MDM

On the MDM page, you can choose if you want to use DME for Mobile Device Management (MDM) or an external MDM provider.

DME has partnered with an external MDM/MAM provider, SOTI, to integrate their advanced MDM capabilities called MobiControl into DME. This is described in detail in Appendix B - see Appendix B: External MDM integration.

To go with standard DME MDM, leave the Enable external MDM switch Off. You then have these options for enrolling devices:

• Using OMA DM (legacy Symbian devices only; see OMA DM installation)
• Using Apple MDM enrollment (see MDM on Apple iOS)
• Configure devices as Corporate device (Android only; see Android security settings)

For a stronger and more coherent MDM integration, you can choose to integrate with an external MDM provider. If you do so, and the external MDM provider has been set up, you can, set the Enable external MDM switch to On.

1. If you have previously been using Apple MDM, you have uploaded an Apple MDM Certificate and its public and private keys. Switching to external MDM, the certificate and associated keys will be deleted.

   Furthermore, all enrollment information for all enrolled Apple devices will be deleted, and any existing enrollment will no longer work. This is made clear by a dialog:

   

   If you are sure that you know what you are doing, select Yes, stop using DME MDM, and click Delete. If not, click Cancel, and read Appendix B.

2. When you choose to use an external MDM provider, the DME Administration Web Interface will change:
   • The Provisioning tab will go away.
   • The Device information page will now include the External MDM device ID in the Device properties section.
   • Various MDM-related options are removed from the interface, as they are now handled by the external MDM provider:

     Block / unblock device function

     Apple MDM and Apple profiles subtabs on device

     Android security settings

     Options to Allow Basic MDM devices and Lock jailbroken/rooted devices

     The Applications panel section for blocking apps at device, group, and default level

     The Apple MDM status is not shown in Server configuration > Monitor

     The Apple MDM enrollment page is disabled

   • The option to allow devices to switch users is moved from to this window from Server configuration > Authentication.

When external MDM is enabled, enter the following details:

• Path to external MDM

  This is the path to the server where the external MDM system is installed. The following is an example of a path:

  https://mobi.company.com

• User name

  This is the name of a user with administration permissions on the external MDM system.

• Password

  This is the password for the user above.

• Use REST API

  With MobiControl 13 or later, it is recommended to use the REST API, as this is the only supported interface. For more information about the MobiControl REST API, please click on the link: External MDM REST API below the Use REST API button.

• Client ID and Client Secret

  The REST API uses OAuth2 authentication, and therefore requires a Client ID and a Client Secret created by the MobiControl server. The Client ID and Client Secret can be generated this way:

  1. Log in to the MobiControl server
  2. Launch a command prompt, and navigate to the MobiControl installation directory
  3. Execute the command: MCAdmin.exe APIClientAdd -n:DMEServer1
• Allow devices to switch users

  When an external MDM provider is selected, we recommend that devices are allowed to switch users. If this is not allowed, a device is currently prevented from passing to another user unless the device is completely removed from DME first. This option has been moved from Server configuration > Authentication to this window to remind you to consider whether it should be allowed or not.

• Allow un-enrolled devices

  If this switch is OFF, DME checks all devices that try to access DME to see if they are enrolled with the external MDM system, active in the system, and not blocked by the external MDM system. If a device fails either of these tests, it is denied access to DME.

  If this switch is ON, you allow devices access to DME, even if they are not enrolled with the external MDM system. An un-enrolled device is only denied access if it has been blocked in DME. This is a more relaxed setting which allows you to include Bring Your Own Device (BYOD) in your device mix, even when integrating with an external MDM system.

• Link to external MDM

  Below these options is a link to the administration interface of the external MDM provider, based on what you entered in the field Path to external MDM.

Click Save to complete the switch to or from external MDM control. For more information, see Appendix B: External MDM integration.