Cloud Services
MDM
CONTENTS
Device Management
Overview
Dashboard Navigation
Dynamic Device List
Device Control Panel
Device Information Menu
Remote Actions Menu
Device Search
Device Details
Device Information
Device Activity
Configuration
Device Details Management
Administration Event Log
BYOD Configuration Best Practices
Keep in Mind…
Device Management is one of nine sections of the overall Admin Guide for Mobile Device Manager. The following is the complete list of MDM Admin Guide components:
• MDM Overview and Setup
• Device Management
• Profile Management
• Geofencing
• Application Management
• Content Management
• Email Management
• Telecom Management
• Reports and Alerts
DEVICE MANAGEMENT
OVERVIEW
Smart device management is centralized in the Admin Console. From the console, the administrator is able to leverage the following MDM features:
• Customize comprehensive asset tracking in the form of real-time device data across the mobile fleet, regardless of device type, carrier, or location.
• Navigate an interactive dashboard of mobile and telecom data to help the organization make more informed decisions based on actual mobile telecom usage.
• Perform remote actions on devices.
• Generate a custom library of reports.
• Enable proactive alerts for both users and administrators when predetermined thresholds are reached.
The following sections describe how administrators can leverage the specific pages within the Admin Console to effectively and efficiently manage smart devices.
DASHBOARD NAVIGATION
The Dashboard page centralizes smart device monitoring by giving administrators high-level views of their entire fleet of mobile devices with the ability to drill down to the individual device level.
Administrators can see an overview of graphics and statistics for a particular location group, an entire device fleet, or quickly locate information on a specific device by clicking the Friendly Name highlighted in blue.
Location Group Sidebar
The Location Group Sidebar on the left of the screen allows administrators to view devices belonging to specific location groups, as well as all of their child groups. Administrators can also use the Search field to find specific location groups:
• Expandable Tree Structure – Find location groups and show lineage from parent to child groups.
• Search Box – Search for specific location groups by name, partial name, or keyword.
• Expand / Collapse Feature – Fully expand or collapse the location group hierarchy.
• Pin Feature – Pin the location group sidebar back onto the Dashboard sidebar.
Dashboard Views
There are also several views available from the Dashboard page, which enable administrators to view entire listings of devices based on each of the following metrics:
• Asset Tracking – View devices based on ownership type, platform, and last seen metrics.
• Device Compliance – View devices based on their device rules compliance status, passcode policy compliance, and data encryption status.
• Enrollment Status – View devices and track the complete enrollment lifecycle from registration to end-of-life, as well as identify devices that are pending a device wipe.
• Email Management – View status of devices that attempt to gain corporate email access through the Secure Email Gateway.
Advanced Views
There are also several Advanced views available that give administrators the ability to view entire listings of devices based on each of the metrics listed below:
• Device Groups – View all devices, statistics (i.e., total number of devices per group and percent of devices in that group), and other information explained in greater depth in Device Groups.
Graphical Portlets
The Graphical Portlets on the Dashboard page provide relevant statistics, as well as an easy way to select a group of devices according to a number of categories.
For example, the Asset Tracking default screen graphically represents Device Ownership, Platforms, and Last Seen data above the grid. The two icons in the right corner of the graphical representation box switch the display between a graphical view and a textual table. To toggle between graphical and textual representation of data, do the following:
• Click the Pie Chart icon to view the data graphically (pie or bar chart).
• Click the Data Group icon to view data in a textual table.
• While in textual mode, click any Data Group and the grid below begins to reload and display the information based on that specific data group. This feature is only available in this mode.
DYNAMIC DEVICE LIST
The Dynamic Device List on the Dashboard page contains a flexible list of devices and associated metrics that pertain to each view:
There are several ways for an administrator to select, order, identify, find, filter (etc.) specific devices from the Dynamic Device List page:
• Select any of the Available Views. For example, graphical or textual tables shown above the grid.
• Click any of the Data Groups from the Graphical Portlets. For example, when in textual table format, click any line item to display data.
• Click any of the Column Categories to re-sort the list. For example, clicking Last Seen re-sorts the grid to either the oldest or latest seen devices.
• On the top right side of the grid, there are four more icons that provide additional sort, search, export, and display tools that perform in the following ways:
o Change any one of the three graphical (e.g., pie chart) representations of data (portlets) above the grid from graphical to a textual table. The Filter drop-down changes to represent your selection, as shown in the examples below:
o Enter any keyword in the Filter Grid field and then press <Enter>. The grid re-sorts and displays only those devices that contain the keyword(s) you entered, as shown in the example below:
o Click the Refresh icon to display the default Available Columns layout and all device data based on any search criteria in the Filter drop-down and Filter Grid field, as shown below:
o Click the Export All icon and the data in the grid exports into an Excel spreadsheet, as shown in the example below:
o Click the Hide Chart icon to hide all graphical and textual table portlet data, so that only the grid displays.
o Click the Tools icon to display Available Columns, which you can use to customize device data that displays in the grid. The example below displays when in the Asset Tracking view. The Available Columns change depending on the Dashboard view selected.
DEVICE CONTROL PANEL
Leverage the Device Control Panel, available from the Dashboard page, to view detailed information or perform remote actions on individual devices.
• To open the Device Control Panel, locate an individual device on the Dashboard page by using any of the available search tools, and select it.
The overlaid Device Control Panel window displays:
The Device Control Panel contains two primary menus:
• A Device Information menu to view detailed information and statistics.
• A Remote Actions menu to perform administrative actions over the air.
NOTE: Information and actions in the Device Control Panel are subject to availability according to privacy settings and platform compatibility.
DEVICE INFORMATION MENU
The Device Information menu shows detailed information related to each of the listed categories.
Summary
The Summary section shows hardware, MDM, encryption, passcode compliance, and other general information.
• Hardware – Displays device hardware information.
• Security – Displays compromised device and encryption level data.
• Passcode – Displays if a passcode is present and whether or not it meets the passcode requirements.
• Network – Displays network information, such as SIM Card and roaming status.
• Profiles – Displays all profiles and provides profile installation status.
• Certificates – Displays installed certificates, as well as expiration or near expiration status.
• Applications – Displays the number of apps currently installed on the device.
• Content – Displays a configurable view of repositories and content.
Compliance
The Compliance view shows the compliance status of the device, including the name and level of all compliance policies in effect. The administrator can also see the current level of compliance actions and the next level of action that will be performed if the device continues to be non-compliant.
Profiles
The Profiles section shows all of the MDM profiles that have been sent to the device and the status of each profile.
• Status – Displays the profile installation status:
o Installed
o Pending install
o Not installed
o Pending removal
o Removed
o Blocked (by a Compliance Policy)
o Failed for latest version
NOTE: Profile installation is blocked due to Compliance Settings. A failed status is reported when the installed profile is out-of-date.
• Type – Displays the profile type: automatic, optional, or interactive.
• Location Group – Displays the location group to which the profile is assigned.
• Actions – Enables remote installation or removal of the profile.
Apps
The Apps section displays all applications that have been installed on the device.
NOTE: Information availability is subject to privacy settings as specified in Configuration ► System Settings ► Device ► General ► Privacy.
Please note the following field descriptions:
• Status – Displays the profile installation status:
o Installed
o Pending install
o Not installed
o Pending removal
o Removed
o Blocked (by a Compliance Policy)
• Type – Displays the profile type: automatic, optional, or interactive.
• Actions – Enables remote installation or removal of the profile.
NOTE: Application installation is blocked due to Compliance Settings.
Content
Only applicable to devices equipped with the Content Locker.
The Content section displays information about the content available in the Secure Content Locker.
• All Content – Displays information about all available content.
o Active – Tap the gray circles to make the document available (left/green) or not available (right/red).
o Type – Displays the document format; hover over the icon to display the format type.
o Name – Displays the document name as it appears both in the Admin Console and in the Secure Content Locker.
o Storage – Displays the server on which the content is stored.
o Description – Provides a brief document description.
o Assignment – Displays the group to which the document is assigned.
o Effective/Expiration – Shows the date the document expires.
o Last Modified – Displays the date and time that the document was last modified.
o Download Type – There are two options for deployment type:
§ On Demand – End-user must download document.
§ Automatic – Document is automatically downloaded to the end-user's device.
o Installed/Assigned – Displays the ratio of devices that have installed the assigned document.
o Actions – Provides the ability to install or delete content.
• Batch Status – Displays the successfully uploaded content or if it is experiencing errors.
Settings
The Settings section displays information on device settings.
• Categories – Shows the file system for the content.
• Content Repository – Links to repositories and displays document ownership.
• User Storage – Shows the amount of storage available to and used by each device.
Certificates
The Certificates section shows all of the certificates currently stored on the device, and provides basic supporting information.
NOTE: iOS devices should always show at least one current certificate for the MDM identity certificate issued during enrollment.
User
The User section shows user-specific information including Name, Status, Username, Email, Group, Email Username, Security Type, and Contact Number. It also displays a list of all devices that the user has enrolled.
NOTE: Information availability is subject to privacy settings as specified in Configuration ► System Settings ► Device ► General ► Privacy.
GPS
The GPS section shows the GPS coordinates of the device. The default display is Last Known, which is the most recently received coordinates. To view GPS coordinates over a select period of time:
1. Select the time span to view GPS coordinates from the Period drop-down menu.
2. Click [Search]. The search results return the entire available GPS coordinate trail (breadcrumbs) over the requested period.
3. Click the Play Sound icon to play a sound on a lost device to facilitate location.
NOTE: Information availability is subject to privacy settings as specified in Configuration ► System Settings ► Device ► General ► Privacy.
Event Log
The Event Log contains a comprehensive log of all interactions between the Admin Console and the device.
The administrator can further track device events through the following actions available on this view:
1. Click [Refresh Data] to instantly update the Event Log.
2. Enter an event keyword into the Search Filter to filter the event log according to a type of event.
• Example: Security Events
3. Click the [Export All] button to export all events as a .csv file.
The administrator can also view all console and device events in the Administration Event Log, or integrate with Syslog on the Syslog settings page (located in Configuration ► System Settings ► Admin ► Event Log).
Note the following important Event Log fields:
• Severity – Ranks the event severity level based on the event definition.
• Source – Shows the source of the event.
o Example: Server
• Event – Provides a brief categorization/summary of the event.
o Examples of events might include:
§ MDM Enrollment Complete
§ Install Profile Requested
§ Security Information Refused
REMOTE ACTIONS MENU
With the Remote Actions menu, administrators can perform any of the listed actions on the selected device over-the-air.
Device Query
Place a manual request for remote devices to send the console a comprehensive set of MDM information. This immediate request overrides the timed device check-ins.
Clear Passcode
Clear the passcode on remote devices. This is leveraged when end-users forget passcodes or become locked out of devices.
Send Message
Send different types of messages to devices over-the-air.
• Email – Send remote emails to any address on properly configured SMTP settings.
• SMS – Send remote SMS text messages to any phone number with an SMS service account with CellTrust and properly configured credentials.
• Push Notifications – Push notifications are available for Apple iOS, Android, and Windows Phone 8 devices to provide faster command response time from the console, and migration from cloud to deprecated device management.
o Send APNs messages to iOS device end-users that have the Agent installed, displaying the message body in the notification.
o Implement Google Cloud to Device Messaging for Android devices enrolled in MDM.
o Send Microsoft Push Notification messages to Windows Phone 8 device end-users enrolled in MDM that have the Company Hub App installed.
Lock Device
Lock the device, requiring the device user to unlock the device with the appropriate passcode for continued use.
Enterprise Wipe
Remove the device from MDM by un-enrolling and selectively wiping all of the Enterprise data contained on the device through MDM profiles, policies and internal applications. iOS devices are able to remove the Agent.
Device Wipe
Perform a full wipe of the device. Wiping the device removes all data, email, profiles, and MDM capabilities and the phone returns to a factory default state. Prior to the wipe, a device ownership confirmation message serves as a security precaution; a key code is a requirement for performing the device wipe.
NOTE: Device Wipe is subject to privacy settings as specified in Configuration ► System Settings ►
Device ► General ► Privacy.
Find Device
Play a set of audible notification tones on iOS devices to help end-users locate them.
Enable/Disable SD Card
Remotely enable or disable the SD card on the device.
Enforce Device Encryption
Encrypt internal storage in devices without encrypting the removable storage card.
DEVICE SEARCH
The Device screen is divided into three topics. Each topic is discussed in the following sections.
Device Search – Left Panel
• Location Group – Click the drop-down arrow to view the devices belonging to that location group and all child location groups.
• Saved Criteria – Click the drop-down arrow to select the last saved search criteria. This can save you time when you need to frequently perform the same search.
• Platform – Click one or more of the checkboxes to select the type of device for which you want to search in the grid.
• Model – Click the drop-down arrow to select the Model of the device based on the Platform you selected. If you choose more than one Platform, this feature is grayed out and no longer available.
• Ownership – Click any one of the four checkboxes to define who owns the device. It is recommended to leave Undefined unchecked, so that other console features are available to you when managing that device.
• Advanced Search – Click Advanced Search and the window below displays:
o Click one or more of the 13 available checkboxes to custom define an advanced Console search.
o For every checkbox selected, a respective field appears in which to enter search information, keywords, etc.
o Click [Search] to find devices that match the advanced search criteria.
The advanced search displays all the devices that match the search criteria in the grid.
Device Search - Top Panel
The top panel of the screen displays a bar with the following features:
Management
Management – Hover over to display a Lock Device and Enterprise Wipe drop-down window.
Select a line item from the grid by clicking its checkbox, and then do the following:
1. Select Lock Device to completely disable that device.
2. Select Enterprise Wipe to remove all corporate data from that device.
Support
Support – Hover over to display a Send Message and GPS drop-down window.
Admin
Admin – Hover over to display a Change Location Group and Delete Device drop-down window.
Select a line item from the grid by clicking its checkbox, and then do the following:
1. Select Change Location Group to move that device to a different location group.
2. Select Delete Device to remove that device from MDM.
Advanced
Advanced – Hover over to display a Warm Boot and Provision Now drop-down window.
Select a line item from the grid by clicking its checkbox, and then do the following:
1. Select Warm Boot to remotely reboot that device.
2. Select Provision Now to perform a number of configurations for that device.
Device Search - Main Panel
There are 11 column headings across the top of the grid:
• Last Seen
• Friendly Name
• C/E/S
• User
• First Name | Last Name | Email
• Platform
• OS
• Model
• Display Name
Sorted Fields – Click any of these headings, as shown in the figure above, to quickly reorganize device information based on your selection.
Grid Search – Click in this field and enter any search words, such as device Friendly Name, Display Model, etc., as shown below, and then press the <Enter> key to filter the device information that displays in the grid. You can use keywords (e.g., Group) and find all occurrences of line items in the grid that contain that keyword (e.g., Atlanta Group, Radiology Group, etc.).
DEVICE DETAILS
View device details to track detailed device information and quickly access user and device management actions. There are two ways to view the Device Details:
1. Click the Friendly Name of the device in the device dashboard.
2. When the Device Control Panel displays, click the name again.
OR use any of the available search tools to search for an individual device:
3. From the search results, click the Blue Friendly Name of the individual device to open the Device Details page:
DEVICE INFORMATION
The Device Information view displays by default when the Device Details page opens (it is also the General tab under Device Details).
§ Use the navigation bar on the left to access additional device information. iOS and Android devices offer different tabs in this bar.
General
From this view, administrators can see several general statistics about the current device, including:
• Device Enrollment, Compliance, Last Seen, and Enrollment Date
• Platform/Model/OS
• Device Ownership/Device Category
• Organization Group/Location
• Phone number (when available and subject to privacy settings as specified in Configuration ► System Settings ► Device ► General ► Privacy)
• Serial Number/UDID/Asset Number
• Power Status/Storage Capacity/Physical Memory/Virtual Memory
Apps
The Apps tab displays apps that are currently installed on the device.
Certificates
Identify device certificates by name and issuer. This tab also provides information about certificate expiration.
Compliance
Display the status, policy name, date of the previous and next compliance check, and the actions already taken on the device.
Content (iOS)
Provides a configurable view of content, and allows administrators to view content on individual devices. This tab displays the Status, Type, Name, Priority, Deployment, Last Update, and date and time of views, and provides a toolbar for administrative action (install or delete content).
Location
Select the Location tab under Device Details to view current location or location history of a device. This shows the GPS coordinates of the device (subject to privacy settings as specified in System Settings ► Device ► General ► Privacy). Last Known, the default, displays the most recently received coordinates.
To view GPS coordinates over a select period of time:
1. Select the time period for which you would like to view GPS coordinates from the Period drop-down menu.
Network
To view the current network status of a device, select the Network tab under Device Details.
Profiles
Display the profiles on a device.
Device Restrictions (iOS)
To show the Device Restrictions view, select Restrictions under Device Details.
From here, administrators can see all of the security restrictions that have been placed on the device through the use of restrictions profiles. This information is organized into four separate views: Device, Apps, Ratings, and Passcode.
Device
The Device tab displays all restrictions in effect for the device from a generic system-wide level. They are not limited in scope to individual applications or profiles like the other restrictions tabs.
Apps
The Apps tab shows the deployed application restrictions for the device.
• Allow use of YouTube will remove the YouTube application from the device so that end-users cannot use it.
• Allow use of iTunes Music Store and Allow explicit music and podcasts limit these specific features from within the iTunes applications.
• Allow use of Safari, Enable Autofill, Force Fraud Warning, Enable JavaScript, Enable Plugins, Block pop-ups, and Accept Cookies all apply to the Safari web browser application.
Ratings
The Ratings tab shows all the restrictions that determine content control of movies, TV shows, and apps from iTunes and the App Store. If content filtering is applied, only specific media that has a lower age rating will be permitted for download.
Passcode
The Passcode tab shows all the current settings of the passcode policy that has been provisioned to the device.
Security
Show the security status on the device.
Telecom
The Telecom section provides details about:
• Calls – Total number of minutes used and detailed call logs. Call logs include call time, duration, direction (incoming or outgoing), phone number, carrier information, and roaming status. NOTE: Phone numbers and carrier details are only available in Android devices.
• Data – Total cellular data usage on the mobile device, including daily logs for data sent/received.
• Messages – Total SMS/MMS messages that are sent and received (Android only) and detailed message logs.
NOTE: Information provided is subject to privacy settings as specified in Configuration ► System Settings ► Device ► General ► Privacy.
User (Android only)
Click this tab to access details about the user of a device, as well as the status of the other devices enrolled to this user.
DEVICE ACTIVITY
Alerts
To view all of the alerts that have been triggered by the current device, select Alerts under Device Activity.
§ From here, administrators can see specific alerting details for Severity, Priority, Attribute, Value, Duration, Alert Date, and Creation Policy.
CONFIGURATION
Attachments
To attach images, documents, or links that are relevant to the device, select Attachments under Configuration. There are three views in the attachments tab: Images, Documents, and Links. These categories are only used within the Group ID to help administrators organize attachments. Examples of relevant device information administrators may want to include in this area include:
• Copies of support tickets regarding the device.
• Screen shots from the device.
• Device support documentation.
DEVICE DETAILS MANAGEMENT
The Device Details Management menu is located underneath the device friendly name on the Device Details page. This menu provides shortcuts to quickly manage both the device and the user account associated with the device.
Move your mouse over Query, Management, Support, or Admin to see the drop-down menu management options.
Query
The Query menu allows the administrator to request information from the device. Click the category to send a query to the device. Select Query All to request all of the categories, or send individual queries for the following device information:
• Device information
• Security
• Profiles
• Apps
• Certificates
Management
The Management menu allows the administrator to instantly perform the following remote device actions:
• Clear Passcode – Clear the passcode on the remote device.
• Lock Device – Lock the device, requiring the end-user to unlock with a passcode for continued device use.
• Enterprise Wipe – Remove the device from MDM by un-enrolling and selectively wiping all enterprise data.
• Device Wipe – Perform a full wipe of the device.
• Set Roaming – Enable or disable the voice and data roaming options.
NOTE: Refer to the Remote Actions section for further explanation of the first four options.
Support
The Support menu provides options to instantly perform the following remote device actions on supported devices:
• Send Message – Allow administrators to send email, SMS, or push notifications to devices over-the-air.
• Find Device – Force iOS devices to make a set of audible notification tones to help end-users locate their devices.
• Remote View – Provide a remote view of select BlackBerry and Windows Mobile devices and applications. The capture button takes screenshots to preserve any issues and errors.
• Request Device Check In – Send a message to the device requesting a check-in with the Agent.
• File Manager – Browse the Android device file tree, create folders, and upload or download files remotely.
• Remote Control – Remotely control Windows Mobile and BlackBerry devices.
NOTE: Refer to the section on Remote Actions for further explanation of the first three options.
Admin
The Admin menu allows administrators to instantly edit the following device and user settings:
• Change Location Group – Edit the end-user’s location group.
• Edit Device – Edit the following device settings:
o Friendly Name
o Device Ownership type
o Device Group
o Device Category
• Delete Device – Delete a device, as well as any information created for that device, from MDM.
• Enroll – Enroll the device in MDM.
Advanced
Cloud Messaging (CM) provides the ability to securely communicate internally with devices. This functionality supports round trip request-reply messages, one-way push notifications with confirmations, and direct communication channel interactions without using queues, durability on demand, and flexibility via configuration. In this menu, you have the following options:
• Start CM – Click to start Cloud Messaging.
• Stop CM – Click to stop Cloud Messaging.
ADMINISTRATION EVENT LOG
The Admin Console records all administrative actions taken within the console and any device events sent to or received from devices and stores them in the Event Log. Administrators can view these events by using the Event Log dashboard, which can be accessed by navigating to Administration ► Event Log.
MDM tracks all events that occur in the Admin Console and on managed devices, and presents this data on both this primary event log, and on the device-specific event log found in the Device Control Panel. Administrators can select from the views on the left in order to view Device Events or Console Events.
From the dashboard, administrators can filter and/or sort events in a number of ways, including:
• Severity
• Date Range
• Device Friendly Name
• Source of event
• Category
• Event
The administrator can further track device events through the following actions available on this view:
1. Click [Refresh Data] to instantly update the Event Log.
2. With certain event types, administrators can also view more detailed event data by clicking the Event Data link in the right-hand column.
3. Type an event keyword into the Search Filter to filter the event log according to a type of event (for example, security events).
4. Additionally, the administrator can configure Syslog integration on the Syslog settings page (located in Configuration ► System Settings ► Admin ► Event Log).
End-User Self-Service
The Self-Service Portal allows end-users to remotely monitor and manage their smart devices. The Self-Service Portal gives administrators the ability to view relevant device information for any of their enrolled devices and to perform remote actions such as clear passcode, lock device, or device wipe.
Enabling the Self-Service Portal
End-users of iOS and Android devices can access the Self-Service Portal directly from their device.
• Allowing managed devices to access the Self-Service Portal simplifies the administrative experience by allowing end-users to:
o View important compliance information.
o Download optional profiles.
o Manage multiple devices on one device from the Self-Service Portal.
For end-users to access the Self-Service Portal from their device, the administrator must first deploy a Web Clip (iOS) or bookmark (Android) profile containing the Self-Service Portal web-based application URL.
For Android Devices:
1. Navigate to Profiles & Policies ► Profiles.
2. Select [Add].
3. Enter in Basic Profile Information in the General Settings.
4. Select the device platform.
5. Name the profile. For example: Self-Service Portal Web Clip for iOS Devices.
6. Specify root location groups to manage the profile and be assigned the profile.
7. You may also specify User Groups to which to deploy the profile.
8. Select the Web Clip (iOS) or Bookmark (Android) icon on the left sidebar.
9. Enter in the Profile Information.
For iOS Devices:
1. Navigate to System Settings ► Device ► Agent Setting.
2. Check the Self-Service Enabled box.
• Label – The text displayed beneath the Web Clip icon on an end-user’s device.
o For example, Self-Service Portal.
• URL – The URL that the Web Clip will display.
o This field supports lookup values so that the administrator can more easily configure the custom SSP URL.
• Removable – Check the box to allow the end-user to remove the SSP web clip.
• Icon – To add a custom icon, select a graphic file in .gif, .jpg, or .png format.
o For best results, provide a square image no larger than 400 pixels on each side and less than 1 MB in size when uncompressed. The graphic will be automatically scaled and cropped to fit, if necessary, and converted to .png format. Web clip icons are 104 x 104 pixels for devices with a Retina display or 57 x 57 pixels for all other devices.
3. When complete, click [Save and Publish] to immediately send the profile to all appropriate devices.
Privacy Settings NOTE: Access to information and Remote Actions in the Self-Service Portal is determined by both Privacy settings (Configuration ► System Settings ► Device ► General ► Privacy) and Role settings (Users ► Admin Accounts). If multiple settings are in place, the strictest policy is enforced.
Retiring a Device
In the event that a device must be removed from mobile device management, there are several possible methods to unenroll the device from different sources.
• Automatic Unenrollment – The Compliance Engine can be configured so that when devices do not comply with Application or Device compliance policies, they are automatically unenrolled from mobile device management.
• Administrative Unenrollment – Administrators can also unenroll devices over the air in one of two ways:
o The administrator may manually perform an Enterprise Wipe from the Device Dashboard page or the Device Details page.
o An administrator may also set up the MDM environment to automatically perform an Enterprise Wipe on the devices of deactivated users. The administrator must first make sure the Default Action for Inactive Users is set to Enterprise Wipe Currently Enrolled Devices. This can be done from the Enrollment page (Configuration ► System Settings ► Device ► General ► Enrollment). Once this has been configured:
§ The admin can manually deactivate users by navigating to Administration ► User Accounts, checking the user accounts, and then clicking the Deactivate link at the top. This will unenroll all devices under that user.
§ If AD/LDAP has been integrated with the MDM environment, any users that are deactivated/removed from AD/LDAP will automatically be deactivated from the MDM environment, thus causing their device(s) to be automatically unenrolled.
• End-User Unenrollment – If an end-user decides to opt out of corporate mobile device management, then they can initiate the unenrollment process from their own devices. Although the process is different for each manageable platform, the general process involves removing the administrative privileges of MDM and removing any agents from the device.
BYOD CONFIGURATION BEST PRACTICES
An increasing number of corporations are implementing BYOD programs, and it is easy to configure MDM settings to take into account device ownership type when deploying profiles, restrictions, compliance policies, and other important settings. The following configurations are recommended for BYOD deployments:
Assign Profiles and Policies by Ownership Type
• Leverage the Ownership field when specifying the assignment criteria for applications, profiles, content, and compliance policies to ensure that employee-owned devices receive fewer restrictions than corporate-dedicated devices.
Configure Privacy Settings
Configure the Privacy settings (System Settings ► Device ► General ► Privacy) to protect the personal data of your employees:
• Disable the ability to issue a full device wipe on personal devices:
Isolate Corporate Content
Use the Secure Content Locker to isolate and protect corporate content on personal devices. The following settings enforce maximum restrictions for content:
• Allow Online viewing only
• Force encryption
• Disable Open in Email
• Disable Open in Third Party Application
KEEP IN MIND…
• Before performing remote actions on a device, take into account the device ownership type.
• The administrator may also want to use privacy settings (specified in Configuration ► System Settings ► Device ► General ► Privacy) and role permissions (specified in Users ► Admin Accounts ► Roles) to restrict lower-tier administrator access to employee-owned device data.
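The BYOD guidance above (consider ownership type before a remote action, and do not allow full device wipes on personal devices) can be checked after the fact against the Event Log export. The following is an added example, not part of the original guide or the product: it joins a constructed Event Log .csv with a constructed device-list export, and the column names, ownership labels, and "... Requested" event names are assumptions to be matched to the real exports.

```python
import csv
import io

# Constructed sample of an Event Log export (.csv). The column names and the
# "... Requested" event names are assumptions; match them to the real export.
EVENT_LOG_CSV = """\
Date,Severity,Source,Device Friendly Name,Event,Administrator
2014-03-02 09:14,Information,Server,jdoe-iPhone,MDM Enrollment Complete,
2014-03-02 09:20,Information,Server,jdoe-iPhone,Install Profile Requested,admin1
2014-03-04 16:02,Warning,Server,jdoe-iPhone,Device Wipe Requested,helpdesk2
2014-03-05 11:45,Warning,Server,kiosk-07,Device Wipe Requested,admin1
2014-03-06 08:30,Warning,Server,asmith-Galaxy,Enterprise Wipe Requested,helpdesk2
2014-03-06 10:10,Warning,Server,lab-tablet,Lock Device Requested,helpdesk2
2014-03-07 13:00,Warning,Server,ghost-device,Enterprise Wipe Requested,admin1
"""

# Constructed sample of the Dashboard grid export, saved as CSV. Column names
# and ownership labels are assumptions.
DEVICE_LIST_CSV = """\
Friendly Name,Ownership,Platform
jdoe-iPhone,Employee Owned,Apple iOS
kiosk-07,Corporate Dedicated,Android
asmith-Galaxy,Employee Owned,Android
lab-tablet,Undefined,Android
"""

# Remote actions from the guide's Remote Actions menu that change device state.
REMOTE_ACTIONS = ("device wipe", "enterprise wipe", "lock device", "clear passcode")


def load_ownership(device_csv):
    """Map lower-cased Friendly Name -> ownership type from the device export."""
    reader = csv.DictReader(io.StringIO(device_csv))
    return {row["Friendly Name"].strip().lower(): row["Ownership"].strip()
            for row in reader}


def classify(event_name, ownership):
    """Return a finding for a remote-action event, or None if nothing to review."""
    name = event_name.strip().lower()
    action = next((a for a in REMOTE_ACTIONS if a in name), None)
    if action is None:
        return None  # enrollment, profile installs, etc. are out of scope
    if ownership is None:
        return "remote action on a device missing from the device export"
    if ownership.lower() == "undefined":
        return "remote action on a device with undefined ownership"
    if action == "device wipe" and ownership.lower() == "employee owned":
        return "full device wipe on an employee-owned device"
    return None


def audit(event_csv, device_csv):
    """Join the two exports on Friendly Name and list events needing review."""
    ownership = load_ownership(device_csv)
    findings = []
    for row in csv.DictReader(io.StringIO(event_csv)):
        device = row["Device Friendly Name"].strip()
        finding = classify(row["Event"], ownership.get(device.lower()))
        if finding:
            findings.append({
                "date": row["Date"],
                "device": device,
                "event": row["Event"].strip(),
                "admin": row["Administrator"].strip() or "unknown",
                "finding": finding,
            })
    return findings


if __name__ == "__main__":
    for f in audit(EVENT_LOG_CSV, DEVICE_LIST_CSV):
        print(f"{f['date']}  {f['device']:<14} {f['event']:<26} "
              f"by {f['admin']:<10} -> {f['finding']}")
```

An Enterprise Wipe on an employee-owned device is not flagged, since the guide describes it as removing only enterprise data; only the full Device Wipe and actions on devices with undefined or unknown ownership are reported.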