Self Enrollment
Mobile Device Manager Plus provides an option for Self Enrollment, wherein the end users can enroll devices by themselves. This is helpful in scenarios when you want to ensure data security on personally owned devices which access corporate data, ie, BYOD/COPE devices. Follow the steps mentioned below to configure Self Enrollment settings. Ensure that AD/Azure authentication is enabled for Self Enrollment to work. The Self Enrollment process remains the same for iOS, Android and Windows devices. Users should access the following URL from the device which needs to be enrolled:
- On-premise: https://<FQDN>:<PORT>/mdm/enroll
- Cloud: https://mdm.manageengine.in/enroll - This enrollment link may vary depending on your region (e.g., ".eu" for Europe, ".in" for India)
Enabling Self Enrollment
The following steps needs to be performed to enable Self Enrollment:
- On the web console, navigate to Enrollment.
- Click Self Enrollment and click on Configure.
In the case of MDM Cloud, when users try to self enroll the device, they will be prompted to sign up and create an account with Zoho. On successful account creation, they will receive an email, to register their account and join the organization. An email with the OTP and the enrollment invite will be sent to the users.
Authentication
On-prem:
Users will get an authentication prompt where they should enter email, username and password. Additionally, if more than one AD is integrated then users can select the AD in dropdown and authenticate.
Cloud:
A specific AD can chosen for authentication in MDM Server. Users will be redirected to the corresponding AD, once it is authenticated the enrollment process will continue.
Restrict Self Enrollment to specific AD groups
The self enrollment URL is usually shared across the organization and any device can be enrolled with the URL as it is device/ user independent. Thus, administrators may want to restrict self enrollment to specific AD groups. MDM allows you to restrict self enrollment only to specific AD groups, ensuring only specific devices get enrolled with MDM. Follow the steps specified below to restrict self enrollment:
- For the option Allow Self Enrollment for, select All AD Groups, to allow users in all the AD groups to self enroll the devices. You can optionally exclude specific groups as well by specifying the groups to be excluded the option of Self Enrollment.
- If you choose Selected AD Groups, only users of specific groups are allowed to self enroll the devices. Specify the groups to be allowed self enrollment.
Restrict Self Enrollment to specific Platforms
Self-enrollment can be restricted to certain platforms. For example, admin may choose only to allow self-enrollment on specific platforms such as iOS or Android and restrict it on others. This can be done to maintain security and control over the enrollment process. While configuring Self Enrollment, admin can select the platforms that they want to restrict from enrollment.
Restrict Self Enrollment to specific number of devices
Self Enrollment allows users to enroll multiple devices without any admin intervention. While it reduces admin intervention, allowing users to enroll multiple devices could lead to security concerns in organizations and hence most organizations prefer restricting the number of devices that can be enrolled per user. MDM allows admins to regulate the number of devices that can be enrolled by the user.
While configuring Self enrollment, admins can enter the number of devices that can be enrolled per user under the option Number of devices per user. This will ensure the user can access the URL only to enroll the specified number of devices.
Auto assign device to Groups
The devices which are enrolled need to be added to groups. When devices are enrolled using Self Enrollment, we can choose the groups to which the devices will be added upon enrollment.
- Under Auto Assign Groups , enter the platform and owned by details along with the group to which the devices which satify these criteria be added.
- Once all the required groups have been added, click on Save to save the settings.
When a new device is enrolled into a specific group, all the profiles and apps distributed to that group will automatically be applied to the newly added device. This will ensure that all the policies and restrictions applied to the device as soon as it is enrolled.
If no groups are added while configuring Self Enrollment,the devices will be considered as unassigned. In this case, the devices will not be part of any group and will be considered as individual devices. Therefore, these devices will not receive any of the profiles or apps upon enrollment. Follow the steps given here to manually add the devices to Groups.
It is recommended to promote Self Enrollment to users by publishing/promoting the Self Enrollment URL, through the internal forums, blogs, mails to reach more users.
Self Enrollment process on Apple devices
- End user uses the self enrollment URL, to access the Enrollment window
- In case of MDM Cloud, end users are prompted to sign in using the Zoho account. The user must be a part of the org. To know more about Zoho Accounts, you can refer to Zoho Accounts FAQ.
- In case of MDM on-premises the following information should be filled in.
- User Name
- Password
- Owned By
- End user will be prompted to install the Mobile Device Manager Plus profile. Click Continue to complete the profile installation.
As soon as the device gets enrolled, users will receive an App catalog from where they can install apps that are distributed through Mobile Device Manager Plus. Administrators will also be notified that a new user has enrolled the device. If any specific profiles, or apps are distributed to the group where the device is enrolled, then the newly added device automatically receives all the configurations and apps applied to the group.
Self Enrollment process on Android devices
- Download ME MDM app, using the self enrollment URL.
- Once the download is successful, user will have to click on the downloaded ME MDM app to install it.
- After the installation is complete, user should open the app and click on On Premises/Cloud.
- In case of MDM on-premises, user should specify the following details
- Server name
- Server port
- User needs to authenticate using their Active Directory/Zoho account credentials.
- User has to follow the on-screen instructions to create a Work profile.
- User should accept the Terms and Conditions by clicking Continue
- User needs to enable Device Administrator on their mobile device and click Activate to complete enrollment.
ME MDM app icon will be listed on all enrolled mobile devices. By clicking the ME MDM app icon, MDM app opens and the end user can see the distributed Apps and associated profiles listed here. Profiles that are associated to the devices will be listed under Policies and Restrictions. Device Details will provide the complete information about the device.
In case of Knox devices, an exclusive Knox container is created within the mobile device. By clicking the Knox container icon, the user can access the corporate resources. Apps that are distributed by Mobile Device Manager Plus for the Knox container can be accessed by clicking "Apps" icon within the container. By clicking the "Personal home" icon, the user can exit the Knox container and view the personal data and apps in the device.
Self Enrollment process on Windows devices
Users can follow the steps mentioned below on their windows mobile device, to get their mobile devices enrolled with the Mobile Device Manager Plus server. Users must access the self enrollment url and subsequently will be instructed to following the steps mentioned below:
- On the mobile device that needs to be enrolled, go to Settings.
- Click Company Apps (in Windows 8) / Workplace (in Windows 8.1) / Accounts -> Access work or school (in Windows 10).
- Click Add Account (in Windows 8 and 8.1) / Enroll only in device management (in Windows 10).
- In case of MDM on-premises, enter the following details:
- Email Address: Specify the user email address
- Password : Active Directory/Azure Password.
- User name : Active Directory/Azure User Name.
- Server : Specify the server name.
- In case of MDM Cloud, user has to specify their e-mail address. Enter the server URL and password copied from the enrollment window.
- Click Sign In.
- It can be seen that the account has been added. Click Done.
Users can see that they have successfully enrolled the windows device. Upon device enrollment, the ME MDM app will be available in the device. Distributed profiles and apps can be viewed from this app. Once the enrollment is completed, the admin will be notified.