Enrolling devices is the first step in managing mobile devices. To enroll devices, every user should be configured with a user authentication level. MDM provides three authentication methods to ensure that only the designated user can enroll their devices: using an OTP, using directory credentials, or a combination of both. Each has its own set of advantages.
Comparison between the authentication methods
| PARAMETER | USING OTP | USING DIRECTORY SERVICES | USING BOTH |
|---|---|---|---|
| Security | Secure | More Secure | Most Secure |
| Time taken to enroll a device | Least | More | More |
| Scenarios to be used | For product evaluation/testing | For organizations already using services leveraging a directory | For organizations with stringent security compliance standards |
One Time Passcode
A one-time passcode (OTP) is generated and sent to the user along with the enrollment invitation. The user should use the OTP to enroll their mobile device. The email invitation can be used only once and is valid for 7 days in the case of on-prem and 3 days for cloud. If the administrator sends an enrollment request with an OTP, that OTP can be used only once. An OTP cannot be used for enrolling more than one device.
Authentication using Directory Services/ Zoho Authentication
Directory credentials are used to authenticate the user while enrolling the device. The directory service's user name and password are used only for enrollment, which means that any changes made on the directory server do not have any impact on managing the mobile devices. Administrators should use this type of authentication if they want to enable Self Enrollment. Users will use their domain credentials during the Self Enrollment process.
In case of MDM Cloud, integrate your Microsoft on-premises AD with MDM using Zoho Directory, our in-house solution. During the integration, the Zoho Directory Sync tool is downloaded and set up in order to sync your AD. Once integrated, you can use directory credentials to enroll devices and to configure policies based on AD-users and/or groups.
Two Factor Authentication
This is considered to be the most secure mode of enrolling mobile devices. Administrators can use this mode to ensure that users provide both their domain credentials and the OTP that was sent along with the enrollment invitation. This mode cannot be used for Self Enrollment. Even if the authentication type is enabled as "Two Factor Authentication", users will have to use their directory service credentials while enrolling Windows devices. Two factor authentication is not supported for devices running the Windows operating system.
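The rules described in the One Time Passcode and Two Factor Authentication sections above can be modelled as follows. This is an added example, not ManageEngine's code: the function names, the 8-digit OTP length and the failure lockout threshold are assumptions, and the directory check is represented by a boolean supplied by the caller.

```python
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta

# Invitation validity as stated on this page.
VALIDITY = {"on_prem": timedelta(days=7), "cloud": timedelta(days=3)}
MAX_FAILURES = 5  # assumption: lockout threshold, not stated on the page

@dataclass
class Invitation:
    otp: str
    issued_at: datetime
    deployment: str      # "on_prem" or "cloud"
    used: bool = False
    failures: int = 0

def issue(deployment, now):
    """Create an invitation with a random OTP (8 digits is an assumption)."""
    return Invitation(f"{secrets.randbelow(10**8):08d}", now, deployment)

def otp_valid(inv, otp, now):
    """Check single use, lockout and expiry, then compare in constant time."""
    if inv.used or inv.failures >= MAX_FAILURES:
        return False
    if now - inv.issued_at > VALIDITY[inv.deployment]:
        return False
    if hmac.compare_digest(inv.otp.encode(), (otp or "").encode()):
        return True
    inv.failures += 1  # count wrong guesses so a short OTP cannot be brute-forced
    return False

def enroll(mode, inv, now, otp=None, directory_ok=False, platform="android"):
    """mode is 'otp', 'directory' or 'both'; directory_ok is the outcome of a
    directory credential check performed elsewhere (hypothetical input)."""
    need_dir = mode in ("directory", "both")
    # Per the page, Windows devices enroll with directory credentials only
    # when the mode is two factor authentication.
    need_otp = mode == "otp" or (mode == "both" and platform != "windows")
    if need_dir and not directory_ok:
        return False
    if need_otp and not otp_valid(inv, otp, now):
        return False
    if need_otp:
        inv.used = True  # one invitation enrolls exactly one device
    return True
```

The OTP is marked as used only after every required factor has passed, so a failed directory check does not burn the invitation.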
The authentication types mentioned above are used only while enrolling devices. Any change made to the authentication type applies to devices enrolled from then on and does not affect devices that are already enrolled. Follow the steps below to configure the authentication that should be performed while enrolling a device:
- On the web console, click Enrollment
- Under Enroll click Authentication
- Choose the type of Authentication
- Click Save
You have successfully configured the authentication level for the device.