Customize ME MDM app

iOS

Distributing ManageEngine MDM app to managed iOS devices

The ManageEngine MDM app is required to detect jailbroken devices, distribute documents, remotely view device screens, and track the location of managed devices. The option "Distribute ME MDM app to managed iOS devices" is enabled by default and ensures the ManageEngine MDM app is installed on all managed iOS devices. You can also configure the mail template for distributing the app, if needed. Further, the ManageEngine MDM app can also be used for securing email attachments as explained here.

NOTE: If the users have not logged into their iTunes accounts on the devices, the ManageEngine MDM app will be available in the App Catalog. The users should enter their iTunes credentials to complete the app installation. Upon installation of the ManageEngine MDM app, the App Catalog will be removed from the devices.

Android

If you have to manage Android devices, you need to configure the ME MDM app settings. The app is installed on all managed Android devices. You can customize the following:

Profile Settings

Every time you distribute a profile with a few policies and restrictions to some devices, the user is notified to accept the policy. This can be customized by specifying a time limit for the user to accept the policy. If the policy is not installed within the specified time, the policy is moved to Violated Policies. If the user accepts the policy, it is moved to Imposed Policies. If a Passcode policy has been distributed to the devices and the passcode has not been set according to the configured policy by the time specified, all the apps except the ME MDM app, Settings, and the Launcher app are disabled on the device. After the user sets the passcode, the disabled apps are enabled again. This is to protect corporate data when a corporate policy has been violated.

ME MDM app Settings

ME MDM app settings can be configured to allow or restrict users from removing the app, hide the app on the device, etc.

Allowing user to remove ME MDM app

If the user removes the ME MDM app from the device, the device becomes unmanaged, i.e., you can no longer manage the user's device, as the ME MDM app is mandatory for device management. In case you still want to allow users to remove the ME MDM app, you can configure a warning, which is displayed when the user attempts to remove the ME MDM app. This is not applicable for devices provisioned as Profile Owner (Work Profile).

You can restrict users from removing the ME MDM app. This is supported for Android devices running 5.0 or later versions, and the device should be provisioned as Device Owner. For devices enrolled via DEP, users can be restricted from removing the ME MDM app as explained here.

Hiding ME MDM app on device

You can choose to hide the ME MDM app on managed devices to ensure users don't revoke management by manually uninstalling it. However, hiding the ME MDM app makes the App Catalog that is required for downloading the distributed apps, as well as features such as content management, remote troubleshooting, and other benefits of the app, unavailable to the user. 

When you unmanage a device, the ME MDM app is removed from the device automatically. But in some cases, if the device is removed from management when the ME MDM app is hidden on the device, the app may not be removed from the device due to certain server connectivity problems.

To avoid such issues, you can consider the following:

You can also make the ME MDM app temporarily visible on the device by following the steps given below:

On the device, the ME MDM app is then visible and can be opened. The app is hidden again once closed. Follow the above mentioned steps each time the app has to be shown on the device.

Revoke Administration Password

Follow the steps mentioned below to set a Revoke Administration Password:

Revoke Administration Password can be used in the following scenarios:

By default, Revoke Administration Password is already set, which can be viewed using icon.

Rebranding ME MDM App

If you want to use your enterprise's logo as the icon for ME MDM app or rename the ME MDM app, then you can use this feature. ME MDM app can be rebranded, the display name of the app can be renamed, the app icon can be modified, and even the startup screen image can be customized. You can thus white label the ME MDM app which is beneficial especially when you do not want your employees to know that their devices are being managed by MDM. Follow the steps mentioned below to rebrand ME MDM app:

You can now see that ME MDM App is rebranded as required.

Configuring Mode of Communication

You can choose one of the following modes of communication to enable efficient communication between your MDM server and managed mobile devices.

Immediate
You can choose this mode of communication when you have uninterrupted internet access for server-device communication. All communications between the MDM server and managed mobile devices will occur instantly via Firebase Cloud Messaging (FCM).

On selecting Immediate mode, you should choose either Google Play Store or MDM server as the source for downloading the ME MDM app, which is required during device enrollment.

  • It is recommended to download ME MDM app from the Google Play Store.
  • You can choose to download ME MDM app directly from MDM server in circumstances when access to Google Play Store is restricted or when the device is not registered and does not have a Google Account linked to it.

Polling Mode (Enroll devices within the corporate network/Wi-Fi)

Polling mode is an alternative to Immediate mode and is the preferred mode of communication between the MDM server and mobile devices when there is limited public internet access within your organization or there is no access to Google apps and/or services. In this mode, the managed mobile devices communicate with the MDM server once every 60 minutes; hence, it is not possible to carry out on-demand actions such as remote lock, complete wipe, etc. immediately.
On choosing this option, the ME MDM app, which is required for device enrollment, can be downloaded by default only from the MDM server.

  • It is recommended not to switch between Immediate mode and Polling mode frequently, to avoid problems in communication between the server and managed mobile devices.
  • When you switch from Polling mode to Immediate mode as the preferred mode of communication, it is necessary to check if there is internet access, and that the mobile devices are registered with Google i.e., they have a Google Account linked to them.
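
The Android rules above (removal can be restricted only on Android 5.0 or later with Device Owner provisioning; Polling mode delays on-demand actions by up to 60 minutes; Immediate mode needs a linked Google Account) can be checked across a device inventory. The following is an added example, not ManageEngine code; the record fields (name, android, provisioning, mode, google_account) and the sample devices are constructed for illustration.

```python
# Added example: field names and devices below are constructed, not an MDM export.
POLL_INTERVAL_MIN = 60  # polling interval stated on this page

def parse_version(text):
    """'5.0.2' -> (5, 0, 2), padded so '10' and '5' compare numerically."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * max(0, 3 - len(parts)))

def can_restrict_removal(device):
    """Restriction needs Android 5.0 or later and Device Owner provisioning."""
    return (parse_version(device["android"]) >= (5, 0, 0)
            and device["provisioning"] == "device_owner")

def audit(device):
    """Return the management gaps that apply to one device record."""
    findings = []
    if not can_restrict_removal(device):
        findings.append("app removal cannot be restricted")
    if device["provisioning"] == "profile_owner":
        findings.append("removal warning not applicable (Work Profile)")
    if device["mode"] == "polling":
        findings.append(f"remote lock/wipe may wait up to {POLL_INTERVAL_MIN} min")
        if not device["google_account"]:
            findings.append("not ready for Immediate mode: no Google Account")
    return findings

# Constructed sample inventory.
FLEET = [
    {"name": "tab-01", "android": "10", "provisioning": "device_owner",
     "mode": "immediate", "google_account": True},
    {"name": "phone-02", "android": "4.4", "provisioning": "device_owner",
     "mode": "polling", "google_account": False},
    {"name": "phone-03", "android": "9", "provisioning": "profile_owner",
     "mode": "immediate", "google_account": True},
]

def fleet_report(fleet):
    """Map device name -> findings, keeping only devices with at least one gap."""
    report = {d["name"]: audit(d) for d in fleet}
    return {name: f for name, f in report.items() if f}

if __name__ == "__main__":
    for name, findings in fleet_report(FLEET).items():
        print(name, "->", "; ".join(findings))
```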

Download Mode of ME MDM app

During enrollment, the ME MDM app is downloaded onto each device. The app can be downloaded from the Google Play Store or MDM server. You can choose to configure the mode from which the download should happen. You can configure it by following the steps mentioned below:

You have successfully configured the download mode for ME MDM app.

Security Settings

On identifying rooted devices

If selected, the Remove Device option automatically wipes the corporate data present on the managed device if the device is rooted. Rooting an Android device provides the user with additional capabilities, including removal of profiles/configurations distributed by MDM as well as revoking MDM management itself. Rooted devices accessing corporate data is not ideal for organizations, as it can lead to unauthorized data access or data leaks. Selecting this option ensures the corporate data present on the device is removed before it can be accessed by unauthorized sources. You can also choose to deprovision the device by clicking

Windows

Allowing user to delete MDM Workspace account

In case the user no longer requires the device or leaves the organization, it is necessary to remove all your enterprise details from the mobile device. When this option is enabled, users can delete the ME MDM Workspace account on the device.
If you allow users to delete the ME MDM Workspace account from the device, the device becomes unmanaged once the account is deleted. Hence, it is recommended to disable this option.

Communication Type

You can choose one of the following modes of communication to enable efficient communication between your MDM server and managed mobile devices.

Immediate
You can choose this mode of communication when you have uninterrupted internet access for server-device communication. All communications between the MDM server and managed mobile devices will occur instantly via Windows Notification Service (WNS).

Polling Mode (Enroll devices within the corporate network/Wi-Fi)

Polling mode is an alternative to Immediate mode and is the preferred mode of communication between the MDM server and mobile devices when there is limited public internet access within your organization or if the organization has stringent security standards. In this mode, the managed mobile devices communicate with the MDM server once every 60 minutes; hence, it is not possible to carry out on-demand actions such as remote lock, complete wipe, etc. immediately.

  • It is recommended not to switch between Immediate mode and Polling mode frequently, to avoid problems in communication between the server and managed mobile devices.
  • When you switch from Polling mode to Immediate mode as the preferred mode of communication, it is necessary to check if there is Internet access.
Copyright © 2019, ZOHO Corp. All Rights Reserved.