How to securely disenroll devices from endpoint management platforms?
This document highlights the best practices to securely disenroll devices from corporate endpoint management platforms like Hexnode.
Device disenrollment action removes a device from Hexnode UEM when it is no longer necessary for the device to be managed by the organization. While enrollment marks device provisioning, disenrollment detaches the device from administration and is necessary when a device is being retired, repurposed, or returned by an employee.
However, before disenrolling a device, it is important to be aware of its impact on the device. Read on to learn more about these effects.
Loss of device management
Disenrolling a device will remove the policies, apps, configurations and any installed certificates that had been associated while it had been enrolled in the Hexnode portal. So, the device will no longer be under the control of Hexnode UEM, and any security features or app restrictions applied to it will not be effective anymore.
Let’s see how the deployed features will be affected:
Hexnode Email App
The email account associated with the user through the Hexnode Email app will also be removed from the device, deleting any configurations and settings associated with it.
Hexnode Access
Similarly, if Hexnode Access is set on the device, disenrollment will remove the configuration from the device, and it will return to an unmanaged state, erasing the previous accounts associated with the device via Hexnode Access.
Required Apps
Regarding the removal of apps, note that on Android and Windows devices, only the apps added through the Required Apps policy with the option ‘Remove apps from the device on policy removal’ enabled will be removed from the devices on disenrollment. All other installed apps, including the Hexnode UEM app itself, will remain on the device and must be uninstalled manually.
For iOS and macOS devices, all apps installed through the Hexnode portal will be removed upon disenrollment.
Before disenrolling a device from the MDM platform, it’s important to consider the ownership of the device and its associated user.
Ownership
The disenrollment of a device does not automatically remove the device’s assigned user from the Hexnode UEM portal. However, if you intend to disenroll all the devices assigned to a user because they are leaving the organization, you can delete the user from the portal, which will automatically disenroll all the devices that were assigned to them.
Alternatively, you can choose to reassign the devices (if corporate-owned) to a new user allowing continuity while ensuring that the user’s data and configurations are removed when they leave.
Pre-disenrollment preparation
User Communication
On disenrolling a device, its user may experience disruptions in service, especially if the device has access to corporate apps or network resources that were managed by Hexnode. For instance, if the device is set up in kiosk mode and you mark the device as disenrolled (in case the disenrollment status is pending), Hexnode UEM loses control over the device, and it will remain locked in kiosk mode permanently. Hence, communicating with users prior to disenrollment is crucial to ensure they are not adversely impacted by the action.
Asset Recovery
Before disenrolling, the devices must be physically recovered so that each asset’s functionality and condition can be checked to determine its potential for reuse or resale. Each device should be verified by cross-referencing its make, model, serial number, and device ID against your organization’s asset inventory records. This process ensures accurate identification and helps prevent misplacement. Additionally, if a device is in an inactive state, recovering it first is important so that the disenrollment can complete on the device and avoid any disruptions.
Data Backup
Disenrollment triggers the removal of corporate data, apps, and configurations that were installed or managed through the platform. This includes any settings, security policies, and custom configurations applied to the device.
As a result, it’s vital to ensure that any important data (documents and app-specific files) is securely backed up before proceeding with disenrollment. The stored backups let you restore it later, if necessary.
Marking as Disenrolled
After considering all the factors mentioned above and initiating the device disenrollment, you may notice the status remains “Pending” on the portal. This can occur due to reasons such as the device being in an inactive state for an extended period or if the device has been factory reset already. If this happens, marking the device as disenrolled allows you to immediately free up the slot, enabling you to enroll a new device without waiting for the disenrollment process to complete on the current device. But keep in mind that Hexnode UEM will no longer be able to communicate with a device that is marked as disenrolled.
Device Wipe
Device wipe plays an important role in the disenrollment of devices. It ensures that all sensitive corporate data is securely wiped from the device on disenrollment. Additionally, if the device is to be reassigned to a new user, the wipe clears all information from the previous user, providing a clean slate for the next individual. However, it is essential to back up any crucial data before performing the wipe to prevent the loss of important information. Without a proper backup, important information could be permanently lost.
Corporate Wipe
Disenrolling a device from the Hexnode UEM portal automatically initiates a corporate wipe, which removes all the corporate files, apps and configurations from the device. The personal data on the device, however, will remain untouched. This makes disenrollment particularly well suited to BYO devices, as it preserves the user’s personal data while wiping the corporate data and returning the device to an unmanaged state.
Complete Wipe
In cases where an organization-owned device, used for both personal and corporate purposes, is being disenrolled and reassigned to a new user, a complete wipe ensures that all data (both personal and corporate) is fully erased from the device and restores it to its default factory settings, providing a clean slate for the next user.
Note that, after a complete wipe of standard or rooted Android devices, unsupervised iPhones/iPads, Windows, or Macs, these devices will need to be manually re-enrolled. However, ADE-enrolled devices, Android devices enrolled via Samsung Knox, Zero-touch, or ROM/OEM enrollment, and those with the Hexnode UEM or System Agent app installed as a system/privileged app will automatically re-enroll in Hexnode UEM once powered on and connected to the internet after a wipe. For Android devices enrolled in Device Owner mode, the device must be reset to its factory settings after disenrollment before it can be re-enrolled into any MDM.
Inventory Audit
An inventory audit is a recommended practice before disenrolling a device. By conducting an audit prior to disenrollment, you ensure that you have a comprehensive record of the device configurations, installed apps, and other device-related information, which may be helpful for future reference or re-enrollment.
In Hexnode UEM, you can make use of the Reports tab to generate device reports, including enrolled devices, compliance status, and any non-compliance issues, which can help you understand the status of a device before disenrollment. This data can be exported as a PDF/CSV file, ensuring that there is a backup of the information related to the device even after its disenrollment.
You can also view the status of the disenrollment actions (successful, pending or failed) and a list of the disenrolled devices in the Reports tab.
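The asset-recovery and inventory-audit steps above both come down to reconciling two records: the device report exported from the portal and the organization’s asset inventory. The following Python script is an added example, not Hexnode’s own code or API; the CSV column names, the sample device rows and the inventory rows are constructed for illustration. It cross-references each exported device against the inventory by serial number, flags make/model mismatches and devices missing from inventory, recommends a corporate wipe for BYO devices and a complete wipe for corporate-owned ones (as the Device Wipe section describes), and warns about the one case the article singles out: a kiosk-mode device whose disenrollment is still pending, which must not simply be marked as disenrolled.

```python
import csv
import io

# Constructed sample of a device report export (modelled on the CSV export
# described in the article). The column layout is an assumption, not the
# real Hexnode export format.
DEVICE_REPORT_CSV = """device_name,platform,serial_number,make,model,ownership,user,kiosk_mode,disenroll_status
LAP-0142,Windows,SN-W-0142,Dell,Latitude 5540,Corporate,alice,no,Success
TAB-0077,Android,SN-A-0077,Samsung,Galaxy Tab A8,Corporate,bob,yes,Pending
PHN-0310,iOS,SN-I-0310,Apple,iPhone 14,BYOD,carol,no,Success
PHN-0999,Android,SN-A-0999,Google,Pixel 7,Corporate,dave,no,Pending
PHN-0500,iOS,SN-I-0500,Apple,iPhone 13,Corporate,erin,no,Success
"""

# Constructed asset inventory records (layout is likewise an assumption).
ASSET_INVENTORY_CSV = """serial_number,make,model,asset_tag
SN-W-0142,Dell,Latitude 5540,AT-1001
SN-A-0077,Samsung,Galaxy Tab A8,AT-1002
SN-I-0310,Apple,iPhone 14,AT-1003
SN-A-0999,Google,Pixel 6,AT-1004
"""


def load_csv(text):
    """Parse CSV text into a list of row dicts keyed by the header."""
    return list(csv.DictReader(io.StringIO(text)))


def recommend_wipe(ownership):
    """BYO devices keep personal data (corporate wipe); corporate-owned
    devices being reassigned get a complete wipe."""
    return "corporate wipe" if ownership.strip().upper() == "BYOD" else "complete wipe"


def reconcile(report_rows, inventory_rows):
    """Cross-reference exported devices against inventory by serial number.
    Returns {serial: finding}, where each finding lists any issues that
    should be resolved before the disenrollment is finalised."""
    inventory = {row["serial_number"]: row for row in inventory_rows}
    findings = {}
    for dev in report_rows:
        serial = dev["serial_number"]
        issues = []
        asset = inventory.get(serial)
        if asset is None:
            issues.append("not found in asset inventory")
        else:
            # Make and model must agree with the inventory record.
            for field in ("make", "model"):
                if dev[field] != asset[field]:
                    issues.append(
                        f"{field} mismatch: export says {dev[field]!r}, "
                        f"inventory says {asset[field]!r}"
                    )
        # Marking a pending kiosk device as disenrolled would leave it locked
        # in kiosk mode with no way for the portal to reach it.
        if dev["disenroll_status"] == "Pending" and dev["kiosk_mode"] == "yes":
            issues.append(
                "kiosk device with pending disenrollment: exit kiosk mode "
                "before marking as disenrolled"
            )
        findings[serial] = {
            "device_name": dev["device_name"],
            "asset_tag": asset["asset_tag"] if asset else None,
            "wipe": recommend_wipe(dev["ownership"]),
            "status": dev["disenroll_status"],
            "issues": issues,
        }
    return findings


def pending_devices(findings):
    """Serials whose disenrollment has not completed (candidates for
    physical recovery or, once checked, for 'mark as disenrolled')."""
    return sorted(s for s, f in findings.items() if f["status"] == "Pending")


def run_checklist():
    """Run the reconciliation over the constructed sample data."""
    return reconcile(load_csv(DEVICE_REPORT_CSV), load_csv(ASSET_INVENTORY_CSV))


if __name__ == "__main__":
    results = run_checklist()
    for serial, finding in results.items():
        flag = "OK " if not finding["issues"] else "CHK"
        print(f"[{flag}] {serial} {finding['device_name']} -> {finding['wipe']}; "
              f"status={finding['status']}; issues={finding['issues']}")
    print("pending:", pending_devices(results))
```

Any device with a non-empty issues list should be held back until the record is corrected or the device is physically recovered; the wipe recommendation assumes a backup of important data has already been taken, as the Data Backup section requires.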
Conclusion
Disenrolling a device is a critical process in managing your organization’s devices, and it requires careful planning and consideration. By following the best practices outlined above, you can ensure that the disenrollment process is carried out smoothly and without disruption.