How to enroll Android devices with MDM?
Mobile Device Manager Plus allows organizations to manage commericial and rugged devices. The first step to Android device management is to register the Android device with MDM. Mobile Device Manager Plus provides multiple Android device enrollment methods to meet the varying needs of organizations. With the advent of Android Enterprise, several features and configurations have been added that secure the devices and make them cater to the needs of an organization. Additionally, ManageEngine is recognized by Google as Android Enterprise Gold Partner.
Personal Owned Devices
For personal devices, Android Enterprise employs the Profile Owner method. This approach involves creating a Work profile, which acts as a container that separates the personal and corporate spaces on the device. In this scenario, organizations have complete control over the work profile without affecting the users privacy. Profile Owner, while offering robust control over the work profile, supports fewer features compared to Device Owner.
If the device is enrolled in Mobile Device Manager Plus through self-enrollment or enrollment through invites, it is automatically provisioned as Profile Owner.
Some of the main features supported by Profile Owner
- Preventing the sharing of data from work profile to personal profile.
- Restricting the installation/uninstallation of apps.
- Restricting screen capture in the work profile.
Corporate Owned Devices
For corporate-owned android devices, MDM provides two types of management: Full device and Workspace management. These are the enrollment methods available for corporate devices:
- Zero Touch Enrollment (ZTE)
- Samsung Knox Mobile Enrollment (KME)
- QR code Enrollment
- NFC Enrollment
- Android Debug Bridge (ADB)
Confused about the correct enrollment technique to be used for enrolling devices in your organization? Click here to know what is the most optimal enrollment technique, for your scenario.
Full Device Management
For corporate-owned devices, the recommended management method is to provision them as Device Owner or Full Device Management type. This ensures that the organization has full control over the device, essentially owning it. Device Owner or Full Device Management provides enhanced features, guaranteeing comprehensive control over the device and safeguarding confidential data from unauthorized access. It supports all the features available in Profile Owner and has additional capabilities for more extensive device management.
Some of the features supported by Device Owner
- Additional restrictions such as restricting device reset, modifying settings, etc.,
- Silent app installation
- Blocklisting/Allowlisting apps
The complete set of restrictions supported by Device Owner can be viewed here.
Workspace Management
In situations where a device is both corporate-owned and personally enabled, Android Enterprise introduces Workspace Management. A work profile is created on the devices that effectively separates personal and corporate data, offering control over the corporate data without influencing the personal side. Workspace Management is a versatile approach that combines elements of both Profile Owner and Device Owner to ensure comprehensive security and management of corporate assets on personally enabled devices.
Benefits of Workspace management in corporate owned devices:
- Users cannot remove the Work Profile from the device
- The Admin can perform Complete Wipe on the device.
- The Enterprise Factory Reset Protection policy can be applied to the device.
To know more about the feature comparison between all three management types, click here
Removing an Enrolled Device
- On the web console, navigate to Enrollment.
- Click on Devices tab.
- Click Search button and search for the device by using its known properties (user name, device name etc).
- Click on Action button and select Remove Device.
- In the confirm box that appears, click OK.
Removing the device will remove all the profiles and apps associated with the device. However, ME MDM App in the device will not be removed. Users must manually remove the app if required.
Click here to know about the ports to be opened for managing mobile devices.
FAQs
1. How do I enroll an Android device in BYOD mode?
To enroll a personal Android device in BYOD mode, use Invite Enrollment or Self Enrollment. Both methods provision the device as Personally-owned Work Profile (BYOD or previously Profile Owner), which creates a separate work profile on the device. Corporate apps and data are isolated within the work profile, and personal data remains untouched.
- Invite Enrollment: Navigate to Enrollment > Invite to Enroll on the MDM console. Enter the user's email address or mobile number and send the invitation. The user receives a link to download the ME MDM app and complete enrollment.
- Self Enrollment: Share the enrollment URL or QR code with users, allowing them to initiate enrollment independently.
Note: Devices enrolled as Personally-owned Work Profile support fewer management features compared to Fully Managed (previously Device Owner) devices. For corporate-owned devices requiring full management, use QR code, ZTE, or KME enrollment methods, which provision devices as Fully Managed.
2. How do I enroll an Android device in MDM using SMS?
SMS enrollment is supported for both Personally-owned Work Profile (BYOD) and Fully Managed (previously Device Owner) devices. This feature is available only in the cloud version of Mobile Device Manager Plus.
To enroll using SMS, navigate to Enrollment > Invite to Enroll on the MDM console. When adding a user, enter the mobile number and select SMS as the notification method. The user receives an SMS with the enrollment link.
Note:
- Mobile Device Manager Plus integrates with Clickatell and BulkSMS to send enrollment SMS.
- Users with Do Not Disturb enabled may not receive the SMS.
- The sender ID varies by country and carrier. Inform users to expect an enrollment SMS to avoid it being treated as spam.
3. How many SMS credits do I get, and how do I track usage?
Mobile Device Manager Plus provides free SMS credits for enrollment. Your organization receives 20% extra credits based on the number of licensed devices. For example, an organization with 1,000 licensed devices receives 1,200 SMS credits by default.
Once SMS credits are exhausted, additional credits must be purchased separately.
If you have a valid license, SMS credit details are shown on the subscription page. Navigate to Admin > Global Settings > Subscription on the MDM console.
4. How do I re-enroll an Android device in MDM?
To re-enroll an Android device:
- On the MDM console, navigate to Enrollment, locate the device, and click Action > Remove Device to deprovision it.
- Re-enroll using the appropriate method based on the original management type:
- Fully Managed (previously Device Owner): A factory reset is required before re-enrollment. Enroll using QR code, ZTE, KME, or ADB.
- Personally-owned Work Profile (BYOD or previously Profile Owner): Remove the work profile from the device. Re-enroll using Invite Enrollment or Self Enrollment. No factory reset is required.
- Company-owned Work Profile (Work profile on company owned devices): Follow the re-enrollment steps applicable to corporate-owned devices with work profile provisioning.
5. How do I enroll Android devices in MDM without a factory reset?
There are two scenarios where Android devices can be enrolled without a factory reset:
- Personally-owned Work Profile (BYOD or previously Profile Owner): Enroll using Invite Enrollment or Self Enrollment. These methods create a work profile on the existing device without requiring a factory reset.
- Fully Managed (previously Device Owner) via ADB: Android Debug Bridge (ADB) enrollment allows already-deployed devices to be provisioned as Fully Managed (Device Owner) without a factory reset. This requires USB debugging to be enabled on the device and a USB connection to the MDM server.
Note: All other Fully Managed enrollment methods (QR code, EMM token, KME, ZTE) require the device to be in its initial setup state, which means a factory reset is required for already-deployed devices.
6. How do I reactivate an inactive Android device enrolled in MDM?
If an enrolled Android device appears inactive or is not syncing with the MDM server, follow these steps:
- Check connectivity: Ensure the device has an active Wi-Fi or mobile data connection.
- Verify server reachability: On the device, open a browser and attempt to reach the MDM server URL. If the server is reachable, proceed to the next step. If not, switch to a different network and retry.
- Sync the device: Open the ME MDM app on the device and trigger a manual sync.
- Contact support: If the device can reach the server but still does not appear active in the console, contact ManageEngine MDM support with the device details and logs.
For further device recovery steps, refer to the FAQ page.
7. Where can I download the latest MDM APK for Android?
You can download the latest Android MDM agent using any of the following methods:
- Google Play Store: Install the ManageEngine MDM agent directly from the Play Store: ManageEngine MDM Android Agent.
- Direct APK download: Download the latest APK directly: https://mdmdatabase.manageengine.com/latest/MDMAndroidAgent.apk.