pdf icon
Category Filter

Deprovisioning Devices

Keeping track of all the mobile devices in an organization is a crucial device management task to be performed by any mobile device management solution. IT admins need to have complete information about the devices that are in use and the ones that are not currently a part of the workforce. The admin should also be able to deprovision the devices that are not in use. Using Mobile Device Manager Plus, all that the IT admin has to do, is to mark the devices to be deprovisioned.

Why deprovision devices?

Deprovisioning devices completely removes it from management. In case of lost devices, devices requiring maintenance, and devices of employees who are leaving the organization, have to be removed from management. Such devices have to be deprovisioned.

For workspace-managed devices, the work profile can be revoked. In case of fully managed devices, they can be factory reset. So, a different user can be assigned and managed.

How to deprovision a device?

Deprovision can be done either for a single device or multiple devices. For deprovisioning individual devices, navigate to Enrollment > Devices > Managed > Actions > Deprovision. You can also choose multiple devices from this tab and then deprovision them.

Revoke MDM

Revoke MDM

Wiping off device data of employee's personal devices to revoke management might lead to loss of personal data. In such cases, the device can be removed from management and all the corporate data can be deleted.

Note:The data once deleted cannot be backed up.

Factory reset device

Factory reset device

If a complete wipe is performed, both corporate and personal data will be deleted.

  • Complete wipe can be performed on both Supervised and Unsupervised Apple devices based on the permissions configured in the device privacy settings in MDM.
  • Complete wipe can be performed only on fully managed and WPCO android devices but not workspace managed devices.
  • You can deprovision the corporate data for up to 25 devices at once.
  • You can perform complete wipe for up to 10 devices at once.

Move devices to

Personal devices can be moved to retired. Corporate devices can be moved to stock, repair, or retire.

  • In Stock - When employees leave the organization, their mobile devices can be assigned to another user. Such devices that are ready to be managed but awaiting user assignment will come under In Stock. You can assign users and then manage the devices.
  • Repair - Mobile devices generally require frequent servicing and while they are in repair they cannot be a part of the workforce but might have corporate data that could fall into the wrong hands. Therefore, when a device is being repaired, the device can be marked as a device in Repair in the MDM server. The device can be re-enrolled once it has been repaired. If for some reason the device cannot be repaired and needs to be permanently removed from MDM, the status can be changed to Retire.

    Note: If the device was enrolled using KNOX, ABM/ASM, Zero-touch, and Chrome enrollment the device will get re-enrolled automatically upon boot up.

  • Retire - This will unmanage the devices in cases of enrollments other thanZero-touch, ABM/ASM, and Chrome enrollment. For these enrollment methods, the devices will have to be manually removed from their respective portals. Additionally, the devices will be wiped and the personal devices will be available on the server for 90 days, after which they will be removed.
  • Note: Specify the reason for deprovision as it is used for audit log purposes.

Deprovisioning Settings

Admins can deprovision the devices from MDM when a device is no longer in use or when an employee leaves the company. Deprovisioning devices will completely erase all the corporate data present on the device. This helps to protect corporate data associated with unmanaged devices. In MDM, admins can configure certain settings to predefine the device deprovisioning process.

  1. Revoke MDM from devices once users are deactivated in Okta - Admin can configure to automatically deprovision devices associated with the users who are disabled or removed from the Okta directory.
  2. Note:

    • Deprovisioning is not possible when a user has more than three associated devices and when the device count exceeds 50.
    • Desktops and laptops cannot be deprovisioned.
  3. Upon deprovisioning, sign-out the associated Google Workspace (G Suite) users across all apps - This will remove all data and accounts associated with G Suite users from the device.
  4. The ME MDM app or MDM profile must be present on the device for continued management - In some cases, the user may try to unmanage the device and prevent the admins from managing it any further by removing the ME MDM app or MDM profile from the device. In the case of corporate-owned devices, admins can prevent users from revoking management through Supervision using ABM or fully managed device provisioning methods using ZTE or KME. But for personal devices, since users cannot be restricted completely from revoking management, admins can instead make sure that they are notified when a user unmanages the device by enabling the option Notify when the device becomes unmanaged . Admins can specify more than one email address if the notifications have to be sent to multiple persons.

Remove deprovisioned DEP devices

If a device enrolled using DEP is deprovisioned, the device will be unmanaged but not removed from the DEP portal. Follow the steps given below to remove the device from the ABM(DEP) portal.

  1. Login to the ABM portal using your credentials.
  2. Under Manage Devices enter the serial numbers of the devices that were deprovisioned.
  3. Select Unassign Devices from Actions .

Follow these documents to remove devices from other enrollment methods like Zero-touch, Chrome and Knox.

Jump To