Category Filter

How to restrict users from removing MDM administration?

MDM simplifies your work by helping you manage your devices. You can only manage your devices as long as the devices are enrolled in your MDM. In case if a user disenrolls a device, then you would no longer be able to manage the device, and you would get a message showing “Agent Removed” on the device details page. So how can we prevent the users from revoking management?

Corporate Devices

Corporate devices are owned by the enterprise and should be managed all the time. These devices should be able to prevent users from revoking management. This can be accomplished by using various corporate enrollment methods. These methods prevent the device from removing management even if the device has been factory reset. The device automatically gets re-enrolled to the MDM after the factory reset.

iOS
macOS
Android
Windows
  • Restriction can be applied to prevent the users from removing management. You can enable the restriction from Policies > Windows > Restrictions > Security > Manual MDM administration removal.

Personal Devices

Hexnode MDM supports BYOD, so your enterprise will also have personal devices in play. Since they are personal devices, it isn’t practical to restrict a user from removing management. But we can notify the admin through email when a device is disenrolled. The notification settings would be enabled as default, but you can manage the notifications by navigating to Admin > Notifications > MDM agent removed from the device.

We also provide a configuration to prevent the removal of management on Samsung Knox and LG Gate devices. You would be able to enable the restriction by navigating to Policies > Android > Restrictions > Security >Allow MDM administration removal.

Hexnode also helps you keep track of your devices by providing detailed reports. You can view the list of inactive devices on your portal by navigating to Reports > Device Reports > Inactive Devices.

As users could disenroll the devices, it is recommended to configure the corporate accounts and install enterprise apps through the MDM. So once the device is disenrolled from the MDM, the configurations and the apps installed would also be removed, protecting the corporate data.