Enrollment settings
Enrollment is the first step in managing mobile devices using Mobile Device Manager Plus (MDM). It involves onboarding the device to the MDM Server for further management. MDM offers multiple enrollment methods to suit the needs of different organizations. For instance, organizations that provide devices to employees can use admin enrollment methods such as Zero Touch Enrollment (ZTE), Knox Mobile Enrollment (KME), EMM Token or Apple Business Manager (ABM) to gain complete control over corporate-owned devices, whereas organizations that deploy personally owned devices (BYOD) can use methods such as Enrollment through invites or Self Enrollment to retain control only over the corporate data and apps on those devices. You can customize the enrollment settings by navigating to the Enrollment tab -> Enrollment Settings on the MDM Server.
Minimum OS Version Criteria
MDM allows you to limit the OS versions from which devices are allowed to enroll. Administrators specify the minimum OS version permitted for enrollment; for example, an admin can configure that only devices running iOS 12 and above or Android 9 and above are allowed to enroll. Devices running an OS version below the specified minimum are automatically blocked from enrollment, ensuring that devices with outdated or unsupported OS versions are not enrolled into MDM.
Device Manufacturer Restriction
MDM allows administrators to control which Android device manufacturers are permitted to enroll into management. This helps organizations standardize their device fleet, enforce hardware-level security and compliance requirements, and prevent enrollment of devices from unsupported or untrusted OEMs. Administrators can configure manufacturer restrictions by navigating to Enrollment tab -> Enrollment Settings -> Restrictions -> Set Device Manufacturer Restriction. The following options are available:
- Allow all manufacturers: Devices from any manufacturer are permitted to enroll. This is the default setting and places no restriction based on the device's OEM.
- Allow only specific manufacturers: Only devices from the manufacturers specified by the admin are allowed to enroll. Devices from any other manufacturer will be automatically blocked during enrollment. This is useful when an organization standardizes on a specific set of OEMs (for example, Samsung and Google).
- Block only specific manufacturers: Devices from the specified manufacturers will be blocked from enrollment, while devices from all other manufacturers can enroll. This is useful for excluding OEMs that do not meet organizational security or compliance requirements.
Note:
- Device manufacturer restriction is applicable only for Android devices.
- The manufacturer name is fetched from the device during enrollment and is matched against the available manufacturers list. Devices that do not meet the configured criteria will be denied enrollment, and the user will be notified accordingly.
- This restriction applies to all Android enrollment methods, including Invite Enrollment, Self Enrollment, QR Code Enrollment, NFC Enrollment, ADB Enrollment, Zero-touch Enrollment, and Knox Mobile Enrollment.
- If the required manufacturer is not available in the manufacturers list, contact ManageEngine MDM Support for assistance.
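The two restrictions above (minimum OS version and manufacturer restriction), as an added illustration that is not part of this documentation or of MDM's own code: a small Python policy check that combines a per-platform minimum OS version with the three manufacturer restriction modes. The platform names, the mode names ("allow_all", "allow_only", "block_only") and the version-string handling are this example's assumptions, not the console's labels.

```python
"""Constructed example, not MDM's own code: how the minimum OS version and
manufacturer restriction settings above combine into an enroll/deny decision."""
from __future__ import annotations
from dataclasses import dataclass, field


def parse_version(text: str) -> tuple[int, ...]:
    """'12.4.1' -> (12, 4, 1); numeric compare, so '10' sorts after '9'."""
    parts: list[int] = []
    for part in text.strip().split("."):
        if not part.isdigit():
            break  # stop at suffixes such as the 'b' in '13.1b'
        parts.append(int(part))
    return tuple(parts)


def version_at_least(actual: str, minimum: str) -> bool:
    """True if actual >= minimum, treating '9' and '9.0' as equal."""
    a, m = parse_version(actual), parse_version(minimum)
    if not a:
        return False  # unparseable version string: fail closed
    width = max(len(a), len(m))
    return a + (0,) * (width - len(a)) >= m + (0,) * (width - len(m))


@dataclass
class EnrollmentPolicy:
    # Minimum OS version per platform, e.g. {"iOS": "12", "Android": "9"}.
    min_os: dict[str, str] = field(default_factory=dict)
    # Manufacturer restriction; mode names are this example's, not the console's.
    manufacturer_mode: str = "allow_all"  # or "allow_only" / "block_only"
    manufacturers: frozenset[str] = frozenset()

    def check(self, platform: str, os_version: str,
              manufacturer: str | None = None) -> tuple[bool, str]:
        """Return (allowed, reason); the first failing criterion wins."""
        minimum = self.min_os.get(platform)
        if minimum is not None and not version_at_least(os_version, minimum):
            return False, f"{platform} {os_version} is below the minimum {minimum}"
        # The manufacturer restriction applies only to Android devices.
        if platform == "Android" and self.manufacturer_mode != "allow_all":
            # OEMs report names in varying case ('samsung', 'Samsung'): normalise.
            listed = (manufacturer or "").strip().lower() in {
                m.lower() for m in self.manufacturers}
            if self.manufacturer_mode == "allow_only" and not listed:
                return False, f"manufacturer {manufacturer!r} is not in the allow list"
            if self.manufacturer_mode == "block_only" and listed:
                return False, f"manufacturer {manufacturer!r} is blocked"
        return True, "allowed"
```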
Invite Enrollment
Admins can configure the settings used when inviting users to enroll their devices via email. These settings can be customized by navigating to Enrollment tab -> Enrollment Settings -> Invite Enrollment. The following options are available:
- Device Type Selection: Determines how the device ownership label (Owned By) is assigned during invite enrollment. When enabled, the admin can specify whether each enrolled device should be marked as Corporate or Personal while sending out the invite, and this label is displayed under the Owned By column in the Enrollment tab. When disabled, the ownership type is not prompted during invite creation, and devices will be labelled with the default ownership type (Personal) configured on the MDM Server.
- Authentication Type: Specifies the authentication method that users must complete before enrolling their device through the invite. The supported methods are One Time Passcode, Directory Services or Zoho Authentication, or a combination of both; if both are selected, users must complete two-factor authentication before enrollment proceeds.
- Enrollment Invite Expiration: Defines the validity period of an enrollment invite. By default, the invite expires after 7 days, after which the user can no longer enroll using the same invite link. Admins can customize this duration in days or hours based on organizational requirements.
- Enable email reminders: When enabled, MDM automatically sends reminder emails to users who have not yet enrolled their devices, to encourage timely enrollment. This option requires the Mail Server to be configured on the MDM Server (applicable only for on-premises). Once enabled, the following reminder parameters can be configured:
  - Start sending reminders after: Specifies the waiting period (in days) after the invite is sent, before the first reminder email is dispatched to users who have not yet enrolled.
  - Number of reminders to be sent: Defines the total number of reminder emails that will be sent to a user before reminders stop. This helps prevent excessive notifications to end users.
  - Frequency: Determines how often reminder emails are sent (for example, Everyday or on alternate days) until either the user enrolls, the invite expires, or the configured reminder count is reached.
  - Time of day: Specifies the time (in 24-hour format) at which the reminder emails will be sent on the configured days, allowing admins to align reminders with users' working hours. Reminders will be initiated within a one-hour window starting from the selected time.
Deprovisioning Settings
Admins can deprovision devices from MDM when a device is no longer in use or when an employee leaves the company. Deprovisioning a device completely erases all corporate data present on it, which protects corporate data that would otherwise remain on an unmanaged device. In MDM, admins can configure the following settings to predefine the deprovisioning process.
- Revoke MDM from personal (BYOD) devices once users are disabled from the Okta directory: Admins can configure MDM to automatically deprovision devices associated with users who are removed from the Okta directory.
Note:
- If a user is associated with more than 3 devices, those devices cannot be deprovisioned.
- Desktops and laptops cannot be deprovisioned.
- Upon deprovisioning, sign out the associated Google Workspace (G Suite) users across all apps: This will remove all data and accounts associated with the G Suite user from the device.
Note: G Suite must be configured. If you have already configured it, re-authenticate and make sure that Manage data access permissions for users on your domain is enabled when the Google consent screen is prompted.
- Notify via email when device unmanaged by user: The ME MDM app or MDM profile must be present on the device for continued management. In some cases, users may attempt to unmanage the device by removing the ME MDM app or MDM profile, preventing admins from managing it further.
In case of corporate owned devices, admins can prevent users from revoking management through Supervision using ABM or Device Owner provisioning using ZTE or KME.
For personal devices, users cannot be completely restricted from revoking management. However, admins can take steps to stay informed when a user unmanages the device. To do this:
- Enable the Allow User to Remove ME MDM App option in the ME MDM app configuration. Refer to the following link for guidance: Customize ME MDM App Configuration.
- Enable the Notify via email when device becomes unmanaged option in the enrollment settings for deprovisioning.
When these settings are enabled, if a user removes the ME MDM app from their personal device, the configured admin email(s) will receive a notification. Admins can also specify multiple email addresses to ensure notifications are sent to all relevant mailboxes.
- Show Revoke Management option in the ME MDM App: This will allow the users to unmanage their devices directly from the app.
Inactive Device Policy
MDM contacts managed devices once a day to check their availability, even when there is no command to be executed. If a device does not respond, it has lost contact with the MDM Server.
A device may lose contact with the server when it is:
- switched off.
- not connected to the Internet.
- factory reset and is unmanaged.
- removed from management by the user when it did not have internet connectivity.
- connected to any network, internal or otherwise, that blocks certain URLs thereby preventing the device from contacting the MDM server. To verify this, try accessing mdm.manageengine.com from the device browser.
By default, if no response is received from a device for more than 7 days, the device is marked inactive. The admin can also specify the duration after which unresponsive devices are marked inactive in the Inactive Devices Policy. Admins can view the list of inactive devices in the Homepage dashboard on the MDM Console or as reports. Admins can also schedule an Inactive Devices report by navigating to Reports tab -> Schedule Reports -> Add Schedule Report, to be notified via email of devices that have lost contact with the server.
Android device policy controller settings
A Device Policy Controller (DPC) is the agent application that communicates with the MDM server to enforce policies, restrictions, and configurations on Android devices. MDM allows administrators to choose which DPC app should be used to manage enrolled Android devices. This setting can be configured by navigating to Enrollment tab -> Enrollment Settings -> Android device policy controller settings.
- Device policy app: Specifies the DPC app to be installed on Android devices during enrollment for management. The following options are available:
  - ME MDM App: Uses the ME MDM app as the device policy controller. This is the default option and is recommended for most deployments, as it provides the complete set of MDM features, including custom configurations, app management, security policies, and remote troubleshooting capabilities.
  - Android Device Policy App: Uses Google's Android Device Policy app as the DPC. This option leverages Google's native DPC for managing Android Enterprise devices and is suitable for organizations that prefer to use the Google-provided agent for policy enforcement.
Note:
- This setting applies only to Android devices enrolled through Android Enterprise enrollment methods.
- The selected DPC app will be used for all subsequent Android enrollments. Devices already enrolled will continue to be managed by the DPC app that was configured at the time of their enrollment.
- Click Save Settings to apply the changes, or Cancel to discard them.