Category Filter

How to choose an enrollment method that suits your business scenario?

The growing pool of mobile devices deployed in businesses exercises greater responsibility for device administrators to manage them efficiently. Earlier, the device management process commenced with the organizations obtaining suitable devices for the workforces. Then, the endpoints were added to the device management console by the administrators much before handing them over to the users. But, with the adoption of enterprise mobility, businesses also permit the employees to bring in their own devices. In either case, the organizations should get the devices enrolled in the Mobile Device Management console. But, reaching out to every device for enrollment would be a cumbersome task for the administrators. If the users themselves can get their devices enrolled seamlessly, device enrollment becomes more manageable. Hexnode UEM proposes various enrollment solutions that may be used by the organizations depending on their enrollment needs.

Enrollment Techniques

Devices are classified on the grounds of device ownership – corporate and personal. Hexnode supports various enrollment techniques to enroll both corporate and personal devices.

Corporate devices

Businesses acquire devices with varying operating systems and capabilities to satisfy enterprise-specific needs. Since the organization completely owns corporate devices, it is advisable to initiate enrollment within the organization before issuing the devices to the workforce. There are numerous enrollment techniques for different device platforms that can be proceeded with minimal or no user involvement.

Out-of-box experience

The out-of-box enrollment options are the optimal choices for provisioning the devices in bulk. It is effective when there is a multitude of different devices to be deployed. They are often referred to as auto-enrollment techniques because endpoints are automatically added to Hexnode as the users turn on the device for the first time. Apart from other enrollment processes, these methods offer extended functionalities to organizations for provisioning the devices as fully functional corporate devices.

  1. Apple Business/School Manger: Apple Business/School Manager enables bulk enrollment of corporate devices. Large enterprises that distribute a huge number of newly purchased Apple devices to the employees would benefit from this method. It offers advanced management capabilities to the organizations that can be pre-provisioned on the devices beforehand. As the user unboxes the device and turns it on initially, all the configurations are associated instinctively.

    Supported on:

  2. Android Zero-Touch: Organizations that carry out large-scale rollout of corporate-based Android devices make the most out of Zero Touch enrollment. Devices purchased directly from Zero Touch Reseller partner/Google partner and added to the Zero Touch portal are automatically enrolled in the UEM console. Would you prefer a one-time setup for configuring devices without physically touching them? Then, this is the right choice. The user has to power on the device and connect the device to the internet to get enrolled.
  3. Samsung Knox Mobile Enrollment: Before we move forward to learn what Knox Mobile Enrollment (KME) is, we shall understand the requirements for KME.
    • A Samsung account
    • A Knox portal account
    • Samsung Knox devices running Knox version 2.4 or higher.
    • The proper firewall exemptions need to be extended beyond the local and protected network domain to connect to the Knox Mobile Enrollment server securely.

    If your organization can afford all these requirements, this is a considerable enrollment option for bulk enrollment of Samsung Knox devices. Samsung Knox enrollment enables automatic device setup and secure device deployment options for enterprises. It involves no manual setup procedure and enforces auto re-enrollment even if the device is the factory reset.

  4. Android ROM/OEM: Ever customized a ROM to prepare devices based on your organizational needs? A custom-made ROM gives you more control over the device’s hardware. You can replace the existing operating system with newer versions, remove bloatware applications that clutter disk space, customize settings, set up application permissions and much more. Organizations configure tailor-made devices by flashing custom ROMs onto the devices. Hexnode supports a simple, straightforward approach to enroll such devices with Android ROM enrollment. You can set up the Hexnode MDM app while configuring the ROM to auto-enroll the device as the user turns on the device.

Enterprise-specific enrollment

These enrollment strategies aim at medium-scale enterprises with a relatively smaller number of devices to be managed. It demands some form of user involvement at the device end to complete the enrollment.

  1. Android Enterprise Device Owner: Android Enterprise program is an initiative led by Google to enable easy deployment and management of Android devices within corporate environments. Provisioning the devices as Android Enterprise – Device Owner enables organizations to exert complete control over corporate-owned devices. It involves a series of steps to finish the enrollment process. Hence, this enrollment is performed by administrators before distributing the devices to the users.
  2. PPKG enrollment: Provisioning packages are a set of written instructions that organizations use to configure Windows devices. It is a beneficial method for device deployments over a range of tens to a few hundred computers. A provisioning package acts as a container for applying configuration settings to the endpoints straightaway. When the user installs the package, the device is enrolled with Hexnode UEM. The administrator may use the same package to provision other devices.

    Supported on:

  3. Apple Configurator: Apple Configurator is a complimentary utility installed on a macOS device that enables enrollment, configuration, and deployment of Apple devices in enterprises with the help of a USB connection. Suppose your organization wants to unleash the Supervision capabilities on Apple devices. If there are only very few devices, and if your organization doesn’t have an ABM account, you can go for Apple configurator enrollment. The administrator can associate the necessary profile and enable supervision on the device before handing the devices over to the users.

    Supported on:

Quick Enrollment

Checking out the user’s legitimacy during enrollment adds another layer of security as it ensures that the users are authorized to add the devices to the MDM console. However, when the administrator has to provision the devices themselves, it would be impractical and time-consuming to authenticate thousands of devices. Quick enrollment techniques facilitate easy enrollment of devices.

  1. QR Code – Open Enrollment: The most straightforward way of enrolling the devices by scanning the QR code displayed on the MDM portal. The devices get enrolled once after the QR code is scanned by the Hexnode MDM app installed on the device. Simple and seamless.

    Supported on:

Personal Devices

Hexnode promotes numerous options for onboarding personally owned devices. Based on the business scenario, the administrator can opt for any techniques and configure the corresponding enrollment settings from the MDM console. The user may proceed with the enrollment from the device end.

  1. Email/SMS: The administrator sends an enrollment request to the user containing the enrollment instructions, server URL, username, password and QR code. This is a selective, authenticated enrollment technique where the admin forwards enrollment invitations only to particular users. When there are comparatively fewer devices to be enrolled, or if you want only a subset of users specifically to enroll their devices, this enrollment technique can be selected. Since the enrollment request is sent via email/SMS, it also requires subscriptions to email/SMS service providers. Hence, after considering all the pre-requisite factors, you can decide whether to choose this method.

    Supported on:

  2. QR Code enrollment with authentication: The enrollment request send to the users via email contains a QR code that Android users can use to streamline the enrollment process. Rather than typing in the username and password, the users can scan the QR code to perform device onboarding. This user enrollment technique exempts the admin from the hassle of enrolling the devices by themselves while authenticating the user who enrolls the device.

    Supported on:

  3. Android Enterprise Profile Owner: Android Enterprise Profile Owner enrollment enables containerization on personal devices whereby the work and personal data is segregated between two different encrypted spaces. This is the perfect enrollment model for personal devices. However, your organization should enroll in the Android Enterprise program to enable this enrollment technique.

Enrollment methods common to both corporate and personal devices

This section focuses on enrollment models that can be utilized for enrolling both personal and corporate devices. Based on your business scenario, you may choose any of the following:

  1. Open Enrollment: This is the quickest enrollment technique, where you can get the devices enrolled by entering the MDM server URL on the Hexnode app installed. Given the role of administrators, it is often expected to roll out devices in bulk. When it is necessary to enroll them before distribution to the users, administrators use open enrollment to add devices to the MDM console. Organizations prefer this enrollment over other options when the corporate device is to be shared. It is also a hassle-free method of enrolling personal devices to get the devices provisioned quickly. Small scale businesses that do not have subscriptions to identity or access management solutions can also make the most out of open enrollment.

    Supported on:

  2. Self enrollment: The management requisites for organizations vary with scale, complexity and necessity. Some organizations are small-scale and require only a few devices to be managed. They need an easy or quick enrollment technique. Others might prefer device security over every other factor, requiring the users to be authenticated before enrollment. Are your enrollment requirements similar?
    • Does your organization manage user directories to maintain user information? And you want only the domain users to enroll the devices?
    • Do you need to extend just the basic management capabilities on corporate-owned devices after enrollment?
    • Do you want the users to be authenticated as they enroll their personal devices?
    • Do you find it a tedious task to send out enrollment requests to numerous users?

    In either of the situations, you can choose self-enrollment. Hexnode permits self-enrollment to authenticate users by their directory credentials from Active Directory (AD), Azure AD, Okta and Google Users. This enrollment method gets around the issue even when the organization does not integrate with an identity management solution to manage users. In such a situation, administrators employ pre-assigned passwords to the users to permit self-enrollment. Whatever be your enrollment requirements, Hexnode resolves them strategically with self-enrollment.

    Supported on:

  3. Pre-approved enrollment: Have you ever wondered if you would be able to restrict enrollment only to a pre-defined set of devices? Apart from the out-of-box-experience, Hexnode permits organizations to import devices into the MDM console even before the enrollment is completed from the user end. Pre-approved enrollment involves bulk import of devices via a CSV file. Once imported, the endpoints are added to the MDM portal, and the administrators undertake device management activities prior to enrollment. Further, the user or the administrator can proceed with the enrollment using the enrollment request email sent to them automatically. You may make pre-approved enrollment mandatory to ensure that only a pre-determined collection of devices is enrolled in the MDM console.

    Supported on:

    • iOS
    • macOS
    • Android