Customize ME MDM app

iOS

Distributing ME MDM app to managed iOS devices

If you want to detect jailbroken iOS devices or use Geo Tracking to track the location of managed iOS devices, the ME MDM app must be installed on the devices. Enabling the option "Distribute ME MDM App to managed iOS devices" automatically distributes the ME MDM app to all managed iOS devices. You can also configure the mail template for distributing the app, if needed. Further, the ME MDM app can also be used for securing e-mail attachments as explained here.

Android

If you have to manage Android devices, you need to configure the ME MDM app settings. The app is installed in all the managed Android devices. You can customize the following:

  1. Profile Settings

  2. ME MDM App Settings

  3. Rebrand ME MDM app

  4. Configure Mode of Communication
  5. Download Mode of ME MDM app

Profile Settings

Every time you distribute a profile with a few policies and restrictions to some devices, the end user is notified to accept the policy. This can be customized by specifying a time limit for the end user to accept the policy. If the policy is not installed within the specified time, the policy is moved to Violated Policies. If the user accepts the policy, it is moved to Imposed Policies. If a Passcode policy has been distributed to the devices and a passcode has not been set according to the configured policy by the time specified, all apps except the ME MDM app, Settings and the Launcher app are disabled on the device. After the user sets the passcode, the disabled apps are enabled again. This is to protect corporate data when a corporate policy has been violated.

Managing ME MDM app

You can customize the ME MDM app settings like allowing user to remove app, hiding the app from the managed device, etc.

    1. Allowing user to remove ME MDM app

    2. Hiding ME MDM app on device

    3. 'Revoke Administration' Password

Allowing user to remove ME MDM app

If the user removes the ME MDM app from the device, the device becomes unmanaged, i.e., the IT admin can no longer manage the user's device, as the ME MDM app is mandatory for device management. If you still wish to allow users to remove the ME MDM app, you can also configure a warning, which is displayed when the user attempts to remove the app. This is not applicable for devices provisioned as Profile Owner (Work Profile).

You can restrict users from removing ME MDM app. This is supported for Android devices running 5.0 or later versions and the device should be provisioned as Device Owner. For devices enrolled via DEP, users can be restricted from removing ME MDM app as explained here.

Hiding ME MDM app on device

You can choose to hide the ME MDM app on the managed device. In that case, the users cannot open ME MDM app to access the App Catalog inside the app. Hence, they cannot download apps distributed through App Catalog.

Usually, when a device is unmanaged, the ME MDM app present in the device can be easily removed by the users manually. The data including all profiles and apps is removed automatically. But in some cases, if you remove a device from management when ME MDM app is hidden on a device, the app is not removed from the device due to some server connectivity problems. To avoid such issues, you can consider the following:

      1. Revoke 'Hide ME MDM App' setting and make ME MDM app visible on a device prior to unmanaging an enrolled device. Or
      2. For mobile devices, enter *#63636 in the dialer, to make the ME MDM App visible on the device.
      3. For devices without dialers (such as tablets), access the URL memdm://open from the device. Then, click the link 'OPEN' to make the ME MDM app visible on the device.
           Now, use 'Revoke Administration' Password to disable Device Administrator rights for ME MDM App and then remove it.

'Revoke Administration' Password

 Follow the steps mentioned below to set a 'Revoke Administration' Password:

      1. On the web console, under Enrollment tab, select ME MDM App under Android in the left pane.
      2. Specify the 'Revoke Administration' Password in the given field.

 'Revoke Administration' Password can be used in the following scenarios:

      1. When it is necessary to temporarily disable Kiosk Mode on the user's device, the 'Revoke Administration' Password can be used.

      2. The 'Revoke Administration' Password that you set can be used to disable Device Administrator on the user's device. This password is especially useful when you are unable to unmanage the enrolled device using the "Remove Device" action. It is not possible to disable the Device Administrator permission and remove the ME MDM app from the device when there are server connectivity issues. Only when the Device Administrator permission is disabled for the ME MDM app can the user easily remove the app from the device.

      3. If ME MDM app is hidden, refer to this to know how to revoke Administration.


      4. To enter the 'Revoke Administration' Password on the device, first click on the ME MDM app icon and click four times on the top pane where the app name is visible. A Password Prompt dialog box appears where the password can be entered.

By default, 'Revoke Administration' Password is already set, which can be viewed using icon.

Rebranding ME MDM App

If you want to use your enterprise's logo as the icon for the ME MDM app or rename the ME MDM app, you can use this feature. The ME MDM app can be rebranded: the display name of the app can be changed, the app icon can be modified, and even the startup screen image can be customized. Follow the steps mentioned below to rebrand the ME MDM app:

    1. On the web console, select Admin tab and click on Rebranding
    2. Here you can change the logo displayed in the Server and the website to be linked.
    3. To make app-related changes, click on the Enrollment tab and select ME MDM app from Android in the left pane.
    4. Here you can change the app logo, app name and the app startup screen.

The ME MDM app is now rebranded according to your choices.

Configuring Mode of Communication

You can choose one of the following modes of communication to enable efficient communication between your MDM server and managed mobile devices.

  1. Immediate mode
  2. Polling mode

Immediate
You can choose this mode of communication when you have uninterrupted internet access for server-device communication. All communications between the MDM server and managed mobile devices will occur instantly via Google Cloud Messaging (GCM).

On selecting Immediate mode, you should choose either Google Play Store or MDM Server to download ME MDM App which is required during device enrollment.

  1. It is recommended to download ME MDM app from the Google Play Store.
  2. You can choose to download ME MDM app directly from MDM Server in circumstances when access to Google Play Store is restricted or when the device is not registered and does not have a Google Account linked to it.

Polling Mode (Enroll devices within the corporate network/Wi-Fi)

Polling mode is an alternative to Immediate Mode and is the preferred mode of communication between MDM server and mobile devices, when there is limited public internet access within your organization or there is no access to Google apps and/or services. In this mode the managed mobile devices communicate with MDM Server once every 60 minutes, hence it is not possible to carry out on-demand actions such as remote lock, complete wipe etc. immediately.
On choosing this option, the ME MDM app, which is required for device enrollment, can by default be downloaded only from the MDM Server.

  1. It is recommended not to switch between Immediate mode and Polling mode frequently, to avoid problems in communication between the server and managed mobile devices.
  2. When you switch from Polling mode to Immediate mode as the preferred mode of communication, it is necessary to check if there is internet access and that the mobile devices are registered with Google i.e., they have a Google Account linked to them.

Download Mode of ME MDM app

As a part of enrollment, every device downloads the ME MDM app. The ME MDM app can be downloaded from the Google Play Store or the MDM Server. You can configure the source from which the download should happen by following the steps mentioned below:

      1. On the web console, click Enrollment
      2. Under Android click ME MDM app
      3. Under distribute ME MDM App settings, choose the mode for the users to download the ME MDM App. You can choose to download the app either from the Google Play Store or from the MDM Server.
      4. Click Save Changes

        If you choose Polling mode, you will have to ensure that the server is reachable at port 8020/9020, for the users to initiate download.

You have successfully configured the download mode for ME MDM app.
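The reachability requirement noted above can be checked from a machine on the same network segment as the devices. The following is an added example, not part of the product or its documentation; the host name mdm.example.com and the function names are placeholders, and treating either open port as sufficient is an assumption based on the page's "8020/9020" wording.

```python
import socket

# Ports the page names for downloading the ME MDM app from the MDM Server.
MDM_PORTS = (8020, 9020)

def probe(host, port, timeout=3.0):
    """Classify a TCP connection attempt to host:port.

    'open'        - handshake completed, something is listening
    'refused'     - host answered with a reset: no listener on that port
    'filtered'    - no answer before the timeout, typical of a firewall drop
    'unresolved'  - the host name did not resolve
    'unreachable' - any other network error (no route, host down, ...)
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.gaierror:
        return "unresolved"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "filtered"
    except OSError:
        return "unreachable"

def check_mdm_server(host, ports=MDM_PORTS, timeout=3.0):
    """Probe every port and return {port: state}."""
    return {port: probe(host, port, timeout) for port in ports}

def download_possible(results):
    """Assumption: one open port is enough for devices to start the download."""
    return any(state == "open" for state in results.values())

if __name__ == "__main__":
    import sys
    # mdm.example.com is a placeholder; pass your own server name as argument.
    host = sys.argv[1] if len(sys.argv) > 1 else "mdm.example.com"
    results = check_mdm_server(host)
    for port, state in results.items():
        print(f"{host}:{port} -> {state}")
    sys.exit(0 if download_possible(results) else 1)
```

A 'refused' result points at the server (service stopped or listening on another port), while 'filtered' points at a firewall between the device network and the server.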

Security Settings

On identifying rooted devices

If the option Remove Device is selected, the corporate data present on the managed device is automatically wiped if the device is rooted. Rooting an Android device provides the user with additional capabilities, including removal of profiles/configurations distributed by MDM as well as revoking MDM management itself. Rooted devices accessing corporate data is not ideal for organizations, as it can lead to unauthorized data access or data leaks. Selecting this option ensures the corporate data present on the device is removed before it can be accessed by unauthorized sources.

Windows

Allowing user to delete MDM Workspace account

In case the user no longer requires the device or leaves the organization, it is necessary to remove all your enterprise details from the mobile device. When this option is enabled, users can delete the ME MDM Workspace account on the device.
If you allow users to delete ME MDM Workspace account from the device, the device becomes unmanaged on deleting the account. Hence, it is recommended to disable this option.

Communication Type

You can choose one of the following modes of communication to enable efficient communication between your MDM server and managed mobile devices.

  1. Immediate mode (using WNS)
  2. Polling mode

Immediate
You can choose this mode of communication when you have uninterrupted internet access for server-device communication. All communications between the MDM server and managed mobile devices will occur instantly via Windows Notification Service (WNS).

Polling Mode (Enroll devices within the corporate network/Wi-Fi)

Polling mode is an alternative to Immediate Mode and is the preferred mode of communication between MDM server and mobile devices, when there is limited public internet access within your organization or if the organization has stringent security standards. In this mode the managed mobile devices communicate with MDM Server once every 60 minutes, hence it is not possible to carry out on-demand actions such as remote lock, complete wipe etc. immediately.

  1. It is recommended not to switch between Immediate mode and Polling mode frequently, to avoid problems in communication between the server and managed mobile devices.
  2. When you switch from Polling mode to Immediate mode as the preferred mode of communication, it is necessary to check if there is Internet access.

Copyright © 2017, ZOHO Corp. All Rights Reserved.