Enrollment settings
Enrollment is the first step in managing mobile devices using Mobile Device Manager Plus (MDM). It onboards the device to the MDM Server so that it can be managed. MDM offers multiple enrollment methods to suit the needs of different organizations. For instance, organizations that provide devices to employees can use admin enrollment methods such as Zero Touch Enrollment (ZTE), Knox Mobile Enrollment (KME), EMM Token or Apple Business Manager (ABM) enrollment to gain complete control over corporate-owned devices. Organizations that deploy personally owned devices (BYOD) can instead use enrollment methods such as enrollment through invites or self enrollment, which give control only over the corporate data and apps on the devices. You can customize the enrollment settings by navigating to the Enrollment tab -> Enrollment Settings on the MDM Server.
Authentication
To complete enrollment, users must be assigned to the devices. While assigning users, it is important to authenticate them so that only authorized users can enroll their devices. You can configure the authentication type used during enrollment in the Authentication tab. You can choose any of the authentication types given below:
- Using One Time Passcode
- Authentication using Directory Services or Zoho Authentication
- Combination of both of the above
Minimum OS version Criteria
MDM allows you to limit the OS versions from which devices are allowed to enroll. Administrators can specify the minimum OS version that is allowed for enrollment. For example, an admin can configure that only devices running iOS 12 and above or Android 9 and above are allowed to enroll. Devices running an OS version below the specified minimum are automatically blocked from enrollment. This ensures that devices with outdated or unsupported OS versions are not enrolled into MDM.
Deprovisioning Settings
Admins can deprovision devices from MDM when a device is no longer in use or when an employee leaves the company. Deprovisioning a device completely erases all corporate data present on it, which protects corporate data that would otherwise remain on an unmanaged device. In MDM, admins can configure the following settings to predefine the device deprovisioning process.
- Revoke MDM management from personal (BYOD) devices once users are removed from the Okta directory. Admins can configure MDM to automatically deprovision the devices associated with users who are removed from the Okta directory.
Note:
- If a user is associated with more than 3 devices, those devices cannot be deprovisioned this way.
- Desktops and laptops cannot be deprovisioned this way.
- Trigger sign-out for the associated Google Workspace (G Suite) users across all apps once the device is deprovisioned. This removes all data and accounts associated with the G Suite user from the device.
Note:
- G Suite must be configured. If you have already configured it, you need to re-authenticate and make sure that Manage data access permissions for users on your domain is enabled when the Google consent screen is prompted.
- The ME MDM app or MDM profile must be present on the device for continued management. In some cases, a user may try to unmanage the device and prevent admins from managing it any further by removing the ME MDM app or MDM profile from the device. For corporate-owned devices, admins can prevent users from revoking management through Supervision using ABM or Device Owner provisioning using ZTE or KME. For personal devices, users cannot be completely restricted from revoking management, so admins can instead make sure they are notified when a user unmanages the device by enabling the option Notify when device becomes unmanaged. Admins can enter more than one email address if the notifications have to be sent to multiple mailboxes.
Inactive Device Policy
MDM contacts each managed device once a day to check that it is still reachable, even when there is no command to be executed. If a device remains unresponsive, it has lost contact with the MDM Server.
A device may lose contact with the server if it is:
- switched off.
- not connected to the Internet.
- factory reset and is unmanaged.
- removed from management by the user when it did not have internet connectivity.
- connected to any network, internal or otherwise, that blocks certain URLs thereby preventing the device from contacting the MDM server. To verify this, try accessing mdm.manageengine.com from the device browser.
By default, if no response is received from a device for more than 7 days, the device is marked inactive. The admin can also specify the duration after which unresponsive devices are marked inactive in the Inactive Devices Policy. Admins can view the list of inactive devices in the Homepage dashboard on the MDM Console or as reports. Admins can also schedule an Inactive Devices report by navigating to Reports tab -> Schedule Reports -> Add Schedule Report, to be notified by email of devices that have lost contact with the server.
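As an added example (not part of the ManageEngine documentation or product code), the following Python script applies the Inactive Device Policy described above to a constructed set of last-contact timestamps: with the default 7-day threshold a device is flagged only once it has been silent for more than 7 days, devices that have never reported are listed separately rather than dropped, and the threshold is a parameter so the admin-configurable duration can be exercised. Device ids and timestamps are constructed.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample (not real data): device id -> last contact time reported to the server.
# None represents a device that has never checked in.
SAMPLE_LAST_CONTACT = {
    "ios-0001": "2024-03-10T08:15:00+00:00",      # checked in a few hours ago
    "android-0002": "2024-03-02T17:40:00+00:00",  # silent for more than 7 days
    "android-0003": "2024-03-03T12:00:00+00:00",  # silent for exactly 7 days (boundary)
    "ios-0004": None,                             # never checked in
}

# Constructed evaluation time, so the example is reproducible offline.
SAMPLE_NOW = datetime(2024, 3, 10, 12, 0, tzinfo=timezone.utc)

DEFAULT_INACTIVE_AFTER_DAYS = 7  # MDM default; configurable in the Inactive Devices Policy


def parse_contact(ts):
    """Parse an ISO 8601 timestamp into an aware UTC datetime, or None if never seen."""
    if ts is None:
        return None
    dt = datetime.fromisoformat(ts)
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)  # assumption: naive timestamps are UTC
    return dt.astimezone(timezone.utc)


def find_inactive_devices(last_contact, now, inactive_after_days=DEFAULT_INACTIVE_AFTER_DAYS):
    """Return {device_id: days_silent} for devices unresponsive for more than the threshold.

    Devices that never checked in are reported with days_silent = None so they
    appear in the report instead of being silently ignored.
    """
    threshold = timedelta(days=inactive_after_days)
    inactive = {}
    for device_id, ts in last_contact.items():
        seen = parse_contact(ts)
        if seen is None:
            inactive[device_id] = None
            continue
        silent_for = now - seen
        if silent_for > threshold:  # "more than N days": exactly N days is still active
            inactive[device_id] = silent_for.days
    return inactive


if __name__ == "__main__":
    for dev, days in sorted(find_inactive_devices(SAMPLE_LAST_CONTACT, SAMPLE_NOW).items()):
        status = "never contacted" if days is None else f"{days} days silent"
        print(f"{dev}: inactive ({status})")
```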