How to choose an enrollment method that suits your business scenario?
The growing pool of mobile devices deployed in businesses places greater responsibility on device administrators to manage them efficiently. The device management process begins with the organization obtaining suitable devices for its workforce. These could be either fully enterprise-owned devices or employees’ personal devices in the case of Bring Your Own Device (BYOD). In either case, the devices must be enrolled into the Mobile Device Management console. There are multiple ways to execute this process. Some processes involve direct user intervention for device enrollment, while others involve zero user involvement, where the devices get automatically enrolled once they are switched on. Hexnode UEM offers various enrollment solutions that organizations may use depending on their enrollment needs.
Devices are classified on the grounds of device ownership – corporate and personal. Hexnode supports various enrollment techniques to enroll both corporate and personal devices.
Businesses acquire devices with various operating systems and capabilities to satisfy enterprise-specific needs. Since the organization owns all the corporate devices, it is advisable to initiate enrollment within the organization before issuing them to the workforce. There are numerous techniques for platform-specific enrollment that can proceed with minimal or no user involvement.
The out-of-box enrollment options are optimal for provisioning devices in bulk. They are effective when there is a multitude of different devices to be deployed. They are often referred to as auto-enrollment techniques because endpoints get automatically added to Hexnode as users turn on the device for the first time. These enrollment methods also offer extended functionalities to organizations for provisioning devices as fully functional corporate devices.
- Apple Business/School Manager: Apple Business/School Manager enables bulk enrollment of corporate devices. Large enterprises that distribute a huge number of newly purchased Apple devices to employees would benefit from this method. It offers advanced management capabilities to organizations that can be pre-provisioned on devices beforehand. As the user unboxes the device and turns it on initially, all the configurations get instantly associated with it.
- Android Zero-Touch: Organizations that carry out large-scale rollouts of corporate Android devices make the most out of Zero-Touch enrollment. Devices purchased directly from a Zero-Touch Reseller partner/Google partner and added to the Zero-Touch portal are automatically enrolled into the UEM console. Do you prefer a one-time setup for configuring devices without physically touching them? Then, this is the right choice. The user has to power on the device and connect it to the internet to get it enrolled.
- Samsung Knox Mobile Enrollment: Before moving forward to learn what Knox Mobile Enrollment (KME) is, let’s understand the pre-requisites to initiate a KME.
  - A Samsung account
  - A Knox portal account
  - Samsung Knox devices running Knox version 3.0 or higher.
  - The proper firewall exemptions need to be extended beyond the local and protected network domain to securely connect to the Knox Mobile Enrollment server.
If your organization can meet all these requirements, this is a viable enrollment option for bulk enrollment of Samsung Knox devices. Samsung Knox enrollment enables automatic device setup and secure device deployment options for enterprises. It involves no manual setup procedure and enforces auto re-enrollment even if the device undergoes factory reset.
- Android ROM/OEM: Have you ever customized a ROM to prepare devices based on your organizational needs? A custom-made ROM gives you more control over the device’s hardware. It helps you replace the existing operating system with newer versions, remove bloatware applications that clutter disk space, customize settings, set up application permissions and much more. Organizations configure tailor-made devices by flashing custom ROMs onto the devices. Hexnode supports a simple, straightforward approach to enroll such devices with Android ROM enrollment. You can set up the Hexnode UEM app while configuring the ROM to auto-enroll the device as the user turns it on.
These enrollment strategies are aimed at medium-scale enterprises with a relatively smaller number of devices to be managed. However, they demand some form of user involvement at the device end to complete the enrollment.
- Android Enterprise Device Owner: The Android Enterprise program is an initiative led by Google to enable easy deployment and management of Android devices within corporate environments. Provisioning the devices as Android Enterprise – Device Owner enables organizations to exert complete control over corporate-owned devices. It involves a series of steps to finish the enrollment process. Hence, this enrollment is performed by administrators before distributing the devices to the users.
- PPKG enrollment: Provisioning packages are written instructions that organizations use to configure Windows devices. It is a beneficial method for device deployments over a range of tens to a few hundred devices. A provisioning package acts as a container for applying configuration settings to the endpoints straightaway. When the user installs the package, the device is enrolled with Hexnode UEM. The administrator may use the same package to provision other devices as well.
- Apple Configurator: Apple Configurator is a complimentary utility installed on a macOS device that enables enrollment, configuration, and deployment of Apple devices in enterprises with the help of a USB connection. Suppose your organization wants to enable the Supervision capabilities on Apple devices. If there are only a few devices, and if your organization doesn’t have an ABM account, you can go for Apple Configurator enrollment. The administrator can associate the necessary profile and enable supervision on the device before handing it over to the users.
- Migrate to Hexnode: This enrollment method is beneficial when organizations with alternate UEM solutions have outgrown their UEM capabilities and want to migrate their devices to Hexnode UEM. The Hexnode Gateway app facilitates this migration from the device end without performing a device wipe. For that, the app must be installed on the device by creating a configuration file from the Hexnode console and then deploying the PKG file to the devices, using either the existing UEM or other means. This configuration file specifies the configurations for the Hexnode Gateway app and the device-specific network settings necessary to process the migration.
Authenticating user legitimacy during enrollment adds another layer of security as it ensures that the users are authorized to add the devices to the UEM console. However, when the administrator must provision the devices themselves, it would be impractical and time-consuming to individually authenticate thousands of devices. Quick enrollment techniques facilitate easy authentication of the devices to be enrolled.
- QR code – Open enrollment: The most straightforward way of enrolling the devices is by scanning the QR code displayed on the UEM portal. The devices get enrolled once the QR code is scanned by the Hexnode UEM app installed on them – simple and seamless.
Hexnode offers numerous options for onboarding personally owned devices. The administrator can opt for any of these techniques based on the business scenario and configure the corresponding enrollment settings from the UEM console. The user may then proceed with the enrollment from the device end.
- Email/SMS: The administrator sends an enrollment request to the user containing the enrollment instructions, server URL, username, password, and QR code. This is a selective, authenticated enrollment technique where the admin forwards enrollment invitations only to particular users. This enrollment technique can be selected when there are comparatively fewer devices to be enrolled, or if you want only a subset of specific users to enroll their devices. Since the enrollment request is sent via email/SMS, it also requires subscriptions to email/SMS service providers. Hence, after considering all these pre-requisites, you can decide whether to choose this method.
- QR Code enrollment with authentication: The enrollment request sent to the users via email contains a QR code that Android users can use to streamline the enrollment process. Rather than typing in the username and password, users can scan the QR code to perform device onboarding. This technique exempts the admin from the hassle of enrolling the devices by themselves while authenticating the user who enrolls the device.
- Android Enterprise Profile Owner: Android Enterprise Profile Owner enrollment enables containerization on personal devices, whereby work and personal data are segregated between two different encrypted spaces. This is the perfect enrollment model for personal devices. However, your organization should enroll in the Android Enterprise program to enable this enrollment technique.
- User enrollment: This enrollment method is designed for unsupervised iOS and iPadOS devices in Bring Your Own Device (BYOD) deployments. It creates an encrypted Apple File System (APFS) volume for managed apps and data on the device. This separation allows organizations enrolled in Apple Business Manager to manage corporate data without interfering with end users’ personal data. User Enrollment requires Managed Apple IDs, owned and managed by the organization, for access to certain Apple services. The method ensures user privacy and enterprise security. However, it supports only a limited set of payloads and restrictions on the device.
Enrollment methods common to both corporate and personal devices
This section focuses on enrollment models that can be utilized for enrolling both personal and corporate devices. Based on your business scenario, you may choose any of the following methods:
- Open enrollment: This is the quickest enrollment technique, where you can enroll the devices by entering the UEM server URL on the installed Hexnode app. Administrators use open enrollment to add devices to the UEM console when it is necessary to enroll devices before distributing them to users. Organizations prefer this enrollment over other options when corporate devices are to be shared. It is also a hassle-free method of enrolling personal devices to get them provisioned quickly. Small-scale businesses that do not have subscriptions to identity or access management solutions can also make the most out of open enrollment.
- Self-enrollment: The management requisites for organizations vary with scale, complexity and necessity. Some organizations are small-scale and require only a few devices to be managed. They need an easy or quick enrollment technique. Others might prefer device security over every other factor, requiring users to be authenticated before enrollment. Are your enrollment requirements similar?
  - Does your organization manage user directories to maintain user information? Do you want only the domain users to enroll the devices?
  - Do you need to extend just the basic management capabilities on corporate-owned devices after enrollment?
  - Do you want the users to be authenticated as they enroll their personal devices?
  - Do you find it tedious to send out enrollment requests to numerous users?
In any of these situations, you can choose the self-enrollment method. Hexnode permits self-enrollment to authenticate users by their directory credentials from Active Directory (AD), Microsoft Entra ID, Okta, and Google Users. This enrollment method also works when the organization does not integrate with an identity management solution to manage users. In such a situation, administrators employ pre-assigned passwords to permit users to self-enroll. Whatever your enrollment requirements, Hexnode resolves them strategically with self-enrollment.
- Pre-approved enrollment: Have you ever wondered if you would be able to restrict enrollment only to a pre-defined set of devices? Apart from the out-of-box experience, Hexnode permits organizations to import devices into the UEM console even before the enrollment is completed from the user end. Pre-approved enrollment involves the bulk import of devices via a CSV file. Once imported, the endpoints are added to the UEM portal, and the administrators undertake device management activities prior to enrollment. Further, the user or the administrator can proceed with the enrollment using the enrollment request email automatically sent to them. You may make pre-approved enrollment mandatory to ensure that only a pre-determined collection of devices is enrolled in the UEM console.