Registration methods

Registering a device designates it for management by Ivanti EPMM.

Support for Android 5.0 and 5.1 has ended. Ivanti EPMM server will still allow existing registered devices with Android 5.0 / 5.1 to run.

Before you begin 

Setting the registration PIN code length for device user registration

The following registration methods are available:

The process resulting from these methods may vary by device OS.

Invite users to register

In-app registration

One way to reduce the load on IT personnel is to instruct iOS, macOS, and Android users to download the Ivanti EPMM app directly from the App Store on iTunes or from Google Play and initiate registration from within the [email protected] app.

If the administrator has not enabled Server Name Lookup, the email the device user gets will ask them to enter the full URL of Ivanti EPMM into [email protected] If the administrator enabled Server Name Lookup, the email sent to the device user will ask them to enter the email domain.

For iOS devices

  1. Go to Settings > System Settings > iOS > MDM and select the Send email to device user and notification to client if MDM profile is not installed check box.

  2. Device users of iOS 12.2 and later will need to download [email protected], manually navigate to Settings view and download the MDM profile.

  3. Device users then complete the registration process by responding to registration prompts. If Ivanti EPMM detects that the MDM profile has not yet been installed, upon the next device check-in, [email protected] will display a notification asking the device user to re-enroll.

    In iOS 13, the option to "Allow Always" was removed from the iOS Settings app. Instead, a dialog box displays requesting device users to enable tracking when the [email protected] app is running. [email protected] opens iOS Settings where device users can choose "Ask Next Time" or "Never". Ivanti recommends device users to enable tracking. This change applies to all versions of iOS 13 or supported newer versions. [email protected] for iOS does not track device users' location without consent.

For macOS devices

  • Applicable to macOS 11.0 or supported newer versions.

  • Once completed, the mac device is a supervised device.

Procedure 

For macOS device registration in the self-service portal, a device user must perform the following steps:

  1. Log in with their credentials.

  2. In the Install Management Profile page, the device user grants permission for the download of the profile. The profile is downloaded to the device user's local system.

  3. Double-click the downloaded profile (macenroll.mobileconfig) to make it visible in the device user's System Preferences. There is limited time for the device user to install the profile before it becomes invalid.

  4. Go to System Preferences > Profiles.

  5. Select Install to install the management profile.

  6. Continue and finish the installation procedure. Enter the system password when prompted.

Administrator tasks

  • This feature depends on access to the Ivanti EPMM Gateway; therefore, the corresponding port must be properly configured. See the Pre-Deployment Checklist in the On-Premise Installation Guide for details. The User Portal role must be assigned to the user.

  • For iOS devices, you must enable the MDM profile in the Admin Portal.
    • Go to Settings > System Settings.

    • Expand iOS and select MDM. The MDM page displays.

    • Select the Enable MDM Profile check box. 

    • Select Save.

  • To auto-populate the Ivanti EPMM server name during registration, the following setup is required:
    • The user associated with the device must be known as an LDAP user or defined as a local user.

    • To auto-populate based on the email address, you must register your VSP with Ivanti EPMM

  • Set up the registration email template, see Customizing registration messages

  • Schedule email reminders, see Customizing registration messages

  • Send the email invitation to device users.

Customized registration using a URL or a QR Code

As a convenience, instead of device users entering registration credentials, you can setup an infrastructure to use a QR Code or URL link to automatically enter the registration credentials. This feature is applicable for iOS and macOS devices.

Before you begin 

The company administrator must set up an infrastructure to generate a web page containing a QR Code or URL link from the credentials generated by UEM (see Implementing infrastructure for QR code with device PIN.)

  • In the case where the web page generated by the company is viewed on a computer, a QR Code would be appropriate to present. When constructing the QR code, it should contain a URL and follow this format:

    mirp://<server host name>&user=<Username>&pin=<PIN>

    Example: mirp://your.server.rock.com&u[email protected]&pin=4444

    It is recommended that the web page created by the administrator to provide a QR code also provides the instructions to download the app from the iTunes App Store or Google Play and the instructions to scan the QR code.

  • In the case where the web page is viewed on the device where [email protected] is being registered, a URL link would be appropriate.

Implementing infrastructure for QR code with device PIN

The below procedure works for iOS devices and utilizes the PIN code as part of the registration.

1. Enable the PIN code registration

  1. Go to Settings > Users & Devices > Device Registration.
  2. Select the appropriate field for the type of Android device:

    • For unmanaged Android devices, change the In-App registration requirement to Registration PIN.

    • For managed Android devices, change the Zero Touch and Samsung Knox Mobile Enrollment field OR the Managed Devices / Device Owner (afw#, QR code, NFC) field to Registration PIN.

2. Enable the QR code integration

  1. Go to Settings > Users & Devices > Device Registration.

  2. Select on Templates tab > Registration Templates.

  3. Select your language and then select the Edit button.

  4. In the Registration Email section, PIN field, replace the default text with this code: 

    <li>Registration PIN: <i>$PASSCODE$</i> (valid for $PASSCODE_TTL$ hours)

    <p>

    Or Scan the QR Code:

    </p>

    <P>

    <img id=&#39;barcode&#39;

    src="https://api.qrserver.com/v1/create-qr-code/?data=mirp%3A%2F%2F$SERVER_URL$%26user%3D$USER_ID$%26pin%3D$PASSCODE$"

    width="200"

    height="200" />

    </P>

  5. Select Save.

    When this code has been added, administrators can directly register a device from the Device Registration screen in Ivanti EPMM and / or the device user can initiate the registration from the e-mail invitation.

Registering using a web page on a desktop computer

Below is a sample implementation where the web page is viewed on a desktop computer.

Procedure 

  1. Ivanti EPMM administrator sends device user an email with a link to the company's webpage.

  2. In the email, the device user taps on the link.

    The link opens to the company web page displaying a QR code on it.

  3. On the user's device, the user goes to the iTunes App Store or Google Play and downloads [email protected]

  4. User launches the phone's camera.

    The Scan QR Code page may open. Device users will need to allow access to the device camera for scanning the QR code. Tap on Open Settings, slide the camera on, then return to [email protected]

  5. User scans the QR code that is on the web page.

    The [email protected] login page opens with the username, server address and PIN/password fields populated.

    If the PIN field is not automatically populated, the device user will need to manually enter it.

  6. User taps Go or Register and continues the registration process.

Note the following:

  • On launching the [email protected] app, the user can tap on the QR code icon (to the right of the user name field), and launch the in-app camera. This camera can then be used to scan the QR code and continue with the registration process.

  • On devices running iOS 11.0 or later, the native camera can be used to scan the QR code. Upon scanning the QR code, the device user is prompted to launch [email protected] Tapping on the prompt launches [email protected] with the device user’s credentials filled in. The device user can then tap Go or Register to continue with the registration process.

  • On devices running iOS 10, the native camera lacks the ability to scan QR codes. To work around this, the device user can launch the [email protected] app, tap on the QR code icon (to the right of the user name field), and launch an in-app camera. This camera can then be used to scan the QR code and continue with the registration process.

Registering using a web page on an iOS device

Below is a sample implementation where the web page is viewed on an iOS device.

Procedure 

  1. Administrator sends device user an email with a link to the company's web page.

  2. In the email, the device user taps on the link.

    The company's web page opens displaying two links.

  3. Device user taps on the first link and downloads the [email protected] app from the iTunes App store or from Google Play.

  4. Device user taps on the second link, the [email protected] login page opens with the username, server address and PIN/password fields populated.

    If the PIN field is not automatically populated, the device user will need to manually enter it.

  5. User taps Go or Register and continues the registration process.

    In iOS 13, the option to "Allow Always" was removed from the iOS Settings app. Instead, a dialog box displays requesting device users to enable tracking when the [email protected] app is running. [email protected] opens iOS Settings where device users can choose "Ask Next Time" or "Never". Ivanti recommends device users to enable tracking. This change applies to all versions of iOS 13 or supported newer versions. [email protected] for iOS does not track device users' location without consent.

Customized registration using SAML IdP

As a part of the registration process, device users log into a third-party identity provider (IdP), such as Ping. Once the authentication is successful, the device user is prompted to download the profile, completing the registration process.

Before you begin 

You must have SAML enabled. See "Configuring SAML/IdP support" in the Ivanti EPMM System Manager Guide.

Procedure 

  1. Enable SAML in the System Manager.

  2. Configure an identity provider.

  3. In the Admin Portal, go to Settings > Users & Devices > Device Registration page.

  4. In the Apple Web-based Registration Requirement field, select SAML-based registration. If this field is not selected, there will be no change in the registration.

    Once SAML on iReg or DEP is set, SAML configuration from the System Manager can be either disabled or deleted. You must first de-select the "SAML-based registration" check box in the Device Registration page in Ivanti EPMM before you can disable the IdP SAML connection in the System Manager.

  5. Select Save.

Users register additional devices

Once a device has been registered, an authorized user can use the user portal to register additional devices without administrative help. This is often used with adding devices for users who do not require assistance.

  • Users must have the User Portal role assigned, with the Device Registration option enabled.

  • The user needs to know the following information for the device:
    • phone number (if any)

    • country

    • platform

Self-service User Portal

Administrator registers ActiveSync devices

If you have a Sentry configured, then you can see the devices that are connecting to your ActiveSync server. To incorporate these devices into your Ivanti EPMM inventory, you can use the Register button in the ActiveSync Associations screen. This is often used with devices accessing email via ActiveSync.

  • Sentry must be installed and configured.

  • The user (local or LDAP) associated with the device must be available for selection at the time of registration.

  • For iOS, Android, and Windows devices, the User Portal role must be assigned to the user.

  • You need to know the following information for the device:
    • phone number (if any)

    • country code

    • platform

ActiveSync device registration

Registering an Apple TV

You can register an Apple TV to Ivanti EPMM only through Apple Configurator.

Before you begin

The Apple TV must be connected to your corporate network. You can do this by configuring Wi-Fi on the Apple TV or connecting the Apple TV to your Ethernet.

Procedure

Using the Apple TV Assistant to import the MDM profile results in an error message. Cancel out of the Apple TV Assistant.

You can do the following when you manage an Apple TV with Ivanti EPMM:

  • View device information.

  • Distribute Wi-Fi profiles to the Apple TV.

  • Retire the device.

Registration via user portal

The user portal can be used to streamline the registration process. See Self-service User Portal for more information.