MAM-only Android devices

You can specify that Ivanti EPMM provides MAM-only features to some registered Android devices, but both MAM and MDM features to other Android devices.

Your choice has no impact on the Ivanti EPMM capabilities for other device platforms, such as Android Enterprise devices, iOS devices, and Windows devices.

To make an Android device MAM-only, you configure an Android quick setup policy in which you disable device administration. When you apply this policy to Android devices, Ivanti EPMM supports app installation using Apps@Work and most policies and configurations. However, Ivanti EPMM cannot perform any features that require the device administrator on the device. Specifically, Ivanti EPMM cannot do the following on the MAM-only Android devices:

  • Cannot enforce device password requirements from the security policy.
  • Cannot enforce device encryption requirements from the security policy.

EXCEPTION: Ivanti EPMM can enforce device log encryption from the security policy.

  • Cannot enforce Android-related lockdown policies from the lockdown policy.
  • Cannot apply Samsung-specific features, which include:
    • Samsung Knox features, including per app VPN
    • Samsung native email
    • Samsung-related policies: Samsung kiosk policy, Samsung general policy, Android firmware policy
    • Samsung-related configurations: Samsung APN, Samsung browser, Samsung kiosk, and Samsung Knox container
    • Samsung-related VPN configurations: OpenVPN, Samsung Knox IPsec, and Tunnel (Samsung Knox Workspace)
    • Silent installation of apps
  • Cannot apply silent installation of apps on Zebra devices
  • Does not support silent installation of certificates
  • The device user is always prompted to accept a certificate.
  • Cannot enforce blocking smart lock or blocking fingerprint from the security policy.
  • Cannot enforce common criteria mode from the security policy.
  • Cannot enforce compliance actions for the following security violations on the security policy:
    • When data encryption is disabled
    • When the device administrator is deactivated
    • When Samsung Knox device attestation fails
  • Cannot wipe the MAM-only device.

Note the following:

  • Ivanti Mobile@Work on the device also cannot wipe the device, even if the AppConnect global policy or the security policy specify wipe as a device-initiated compliance (local compliance) action.
  • When using Android Custom ROM menus, if you choose wipe as a compliance action, the device is not wiped if the security violation occurs. Instead, the device is retired.