advertisement
Chapter 11: Device Enrollment
Configuring Enrollment Restrictions
You can set up enrollment restrictions to control which users can enroll and which device types are allowed. After your organization evaluates the number and kinds of devices your employees own and determines which ones make sense to use in your work environment, you can configure the following settings.
Enrollment Restrictions
When integrating AirWatch with directory services, you can choose whether or not to restrict enrollment to only known users or configured groups. Known users are users that already exist in the AirWatch Admin Console. Configured groups are users associated to directory service groups if you choose to integrate with user groups. These options are available by navigating to Groups & Settings > All Settings > Devices & Users > General > Enrollment and choosing the
Restrictions tab.
For information about integrating your directory services groups with AirWatch, refer to the VMware AirWatch
Directory Services Guide document, available on
Setting Description
Restrict
Enrollment to Known
Users
Enable to restrict enrollment only to users that already exist in the AirWatch Admin Console. This applies to directory users you manually added to the AirWatch Admin Console one by one or through batch import. It can also be used to lock down enrollment after an initial deployment that allowed anyone to enroll. This enables you to selectively allow users to enroll.
Disable this option to allow all directory users who do not already exist in the Admin Console to enroll into
AirWatch. AirWatch user accounts are automatically created during enrollment.
Restrict
Enrollment to
Configured
Groups
Enable to restrict enrollment and only allow users belonging to All Groups or Selected Groups (if you have integrated with user groups) to enroll devices. You should not select this option if you have not integrated with your directory services user groups.
Disable this option to allow all directory users to create new AirWatch user accounts during enrollment. In addition, you can select the Enterprise Wipe devices of users not belonging to configured groups option to automatically enterprise wipe any devices not belonging to any user group (if All Groups is selected) or a particular user group (if Selected Groups is selected).
One option for integrating with user groups is to create an "MDM Approved" directory service group, import it to AirWatch, then add existing directory service user groups to the "MDM Approved" group as they become eligible for AirWatch MDM.
Note: For iOS devices enrolled through Apple's Device Enrollment Program (DEP), enrollment restrictions do not apply. This is because device information such as OS version, device model, etc. is only received after the device has been enrolled through DEP.
Policy Settings
Save your enrollment restrictions as a policy:
1. Navigate to Devices > Device Settings > Devices & Users > General > Enrollment.
2. Select the Restrictions tab and then selectAdd Policy located in the Policy Settings section. The Add/Edit
VMware AirWatch Mobile Device Management Guide | v.2016.02 | February 2016
Copyright © 2016 VMware, Inc. All rights reserved. Proprietary & Confidential.
104
Chapter 11: Device Enrollment
Enrollment Restriction Policy screen displays.
3. Add a new enrollment restriction policy:
Setting
Enrollment
Restriction Policy
Name
Organization
Group
Policy Type
Allowed
Ownership Types
Allowed
Enrollment Types
Device Limit
Description
Enter a name for your enrollment restriction policy.
Choose an organization group from the drop-down field. This is the OG to which your new enrollment restriction policy will apply.
Select the type of enrollment restriction policy, which can be either Organization Group
Default to apply to the selected organization group, or User Group Policy for specific User
Groups through Group Assignment Settings on the Restrictions tab.
Choose whether you will permit or prevent Corporate - Dedicated, Corporate - Shared, and
Employee Owned devices.
Choose whether you will permit or prevent the enrollment of devices using MDM (AirWatch
Agent) and AirWatch Container (for iOS/Android) apps.
Select Unlimited to allow users to enroll as many devices as they want.
Leave this box unchecked to enter values for the Device Limit Per User section, to define the maximum number of devices per ownership type: l
Maximum Devices Per User
l
Corporate Max Devices
l
Shared Max Devices
l
Employee Owned Max Devices
Allowed Device
Types
Select the Limit enrollment to specific platforms, models or operating systems checkbox to add additional device-specific restrictions.
Determine what kind of device limitations you should have by selecting the Device Level
Restrictions Mode. Your choices are: l
Only allow listed device types (Whitelist) – Select this option to explicitly allow only devices matching the parameters you enter and to block everything else.
l
Block listed device types (Blacklist) – Select this option to explicitly block devices matching the parameters you enter and to allow everything else.
For either device-level restrictions mode, select Add Device Restriction to choose a
Platform, Model, Manufacturer (specific to Android devices), Operating System, or
Enterprise Version. You may also add a Device Limit per defined device restriction. You may add multiple device restrictions.
You can also block specific devices based on their IMEI, Serial Number or UDID by navigating to Devices > Lifecycle > Enrollment Status and selecting Add. This is an effective way to block a single device and prevent it from re-enrolling without affecting other users' devices.
Preventing re-enrollment is also available as an option when performing an Enterprise Wipe.
4. Select Save and the Add / Edit Enrollment Restriction Policy screen will save your changes and close, taking you back to the Devices & Users / General / Enrollment screen.
VMware AirWatch Mobile Device Management Guide | v.2016.02 | February 2016
Copyright © 2016 VMware, Inc. All rights reserved. Proprietary & Confidential.
105
Chapter 12:
Device Profiles
Configuring General Profile Settings
VMware AirWatch Mobile Device Management Guide | v.2016.02 | February 2016
Copyright © 2016 VMware, Inc. All rights reserved. Proprietary & Confidential.
106
advertisement
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
Related manuals
advertisement