Deprovisioning Devices

Keeping track of all the mobile devices in an organization is a crucial device management task to be performed by any mobile device management solution. IT admins need to have complete information about the devices that are in use and the ones that are not currently a part of the workforce. The admin should also be able to deprovision the devices that are not in use. Using Mobile Device Manager Plus, all that the IT admin has to do, is to mark the devices to be deprovisioned.

Why deprovision devices?

Deprovisioning devices completely removes it from management. In case of lost devices, devices requiring maintenance, and devices of employees who are leaving the organization, have to be removed from management. Such devices have to be deprovisioned.

For workspace-managed devices, the work profile can be revoked. In case of fully managed devices, they can be factory reset and different user can be assigned and managed.

How to deprovision a device?

Deprovision can be done either for a single device or multiple devices. For deprovisioning individual devices, navigate to Enrollment > Devices > Managed > Actions > Deprovision. You can also choose multiple devices from this tab and then deprovision them.

Revoke MDM

Revoke MDM erases only corporate data(work apps, company documents, etc.) present on the device, hence the user's personal data(personal apps, personal files, etc.) is safe and still present on the device.

Note:The data once deleted cannot be restored.

Factory reset device

Wipe options(Retain MDM profile, Unlock PIN, Retain eSIM data, Retain SD card data) are applicable only when Factory reset device is selected.
Retain MDM profile: It is applicable only for devices enrolled via Windows Autopilot.
Unlock PIN: After factory reset, the device must be unlocked using this new PIN to initiate device bootup. It is applicable only for macOS devices.
Retain eSIM data: When this option is enabled, eSIM configurations will be retained on the device even after factory reset. It is applicable for iOS/iPadOS devices.
Retain SD card data: It is applicable for all Android devices.
These options will be shown based on the device platform selected for deprovision. If a complete wipe is performed, both corporate and personal data will be deleted.

Note:
• Complete wipe can be performed on both Supervised and Unsupervised Apple devices based on the permissions configured in the device privacy settings in MDM prior to enrollment.
• Complete wipe can be performed only on fully managed and WPCO android devices but not workspace managed devices.
• You can deprovision the corporate data for up to 25 devices at once.
• You can perform complete wipe for up to 10 devices at once.

Move devices to

Personal devices can only be moved to retired. Corporate devices can be moved to stock, repair, or retire.

• In Stock - When employees leave the organization, their mobile devices can be assigned to another user. Such devices that are ready to be managed but awaiting user assignment will come under In Stock. You can assign users and then manage the devices.
• Repair - Mobile devices generally require frequent servicing and while they are in repair they cannot be a part of the workforce but might have corporate data that could fall into the wrong hands. Therefore, when a device is being repaired, the device can be marked as a device in Repair in the MDM server. The deprovisioned device can be re-enrolled once it has been repaired. .
• Retire - This will unmanage the devices in cases of enrollments other thanZero-touch, ABM/ASM, and Chrome enrollment. For these enrollment methods, the devices will have to be manually removed from their respective portals. Additionally, the devices will be wiped and the personal devices will be available on the server for 90 days, after which they will be removed.

Note: Specify the reason for deprovision as it is sued for audit log purposes.
If the device was enrolled using KNOX, ABM/ASM, Zero-touch, and Chrome enrollment the device will get re-enrolled automatically upon boot up.
If for some reason the device cannot be repaired and needs to be permanently removed from MDM, the status can be changed to retire.

Deprovisioning Settings

Admins can deprovision the devices from MDM when a device is no longer in use or when an employee leaves the company. Deprovisioning devices will completely erase all the corporate data present on the device. This helps to protect corporate data associated with unmanaged devices. In MDM, admins can configure certain settings to predefine the device deprovisioning process.

1. Revoke MDM from devices once users are deactivated in Okta - Admin can configure to automatically deprovision devices associated with the users who are disabled or removed from the Okta directory.

Note:

• Deprovisioning is not possible when a user has more than three associated devices and when the device count exceeds 50.
• Desktops and Laptops remain continuously provisioned.
2. Upon deprovisioning, sign-out the associated Google Workspace (G Suite) users across all apps - This will remove all data and accounts associated with G Suite users from the device.
3. Notify via email when device unmanaged by user: For personal devices, since users cannot be restricted completely from revoking management, admins can instead make sure that they are notified when a user unmanages the device by enabling the option Notify when the device becomes unmanaged . Admins can specify more than one email address if the notifications have to be sent to multiple persons.
4. Show unenrollment option in ME MDM app: Device management can be revoked by the user if this option is enabled in the product console.

Remove admin enrolled deprovisioned devices

If a device enrolled using admin enrollment is deprovisioned, the device will be un-enrolled but not removed from the respective portals. Follow these documents to remove devices from ABM, Zero-touch, Chrome and Knox.