE MANAGEMENT | | |
If the organization has eligible devices purchased from authorized partners/ resellers that need to be enrolled under full device management, then Zero Touch Enrollment is suitable. | Zero Touch Enrollment | 1) Pre-provisioning token provided to your partner/ reseller. | After the token is obtained from the Google Workspace OU and passed to the resellers, they will add the devices, and the devices will then be enrolled automatically in the corresponding OU when they are activated.
If the organization has devices which are not eligible for Zero Touch Enrollment. | Manual Enrollment | 1) A Google Workspace account with enrollment permission. | While activating the device, enroll it manually using the Google Workspace account with enrollment permission.
Feature Comparison between Enrollment Methods
Apple Enrollment Methods
Automated Device Enrollment (ABM/ASM) | Apple Configurator - Mac | Apple Configurator - iPhone
---|---|---
Preventing users from removing management is possible. | User can remove management only during the provisional period (30 days), post which revoking MDM management won't be possible. | User can remove management only during the provisional period (30 days), post which revoking MDM management won't be possible.
Automated creation of admin account is possible only when macOS devices are enrolled through ADE. | Automated creation of admin account is not possible. | -
Mandatory Enrollment (Management even after reset) is possible. | Mandatory Enrollment (Management even after reset) is not possible. | Mandatory Enrollment (Management even after reset) is not possible.
Android Enrollment Methods
EMM Token Enrollment | Zero Touch Enrollment | ADB | NFC Enrollment | Samsung Device Admin | Full Device Management
---|---|---|---|---|---
Devices should support Google Play services. | Devices should support Google Play services. | Devices to be enrolled can or cannot have Google Play services. If Google Play services are not available: enforcing high accuracy location services setting is not supported, EFRP won't be supported, Play Store apps won't be supported, SafetyNet attestation will not be supported and instant communication will not happen. | Devices to be enrolled can or cannot have Google Play services. If Google Play services are not available: enforcing high accuracy location services setting is not supported, EFRP won't be supported, Play Store apps won't be supported, SafetyNet attestation will not be supported and instant communication will not happen. | Clear/ Reset passcode is not supported. | Clear/ Reset passcode is not supported.
- | Mandatory Enrollment (Management even after reset) is possible. | - | - | Enforcing high accuracy location services setting is not supported. | Enforcing high accuracy location services setting is supported.
Categories of Enrolled Devices
Devices in every organization have a lifecycle, during which they may be under maintenance, retired, etc. There are also cases where devices are enrolled with MDM in advance and users are assigned when a new employee joins the organization. For such cases, MDM lets you easily identify these devices using the enrollment categories explained below:
- Managed: These are the devices which have been completely enrolled and are ready to be managed by MDM. This means you can start enforcing policies, distributing apps, content, etc.
- Staged: This category includes devices which have been Retired, are back In Stock or are In Repair. You can assign such statuses when you deprovision a device from MDM management. This category also includes devices which have not been activated yet and/or have not been assigned users.
- Pending Enrollment: These are devices for which the enrollment has been initiated by creating an enrollment invite but the enrollment is yet to take place.
- Awaiting License: This category includes devices that are awaiting license association. Devices are listed in this view when your purchased license count is insufficient to manage more devices. Ex: If you have enrolled 100 devices into MDM but you have purchased only 70 licenses, then you have to purchase additional licenses.
Note:
If enrollment fails due to connectivity issues or device-based problems, click on the method of enrollment used, and select 'Remove device'. Once this is done, re-try the enrollment process. If the issue persists, contact support.