Category filter

How to choose the right enrollment method for specific enterprise features?

While analyzing a UEM solution, an organization may be looking out for specific features that can meet its growing needs. Hexnode UEM offers a comprehensive UEM toolkit that helps enterprises cover every possible device management aspect. However, some UEM features are specific to certain enrollment methods. For instance, silent installation of iOS apps works only on supervised devices. Businesses can use specific enrollment methods to unlock several features and controls according to their needs.

This article summarizes the enterprise-specific device enrollment methods facilitated by Hexnode. Hence, organizations can choose the most suitable method depending on the features essential to them.

Choose the right method for enrolling Apple devices

Supervision is a unique management mode mainly designed for institutionally owned iOS, iPadOS and tvOS devices. Supervising a device unlocks advanced management controls that are not available for non-supervised devices. So, to supervise a device, you must either use Apple Business Manager (ABM)/Apple School Manager (ASM) or the Apple Configurator method.

Here are some of the features that can be unlocked by supervising iOS devices by either ABM/ASM or Apple Configurator:

Version Features
iOS 6+
  1. Lock down devices to a single application (Single App kiosk mode)
  2. Set up Global HTTP Proxy
  3. Always-on VPN
  4. Restrictions on:
    • iBooks store
    • iMessage
    • Game Center
    • Install configuration profile
iOS 7+
  1. Set up autonomous single app mode
  2. Enforce web content filtering
  3. Activation Lock bypass (iOS 7.1+)
  4. Restrictions on:
    • AirDrop
    • Prevent pairing with non-Configurator hosts
    • Apps can modify cellular data usage
    • Modify Find My Friends
    • Modify an account
    • Siri can access user-generated content
iOS 8+
  1. Set Wallpaper
  2. Restrictions on:
    • Show web results using Spotlight Search
    • Add or remove Touch ID (iOS 8.3+)
    • Erase content and settings
    • Modify Restrictions/Screen Time
    • Predictive keyboard
    • Definition lookup
    • Auto-correct words
    • Suggest words on misspellings
    • Podcasts
iOS 9+
  1. Blocklist/Allowlist apps (iOS 9.3+)
  2. Silent installation of store and enterprise apps
  3. Enable Lost Mode
  4. App Notifications (iOS 9.3+)
  5. Add Google accounts (iOS 9.3+)
  6. Lock Screen Message (iOS 9.3+)
  7. Home Screen Layout (iOS 9.3+)
  8. Lock down devices to multiple apps (Multi App kiosk mode)
  9. Website kiosks (iOS 9.3+)
  10. Restrictions on:
    • News
    • Keyboard shortcuts
    • Modify passcode
    • Modify device name
    • Modify wallpaper
    • Download all purchased apps automatically
    • Apple Music (iOS 9.3+)
    • Pair with Apple Watch
    • iTunes Radio
    • Users can turn notifications on/off
    • Modify diagnostic data submission settings (iOS 9.3+)
iOS 10+
  1. Power Off (iOS 10.3+)
  2. Restart Device (iOS 10.3+)
  3. Remotely Ring Device (iOS 10.3+)
  4. Restrictions on:
    • Modify Bluetooth settings
    • Use voice to type
    • Connect to MDM-configured Wi-Fi networks only
iOS 11+
  1. Delay software updates (iOS 11.3+)
  2. Restrictions on:
    • Remove system apps
    • Add or remove Face ID
    • Create VPN configuration
    • Modify cellular plan settings
    • AirPrint
    • Use profanity filter
iOS 12+
  1. Restrictions on:
    • Force Automatic Date and Time
    • Autofill Passwords
    • Request passwords from nearby devices
    • Share passwords via Airdrop Passwords feature
    • Users can modify Personal Hotspot settings (iOS 12.2+)
    • eSIM Modification (iOS 12.1+)
iOS 13+
  1. Restrictions on:
    • Camera
    • FaceTime
    • Show App Store on the device
    • iTunes Store
    • Force user to enter iTunes store password for each purchase
    • Safari
    • Autofill (Safari)
    • Add friends in Game Center
    • Backup
    • Sync documents
    • Explicit music, podcasts and iTunes U services

Supervising and enrolling Apple TV devices via ABM/ASM or Apple Configurator will unlock the following benefits:

In the case of macOS devices, almost all features work for all types of enrollments. However, the following features require macOS to be enrolled via ABM/ASM:

In addition to the above features, enrolling Apple devices via ABM/ASM has added benefits over other enrollment methods.

Select the suitable enrollment method for Android devices

Hexnode offers many techniques for onboarding Android devices with deployment methods varying from simple QR codes to zero-touch enrollment.

However, certain UEM features are available only with devices that are enrolled in the Android Enterprise program. Android Enterprise is a robust platform that enables organizations to use Android devices and apps in the workplace by providing numerous enterprise-specific device functionalities. The Android Enterprise program empowers enterprises to run their businesses as they want, while managing the endpoints with end-to-end security. You can enroll in Android Enterprise either as a Device Owner or Profile Owner.

Here are some general features available for all devices enrolled as either Device or Profile Owner enabled devices:

  • Clear Password action (Android 7.0+)
  • Request application feedback
  • App Configurations
  • App Permissions
  • Android Enterprise – Compliance
  • OEMConfig restrictions
  • Restrictions on:
    • Users can adjust volume
    • Beam from the device
    • Configure cellular network
    • Configure Wi-Fi
    • Configure user credentials
    • Users can enable location sharing
    • Read any connected physical external media
    • Trust Agents for Smart Lock
    • Unredacted Notifications
    • Fingerprint Unlock
    • Iris Scanner
    • Face Unlock
    • Control apps
    • Verify apps before install
    • App Runtime Permissions
    • Parent profile app linking

The features specific to the different management modes in Android Enterprise are listed below:

Management Mode Features
Device Owner Bypass Factory Reset Protection (Google Account Verification)
Schedule OS Updates
Lock Task Mode
  1. Restrictions on:
    • Backup service
    • Make a call
    • Display dialogs/windows
    • Keep Screen On while charging (Android 6.0+)
    • Configure Bluetooth
    • Configure cell broadcast
    • Users can reset network settings
    • Update date and time automatically
    • Set time zone automatically
    • Lock Screen Camera
    • Lock Screen Notifications
Profile Owner Work Profile Password to set up a password for the work container.
Prevent copying contents between normal and work profiles

Some organizations prefer enrollments that deliver a zero-touch deployment experience for their users. In that case, make use of Android zero-touch enrollment or Samsung Knox enrollment.

If an organization prefers remote deployment of large-scale OS updates on Android devices, opt for ROM/OEM enrollment.

Some UEM configurations and restrictions available for Android devices are device specific. For instance, some restrictions such as disabling NFC, configuring VPN, customizing boot/shutdown animation, etc., work only on Samsung Knox devices.

Choose the right enrollment method for Windows devices

Hexnode houses several methods to enroll Windows devices. Almost all features work on all types of enrollment methods. However, opt for enrollment via the Hexnode Installer method if your organization has the following requirements:

  • Executing custom scripts on Windows devices to automate specific routine or time-consuming operations.
  • Perform real-time diagnosis of devices using the remote viewing functionality.
  • Deploy enterprise apps without any manual intervention.
  • Dynamically fetch the hardware information of a device from the Hexnode portal, which will be displayed on its Device Summary page.
  • Enrolling Devices