Registration methods

Registering a device designates it for management by Ivanti EPMM.

Support for Android 5.0 and 5.1 has ended. Ivanti EPMM server will still allow existing registered devices with Android 5.0 / 5.1 to run.

Before you begin 

Setting the registration PIN code length for device user registration

The following registration methods are available:

You can also register Android devices using the Provisioning app. See Provisioning an Android Enterprise device

The process resulting from these methods may vary by device OS.

Administrator invites device users to register

For device users who are mobility savvy and do not require significant assistance, you can send an invitation and enable them to register their own phones. You can send an invitation to multiple users from the Users Management screen. The invitation includes instructions on how to log into the user portal to register phones.

The administrator needs to know the following information for the device:

  • Phone number (if any)

  • Country

  • Platform

In-app registration

One way to reduce the load on IT personnel is to instruct iOS, macOS, and Android users to download the Ivanti EPMM app directly from the App Store on iTunes or from Google Play and initiate registration from within the Ivanti Mobile@Work app.

If the administrator has not enabled Server Name Lookup, the email the device user gets will ask them to enter the full URL of Ivanti EPMM into Ivanti Mobile@Work. If the administrator enabled Server Name Lookup, the email sent to the device user will ask them to enter the email domain.

Administrator tasks

  • This feature depends on access to the Ivanti EPMM Gateway; therefore, the corresponding port must be properly configured. See the Pre-Deployment Checklist in the On-Premise Installation Guide for details. The User Portal role must be assigned to the user.

  • To auto-populate the Ivanti EPMM server name during registration, the following setup is required:
  • Schedule email reminders, see Customizing registration messages

Registering Android devices

In Ivanti EPMM 11.3.0.1 and newer versions, all new registrations for devices with Android 10 and later versions will be blocked by Ivanti EPMM by default IF they meet the following requirements:

  • The Android 10+ device is in Device Admin mode (DA)

  • There is no Android Enterprise configuration assigned to the correct label

Note the following:

  • An Android 10+ device that is already registered on Ivanti EPMM in Device Admin mode will be allowed to migrate to Cloud.

  • The Android 10+ device will be retired if there is no Android Enterprise configuration in place.

  • MAM-only scenarios will still be supported, but the Quick setup policy with Device Admin mode will be disabled. However, in AppConnect, the Ivanti EPMM administrator will be able to register devices and SAM-wrapped apps using Android Quick Setup. For more information, see the AppConnect Guide for EPMM.

As with other types of devices, you can configure whether you want Android device users to enter a password, PIN, or both during registration. This can be done with managed and un-managed Android devices.

You can also set the device ownership to Company-owned or Employee-owned at registration.

If upgrading to Ivanti EPMM 10.6.0.0, and you have your Device Registration set to a specific authentication setting (Password, Registration PIN or Password and Registration PIN), the setting will be retained as a default. If you are registering devices for the first time using Ivanti EPMM 10.6.0.0 or supported newer version, the default setting is Password.

Before you begin 

Setting the registration PIN code length for device user registration

Procedure 

  1. Upload the APK file for Ivanti Mobile@Work for Android to a secure server. This server must be accessible to device users.

  2. For unmanaged Android devices:
    1. Go to Settings > System Settings > Users & Devices > Device Registration.

    2. In the In-App Registration Requirement field, select one of the following:

      • Password - device user will be required to enter username and password.

      • Registration PIN - device user will be required to enter a registration PIN.

      • Password and Registration PIN - device user will be required to enter a username, password, and registration PIN.

      • User and Registration PIN - prompts device user to enter username and PIN. Device user is allowed five login attempts before Ivanti EPMM blocks the device. When this occurs, an error message "Authentication Failed: Invalid Credentials" displays.

    3. Select Save.

  3. For Zero Touch and Samsung Knox Android managed devices:
    1. Go to Settings > System Settings > Users & Devices > Device Registration.

    2. In the Zero Touch and Samsung Knox Mobile Enrollment field, select one of the following:

      • Password - device user will be required to enter username and password.

      • Registration PIN- device user will be required to enter a registration PIN.

      • Password and Registration PIN - device user will be required to enter a username, password, and registration PIN.

      • User and Registration PIN - prompts device user to enter username and PIN. Device user is allowed five login attempts before Ivanti EPMM blocks the device. When this occurs, an error message "Authentication Failed: Invalid Credentials" displays.

    3. In the Ownership Settings section, in the "Default Ownership of Android devices using Google ZT or Samsung KME or non-GMS (AOSP) mode" field, select Company owned or Employee owned.
    4. If you want the Terms of Service to be displayed, select the Show Terms of Service check box. Otherwise, the Terms of Service will not display (default.) (To create a Terms of Service, see Configuring an end user Terms of Service agreement.)
    5. Select Save.

    For more information, see Provisioning Android Enterprise devices using Zero Touch and Registering Samsung devices using Samsung Knox Mobile Enrollment

  4. For all other managed Android device types, in the Managed Devices/Device Owner (afw#, QR code, NFC) field, select one of the following:

    • Password - device user will be required to enter username and password.

    • Registration PIN - device user will be required to enter a registration PIN.

    • Password and Registration PIN - device user will be required to enter a username, password, and registration PIN.

    • User and Registration PIN - prompts device user to enter username and PIN. Device user is allowed five login attempts before Ivanti EPMM blocks the device. When this occurs, an error message "Authentication Failed: Invalid Credentials" displays.

    For more information on registering using afw# token, QR code or NFC bump, see Provisioning an Android Enterprise device.

  5. Select Save.

  6. In Devices & Users > Add Single Device, make sure:

    • the "Include Registration PIN only for Android Company-Owned Device Enrollment" field is selected. 

    • the Device Ownership is set to Company or Employee.

  7. Select Register.

    The Registration Instructions dialog box opens.

  8. Copy the Registration PIN for sending to the device user. If you are intending to send an email invitation to device users, you can skip this step.

  9. Set up the email invitation template. See Customizing registration messages

  10. Send the email invitation to device users. Ivanti EPMM will automatically add the Registration PIN within the invitation.

  11. Once the device user has registered, monitor devices for status in Devices & Users > Devices. The Android Automated Enrollment field lists the values as appropriate for the type of Android setup:

    • Google Zero Touch

    • Knox Mobile Enrollment

    • Non Zero Touch AE Enrollment

    The Android Automated Enrollment field is valid for Ivanti EPMM 10.6.0.0 or supported newer versions. If an "Unknown" value displays, it indicates a previous version of Ivanti EPMM was used and the "In-App Registration Requirement" field in Settings > System Settings > Users & Devices > Device Registration was used. It can also mean that an old client was used with Ivanti EPMM version 10.6.0.0 or later.

Registration restrictions for Android devices

From the Device Registration page, you can specify conditions that Android devices must meet to qualify for registration. You can limit Android devices by operating system (OS) version, security patch level, or by manufacturer and model.

Before you begin 

Procedure 

  1. From the Settings > System Settings > Users & Devices > Device Registration page, scroll down to the Restrictions for Android section.

    Figure 1. Registration restrictions for Android devices

  2. Minimum OS version: Select a minimum OS version from the drop-down menu from Android 6.0 or supported newer versions. The default is None.

  3. Minimum Security Patch Level: Enter an integer specifying within how many days a device can be non-compliant for the minimum security patch level before rejecting the device. The default is None.

  4. Allowed/Blocked devices list: The options are:

    • None: The default. Do not create an Allowed or Blocked devices list.

    • Create a list of Allowed devices: Only allow devices of these makes and models to be registered.

    • Create a list of Blocked devices: Prevent devices of these makes and models to be registered.

    To enter specific manufacturers and models, select Add+ to open text fields in the Manufacturer Name and Model columns. Enter allowed or restricted device information.

  5. Select Save.

Users register additional devices

Once a device has been registered, an authorized user can use the user portal to register additional devices without administrative help. This is often used with adding devices for users who do not require assistance.

  • Users must have the User Portal role assigned, with the Device Registration option enabled.

  • The user needs to know the following information for the device:
    • phone number (if any)

    • country

    • platform

Self-service User Portal

Administrator registers ActiveSync devices

If you have a Sentry configured, then you can see the devices that are connecting to your ActiveSync server. To incorporate these devices into your Ivanti EPMM inventory, you can use the Register button in the ActiveSync Associations screen. This is often used with devices accessing email via ActiveSync.

  • Sentry must be installed and configured.

  • The user (local or LDAP) associated with the device must be available for selection at the time of registration.

  • For iOS, Android, and Windows devices, the User Portal role must be assigned to the user.

  • You need to know the following information for the device:
    • phone number (if any)

    • country code

    • platform

ActiveSync device registration

Registration via user portal

The user portal can be used to streamline the registration process. See Self-service User Portal for more information.

Registering Android devices via web portal (MIRP)

Administrators who use web portals to initiate registrations can provide a URL in the web portal to help device users register Android devices with little or no typing. Users just download Ivanti Mobile@Work from Google Play and then tap the URL in the web portal from the device. Tapping the URL launches the Ivanti Mobile@Work app and populates the registration screen with the available information, such as the username. The information that is available depends on the web portal being used.

The URL is based on the Registration Protocol (MIRP). The link you provide on the web portal must have the following format:

mirp://<Ivanti EPMM URL><parameters>

The following parameters are available:

  • user: The username for the device user.

  • pin: The PIN generated for this user for PIN-based registration.

Examples:

  • mirp://myepmm.mycompany.com&user=android&pin=1234

    If you have configured Ivanti EPMM for PIN-only registration, device users will be automatically registered without having to enter any credentials.

  • mirp://myepmm.mycompany.com&user=android

    Device users will be prompted to enter credentials to complete registration. The credentials include either a PIN or password, depending on how you configured Ivanti EPMM.

The ampersand character is reserved. If you require an ampersand in a field value, it must be URL-escaped to a character code (i.e.,%26).

Unsupported parameters will be ignored.

Registering Samsung devices using Samsung Knox Mobile Enrollment

Ivanti EPMM supports using the Samsung Knox Mobile Enrollment process to register qualified Samsung devices with Ivanti EPMM.

Using Samsung’s Knox Mobile Enrollment process, once the process is set up, qualified devices are automatically enrolled and registered to Ivanti EPMM when the end user activates the device for the first time.

Requirements

  • A CSV file that provides a list of device IMEI numbers or serial numbers, and optionally:
    • A username

    • A registration PIN and/or password

    If you configured registration to use a PIN, include a PIN in the registration file. If you configured registration to use a password, include a password. If you configured registration to use both a password and a PIN, include only one of them in the CSV file. You configure the registration requirements on the Admin Portal at:

    Settings > System Settings > User & Devices > Device Registration > Zero Touch and Samsung Knox Mobile Enrollment.

    If username or PIN or password is not in the CSV file, the user must provide them.

  • Optionally, you can set the device ownership as Company-owned or Employee-owned at registration at: Settings > System Settings > Registration > Deafult ownership of Android devices using Google ZT or Samsung KME or non-GMS (AOSP) mode.

  • A Samsung Knox account and use of the Samsung Knox Mobile Enrollment portal
  • Samsung Knox devices (see Samsung portal for a list of qualified devices)

Ivanti Mobile@Work for Android is automatically installed during the enrollment process.

Benefits

  • Bulk enrollment of devices: No user interaction is required to download the Ivanti Mobile@Work app. The app is installed automatically as part of the enrollment process. No access to Google Play is required.

  • No need for users to enter credentials (unless desired); credentials are populated in the background.

  • Auto-Enrollment: Once a device is enrolled into an UEM/MDM via Samsung’s mobile enrollment process, the MDM software is always be imposed even if the device is erased, inadvertently or maliciously, until you remove the device from the Samsung Knox Mobile Enrollment portal or retire

  • Choice of enrollment options: you can choose to enroll the device using NFC bump, a URL, or automatic activation when a device is first powered on.

  • Multiple Ivanti EPMM (or Ivanti Neurons for MDM) servers can participate in the program.

Instructions

Complete instructions for setting up and using the Samsung Knox Mobile Enrollment portal with Ivanti EPMM are available in the Ivanti, Inc knowledge base article, here:

Samsung KNOX Mobile Enrollment for Android Enterprise KB article

You can also register Android devices using the Provisioning app. See Provisioning an Android Enterprise device