IBM Support

New enhancements to Android agent enrollment workflows

Release Notes


Abstract

With Device Owner (DO) and Work Profile on Corporate Owned (WPCO) enrollments, users were able to skip the device enrollment process by restarting the device during the initial setup. This leaves the device insecure and open to inadvertent configuration changes that can make it vulnerable. Moreover, management of the device is not initiated automatically and must be started manually by the end user. To protect the device from these situations, MaaS360 adds a new flag to the enrollment process that allows administrators to enforce management and policies on the device before the initial setup. This flag prevents users from skipping the mandatory enrollment screens, so that devices are not left unmanaged and unsecured.

Content

In Android 8.0, MaaS360 revamped the Android agent enrollment screens with a new user interface and productivity enhancements. In previous releases, the new enrollment enhancements were available by default only to Device Admin bulk enrollments. Administrators had to create a custom URL and embed it in the HTML file to apply the new enrollment changes to Profile Owner, Device Admin, and SPS.

New updates:

  • Extends the new enrollment enhancements to all enrollment modes (Device Admin, Profile Owner, and Device Owner). All devices automatically go through the new enrollment flow during enrollment without requiring additional configuration.
  • Allows administrators to force device enrollment as part of device provisioning so that users cannot skip important device enrollment screens. MaaS360 executes device enrollment as a part of device provisioning to enforce management and policies before users start using the device. In previous releases, users were able to skip the mandatory enrollment screens and then modify the security settings on the device.

    Administrators must add the following additional attribute when creating the enrollment configuration:

    • Key: force_enrollment_before_provisioning
    • Values:
      • user_controlled - Users can control whether they want to enroll the device before or after the initial device setup.
      • Yes - MaaS360 forces device enrollment on a factory reset before users start using the device.
      • No - MaaS360 starts device enrollment after users complete initial device setup.

      For more information about additional attributes, see https://www.ibm.com/docs/en/maas360?topic=guide-additional-android-enterprise-enrollment-attribute.

  • Replaces local authentication screens with a unified webview.
  • Removes the enrollment completion notification and displays the enrollment status directly on the enrollment screen.
  • Displays the number of retry attempts directly on the enrollment screen.
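
An audit check for the `force_enrollment_before_provisioning` attribute described above, as an added example that is not IBM or MaaS360 code. It assumes the attribute is delivered inside the standard Android `android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE` object of the QR provisioning payload and that values are compared case-insensitively; the configuration names, `example_key` and the sample payloads are constructed.

```python
import json

# Standard Android Enterprise provisioning extra that carries EMM-specific pairs.
# Assumption: the MaaS360 attribute is placed in this bundle.
ADMIN_EXTRAS = "android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE"
FLAG = "force_enrollment_before_provisioning"  # key named on this page

# Values documented on this page, lower-cased, mapped to an audit verdict.
VERDICTS = {
    "yes": "enforced",              # enrollment runs before the device is usable
    "no": "deferred",               # enrollment starts after initial setup
    "user_controlled": "deferred",  # the user decides when enrollment happens
}

def audit_payload(raw):
    """Return 'enforced', 'deferred', 'missing' or 'invalid' for one QR payload."""
    try:
        payload = json.loads(raw)
    except json.JSONDecodeError:
        return "invalid"
    if not isinstance(payload, dict):
        return "invalid"
    extras = payload.get(ADMIN_EXTRAS)
    if not isinstance(extras, dict) or FLAG not in extras:
        return "missing"  # the page does not state a default, so flag for review
    value = extras[FLAG]
    if not isinstance(value, str):
        return "invalid"  # e.g. JSON true instead of the string "Yes"
    return VERDICTS.get(value.strip().lower(), "invalid")

def audit_all(payloads):
    """Map each configuration name to a verdict and list those needing review."""
    results = {name: audit_payload(raw) for name, raw in payloads.items()}
    needs_review = sorted(n for n, v in results.items() if v != "enforced")
    return results, needs_review

# Constructed sample payloads (hypothetical, not real MaaS360 output).
SAMPLES = {
    "kiosk-fleet": json.dumps({ADMIN_EXTRAS: {FLAG: "Yes"}}),
    "sales-wpco": json.dumps({ADMIN_EXTRAS: {FLAG: "user_controlled"}}),
    "legacy-do": json.dumps({ADMIN_EXTRAS: {"example_key": "PLACEHOLDER"}}),
    "typo": json.dumps({ADMIN_EXTRAS: {FLAG: True}}),
}

if __name__ == "__main__":
    results, needs_review = audit_all(SAMPLES)
    for name, verdict in results.items():
        print(f"{name}: {verdict}")
    print("needs review:", ", ".join(needs_review))
```
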

New enrollment workflows

New enrollment screens are available only on devices running Android OS version 7 and later.

Device Owner enrollment using a QR code when force_enrollment_before_provisioning is set to user_controlled

[Screenshots of the enrollment screens]


WPCO enrollment using a QR code when force_enrollment_before_provisioning is set to yes

[Screenshots of the enrollment screens]


Document Information

Modified date:
13 March 2024

UID

ibm16841251