How to choose the right enrollment method for specific enterprise features?

When evaluating an MDM solution, an organization may be looking for specific features that can meet its growing needs. Hexnode UEM offers a comprehensive MDM toolkit that helps enterprises cover every possible aspect of device management. However, some MDM features are specific to certain enrollment methods. For instance, silent installation of iOS apps works only on supervised devices. Businesses can therefore use specific enrollment methods to unlock particular features and controls.

This article runs through the features available with the different enrollment methods in Hexnode, so that organizations can choose the most suitable method based on the features they need.

Choose the right method for enrolling Apple devices

Supervision is a special management mode mainly designed for institutionally owned iOS, iPadOS and tvOS devices. Supervising a device unlocks advanced management controls that are not available for non-supervised devices. To supervise a device, you must use either Apple Business/School Manager or the Apple Configurator method.

Here are some of the features that can be unlocked by supervising iOS devices through either ABM/ASM or Apple Configurator:

Version Features
iOS 6+
  1. Lock down devices to a single application (Single App kiosk mode)
  2. Set up Global HTTP Proxy
  3. Allow or restrict:
    • iBooks Store
    • iMessage
    • Game Center
    • Use profanity filter
    • Install configuration profile
iOS 7+
  1. Set up autonomous single app mode
  2. Enforce web content filtering
  3. Silent installation of store and enterprise apps
  4. Activation Lock bypass
  5. Restrictions on:
    • AirDrop
    • Prevent pairing with non-Configurator hosts
    • Apps can modify cellular data usage
    • Modify Find My Friends
    • Modify an account
    • Siri can access user-generated content
iOS 8+
  1. Always-on VPN
  2. Set Wallpaper
  3. Restrictions on:
    • Show web results using Spotlight Search
    • Add or remove Touch ID (iOS 8.3+)
    • Erase content and settings
    • Modify Restrictions/Screen Time
    • Predictive keyboard
    • Definition lookup
    • Auto-correct words
    • Suggest words on misspellings
    • Podcasts
iOS 9+
  1. Blacklist/Whitelist apps (iOS 9.3+)
  2. Enable Lost Mode
  3. App Notifications (iOS 9.3+)
  4. Add Google accounts (iOS 9.3+)
  5. Lock Screen Message (iOS 9.3+)
  6. Home Screen Layout (iOS 9.3+)
  7. Lock down devices to multiple apps (Multi App kiosk mode)
  8. Website kiosks (iOS 9.3+)
  9. Restrictions on:
    • News
    • Keyboard shortcuts
    • Modify passcode
    • Modify device name
    • Modify wallpaper
    • Download all purchased apps automatically
    • Apple Music (iOS 9.3+)
    • Pair with Apple Watch
    • iTunes Radio
    • Users can turn notifications on/off
    • Modify diagnostic data submission settings
iOS 10+
  1. Power Off (iOS 10.3+)
  2. Restart Device (iOS 10.3+)
  3. Remotely Ring Device (iOS 10.3+)
  4. Restrictions on:
    • Modify Bluetooth settings
    • Use voice to type
    • Connect to MDM-configured Wi-Fi networks only
iOS 11+
  1. Delay software updates (iOS 11.3+)
  2. Restrictions on:
    • Remove system apps
    • Add or remove Face ID
    • Create VPN configuration
    • Modify cellular plan settings
    • AirPrint
iOS 12+
  1. Restrictions on:
    • Force Automatic Date and Time
    • Autofill Passwords
    • Request passwords from nearby devices
    • Share passwords via AirDrop Passwords feature
    • Users can modify Personal Hotspot settings
    • eSIM Modification
iOS 13+
  1. Restrictions on:
    • Camera
    • FaceTime
    • Show App Store on the device
    • iTunes Store
    • Force user to enter iTunes store password for each purchase
    • Safari
    • Autofill (Safari)
    • Add friends in Game Center
    • Backup
    • Sync documents
    • Explicit music, podcasts and iTunes U services

Supervising and enrolling Apple TV devices via ABM/ASM or Apple Configurator will unlock the following benefits:

In the case of Mac devices, almost all features work for all types of enrollments. However, the following features require macOS to be enrolled via ABM/ASM:

In addition to the above features, enrolling Apple devices via ABM/ASM has added benefits over other enrollment methods.

Select the suitable enrollment method for Android devices

Hexnode offers a plethora of techniques for onboarding Android devices with deployment methods varying from simple QR codes to zero-touch enrollment.

However, certain MDM features are available only with devices that are enrolled in the Android Enterprise program. Android Enterprise is a robust platform that enables organizations to use Android devices and apps in the workplace by providing numerous enterprise-specific device functionalities. The Android Enterprise program empowers enterprises to run their businesses in the way they want while managing the endpoints with end-to-end security. You can enroll in Android Enterprise either as Device Owner or Profile Owner.

Here are some general features available for all devices enrolled as either Device Owner or Profile Owner:

  • Clear Password action (Android 7.0+)
  • Request application feedback
  • App Configurations
  • App Permissions
  • Android Enterprise – Compliance
  • OEMConfig restrictions
  • Restrictions on:
    • Users can adjust volume
    • Beam from the device
    • Configure cellular network
    • Configure Wi-Fi
    • Configure user credentials
    • Users can enable location sharing
    • Read any connected physical external media
    • Trust Agents for Smart Lock
    • Unredacted Notifications
    • Fingerprint Unlock
    • Iris Scanner
    • Face Unlock
    • Control apps
    • Verify apps before install
    • App Runtime Permissions
    • Parent profile app linking

The features specific to the different management modes in Android Enterprise are listed below:

Management mode Features
Device Owner
  1. Bypass Factory Reset Protection (Google Account Verification)
  2. Schedule OS Updates
  3. Lock Task Mode
  4. Restrictions on:
    • Backup Service
    • Make a call
    • Display dialogs/windows
    • Keep Screen On while charging (Android 6.0+)
    • Bluetooth configurations
    • Cell broadcast configurations
    • Users can reset network settings
    • Update date and time automatically
    • Set time zone automatically
    • Lock Screen Camera
    • Lock Screen Notifications
Profile Owner
  1. Work Profile Password to set up a password for the work container
  2. Prevent copying contents between normal and work profiles

Some organizations prefer enrollments that deliver a zero-touch deployment experience for the users. In that case, make use of Android zero-touch enrollment or Samsung Knox enrollment.

If an organization prefers remote deployment of large-scale OS updates on Android devices, go for ROM/OEM enrollment.

Some MDM configurations and restrictions available for Android devices are device-specific. For instance, some restrictions such as disabling NFC, configuring VPN, customizing boot/shutdown animation, etc., work only on Samsung Knox devices.

Choose the right enrollment method for Windows devices

Hexnode houses several methods to enroll Windows devices. Almost all features work on all types of enrollment methods. However, go for enrollment via the Hexnode Installer method if your organization has the following requirements:

  • Execute custom scripts on Windows devices to automate specific routine or time-consuming operations.
  • Perform real-time diagnosis of devices using the remote viewing functionality.
  • Deploy enterprise (MSI) apps without any manual intervention.
  • Dynamically fetch the hardware information of a device from the Hexnode portal, which will be displayed on its Device Summary page.