The IBM MaaS360 Customer Success team recently hosted an Ask Me Anything about Security Policies. You can expect more Ask Me Anythings in the future, with our next one planned for Jan 17, 2023! Have an idea for a topic? Comment below or send a suggestion to the IBM MaaS360 Customer Success team at firstname.lastname@example.org
Topics in the November 15, 2023 Ask Me Anything included:
- Policy workflow features
- Key policy components, tips and best practices
- Stay up to date with new policy changes
If you have any additional questions, post them as a reply to this blog, reach out to your account representative, or contact the IBM MaaS360 Customer Success team by emailing email@example.com.
For reference, here are the answers to the questions you posed during the session, along with a link to the presentation and replay. Thanks to all who joined us; we had a great discussion!
Link to Presentation and Replay
Ask Me Anything Questions and Answers (the replay above also includes demonstrations for each answer)
Q: How do you completely remove a user and device? I have tried but in MaaS360 it shows the user's device as "Pending Control Removal". Follow up Q: Will that remove the license that is associated with that device?
A: If the device is in Pending Control Removal, that typically means it is no longer reachable, so the remove control/wipe action could not complete. In device inventory, you can choose the device and then select Hide for the device. The device needs a connection to remove the MaaS360 agent, but hiding the device will remove it from inventory. Pending Control Removal devices do not count towards your used license count.
Q: Is there a way around having to set a username and password for Android devices when enrolling via Samsung Knox?
A: There are two ways to do this:
- There is Userless Enrollment with the KME integration: "This option applies to Corporate Shared mode enrollments. If you select this option, the user-specific fields Enrollment Email ID, Username, Password, and Domain are unavailable. MaaS360 skips the user authentication during the enrollment process and enrolls the shared device in a signed-out state without attributing the device to a specific user." The user does ultimately have to sign in; it just lets them complete setup without having to enter a username.
- Alternatively, you can hard-code a generic username: a fake username/domain and fake password. The Google Play account type must be Device for this. You can have every single device in your portal enrolled against the same exact credentials, and your users don't have to type in any credentials at the device level during setup. The biggest gotcha here is that on Android, your devices are always displayed as username-dash-model number. So you're going to want to at least prompt for an asset number or a device name, so that during setup you can put in something like "Truck 1", "Truck 2", "Truck 3" if you're a trucking company, or "Front Desk Lobby 2", and so forth. Otherwise, you will have to search by serial number or IMEI number to identify an individual device.
Q: For the iOS passcode, is there a way to keep it as 4 numbers for the passcode?
A: A description of iOS passcode settings is found here: https://www.ibm.com/docs/en/maas360?topic=device-passcode
Q: Question on Allowed Apps vs Disabled Apps on the security settings. I have noticed that we can not use both options at the same time, but they each have an element that is nice to be implemented at the same time. We would like the option to have only specific apps allowed and all other apps not able to be downloaded. Disabled apps has been difficult to use since we have to list ALL apps we don't want used so we tried the allowed apps but then the ones we want disabled are still being allowed, especially the apps that come with the tablets.
A: In Android Enterprise Settings > App Compliance, Configure allowed system applications, Configure Restricted Apps, and Configure Disabled Apps can all be set in parallel. You might also need to "Restrict Personal Accounts in Google Play" so users cannot use personal Google Accounts to access the Play Store: Android Enterprise Settings > Accounts.
Q: Having a device in Supervised mode is there a way to back up and restore to a new device and still be supervised?
A: A restore cannot supervise a device; the only way to supervise a device is to use Apple Configurator or Apple DEP. General practice is not to restore to a supervised device. https://www.ibm.com/support/pages/dep-ios-backup-and-restore-guide
Q: For my iOS policies, under "Supervised Settings", I only see DNS Proxy and Bluetooth.
A: Generally, if you're not seeing all of your options under Supervised Settings and you only see two or three, that means you most likely turned off the option for supervised settings or it was somehow disabled. Go to Setup > Settings > Directory and Enrollment > Advanced Enrollment Settings > Advanced Management for Apple Devices > Advanced Enrollment Settings and ensure Setup Supervised Devices Using Apple Configurator is checked. Save your settings page, and when you go back to your policy you should see the rest of the settings displayed.
Q: Which way does it make more sense to manage device groups? We are currently using the device's names that we set?
A: Ultimately, it's going to be whatever is the easiest way for you to get your devices into a group together. You can use a custom attribute on a device, so you tag a device with the attribute. You can even consider the device name as an attribute: if you have a systematic naming convention, use that to make your device groups. So, for example, if you're using Apple Business Manager and DEP with the autoname feature and you have devices one through fifteen, you have all of them appearing in one group, and they're all doing the same work. For Android, maybe you're using an automated enrollment program like Knox Mobile Enrollment and you're typing in "Store 12" or "Truck 4"; you make it so anything with the word "truck" in it is always going to be in the same group and always going to receive the same policy. Use that to your advantage.
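The naming-convention approach above can be checked before you build the groups in the portal. The script below is an added example, not IBM MaaS360 code: it applies ordered keyword rules (first match wins) to a list of device names and reports any device that matches no rule, which is exactly what happens to an Android device that was left with the default username-dash-model name. The rules, group names and device names are constructed for illustration.

```python
"""Dry-run device grouping by naming convention (added example, not MaaS360 code)."""
import re

# Ordered rules: (regex, group name). The first pattern that matches wins.
# Patterns and group names are constructed examples, not MaaS360 defaults.
GROUP_RULES = [
    (r"\btruck\b", "Trucks"),
    (r"\bstore\b", "Stores"),
    (r"\bfront desk\b|\blobby\b", "Front Desk"),
    (r"^ipad-\d+$", "Autonamed iPads"),   # DEP/ABM autoname style, e.g. iPad-07
]


def group_for(device_name, rules=GROUP_RULES):
    """Return the group a device name falls into, or None if no rule matches."""
    for pattern, group in rules:
        if re.search(pattern, device_name, re.IGNORECASE):
            return group
    return None


def assign_groups(device_names, rules=GROUP_RULES):
    """Return (groups, unassigned): groups maps group name -> device names,
    unassigned lists names that match no rule and would need a manual fix."""
    groups = {}
    unassigned = []
    for name in device_names:
        group = group_for(name, rules)
        if group is None:
            unassigned.append(name)
        else:
            groups.setdefault(group, []).append(name)
    return groups, unassigned


# Constructed inventory: four named via KME/Configurator prompts, one DEP autoname,
# and one Android device left at the default "username-model" display name.
SAMPLE_DEVICES = [
    "Truck 1",
    "Truck 2",
    "Store 12",
    "Front Desk Lobby 2",
    "iPad-07",
    "generic-ModelXYZ",   # no naming convention applied -> ends up unassigned
]

if __name__ == "__main__":
    groups, unassigned = assign_groups(SAMPLE_DEVICES)
    for group, names in groups.items():
        print(f"{group}: {', '.join(names)}")
    if unassigned:
        print("No rule matched (rename or tag these):", ", ".join(unassigned))
```

Run it against an exported device list before committing to the convention; a long "unassigned" list is the signal that the enrollment prompt for an asset number or device name is not being filled in consistently.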
Q: Where is the setting that prevents Android phone users from installing any Apps that are not in the MaaS360 App Catalog?
A: When it comes to Android Enterprise and MaaS360, the only applications that are going to show up in your app store or your Google Play Store on the device are going to be the applications you have added to your MaaS360 App Catalog and made available to your users. So a user is not going to be able to just follow a link to the Facebook app and install it if the device is enrolled into Android Enterprise, because the Play Store does not know it as an approved application. So as long as you're not allowing users to add personal Google accounts, or, if you are letting them use Google accounts, you enable Restrict Personal Accounts in Google Play, which will only allow them to use the personal account for email, photos, etc., they're not going to be able to access that account inside the Google Play Store. That is what allows your users to toggle which account they are using and download any app that is available. Go to Android Enterprise Settings > Accounts to configure.
Q: Can I export the template settings so that I can compare with my active policies?
A: Yes, create a test policy based on the template settings, export that policy, then export your existing policy and compare. The Export option can be found below the policy setting name in Security > Policies, or by opening the policy and selecting the 3 vertical dots in the upper right and selecting Export Policy.
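The comparison step can be scripted once both exports are in hand. The following is an added example, not IBM MaaS360 code; it assumes each export has been loaded into a nested Python dict (for instance with json.load, if your export is JSON, or after converting it), since the page does not specify the export format. It flattens each policy into "Section > Setting" paths and reports settings that exist in only one policy or that hold different values, so template defaults that drifted in the active policy stand out. The two sample policies are constructed, not real MaaS360 output.

```python
"""Compare a template-based test policy with an active policy, setting by setting.
Added example, not IBM MaaS360 code. Assumes both exports are nested dicts."""
import json


def flatten(settings, prefix=""):
    """Turn a nested dict into {"Section > Setting": value} pairs."""
    flat = {}
    for key, value in settings.items():
        path = f"{prefix} > {key}" if prefix else key
        if isinstance(value, dict):
            flat.update(flatten(value, path))
        else:
            flat[path] = value
    return flat


def diff_policies(template, existing):
    """Return the differences between a template-based policy and an active one.

    Keys: 'only_in_template', 'only_in_existing' (sorted setting paths) and
    'changed' (path -> (template_value, existing_value)).
    """
    t, e = flatten(template), flatten(existing)
    return {
        "only_in_template": sorted(k for k in t if k not in e),
        "only_in_existing": sorted(k for k in e if k not in t),
        "changed": {k: (t[k], e[k]) for k in sorted(t) if k in e and t[k] != e[k]},
    }


def report(diff):
    """Render the diff as one human-readable line per finding."""
    lines = []
    for path in diff["only_in_template"]:
        lines.append(f"missing in active policy: {path}")
    for path in diff["only_in_existing"]:
        lines.append(f"not in template: {path}")
    for path, (template_value, active_value) in diff["changed"].items():
        lines.append(f"differs: {path}: template={template_value!r} active={active_value!r}")
    return lines


# Constructed sample exports (illustrative JSON, not real MaaS360 output).
TEMPLATE_POLICY = json.loads("""{
  "Passcode": {"Require Passcode": true, "Minimum Length": 6, "Allow Simple": false},
  "Restrictions": {"Allow Camera": true, "Allow Screenshots": true},
  "Supervised Settings": {"Allow Bluetooth Modification": false}
}""")

EXISTING_POLICY = json.loads("""{
  "Passcode": {"Require Passcode": true, "Minimum Length": 4, "Allow Simple": true},
  "Restrictions": {"Allow Camera": false},
  "Accounts": {"Restrict Personal Accounts in Google Play": true}
}""")

if __name__ == "__main__":
    for line in report(diff_policies(TEMPLATE_POLICY, EXISTING_POLICY)):
        print(line)
```

Values that only appear in the template are the ones to look at first: they are usually settings added in a newer template version that an older active policy never picked up.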
Q: How can we enroll a device in Knox without reseller involvement?
A: You can do this in the Knox portal, which is outside of MaaS360 completely, if you're looking to use Knox Mobile Enrollment to get the device to become part of MaaS360 or Knox in general; they do have a Knox Deployment App that can be used to sideload devices into the KME portal without using a reseller. This will require you to touch every device, because you're physically touching every single device to go through the process of sideloading them into the KME portal. Alternatively, if you're going to be physically touching them all anyway, you can leverage our QR code enrollment. The only downside with our QR code enrollment over KME is that devices enrolled with a QR code can in theory be lost, because if a device enrolled via our QR code is factory reset, it's just going to become a standard device once it's wiped.