Latest posts by Timothy Warner (see all)
- Sysmalogic Active Directory Report Builder - Lightning-fast AD search and report tool - Tue, Oct 17 2017
- Veeam Backup & Replication for VMware and Hyper‑V 9.5: New features - Thu, Oct 12 2017
- EventSentry SysAdmin Tools - Handy freeware utilities - Tue, Oct 10 2017
You know, it wasn’t too many years ago when IT department leaders were faced with a tough choice: either deploy company-issued mobile phones and therefore require employees to carry at least two devices, or allow employees to access corporate data with their own mobile devices.
Fortunately, the Bring Your Own Device (BYOD) landscape has changed. Mobile Device Management (MDM) solutions such as VMware AirWatch, Cisco Meraki, and Microsoft Intune allow the best of both worlds: employees can carry a mobile phone of their choosing, and the company can selectively manage the device to ensure that corporate data is secured.
What MDM Plus does ^
Specifically how does ManageEngine MDM Plus enable a secure and workable BYOD scenario? Well, let’s start by considering some of the most important things that IT managers want to do with fully or partially managed mobile devices:
- Platform management: Manage multiple mobile OS platforms, including Apple iOS, Google Android, and Microsoft Windows Phone.
- App management: Distribute in-house apps and selectively approve/block third-party apps.
- Asset management: View and manage a rich inventory of each mobile device’s hardware and software configuration.
- Security management: Track mobile devices and perform a remote wipe of lost or stolen devices.
Of course, MDM Plus can do all the above and more. Let’s take a closer look!
Initial setup and device enrollment ^
ManageEngine offers us a 30-day, feature-unrestricted trial of MDM Plus for cloud. I had my account created and was within the MDM Plus web portal within three minutes—it was that easy. Once again, you can also run MDM Plus on premises, but from my perspective you can’t beat the convenience of the cloud approach.
The portal home page, shown below, employs infographics to help you grasp the setup process. Sadly, some of these graphics are non-interactive. In my view, ManageEngine should make all these graphic elements clickable.
MDM Plus uses infographics to make it easier for you to grasp the setup workflow.
We’ll now head over to the Device Mgmt page to enroll my iPhone with MDM Plus. The enrollment setup process is largely the same regardless of the mobile operating systems in use:
- Create a management certificate (Apple Push Notification Service, Google Cloud Messaging, Windows Push Notification Services).
- Distribute management profile, policy profile, and MDM apps to clients.
- Verify devices in the MDM Plus console.
Once again, I created my Apple Push Notification (APN) certificate within five minutes. You can enroll your users’ devices in a number of ways:
- Bulk enrollment via CSV input file(s)
- Self-enrollment via e-mail invitation
- Administrative enrollment by using Apple Configurator
In my environment, I enrolled my iPhone via an e-mail invitation. As you can see below, I received an e-mail message from ManageEngine containing an enrollment link and a one-time password (OTP).
I’m invited to register my iPhone with MDM Plus.
NOTE: ManageEngine is technically a division of the Zoho Corporation. To wit, you’ll see various references to both names in the MDM Plus infrastructure.
All that users need to do on their end, besides click the e-mail link, is accept the management profile coming from your cloud server. At the end of the process, they will have the ME MDM app on their device. You can see all this in the following screen capture:
The user’s perspective of the MDM Plus device enrollment process
Inside the ME MDM app you can access the App Catalog, which is where your deployed apps appear to the end users.
As far as firewall exceptions are concerned, you should open TCP ports 5223, 5228, 5229, and 5230 for the IPv4 range 188.8.131.52/8.
You can verify that the device is successfully registered by checking the web portal, as shown below:
My iPhone has been registered successfully with MDM Plus.
Performing common management tasks with MDM Plus ^
I believe I know what you’re thinking: “Tim, how can I restrict our mobile users from jailbreaking/rooting their devices? How can we force users to use passcode security?”
The answer to this question is the policy profile. But, before we get there, how about obtaining a general device inventory? In the portal, click Admin > Enrollment from the navigation bar and click a managed device to see its inventory data:
Here we see the full configuration details of a managed iPhone.
Notice in the above screen capture that you can see at a glance whether the device has been jailbroken/rooted. By navigating to the Geo-Tracking tab, we can obtain the device’s location and optionally perform a remote wipe or passcode reset if necessary.
MDM Plus includes geo-tracking and remote wipe capability.
To create a management profile (where the “good stuff” lies), navigate to Device Mgmt > Profiles and create a new iOS, Android, or Windows Phone profile. As you can see in the following screenshot, you can make and enforce some useful mobile device policies, including:
- Passcode lock setting and lockout policy
- Wi-Fi and VPN connections
- E-mail configuration (including Exchange ActiveSync)
- Corporate calendars
- Selective allowances/blocks for built-in features such as the camera, screen capture, in-app purchase, etc.
You can deploy mobile device policies that enforce your IT security standards.
Speaking of apps, you can purchase, deploy, and manage your own internally developed apps as well as those you obtain from the Apple App Store, Google Play Store, or Windows Apps Store. The process of licensing and deploying so-called “Enterprise apps” is beyond the scope of our discussion today, but know that it’s possible.
ManageEngine MDM Plus also offers support for Samsung KNOX security. This is a cool technology that involves creating an encrypted “container” on managed devices where the user stores company data. I like this notion because it draws a hard boundary between the user’s own personal data and data that belongs to the organization and is likely under industry and/or governmental compliance regulations.
The bottom line ^
ManageEngine MDM Plus offers us Windows administrators a low barrier to entry in the mobility management market. What’s even cooler is that MDM Plus is completely free for up to 25 managed devices. The free tier supports one administrator (super) user, and one sub-administrative technician role. (I forgot to say that MDM Plus uses the role-based access control [RBAC] administration model.)
The prices of the on-premises and cloud options are comparable. As of this writing in February 2016, assuming 1 technician and 200 managed devices, an annual on-prem license is $3245 USD, and an annual cloud license is $4325.
Let me leave you with some useful overview and documentation links to help you learn more about MDM Plus: