IBM Security MaaS360


Importance of Completing Enrollment Before Provisioning in DO/WPCO

By Priya Pareta posted Sun April 14, 2024 01:45 AM


In the fast-paced world of mobile device management, efficiency is key. One critical aspect that often gets overlooked is the enrollment process. Efficient management of mobile devices within enterprise environments is paramount in today's digital landscape. Among the tools available, MaaS360 stands out as a comprehensive solution, particularly for Android device management. In this guide, we delve into the critical aspect of MaaS360 Android device enrollment, emphasising the significance of completing enrollment before provisioning in Device Owner (DO) or Work Profile Corporate Owned (WPCO) scenarios. By understanding and implementing these practices, organisations can ensure smoother operations, enhanced security, and optimised device management workflows. Let's explore how to harness the full potential of MaaS360 for effective Android device enrollment.

Introduction to Device Enrollment

Before we dive into the importance of completing device enrollment before provisioning, let's first understand what exactly device enrollment means. Device enrollment is the process of configuring and registering a new or existing device with the MaaS360 mobile device management (MDM) system. By enrolling their devices on MaaS360, employees allow their organisation to have control over certain features and settings such as security protocols, app installation restrictions, and network access.

Why is it important to complete device enrollment before provisioning?

In the case of Device Owner and Company Owned Profile Owner (WPCO) enrollments, device enrollment should be completed before device provisioning. This is because device enrollment sets up the device with the necessary security policies and configurations, which are essential for keeping the device and its data secure.

MaaS360 executes device enrollment as a part of device provisioning to enforce management and policies before users start using the device, ensuring users cannot bypass crucial enrollment screens.


Benefits of device enrollment before provisioning:

1. Enhanced Security

The foremost benefit of completing device enrollment first is enhanced security. Organisations gain full control over the devices connected to their network by enrolling devices into MaaS360. This includes the ability to enforce password policies, remotely wipe or lock devices in case of theft or loss, and restrict access to certain apps and data on managed devices. These measures provide an additional layer of protection against potential security threats and unauthorised access to company data.


2. Simplified Management

Completing the device enrollment process first also simplifies management for IT teams in charge of monitoring and maintaining corporate devices. Once a device is enrolled into MaaS360, it becomes much easier to distribute applications and updates uniformly across all enrolled devices without having to physically touch each one individually.


3. Time and Cost Savings

By completing the enrollment process before provisioning, organisations can save both time and money in the long run. With streamlined management enabled by MaaS360, IT teams spend less time managing individual devices and can focus more on other high-priority work.


4. Seamless User Experience:

One of the most significant challenges faced by organisations when it comes to device enrollment is a lack of preparation among users. Many employees may not understand the importance of enrolling their devices before using them or may simply forget to do so. Completing device enrollment before provisioning makes it a part of the device setup, which ensures that new devices are enrolled as they are onboarded. Since all the necessary configurations are already in place after enrollment, employees can start using their new devices almost immediately without having to wait for manual setup from IT support.


5. Control over Corporate Data:

If device provisioning is done before device enrollment, the device may not be properly configured with the necessary security policies, leaving it vulnerable to security threats. This can lead to data breaches, which can be costly and damage an organisation's reputation. By doing enrollment before device provisioning, organisations can ensure that their devices are properly configured with the necessary security policies and configurations and that they are secure and protected from potential security threats. This will help ensure that corporate data is protected and that the organisation complies with regulatory requirements.


Risks of Incomplete Enrollment:

1. Security Vulnerabilities: 

Provisioning resources without completing enrollment opens the door to security vulnerabilities. Incomplete configurations may leave critical elements unprotected, exposing the organisation to potential cyber threats.

2. Inefficient Resource Utilisation:

Without a thorough enrollment process, organisations risk inefficient resource allocation. This can lead to underutilised resources, increased costs, and diminished overall performance.

3. Compliance Concerns: 

Many industries and organisations are subject to regulatory compliance requirements. Incomplete enrollment can result in non-compliance, leading to legal consequences and reputation damage.

Prioritising Enrollment: How?

Enrolling your device in MaaS360 before device provisioning is essential for both Device Owner and WPCO devices. It ensures that the device is registered and authorized before it is provisioned, thereby providing a secure and reliable framework for device management.


Step-by-step guide on how to complete device enrollment before provisioning

In this section, we will provide you with a comprehensive, step-by-step guide on how to complete device enrollment before provisioning.




Step 1: Create a DO/WPCO enrollment request

Before enrolling your devices, first create a DO/WPCO-based enrollment request on the MaaS360 portal. The request can carry all the necessary information, such as user information (names, email addresses), any required credentials, and the policies to apply to the targeted device. It can be a QR code-based, KME, or ZT enrollment type.

The path to the enrollment configuration in the MaaS360 portal:

Devices > Other enrollment Options > Android > Android Device enrollment 

This opens a window for creating an enrollment request. Fill in the details and click Create to generate a QR code for the enrollment. For the KME/ZT enrollment type, this instead generates a downloadable JSON file, which is needed to set the configuration on the KME/ZT portal.




Step 2: Prepare devices for enrollment

The device should be freshly factory reset or brand new before starting. For ZT/KME-based enrollment, the device should be registered on the ZT/KME portal.


Step 3: Start the device and the enrollment

Turn the device on and start the enrollment process according to the enrollment type.

QR code-based DO/WPCO enrollment -

Tap the Device Welcome screen 5-7 times in quick succession to open the QR code reader, scan the enrollment QR code, and connect to the internet. On the next screen, the device downloads the MaaS360 app. Once the app has downloaded successfully, the enrollment process starts, and on its completion the rest of the device setup begins.


KME/ZT-based DO/WPCO enrollment - 

The device should be registered on the ZT/KME portal for this, and the required configuration should be set for the device. Start the device and connect to the internet; the device then downloads the MaaS360 app and starts the enrollment process. On completion of enrollment, the rest of the device setup begins.


Flow of the Device Owner enrollment process using a QR code


[Figure: sequence of screenshots of the enrollment flow]

Do you still want to do enrollment later?

Though it's recommended to do enrollment before device provisioning, if the organisation wants to do it after the device is set up, they have to pass an additional attribute “force_enrollment_before_provisioning” as “NO” when creating the enrollment configuration for QR-code, KME, and Zero-Touch enrollment types. For token-based enrollments, users will always enrol before device provisioning, as there is no option to set the “force_enrollment_before_provisioning” configuration to NO.



While completing device enrollment before provisioning may seem like the obvious choice, there is an OS limitation that organisations may face while trying this process.

Enrollment before provisioning is achievable only on devices running Android OS 11 or higher. For lower versions, enrollment will be done after device provisioning only.
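The rules above (the “force_enrollment_before_provisioning” attribute, the token-based exception, and the Android 11 floor) can be checked across a device inventory before rollout. The following is an added example, not MaaS360 code: the function names, the inventory fields, the device names and the JSON layouts are hypothetical, and it assumes only that the attribute appears as a key somewhere in the enrollment JSON.

```python
import json

ATTR = "force_enrollment_before_provisioning"  # attribute named in the article
MIN_ANDROID = 11  # article: enrolling before provisioning needs Android 11+

def find_attr(node, name=ATTR):
    """Search parsed JSON depth-first for key `name`; return its value or None."""
    if isinstance(node, dict):
        if name in node:
            return node[name]
        children = node.values()
    elif isinstance(node, list):
        children = node
    else:
        return None
    for child in children:
        found = find_attr(child, name)
        if found is not None:
            return found
    return None

def enrollment_order(config_json, enrollment_type, android_major):
    """Return ('before' | 'after', reason) relative to device provisioning."""
    if android_major < MIN_ANDROID:
        return "after", f"Android {android_major} is below {MIN_ANDROID}"
    if enrollment_type == "token":
        return "before", "token-based enrollment cannot be deferred"
    value = find_attr(json.loads(config_json))
    if value is not None and str(value).strip().upper() == "NO":
        return "after", f"{ATTR} is set to NO"
    return "before", f"{ATTR} is not set to NO"

def audit(fleet):
    """Names of devices a user could start using before enrollment completes."""
    return [d["name"] for d in fleet
            if enrollment_order(d["config"], d["type"], d["android"])[0] == "after"]

# Constructed inventory; the JSON layouts are hypothetical, not MaaS360's format.
SAMPLE_FLEET = [
    {"name": "kiosk-01", "type": "QR", "android": 13,
     "config": '{"extras": {"force_enrollment_before_provisioning": "NO"}}'},
    {"name": "tablet-02", "type": "KME", "android": 12,
     "config": '{"profile": {"name": "sales"}}'},
    {"name": "phone-03", "type": "ZT", "android": 10, "config": "{}"},
    {"name": "phone-04", "type": "token", "android": 14, "config": "{}"},
    {"name": "phone-05", "type": "QR", "android": 11,
     "config": '[{"force_enrollment_before_provisioning": "no"}]'},
]
```

Devices returned by audit() are the ones where policies would not yet be enforced when the user first reaches the home screen, so they are the ones to review before distribution.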

Conclusion: The impact of device enrollment before provisioning 

MaaS360 Android device enrollment is not just about efficiency; it's about safeguarding organisational assets and ensuring seamless operations. By emphasizing the importance of completing enrollment before provisioning in Device Owner (DO) or Work Profile Corporate Owned (WPCO) scenarios, organisations can mitigate security risks, enhance user experience, and optimize device management workflows. By enrolling devices before provisioning, businesses can ensure that all devices are properly configured and secured before they are used by employees. This can help reduce the risk of data breaches or other security incidents, as well as ensure that all devices are compliant with company policies and standards. Additionally, enrolling devices before provisioning can help save time and reduce frustration for IT teams, as they can pre-configure devices with the necessary settings and applications before they are distributed to employees. This can lead to a more efficient and streamlined device deployment process, which can ultimately benefit both the IT team and the end-users. Overall, implementing a device enrollment process before provisioning can be a smart strategy for businesses looking to improve their device management and security practices.