advertisement
Chapter 11: Device Enrollment
Configuring Enrollment Restrictions
You can set up enrollment restrictions to control which users can enroll and which device types are allowed. After your organization evaluates the number and kinds of devices your employees own and determines which ones make sense to use in your work environment, you can configure the following settings.
Enrollment Restrictions
When integrating AirWatch with directory services, you can choose whether or not to restrict enrollment to only known users or configured groups. Known users are users that already exist in the AirWatch Admin Console. Configured groups are users associated to directory service groups if you choose to integrate with user groups. These options are available by navigating to Groups & Settings > All Settings > Devices & Users > General > Enrollment and choosing the
Restrictions tab.
For information about integrating your directory services groups with AirWatch, refer to the VMware AirWatch
Directory Services Guide document, available on
Setting Description
Restrict
Enrollment to Known
Users
Enable to restrict enrollment only to users that already exist in the AirWatch Admin Console. This applies to directory users you manually added to the AirWatch Admin Console one by one or through batch import. It can also be used to lock down enrollment after an initial deployment that allowed anyone to enroll. This enables you to selectively allow users to enroll.
Disable this option to allow all directory users who do not already exist in the Admin Console to enroll into
AirWatch. AirWatch user accounts are automatically created during enrollment.
Restrict
Enrollment to
Configured
Groups
Enable to restrict enrollment and only allow users belonging to All Groups or Selected Groups (if you have integrated with user groups) to enroll devices. You should not select this option if you have not integrated with your directory services user groups.
Disable this option to allow all directory users to create new AirWatch user accounts during enrollment. In addition, you can select the Enterprise Wipe devices of users not belonging to configured groups option to automatically enterprise wipe any devices not belonging to any user group (if All Groups is selected) or a particular user group (if Selected Groups is selected).
One option for integrating with user groups is to create an "MDM Approved" directory service group, import it to AirWatch, then add existing directory service user groups to the "MDM Approved" group as they become eligible for AirWatch MDM.
Note: For iOS devices enrolled through Apple's Device Enrollment Program (DEP), enrollment restrictions do not apply. This is because device information such as OS version, device model, etc. is only received after the device has been enrolled through DEP.
Policy Settings
Save your enrollment restrictions as a policy:
1. Navigate to Devices > Device Settings > Devices & Users > General > Enrollment.
2. Select the Restrictions tab and then selectAdd Policy located in the Policy Settings section. The Add/Edit
VMware AirWatch Mobile Device Management Guide | v.2016.02 | February 2016
Copyright © 2016 VMware, Inc. All rights reserved. Proprietary & Confidential.
104
Chapter 11: Device Enrollment
Enrollment Restriction Policy screen displays.
3. Add a new enrollment restriction policy:
Setting
Enrollment
Restriction Policy
Name
Organization
Group
Policy Type
Allowed
Ownership Types
Allowed
Enrollment Types
Device Limit
Description
Enter a name for your enrollment restriction policy.
Choose an organization group from the drop-down field. This is the OG to which your new enrollment restriction policy will apply.
Select the type of enrollment restriction policy, which can be either Organization Group
Default to apply to the selected organization group, or User Group Policy for specific User
Groups through Group Assignment Settings on the Restrictions tab.
Choose whether you will permit or prevent Corporate - Dedicated, Corporate - Shared, and
Employee Owned devices.
Choose whether you will permit or prevent the enrollment of devices using MDM (AirWatch
Agent) and AirWatch Container (for iOS/Android) apps.
Select Unlimited to allow users to enroll as many devices as they want.
Leave this box unchecked to enter values for the Device Limit Per User section, to define the maximum number of devices per ownership type: l
Maximum Devices Per User
l
Corporate Max Devices
l
Shared Max Devices
l
Employee Owned Max Devices
Allowed Device
Types
Select the Limit enrollment to specific platforms, models or operating systems checkbox to add additional device-specific restrictions.
Determine what kind of device limitations you should have by selecting the Device Level
Restrictions Mode. Your choices are: l
Only allow listed device types (Whitelist) – Select this option to explicitly allow only devices matching the parameters you enter and to block everything else.
l
Block listed device types (Blacklist) – Select this option to explicitly block devices matching the parameters you enter and to allow everything else.
For either device-level restrictions mode, select Add Device Restriction to choose a
Platform, Model, Manufacturer (specific to Android devices), Operating System, or
Enterprise Version. You may also add a Device Limit per defined device restriction. You may add multiple device restrictions.
You can also block specific devices based on their IMEI, Serial Number or UDID by navigating to Devices > Lifecycle > Enrollment Status and selecting Add. This is an effective way to block a single device and prevent it from re-enrolling without affecting other users' devices.
Preventing re-enrollment is also available as an option when performing an Enterprise Wipe.
4. Select Save and the Add / Edit Enrollment Restriction Policy screen will save your changes and close, taking you back to the Devices & Users / General / Enrollment screen.
VMware AirWatch Mobile Device Management Guide | v.2016.02 | February 2016
Copyright © 2016 VMware, Inc. All rights reserved. Proprietary & Confidential.
105
Chapter 12:
Device Profiles
Configuring General Profile Settings
VMware AirWatch Mobile Device Management Guide | v.2016.02 | February 2016
Copyright © 2016 VMware, Inc. All rights reserved. Proprietary & Confidential.
106
advertisement
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
Related manuals
advertisement
Table of contents
- 9 What's New
- 10 Introduction to Mobile Device Management (MDM)
- 10 Before You Begin
- 10 Supported Browsers
- 11 Supported Devices
- 13 Overview
- 13 Logging into the AirWatch Admin Console
- 13 Setting Your Security PIN
- 14 Using the Getting Started Wizard
- 15 The AirWatch Admin Console at a Glance
- 17 Using the Global Search
- 18 Viewing Notifications
- 18 Using the Mobile Console
- 20 Overview
- 20 Generating an APNs Certificate
- 20 Creating a Privacy Notification
- 21 Configuring Privacy Settings
- 23 Privacy Best Practices
- 25 Setting Up Autodiscovery
- 26 Configuring Terms of Use
- 28 Configuring Console Branding
- 29 Configuring Restricted Actions
- 31 Integrating with Other Enterprise Systems
- 34 Overview
- 35 Creating Organization Groups
- 37 Creating Organization Group Types
- 38 Comparing Organization Groups Using Settings Comparison
- 41 Overview
- 41 Choosing User Authentication Types
- 47 Creating Basic User Accounts
- 50 Creating Directory-Based User Accounts
- 53 Managing User Accounts
- 55 Using the Bulk Import Feature
- 57 Creating an Admin Account
- 58 Managing Admin Accounts
- 60 Overview
- 60 Default and Custom Roles
- 62 Creating and Managing User Roles
- 63 Creating and Managing Administrator Roles
- 66 Comparing Admin Roles
- 68 Added Resources
- 70 Overview
- 70 Adding User Groups Without Directory Integration (Custom)
- 70 Adding Directory-Based User Groups
- 72 Editing User Groups Permissions
- 72 Accessing User Details
- 73 Managing User Groups
- 75 Device Assignments
- 79 Overview
- 79 Creating a Smart Group
- 80 Assigning a Smart Group
- 82 Managing Smart Groups
- 86 Overview
- 86 Using Assignment Groups
- 89 Overview
- 89 System Capabilities
- 89 Supported Platforms
- 90 Organizing Shared Devices
- 91 Provisioning Devices for Multi-User Device Staging
- 91 Using Shared Devices
- 93 Overview
- 93 Required Information
- 93 The Enrollment Process
- 94 Additional Enrollment Workflows
- 94 Performing Device Staging
- 96 Registering Devices
- 100 Configuring Enrollment Options
- 102 Customizing Enrollment Messages
- 103 Blacklisting and Whitelisting Device Registration
- 104 Configuring Enrollment Restrictions
- 107 Overview
- 107 Configuring General Profile Settings
- 109 Managing Device Profiles
- 113 Editing Device Profiles
- 114 View Device Assignment
- 115 Compliance Profiles
- 115 Geofences
- 117 Time Schedules
- 120 Compliance Overview
- 121 Navigating Compliance Policies List View
- 123 Compliance Policies by Platform
- 125 Adding a Compliance Policy
- 131 Overview
- 131 Creating a New Tag
- 132 Adding Tags
- 133 Managing Tags
- 133 Filtering Devices by Tag
- 134 Tags and Smart Groups
- 136 Overview
- 136 Using the Device Dashboard
- 137 Using the Device List View
- 141 Using Device Details
- 144 Using Device Actions
- 150 Using the Enrollment Status Page
- 152 Using Lifecycle Notifications
- 153 Using Wipe Protection
- 155 Using AirWatch Hub
- 161 Overview
- 161 Managing Digital Certificates
- 161 Certificate Integration Resources
- 164 Overview
- 164 Creating Custom Attributes
- 165 Assigning Organization Groups Using Custom Attributes
- 167 Overview
- 167 Accessing the Self Service Portal on Devices
- 167 Using the My Devices Page of the SSP
- 171 Performing Actions in the SSP
- 174 Self-Service Portal Actions Matrix
- 175 Customizing the Self Service Portal (SSP)