Hi Darren
There are a number of scenarios that can map to customer requirements:
1. Devices are replaced in a 'round robin' approach. This means that a customer acquires an excess of devices, say 5-10% so they have a rolling stock. They enroll a device and get it fully set up and send it out to the user who then has a working DO mode device with no downtime - just if there is a SIM card swap this can take a few minutes. The user then sends back the old device which can either be wiped and sent to the next person, or just recycled / removed from fleet if being replaced. There is a net advantage to 'mission-critical' type operations here, but with the caveat that you need a budget for device replacement over a shorter period of time.
2. Depending on whether there is an imperative to get the project completed quickly, devices can be replaced using the above approach or instead in an "as-and-when" approach, so when a device is set to be replaced, the new device is enrolled by admins or sent to user for enrollment. This takes longer, but removes the need to have a large budget for device replacement in a short time frame. However it does have the impact of forcing users to remain on DA mode for longer.
3. If there is a requirement to have a device enrolled to a specific MaaS360 user, this can be done using the "Enroll on behalf of" which assigns the device to the user but doesn't log on as them, the admin does everything up to the point of putting in the user's credentials and this can be done by the user themself when they receive the device. See a Support question / answer about this:
https://www.ibm.com/mysupport/s/question/0D50z00005pey8f/what-is-enroll-on-behalf-of-in-maas360?language=en_US
4. In addition to this you may want to simplify the enrollment process, whether setting up in bulk in your office or the user just wants to reduce time spent. Have a look at Android Enterprise Zero Touch enrollment, and Samsung Knox Mobile Enrollment, both supported by MaaS360:
https://www.ibm.com/docs/en/maas360?topic=mode-zero-touch-enrollment
https://www.ibm.com/docs/en/maas360?topic=mode-samsung-knox-mobile-enrollment-kme-program
5. Standard DO mode doesn't allow for recovery of user data on the new device. This is because the DO-mode enrollment sets up a Google account (unless you're using G-Suite, which most don't), which doesn't have storage attached to it and therefore can't retrieve a backup. However, if this is a requirement, there is a solution Google have come up with, called WPCO configuration (Work profile on Corporate Owned) which will work on Android 11 and later devices (the previous approach from Google has been removed by them). So a user with a Device Admin device, could back up personal data to their personal Google account (remember to enable on settings in Android policy). After this, when the DO mode has been set up they can add the personal account to the device, and retrieve their data that way. However the apps which can retrieve the backup will only be for personal use (photos, text messages etc) and not the enterprise ones. Don't worry, corporate email and docs will synch once more once configured correctly, so there should be no concern here. Some device manufacturers have data migration apps, but which are completely outside of our control or configuration.
Document:
https://www.ibm.com/docs/en/maas360?topic=operation-work-profile-corporate-owned-devices-wpco
------------------------------
Eamonn O'Mahony
Technical Client Success Manager
IBM Security
Dublin, Ireland
------------------------------
Original Message:
Sent: Fri April 30, 2021 07:16 AM
From: Darren Tiday
Subject: Manual enrolments for Android devices
Thank you for this response, very helpful.
Basically going forward, all new portals and enrollments need to have Android for Enterprise whether it be for Profile or Device Owner. I don't think this will be too much of an issue as even with Device Owner, you can still give access to users through the policy of adding their own account if customers are flexible on what users can do with the handsets. Profile Owner seems to be more BYOD which we don't get many requests for this as most customers want control and a corporate setup.
Our biggest issue is the current customers that already have legacy as the migration only seems to be for Work Profiles and most will want a full Device Owner mode. Some of our customers have estates of up to 2000 devices, so this is going to be a huge challenge.
------------------------------
Darren Tiday
Original Message:
Sent: Thu April 29, 2021 04:43 AM
From: Eamonn O'Mahony
Subject: Manual enrolments for Android devices
Hi Darren
Great question!
For new portals since January 2021, Device Admin (the old/legacy mode) enrollment has been disabled. This follows Google's announcements since 2014 and IBM's discussion of this since 2016.
There are 2 enrollment types in Android Enterprise:
1. Profile Owner mode: installs a partial (application-level) control on devices, but has a very simple migration process from existing enrollment and very simple enrollment.
2. Device Owner mode: takes over full Operating System and hardware controls, but requires full device factory reset/wipe and builds the profile "from the ground up".
Generally speaking for employee-owned devices we recommend Profile Owner mode, and for corporate-owned devices we recommend Device Owner mode.
Here's a link to documentation to get you started:
IBM Docs on Android Enterprise - https://www.ibm.com/docs/en/maas360?topic=android-enterprise-enrollment
Security Learning Academy (training portal) - https://www.securitylearningacademy.com/local/navigator/index.php?search=android+enterprise&level=moma01
The 2nd requires IBMid login. The content is very varied and includes some videos of less than ten minutes' duration, going to full deep-dive sessions.
I highly recommend you get started using these 2 links and let us know here if you have any further questions.
Best
------------------------------
Eamonn O'Mahony
Technical Client Success Manager
IBM Security
Dublin, Ireland
Original Message:
Sent: Wed April 28, 2021 05:56 AM
From: Darren Tiday
Subject: Manual enrolments for Android devices
I may have completely missed this and either someone has already posted about this before, however, having had 2 new customer portals set up recently, options for Device and Advanced settings on an Android policy are no longer available. When adding a new device a message appears saying that all Android enrolments have to be done with Android for Enterprise.
I know that it has been said that standard/manual enrolments would be phased out at some point, so is this now the case with maas that all enrolments have to be done this way? We have many customers with portals whereby the enrolments are done manually, so is there any easy way to migrate those all to AfE going forward, or is it just a case of resetting devices and re-enrolling them as and when?
New to the group, so any help would be appreciated.
------------------------------
Darren Tiday
------------------------------