IBM Security MaaS360


Spring cleaning your devices in MaaS360!

By Margaret Radford posted Fri March 22, 2019 09:23 AM

  


Spring is in the air, and there’s no better time to talk about cleaning up devices in the MaaS360 portal!

Why should I clean up my devices?

 

The benefits are twofold:

For one, this allows you to free up unused licenses that can be reused on other devices.

Secondly, it allows you to keep accurate device counts in your reports and workflows.

Before we begin, let’s step back and review a couple things – like how devices get into the portal in the first place – and the key data to use when cleaning up your devices. If you know all of this already, go to the Cleaning up devices section of the blog.

How devices get into the MaaS360 portal – and their Managed Status

Devices get into the MaaS360 portal in the following ways:

  • Bulk enrollments by an administrator
  • Imports from Microsoft Exchange, Microsoft O365, IBM Traveler, or G Suite mail environments using MaaS360 Cloud Extender or API configuration
  • Administrator managed programs such as Android Zero-touch Enrollment (ZTE), Apple Device Enrollment Program (DEP), or Knox Mobile Enrollment program
  • Single enrollments by an end user


After a device has been enrolled in MaaS360, it periodically reports into MaaS360 and MaaS360 records that check-in time as Last Reported.


This Last Reported date and time is important in identifying devices that need to be cleaned up or require some administrative investigation.


In the example below, the device is Enrolled and has not reported into MaaS360 for over a month. An Enrolled device might stop reporting into the portal for an extended period when it is traded in, is no longer in commission, or is wiped manually. The enrolled device still counts towards your device license usage and is included in the device inventory view and reports.


When you enroll a device, an active device record is created in the MaaS360 portal. This record remains active until an administrator decides to Remove Control from the portal or Hide the device record.

 
Important: For auditing purposes, MaaS360 does not delete records from the portal; devices are marked with a Managed Status of Inactive. In fact, you can view your Inactive devices in the Device Inventory view by changing the Managed Status filter to show Inactive devices or by using Advanced Search.

 

When devices are imported from a messaging service such as O365, MaaS360 imports all device records that are visible to it, which can include old records that have not reported into the mailbox service for an extended period of time. Device records are imported with a Managed Status of Not Enrolled (ActiveSync Managed). When the device enrolls in MaaS360, the two records are merged into one Enrolled (ActiveSync Managed) record. But some of the old records remain as Not Enrolled (ActiveSync Managed) and need to be cleaned up.

 

There are 3 device record fields you must pay attention to when cleaning up the portal: Last Reported, Mailbox Managed, and Managed Status.

| Managed Status | Managed Status Definition | Displays in Device Inventory |
|---|---|---|
| Enrolled | The device is enrolled in MaaS360. | Yes |
| Enrolled (Mailbox Managed) | The device was imported from Microsoft Exchange, O365, IBM Traveler, or G Suite and the user enrolled the device in MaaS360. | Yes |
| User Removed Control | The device user removed control from the device. The device is no longer enrolled in MaaS360. | Yes |
| Pending Control Removal | The administrator initiated a remove control action on the device, but the device cannot be reached to complete the action. | Yes |
| Not Enrolled (Mailbox Managed) | The device was imported from Microsoft Exchange, O365, IBM Traveler, or G Suite. The user did not enroll the device in MaaS360. | Yes |
| Inactive | The MaaS360 Administrator removed control from the device or used the Hide action on a device. | No |

 

In this example, the Device Inventory View shows device records with Last Reported, Mailbox Managed, and Managed Status. Note that by default, Inactive devices are not displayed in the view. You must change the filter in the Managed Status column to view Inactive devices or use Advanced Search.



Cleaning up devices

In this section you learn manual and automatic methods to clean up devices that are no longer reporting into MaaS360.


Manually clean up devices in the portal

In some cases, as an administrator, you might want to review devices with a long inactivity period (Last Reported more than X number of days) before you Hide them. A suggested method is to use an alert in the My Alert Center. By default, a Long Inactivity alert is provided. You can update the default or create a new one based on the criteria you want to set for administrative review.



Set the criteria to the desired Last Reported length (for example, 30 days) and the Managed Status you want to review. In this example, you want to review Enrolled devices that have not reported in more than 30 days.

  • Search for: Active Devices
  • Last Reported: More Than 30 Days Ago (Define this based on your company guidelines)
  • Search Condition: Any (OR)
  • Search Criteria: Hardware Inventory (Managed Status) Equal to Enrolled


Click the Alert to manually review the list of devices, contact the device owner if necessary, and use the Hide action to set the devices to Inactive. 


Important:
Only Hide the device if you are sure it will not be checking in again. 

Note: You can also use the Hide action for each device record in Device Inventory to render a device inactive.

Automatically clean up devices in the portal


In this example, you use a device group with dynamic actions to automatically clean up devices in the portal without the need for Administrator intervention.

In the portal, create a device group with devices that have not reported into MaaS360 in a defined period, for example 30 days.

  • Click Devices > Groups and click Add > Device Group.
  • Enter Advanced Search criteria:
    • Search for: Active Devices
    • Last Reported: More Than 30 Days Ago (Define this based on your company guidelines)
    • Search Condition: Any (OR)
    • Search Criteria: Hardware Inventory (Managed Status) Equal to User Removed Control OR Hardware (Managed Status) Equal to Pending Control Removal


Note:
We did not include Enrolled devices with a Last Reported date of more than 30 days for automatic clean up. We suggest that you create an alert that includes only Enrolled devices with a Last Reported value you define, and review those devices manually.

The results are displayed. The Last Reported and Managed Type information should match your criteria.

  • Click Create New Device Group.
  • Enter a description and save the group. The group displays in the Groups pane.
  • To Hide devices in the group, click Hide Devices.


You also have the option to hide devices for all future device group members. This feature is enabled by default. This is the best option if you want the device group to automatically clean up devices based on the criteria you defined. This is considered a dynamic action group.

  • Click Submit. Device groups are evaluated for dynamic actions on a scheduled basis.
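Before enabling the dynamic Hide action, it helps to dry-run the same criteria offline and see which records each path would touch. The script below is an added example, not MaaS360 code: it applies the alert criteria (Enrolled) and the device group criteria (User Removed Control, Pending Control Removal) from this post to a constructed CSV whose column names and date format are assumptions, not the portal's export schema.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample export; column names and date format are assumptions,
# not the portal's actual export schema.
SAMPLE_CSV = """Device Name,Managed Status,Last Reported
tablet-01,Enrolled,2019-03-20 08:15
phone-02,Enrolled,2019-01-05 17:40
phone-03,User Removed Control,2019-02-01 09:00
phone-04,Pending Control Removal,2019-03-15 12:30
phone-05,Pending Control Removal,2018-12-24 23:10
phone-06,Not Enrolled (Mailbox Managed),2018-11-02 06:45
phone-07,Enrolled,
"""

# Statuses the post hides automatically vs. those it keeps for human review.
AUTO_HIDE = {"User Removed Control", "Pending Control Removal"}
MANUAL_REVIEW = {"Enrolled"}


def triage(csv_text, now, max_age_days=30):
    """Split stale records into auto-hide and manual-review buckets."""
    cutoff = now - timedelta(days=max_age_days)
    result = {"auto_hide": [], "manual_review": [], "unparsed": []}
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = (row["Device Name"] or "").strip()
        status = (row["Managed Status"] or "").strip()
        raw = (row["Last Reported"] or "").strip()
        try:
            last = datetime.strptime(raw, "%Y-%m-%d %H:%M")
        except ValueError:
            # Never guess at a missing or malformed timestamp: surface it.
            result["unparsed"].append(name)
            continue
        if last >= cutoff:
            continue  # reported within the window, leave it alone
        if status in AUTO_HIDE:
            result["auto_hide"].append(name)
        elif status in MANUAL_REVIEW:
            result["manual_review"].append(name)
        # Mailbox-managed records are left to the Cloud Extender clean up.
    return result


if __name__ == "__main__":
    buckets = triage(SAMPLE_CSV, now=datetime(2019, 3, 22, 9, 23))
    for bucket, names in buckets.items():
        print(f"{bucket}: {', '.join(names) or '-'}")
```

Records with no usable Last Reported value are reported separately rather than treated as stale, so a bad export cannot put a device in the hide list.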



Auto-clean up Mailbox Managed devices (e.g., O365)


When devices are initially imported from a messaging service such as Microsoft Exchange or Office 365, there might be a large number of old device records that were never cleaned up in the source environment. This could be the first time that an administrator has a view into all the devices that have connected to a mailbox. Therefore, administrators might not want to immediately configure the automatic clean up settings and might opt to review these old records before deleting them from the mail service. When these old records are imported into MaaS360, they are set with a Managed Status of Not Enrolled (ActiveSync Managed).

This section covers the case where the administrator wants the MaaS360 Cloud Extender to automatically clean up old devices in the source mail environment and also remove the Not Enrolled (Mailbox Managed) record in MaaS360.

  • In the MaaS360 portal, click Setup > Cloud Extender Settings.
  • Click Exchange ActiveSync.
  • Click
  • Go to the Device Record Clean Up Settings
  • Click Enable Automated removal of old ActiveSync records.
  • Configure the time interval for the devices that you want removed. For example, select devices that have not reported into the messaging service mailbox in more than 30 days. Choose the frequency, day of the week, and time of day that you want the automated record cleanup to run.
  • You can also have the Exchange record automatically removed from the messaging service when the device is removed from MaaS360, by clicking Delete record in Exchange server on device removal in MaaS360.


License Management Considerations

If License Management is enabled for your portal, there are certain scenarios where the license can remain on an Inactive or Pending Control Removal device which counts toward your total Licenses Consumed. 

Review the product documentation on how to revoke and free up those licenses. https://www.ibm.com/docs/en/maas360?topic=devices-revoking-license-entitlements-from-device-in-inactive-pending-remove-control-state


Note:

In this blog we reviewed how to use the My Alert Center, Device Groups with dynamic actions, and Cloud Extender Settings to manually and automatically clean up devices. Always remember to only Hide devices that you don’t think will be checking in again. But if an old enrolled device comes back online and has not exceeded the OS maximum for last check in communication, it will revert from Inactive to Enrolled and display in Device Inventory again.



#MaaS360


Comments

Wed October 12, 2022 09:10 AM

Note: hiding removes devices from the inventory and clears a license. 
If an iOS device doesn’t communicate for 30+ days then it won’t ever communicate again and they will have to reenroll. 
If it's Android they can communicate again.

Tue August 27, 2019 11:47 AM

Fantastic Margaret!! Many thanks for doing this.

Wed May 15, 2019 11:04 AM

The replay of the webinar "Spring Clean Your Device Management"  is now available for viewing here
Ryan Schwartz (MaaS360 Product Marketing) and I talk about best practices for keeping your UEM environments, and specifically the MaaS360 portal streamlined and up to date.