IBM MaaS360

IBM MaaS360

Join this online user group to communicate across Security product users and IBM experts by sharing advice and best practices with peers and staying up to date regarding product enhancements.

 View Only

You've got questions - we've got answers! Dynamic device management (Ask Me Anything)

By Margaret Radford posted Thu July 06, 2023 05:48 PM

  

The IBM MaaS360 Customer Success team recently hosted an Ask Me Anything about Dynamic device management.  You can expect more Ask Me Anything's in the future, with our next one planned for Sept 2023! Have an idea for a topic, comment below or send a suggestion to the IBM MaaS360 Customer Success team at csmaas@us.ibm.com  

Topics in the June 21, 2023 Ask Me Anything included:

  • Dynamic Policy Assignment
  • Policy Precedence
  • Open Q&A 

If you have any additional questions, post them as a reply to this blog. You can also reach out to your account representative or you can contact the IBM MaaS360 Customer Success team by selecting Contact Us at our success hub located here. https://ibm.biz/maas360csm

For reference here are the answers to your questions that you posed during the session and a link to the presentation and replay. Thanks to all who joined us, we had a great discussion! 

Link to Presentation

Link to Replay 

Ask Me Anything Questions and Answers (the replay above also has demonstrations for each answer) 

Q: Does MaaS360 have an historical view of a devices location for a defined period of time, i.e. several days or a week.

A: Yes, In the Device Inventory record, select Summary Location Information. By default the last known location is displayed. You can then select the Filter icon next to the Time Column and choose the time criteria, Last 1 Days, Last 7 Days or you can enter a Custom time period.

Note: By default Location History is disabled. In the same screen as noted above, you can enable Location History for all devices. The device itself must have Location Services enabled in order to track the history.

Q: What's the time frame between the device being added to a device group and a notification from MaaS360 ?

A: It should be pretty quick as we saw in the demo. User groups tend to be faster. Device groups can take up to 24 hours to refresh. But Device Groups also have a Device Refresh action below each group in the Groups Workflow.  The refresh forces the Device Group to do a scan, and any actions that are a push action will go out to the devices. If the device is not online or not communicating,  MaaS360 cannot send an action at that time.

Q: Is there any way to remotely set the location for MaaS360 to always allow without manually needing to do so on the device?

A: This is going to be different based on what operating system your devices are running. So for Apple devices, we have little to no control directly over location services, even if the devices are fully corporate owned,  supervised and connected to Apple Business Manager. Apple does not let MDMs fully control location services. So for Apple devices controlling location services will be manual. For example, you can create a Device Group with criteria that selects all devices with Location Services disabled and use a Compliance Rule’s group based rule to take actions such as alerting the user, changing the policy, or selectively wiping the device after initial warnings.

For Android, if the devices are enrolled through Android Enterprise device owner mode to the fully corporate owned mode for Android Enterprise. You do have options inside of the policy to enable location services on the device itself and the runtime permissions inside policy for the MaaS360 App enable locations.

Q:  What happened with applications not installing automatically, it seems you have to distribute apps manually?

A: App distributions are all going be based on what you have specifically set on your applications in the MaaS360 App Catalog. In any case, you want to ensure  it is distributed to a group or device in the App Summary section. 

When you distribute iOS Apps, you can select to Install Automatically and to Retry app install on failure up to five times.

For Android devices, in the App Catalog under Install Settings, you can select Install Automatically and also select Retry installation.

It’s worth double checking your device to make sure it's in the correct groups to do the installs. If it is, and you’re using the Volume Purchasing Program, there is a chance that you may have something misconfigured, such as the license type for the installation. In this case, you want to reach out to IBM Technical Support or your support providing IBM Business Partner to help you troubleshoot the issue.

Q: How do I save a device group, it only gives me the option to search.

A: After you select your Search Criteria and select Search button in the Advanced Search, the next screen shows your results and at the very top there is a Create New Device Group button to create the group.  If you do not see the Create New Device Group button, this could be based on your portal permissions or a caching issue with your browser – clear cache and try again.

Q: Is there a way to force bulk iOS updates?

A:  Yes, there is. Go to Devices> Groups, you do have to be looking at a device group, not a user group to see this action. For example, find the iOS Device Group and select the More option and then Push iOS Update . There are three different actions you can take:  download and install, download only,  and install previously downloaded. You can also specify the specific OS versions as well, based on what you need. Download is going to generally need wi- fi to complete and have enough power. I believe some newer Apple devices can download over 5G  if they are 5G enabled and then install does require the device to be idle.

Install needs at least 30 percent battery while plugged in or fifty percent while not plugged in to complete the install. Generally it's going to try to install when the device is asleep on wi- fi and plugged in wich tends to be overnight for most users.

Q: MaaS360  used to be able to do factory reset on a managed iPhone that has the user's iCLoud account. Can you bring that back?

A: We can still send out factory reset actions to devices. If you are referring to disabling activation lock, that is available in the Device Record’s More Menu by selecting the Wipe action. The device must be in supervised mode in order to see the clear activation lock option.

Q: Have an Android that says out of compliance reason enable usage access permission in the portal. Is there a way to enable remotely?

A: That should be one of the options in policy. Go to the Android Security Policy. Go to the Security section of the policy and search on “permissions” . Under Security> App Security you can set Default runtime permissions for apps. You can also enable Configure runtime app permissions , enter the specific appid for your app and the specific permissions to Default, Always Deny, and Always Allow.

Q: How do I enter a Request for Enhancement?

A: In the portal, select the ? icon in the upper right, and then select Submit an Idea.

Q: What’s the best way to do the OS updates for the phones, either iOS or Android? 

A: For iOS Supervised devices you have one policy option and one policy option only for updates. Go to your iOS Security Policy and expand  Supervised Settings> Restrictions & Network and expand Software Updates Force Delay Settings. When you enable that, updates can be delayed for up to 90 days. That is the only option Apple provides to do anything through policy on application updates. Otherwise, for supervised devices, you can push the policy updates through a Device Group as mentioned earlier.  

For Android devices, use the System Update Settings in the Android policy. Enable System Update Settings which apply to Android device enrolled in Device Owner or Work Profile Corporate Owned. You have the option to Install immediately, Install during maintenance window only, and Postpone updates. You also have the option of entering a Freeze period so as not to allow updates in a certain timeframe.

If you have Zebra or Bluebird devices, you have the option of using a Device Group and selecting the Manage Android Devices action to push updates.

Q: After wipe and clearing activation lock, the users iCloud (Apple ID)  account is still on the device. Is there anything else that can be done to clear the activation lock from the phone.  

A: You have the option in iOS Security policy under Supervised Settings, to disallow Activation Lock – but this is not retroactive. So if they have already enabled it, it does not disable it.

A: When you select Clear Activation Lock from the More menu for device in Device inventory, MaaS360 attempts to clear it automatically. But in some scenarios, this is not possible and a manual code is made available.   When you start up the device and are prompted for the iCloud account credentials,  you leave the username blank, and enter the supplied bypass code into the Password field. The following article provides instructions on how to clear the activation lock manually:

https://www.ibm.com/support/pages/clearing-activation-lock-manually-ios

0 comments
11 views

Permalink

https://community.ibm.com/community/user/blogs/margaret-radford/2023/07/06/youve-got-questions-weve-got-answers-dynamic-devic