
Unlocking Efficiency: A Comprehensive Guide to Device Deletion in MaaS360

By Nikath Kothacheruvu posted Fri February 23, 2024 03:03 AM

  

Authored by: nkothach@in.ibm.com
Co-authored by: anok.angadi@ibm.com

In the ever-evolving landscape of Mobile Device Management (MDM), the journey of devices within the MaaS360 ecosystem unfolds through diverse phases, each requiring meticulous attention. One persistent challenge confronted by administrators centres around the effective management of inactive devices post-enrolment removal.

While these inactive devices may not be prominently visible in the device inventory, they can still be accessed through a filtered view in the device inventory and located via the Advance search option. Notably, the presence of these devices, albeit concealed, can occasionally impact performance, particularly in terms of API responses. The accumulation of a substantial number of inactive devices may pose concerns for administrators.

To address this nuanced dilemma, administrators navigate the critical terrain of device deletion—a fundamental aspect of MaaS360's functionality that demands both caution and strategic implementation.

In this guide, we will navigate through the nuances of device deletion in MaaS360, shedding light on the types of deletion, cautionary measures, and the indispensable customizable features that empower administrators to tailor the deletion process to their unique needs.

Caution with Device Deletion:

 Device details will be completely removed from the portal, and there will be no way to recover the device data once it has been deleted. Hence, device deletion should be used with caution.

Types of device deletion:

An 'MDM Enrolled' device can be deleted through the following methods:

  • Individual inactive device deletion
    • Step 1: When a single 'MDM Enrolled' device becomes inactive, it can be deleted using the Delete option available on both the device inventory page and the device view summary page, through either of the following paths:
      • Home → Devices → Inventory → Select Delete option
        [Screenshot: Inactive Device Deletion option in device inventory]
      • Home → Devices → Inventory → Select View on any inactive device → Select Delete button
        [Screenshot: Inactive Device Deletion option in device view]
    • Step 2: A confirmation message for the deletion is displayed. Select Continue → Enter Password → Continue.
      [Screenshot: Confirmation]
    • Step 3: A success message is displayed.
      [Screenshot: success]
  • Inactive device deletion when the user is deleted
    When a user is queued for deletion, any associated inactive devices are also scheduled for deletion.
    • Step 1: Select Home → Users → Directory → Select More on any user with inactive devices → Select Delete user.
      [Screenshot: Delete User]
    • Step 2: After selecting the action, a confirmation message is displayed.
      [Screenshot: warning]
    • Step 3: Upon confirming the action, a Security Check prompt is presented, and upon successful completion, a success message is displayed. The device will then be deleted as part of the scheduled job.
      [Screenshot: success]
  • Bulk device deletion
    In the preceding two methods, we observed that individual inactive 'MDM Enrolled' devices can be deleted via the device view, or associated inactive devices can be deleted when a user is deleted. When a customer wants to delete devices in bulk, the preferred method is Bulk device deletion, also referred to as Automated Device Clean up. This can be accomplished through a group hide action for a customer with the Auto Device Clean up feature enabled.

Customizable Deletion Delay Feature:

This feature lets the customer set a delay, in days, before devices are deleted. The available options are:

  • Same Day (0 Days Option): Devices will be deleted on the same day.
  • 1 Day: Devices will be deleted after a 1-day delay.
  • 30 Days: Devices will be deleted after a 30-day delay.
  • 60 Days: Devices will be deleted after a 60-day delay.

This customization provides flexibility in determining when devices are deleted based on the specific needs of the customer.

Note to customer: Please contact Support to enable this feature.

Now that we understand the functionality of the feature, let's proceed to delve into the details of how the customer admin can implement this functionality.

As a customer admin seeking to clean up devices, we may identify the device list based on specific criteria, such as the device CSN, devices that haven't reported for more than 90 days, or devices with a particular policy compliance status or custom attribute value. We can create a group with those criteria from Advance search. It is important that the search scope for the group is set to all devices or inactive devices, never to active devices only. Once the group hide action is initiated, the active devices are made inactive and then enqueued for deletion. If the group criteria include only active devices, the hidden devices fall out of the group, and no devices will be picked up for deletion.

Once we have created a group with a notable name and specified criteria, we can perform a group hide action from the Groups page and submit the action. As shown in the screenshot sample below, the number of active devices is 6, which will be hidden and enqueued for deletion.

[Screenshot: Confirmation]

 After enabling Hide on the group, a batch job is triggered, which hides all devices belonging to this group, changing their managed status to inactive. Subsequently, these devices are enqueued for deletion after a specified number of days set when the feature is enabled. When the conditions are met, the Deletion Batch Job selects the records and cleans the device records.

Customer Scenarios:

Scenario 1:

Imagine a scenario where a customer has accumulated a significant number of devices that haven't reported any activity for more than a year. Alternatively, there might be a specific set of devices that the admin deems obsolete and wishes to delete from the system. A device group is created with the defined criteria. This allows the customer to gather all relevant devices under one umbrella for targeted management.

With the device group in place, the customer initiates the Auto Hide device action.

[Screenshot: Advance search conditions for valid bulk delete]

After a successful hide action, all active devices belonging to the group will be hidden (i.e., their managed status marked as inactive). Subsequently, the inactive devices within the group will be queued for deletion.

Scenario 2:

Let's delve into a situation where the successful execution of the Auto Hide device action leaves devices hidden but not enqueued for deletion.

The admin sets up a device group with meticulous criteria tailored to the devices they want to delete. This could include specific attributes, usage patterns, or any other relevant parameters. This group is further refined with the "Search for" condition set to "Active Devices," ensuring a focus on currently active devices. With the device group in place, the customer initiates the Auto Hide device action. As a result, all active devices meeting the specified criteria have their managed status marked as inactive, effectively hiding them.

[Screenshot: Advance search conditions for invalid bulk delete]

Because the hide action marks the devices' managed status as inactive, they no longer meet the criteria of the device group and dynamically fall out of it. When the batch job runs to enqueue devices for deletion based on the group criteria, the device group is empty, so no devices are enqueued for deletion. The devices are only hidden, not deleted.
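The difference between the two scenarios can be reproduced with a small model. This is an added example, not MaaS360 code or its API: the `Device`, `Group`, `hide_job`, `enqueue_job` and `simulate` names, the 365-day criterion and the sample inventory are all constructed, and the only behaviour assumed is what the text above states (group membership is re-evaluated after the hide).

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed model of the behaviour described above; these are not MaaS360 APIs.
@dataclass
class Device:
    csn: str
    last_reported: date
    managed: str = "Active"              # "Active" or "Inactive"
    delete_on: Optional[date] = None     # set once enqueued for deletion

@dataclass
class Group:
    search_for: str                      # "All Devices", "Active Devices", "Inactive Devices"
    stale_days: int                      # criterion: no report for more than N days

    def members(self, inventory, today):
        """Dynamic membership: re-evaluated against current device state on each call."""
        cutoff = today - timedelta(days=self.stale_days)
        def in_scope(d):
            return self.search_for == "All Devices" or self.search_for.startswith(d.managed)
        return [d for d in inventory if d.last_reported < cutoff and in_scope(d)]

def hide_job(group, inventory, today):
    """Group hide action: every current member becomes inactive."""
    hidden = group.members(inventory, today)
    for d in hidden:
        d.managed = "Inactive"
    return len(hidden)

def enqueue_job(group, inventory, today, delay_days):
    """Deletion enqueue: membership is evaluated again, after the hide."""
    queued = group.members(inventory, today)
    for d in queued:
        d.delete_on = today + timedelta(days=delay_days)
    return len(queued)

def simulate(search_for, delay_days=30):
    today = date(2024, 2, 23)
    # Constructed inventory: six stale devices and one that reported recently.
    inventory = [Device(f"CSN{i}", today - timedelta(days=400)) for i in range(6)]
    inventory.append(Device("CSN-recent", today - timedelta(days=2)))
    group = Group(search_for, stale_days=365)
    hidden = hide_job(group, inventory, today)
    queued = enqueue_job(group, inventory, today, delay_days)
    return hidden, queued, [d.csn for d in inventory if d.delete_on]

if __name__ == "__main__":
    for scope in ("All Devices", "Active Devices"):
        print(scope, simulate(scope)[:2])
```

With the scope set to "All Devices" the six hidden devices are also queued; with "Active Devices" six are hidden and none are queued, which is the Scenario 2 outcome.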

Good practices:

Examine practical instances from real-world scenarios, showcasing effective device clean-up strategies in line with industry best practices.

  • It is recommended to turn off the Auto Device Clean up feature after all devices belonging to the group are deleted.
  • Create device groups with unique criteria to ensure that only the necessary devices are part of the group and queued for deletion. Once the devices are deleted, device data cannot be recovered.
  • Keep the number of devices in the group below 1000. If necessary, create multiple groups, especially when using the device identifier as a criterion.

Embark on a journey through MaaS360's device deletion landscape, equipped with insights, caution, and best practices for a streamlined and efficient Mobile Device Management experience.
