9.10 Enrolling Mobile Devices

9.10.1 Enrolling an iOS DEP Device

Enrolling a DEP device is simple for an end user, as you can enable the user to skip most of the device activation prompts by modifying the DEP Profile. Before enrolling a DEP device, ensure that you meet the following prerequisites:

Prerequisites

  • Add a DEP Server in ZCC that links the ZENworks MDM Server and the virtual MDM Server in the Apple portal.

  • Assign devices to the virtual MDM Server in the Apple portal. These devices are then discovered by ZENworks and populated in ZCC.

  • (Optional) Assign users to the device, if you want only this user to be associated with the device during DEP enrollment.

  • (Optional) Modify the DEP profile settings to enhance the enrollment process.

  • (Conditional) If you modify the DEP profile, ensure that modified DEP profile is successfully assigned to the Apple Portal.

Additionally:

  • Assign a Mobile Enrollment Policy.

  • (Conditional) If you are re-enrolling a device that was retired by another user, then ensure that the earlier device object is deleted in ZCC.

  • (Optional) Assign a Mobile Email Policy to configure the email account on the device.

For more information on each of these tasks, see ZENworks 2017 Mobile Management Reference.

Procedure

Follow the setup prompts to enroll the device. After the user configures the Wi-Fi settings, log-in to the device with the user credentials. If the device is assigned to a specific user, then the credentials of only this user should be specified or else enrollment will fail.

After the device enrolls, you can view the Deployment Status of the device in ZCC, which should have changed from Discovered to Managed. You can view this status on the device’s summary page.

9.10.2 Enrolling an iOS Device using Apple Configurator

Apple Configurator is a Mac OS X tool, that assists administrators in the deployment of iOS devices in business or education settings. Apple Configurator makes reassigning devices quick and simple, allowing the next user to start with a clean slate of content.

Prerequisites

  • Assign a Mobile Enrollment Policy.

  • Copy the Apple Enrollment URL, which specifies the MDM Server to which the device will enroll. To obtain this, in ZCC navigate to Configuration > Infrastructure Management > MDM Servers. Select a MDM Server and click Apple Enrollment URL.

  • (Optional) Assign a Mobile Email Policy to configure the email account on the device.

For more information on each of these tasks, see ZENworks 2017 Mobile Management Reference.

Procedure

  1. Connect the device through the USB port to the Mac.

  2. Right-click and select Prepare or select Prepare from the top menu bar in the Apple Configurator.

  3. Select Manual in the Configuration drop down menu. Click Next.

  4. Select the MDM Server to which you want the device to enroll. If you do not have the MDM Server saved in the drop-down menu, then select New Server.

  5. Specify a name for the server and paste the Apple Enrollment URL copied from ZCC. To obtain this, in ZCC navigate to Configuration > Infrastructure Management > MDM Servers. Select a MDM Server and click Apple Enrollment URL. Copy the URL and paste it in the Define an MDM Server page in the Apple Configurator. This MDM Server will be saved for future use.

  6. Select Supervise devices, if you want to set the device as supervised. The check box to Allow devices to pair with other computers is automatically enabled.

  7. Select the organization that will supervise these devices.

  8. Select the appropriate option from the Setup Assistant drop-down menu, if you want to skip certain setup steps during enrollment of the device. Check the setup items that should be presented during device enrollment.

  9. Click Prepare to prepare the connected device.

After the preparation stage, the iOS device will reset to its factory settings. After the device is reset, follow the prompts that will be displayed on the iOS device as configured in the Configure iOS Setup Assistant page in the Apple Configurator. After entering the Wi-Fi password, the user will be prompted for the user credentials.

9.10.3 Enrolling an iOS Device using the ZENworks User Portal

This scenario shows you how to enroll an iOS device as a fully managed device in your ZENworks Management Zone. This type of enrollment creates an MDM profile on the device using which you can apply restrictions and deploy apps on the device.

Prerequisites

  • ZENworks supports devices on running iOS version 8 and newer.

  • A user source is configured and enabled for mobile device enrollment.

  • An enrollment policy is created and assigned to the user.

  • An MDM role is assigned to a Primary Server.

  • Push notifications for iOS devices.

  • To enable ZENworks to synchronize emails for Exchange ActiveSync accounts, an ActiveSync server should be configured. Also, create and assign a Mobile Email Policy with the ZENworks Server configured as the proxy server for the ActiveSync Server. This will enable ZENworks to manage the corporate emails sent and received on the device.

  • Enrollment of iOS devices using the Safari browser running in the private mode is supported only on iOS versions 11 or later.

Procedure

  1. Enters ZENworks_server_address/zenworks-eup, where ZENworks_server_address is the DNS name or IP address of the ZENworks MDM Server, in the Safari browser on the device.

    The login screen for the ZENworks User Portal is displayed.

  2. Enter the user’s user name and password. If Allow Simple Enrollment option is selected for the user source to which the user belongs, then the registration domain need not be specified or else specify the registration domain.

    All devices associated with the user, are displayed in the ZENworks User Portal.

  3. Tap Enroll in the upper-right corner to display the enrollment options for the device.

  4. Tap Managed Device Only to display the Enroll Device Options screen. If you have configured your Mobile Device Enrollment policy to allow the user to specify the device ownership (corporate or personal), you are prompted for that information. Select the appropriate device ownership option and click OK.

  5. Tap Download Certificate to display the Install Profile screen.

  6. Tap Install and follow the prompts to install the certificate and return to the Enroll as Managed Device screen.

  7. (Conditional) Enable the enrollment certificate on the device. This step will appear on devices running on iOS versions 10.3 or newer. To enable the certificate:

    1. Navigate to the Settings menu on the device and click General.

    2. Click About.

    3. Click Certificate Trust Settings.

    4. Enable the root certificate displayed on the screen.

  8. Tap Download Profile in the Enroll as Managed Device screen, to display the profile install screen. Tap Install and follow the prompts to install the profile and return to the Enroll as Managed Device screen.

  9. Tap Home to return to the Home page. The device is displayed in the My Devices list with the status as Enrollment in Progress. You need to refresh the browser to update the status to Device is Active.

    At this point in time, you can view the enrollment mode on the Device Information page in ZCC. To view the device information, from the left hand side navigation pane in ZCC, click Devices > Mobile Devices (or navigate to the folder as configured in the Mobile Enrollment Policy) and select the appropriate device. The enrollment will be displayed as iOS MDM.

  10. An email account is automatically set up on the device based on the Mobile Email Policy assigned to the user or the device.

9.10.4 Enrolling Android Devices in the Work Profile Mode

The work profile mode creates dedicated containers on devices for corporate apps and data, thereby enabling the organization to manage only the corporate data. This mode is intended for the BYOD scenario, where the user gets to bring their own devices to the workplace.

Prerequisites

Mandatory Settings

  • Create an Android Enterprise Subscription.

  • Create and assign a Mobile Enrollment Policy.

  • Create and assign an Android Profile Enrollment Policy.

  • Ensure that the Android version is 5.0 or newer (for the work profile mode) or 6.0 or newer (for work-managed device mode.

Optional Settings

  • Invite users to enroll their devices.

For more information on each of these tasks, see ZENworks 2017 Mobile Management Reference.

Procedure

The scenario elaborated in this section is meant for users who are enrolling their devices to ZENworks for the first time. For users who have already enrolled their devices in the basic mode (Android App only) and want to enroll in the work profile mode, see Work Profile Enrollment for Existing Users.

Procedure

  1. Install the ZENworks Agent App from Google Play Store. Alternatively, the user can follow the procedure mentioned in the invite letter to download the ZENworks Agent app.

  2. Click Open, after installation. A brief description of the ZENworks Agent is displayed. The user clicks Continue.

  3. Click Activate this Device Administrator to enable device management using the app.

  4. Log into the app by specifying the following:

    Username, Password, Domain, Server URL: Specify the username, password, and registration domain (if Allow Simple Enrollment is disabled for the user) along with the server URL of the ZENworks MDM Server. The user can obtain this information from the invite letter.

  5. Specify the device ownership (corporate or personal) if you configured the Mobile Enrollment policy to allow the user specify the ownership. Tap OK.

  6. Follow the prompts appearing in the remaining screens and the device will automatically set up a work profile and enroll to ZENworks.The ZENworks Agent App Home screen is displayed that shows the device as enrolled and active.

  7. View the device information in ZCC. Click Devices > Mobile Devices (or navigate to the folder as configured in the Mobile Enrollment Policy) from the left hand navigation pane in ZCC. Click the appropriate device and view its details in the Summary page. The enrollment mode is displayed as Android App and Work Profile Mode is also enabled.

After your device is enrolled, a Badge icon attached to the ZENworks Agent App icon and other system apps will help differentiate work apps from personal apps.

Work Profile Enrollment for Existing Users

For users who have already enrolled to ZENworks using the basic mode of enrollment (Android App only) and now want to be enrolled in the work profile mode, assign the Android Profile Enrollment Policy to these users.

After assigning the Mobile Enrollment Policy, the users receive a notification on their devices to set up a work profile when they open the ZENworks Agent app.

The user clicks Set Up and follows the prompts to set up the work profile. The device will automatically set up the work profile.

9.10.5 Enrolling an Android device in the work-managed device mode

The work-managed device mode enables administrators to manage the entire device, thereby restricting the device to corporate use only. This mode is mainly intended for corporate-owned devices.

Prerequisites

Mandatory Settings

  • Create an Android Enterprise Subscription.

  • Create and assign a Mobile Enrollment Policy.

  • Create and assign an Android Profile Enrollment Policy.

  • Ensure that the Android version is 5.0 or newer (for the work profile mode) or 6.0 or newer (for work-managed device mode.

Procedure

  1. Follow the initial setup screens such as language setup and Wi-Fi configuration.

  2. Specify the AFW identifier (afw#zenworks) in the setup screen that displays the Email ID field.

  3. Click Next in the Android Enterprise page to proceed with the ZENworks App installation.

    The ZENworks agent app will be automatically downloaded on the device.

  4. Click Install to install the app on the device and follow the prompts to complete setting up the device.

  5. Follow the prompts appearing in the remaining screens to set up a work-managed device. The device is now setup but is yet to be enrolled as a work-managed device.

  6. Login to the app with the following details:

    Username, Password, Domain, Server URL: Specify the username, password, and registration domain (if Allow Simple Enrollment is disabled for the user) along with the server URL of the ZENworks MDM Server.

    The work-managed device is automatically setup on the device.

View the device information in ZCC. Click Devices > Mobile Devices (or navigate to the folder as configured in the Mobile Enrollment Policy) from the left hand navigation pane in ZCC. Click the appropriate device and view its details in the Summary page. The enrollment mode is displayed as Android App and Work-managed Device Mode is also enabled.

9.10.6 Enrolling an ActiveSync-only device

Prerequisites

Before enrolling a mobile device as a fully managed device or an email only device, you need to ensure that the following prerequisites are met:

  • ZENworks supports devices running on ActiveSync 12.1 and newer versions.

  • A user source is configured and enabled for mobile device enrollment.

  • An enrollment policy is created and assigned to the user.

  • An MDM role is assigned to a Primary Server.

  • Push notifications for an Android device.

  • To enable ZENworks to synchronize emails for Exchange ActiveSync accounts, an ActiveSync server should be configured. Also, create and assign a Mobile Email Policy with the ZENworks Server configured as the proxy server for the ActiveSync Server.

Procedure

This scenario shows you how to enroll a device as an Email Only device in your ZENworks Management Zone. This scenario details the procedure to enroll an iOS device as an Email Only Device.

  1. Enter ZENworks_server_address/zenworks-eup, where ZENworks_server_address is the DNS name or IP address of the ZENworks MDM Server, in a browser on the device.

    The login screen for the ZENworks User Portal is displayed.

  2. Enter the user’s user name and password in the ZENworks User Portal. If Allow Simple Enrollment option is selected for the user source to which the user belongs, then the registration domain need not be specified or else specify the registration domain.

  3. Tap Enroll on the upper-right corner, to display the enrollment options for the device.

  4. Tap Email Only to display the Enroll as Email Only screen. Use the displayed information to create an email account for the user.

    After the user configures the email account, an email is sent to the user stating that the enrollment process needs to be completed. You can edit the contents of this email in ZCC, by navigating to Configuration > Management Zone Settings > Event and Messaging > Email Notifications.Click the relevant email and edit its contents.

  5. Click the link to the ZENworks End User Portal provided in the email or visit the ZENworks End User Portal as described in Step 1.

    On the ZENworks User Portal, the device is displayed in the My Devices list. At this point, the device has been added to the ZENworks Management Zone but is pending enrollment.

  6. Tap Complete Enrollment.

    If you configured your Mobile Enrollment policy to allow the user to specify the device ownership (corporate or personal), you are prompted for that information. On the device, provide the required enrollment information, then tap OK.

    The My Devices list is updated to show that the device is enrolled and active.

  7. Verify that the device is receiving emails, by sending an email to the user from another account.

    After the device is enrolled to the ZENworks Management Zone, the enrollment mode of the device is displayed as ActiveSync on the Device Information page in ZCC. To view the device information, from the left hand side navigation pane in ZCC, click Devices > Mobile Devices (or navigate to the folder as configured in the Mobile Enrollment Policy) and select the appropriate device.