Registration considerations

Registration considerations: Android

Following is a list of registration considerations for Android devices.

  • Administrators should decide whether they are supporting password, registration PIN or both for device registration.
  • Registration currently depends on acquiring the Ivanti EPMM client app (Ivanti Mobile@Work) from the Google Play store.
  • For devices that cannot access Google Play, provide another way for the device users to get the Ivanti Mobile@Work for Android app. For example, email the app to the device users. You can also place the app on a website and provide the URL to the device users.
  • Enabling the Server Name Lookup (in the Admin Portal under Settings > System Settings, in the Users & Devices > Device Registration page) makes registration easier by automatically filling in the server address for the device user. Administrators will need to follow important, specific instructions for this feature. Please see "Enabling Server Name Lookup" in the Ivanti EPMM Device Management Guide of your OS.
  • If you have configured a Sentry to support Android devices connecting via ActiveSync, then you can initiate registration from the ActiveSync Devices screen.
  • By default, the user is required to enter a password to register the device. If you prefer, you can change this behavior to require an Ivanti EPMM-generated Registration PIN instead, or to require both a password and a Registration PIN. See the section, “Configuring user authentication requirements for registration” in the Device Management Guide for information on specifying behavior for this feature.
  • Enroll with Android enterprise. Android enterprise enables devices to have separate private and work profile deployments, and gives administrators more control over enterprise-owned and provisioned devices. For details on enrolling in Android Enterprise, see the Ivanti EPMM Device Management Guide for Android and Android Enterprise devices.
  • When an app is hidden, it can be used by other apps but is not available to launch in the kiosk. For example, a browser can be added to the kiosk but hidden so that it can be used to open URLs from an email app.

Registration restrictions for Android

When performing bulk registration of Android devices, you can restrict the OS version as well as the minimum security patch level. Also, you can set a manufacturer's Whitelist or Blacklist and set a minimum SafetyNet certification to enforce SafetyNet attestation. For more information about SafetyNet Attestation, see "Enabling SafetyNet Attestation on Android Devices" in the Ivanti EPMM Device Management Guide for Android and Android Enterprise devices.

When placing registration restrictions on Android devices, use Ivanti Mobile@Work for Android 10.3.0.0 and higher supported versions for the optimum user experience.

To access the registration restriction fields for Android, go to Settings > System Settings > Users & Devices > Device Registration and scroll down to the "Restrictions for Android" heading. The following fields restrict device registration on Android devices.

Table 21.   Registration Restrictions for Android devices
(Columns: Item | Description | Default Policy Setting)

Item: Minimum OS Version
Description: Use the pull-down menu to set the minimum Android OS version that can run on a registered Android device.
Default Policy Setting: No Setting

Item: Minimum Security Patch Level
Description: Use the pull-down menu to specify the minimum number of days a security patch level is active.
Default Policy Setting: No Setting

Item: Manufacturer Whitelist/Blacklist
Description: Restrict which Android manufacturers' devices can register as Android devices. Select one of the following:
  None: This is the default value. It sets neither whitelist nor blacklist registration restrictions.
  Create a Whitelist: Allows only devices from specific manufacturers to register as Android devices. Select the check box; the Manufacturer Name menu is then displayed. Use the Add+ button to add the names of one or more manufacturers. Manufacturers not specified in this field are blocked from registering as Android devices.
  Create a Blacklist: Prevents devices from specific manufacturers from registering as Android devices. Select the check box; the Manufacturer Name menu is then displayed. Use the Add+ button to add the names of one or more manufacturers.
  For both the Create a Whitelist and Create a Blacklist fields, manufacturer names are case sensitive.
Default Policy Setting: None

Item: Minimum SafetyNet Certification
Description: Set a required minimum SafetyNet certification level for registering Android devices. If you enable this field, you must also enable SafetyNet Attestation in the default security policy for the devices.
  None: Sets no minimum SafetyNet certification for registration. This is the default value.
  basic: Allows only devices with a basic SafetyNet certification to register as Android devices.
  certified: Allows only devices with a certified SafetyNet certification to register as Android devices.
Default Policy Setting: None
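To make the interplay of these four restriction fields concrete, here is an added example (not Ivanti code) that evaluates a device against the settings as the table describes them. The field names, the day-based reading of Minimum Security Patch Level, and the sample devices are assumptions.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional

# SafetyNet levels in the order the table implies: None < basic < certified.
SAFETYNET_LEVELS = {"None": 0, "basic": 1, "certified": 2}

def parse_version(v: str) -> tuple:
    """'10.3.0.0' -> (10, 3, 0, 0) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))

@dataclass
class RegistrationRestrictions:
    """Assumed model of the 'Restrictions for Android' fields; None means 'No Setting'."""
    min_os_version: Optional[str] = None
    # Assumed reading of 'Minimum Security Patch Level': the patch level
    # on the device may be at most this many days old.
    max_patch_age_days: Optional[int] = None
    manufacturer_mode: str = "None"        # "None" | "whitelist" | "blacklist"
    manufacturers: List[str] = field(default_factory=list)  # case sensitive
    min_safetynet: str = "None"            # "None" | "basic" | "certified"

@dataclass
class Device:
    os_version: str
    security_patch: date
    manufacturer: str
    safetynet: str   # attestation result: "None" | "basic" | "certified"

def evaluate(r: RegistrationRestrictions, d: Device, today: date) -> List[str]:
    """Return the reasons registration is refused; an empty list means allowed."""
    reasons = []
    if r.min_os_version and parse_version(d.os_version) < parse_version(r.min_os_version):
        reasons.append(f"OS {d.os_version} is below minimum {r.min_os_version}")
    if r.max_patch_age_days is not None and (today - d.security_patch).days > r.max_patch_age_days:
        reasons.append("security patch level is older than allowed")
    # Exact string match: 'google' does not satisfy a whitelist entry 'Google'.
    if r.manufacturer_mode == "whitelist" and d.manufacturer not in r.manufacturers:
        reasons.append(f"manufacturer {d.manufacturer!r} is not whitelisted")
    if r.manufacturer_mode == "blacklist" and d.manufacturer in r.manufacturers:
        reasons.append(f"manufacturer {d.manufacturer!r} is blacklisted")
    if SAFETYNET_LEVELS[d.safetynet] < SAFETYNET_LEVELS[r.min_safetynet]:
        reasons.append(f"SafetyNet {d.safetynet} is below required {r.min_safetynet}")
    return reasons
```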

Registration considerations: iOS and macOS

Some features for macOS are documented but may not be available in your installation.

Following is a list of registration considerations for iOS or macOS devices.

  • Administrators will need to decide on whether they are supporting password, registration PIN or both for device registration.
  • If you are registering a device with the Ivanti EPMM client app, Ivanti Mobile@Work, you must use an iTunes account to download the app from the iTunes App Store. A credit card is not needed to establish an iTunes account. Simply download Ivanti Mobile@Work, select Create New Account, and select None as your payment method.
  • If you have configured a Sentry to support iOS devices connecting via ActiveSync, then you can initiate registration from the ActiveSync Devices screen.
  • Enabling the Server Name Lookup (in the Admin Portal under Settings > System Settings, in the Users & Devices > Device Registration page) makes registration easier by automatically filling in the server address for the device user. Administrators will need to follow important, specific instructions for this feature. Please see "Enabling Server Name Lookup" in the Ivanti EPMM Device Management Guide of your OS.
  • By default, the user is required to enter a password to register the device. If you prefer, you can change this behavior to require an Ivanti EPMM-generated registration PIN instead, or both a password and a registration PIN. See the section, “Configuring user authentication requirements for registration” in the Ivanti EPMM Device Management Guide for iOS, to specify the behavior for this feature. Registration PINs are not supported for iOS managed apps.
  • For MDM-enabled iOS devices, MDM features are not dependent on Ivanti Mobile@Work after registration. Therefore, if a user uninstalls the Ivanti Mobile@Work, features like app inventory will continue to function.
  • If you need to register many macOS or iOS devices on behalf of users, such as when Macs or iPhones are purchased by the corporation and rolled out in bulk, depot-style registration may be preferable. See “Web-based registration for iOS and macOS devices” in the Ivanti EPMM Device Management Guide for iOS.
  • Consider an extra security option if you are including Ivanti Mobile@Work for iOS and macOS in the Ivanti EPMM App Catalog and sending an installation request to devices after device users complete registration, such as with web-based registration. In this case, users do not have to reenter their credentials when they launch Ivanti Mobile@Work. However, you can limit this silent registration with Ivanti Mobile@Work to one time only. In the Admin Portal, go to Settings > System Settings > Users & Devices > Device Registration and select Allow silent in-app registration only once. (iOS and macOS).

    In the same location, administrators can also set "Silent in-app registration time limit (minutes) (iOS and macOS)." This option enables a time limit to complete silent in-app registration. If macOS devices fail to register within this time frame, device users will be forced to register manually using their credentials.

    For more information, see "Registering iOS and macOS devices through the web" in the Ivanti EPMM Device Management Guide for iOS and macOS devices.

  • In iOS 13, the option to "Allow Always" was removed from the iOS Settings app. Instead, a dialog box displays requesting device users to enable tracking when the Ivanti Mobile@Work app is running. Ivanti Mobile@Work opens iOS Settings where device users can choose "Ask Next Time" or "Never". We recommend that device users enable tracking. This change applies to all versions of iOS 13 and later supported versions. Ivanti Mobile@Work for iOS does not track device users' location without consent.
  • You can register an Apple TV to Ivanti EPMM only through the Apple Configurator. See “Registering an AppleTV” in the Ivanti EPMM Device Management Guide for iOS and macOS devices.
  • For registering users and devices for Apple Education Manager and Apple Business Manager, see the Ivanti EPMM Device Management Guide for iOS and macOS devices.
  • Device users who are synced to LDAP must be assigned to a device management role and associated with a Managed Apple ID. Use single invite or bulk registration to verify that the managed Apple ID was generated correctly. After registration, check the logs for any managed Apple ID failures. See "Requirements for enabling User Enrollment" in the Ivanti EPMM Device Management Guide for iOS and macOS devices.

Registration considerations: Windows

Some features for Windows are documented but may not be available in your installation.

Following is a list of registration considerations for Windows devices.

  • The Apps@Work app is installed for Windows Phone 8.1 as part of the registration process.
  • To register Windows 10 devices, open Settings > Accounts > Your Workplace > Connect to Workplace.
  • Sentry is required for the available device management features.

    These devices do not have device management features. However, these devices can sync using Exchange ActiveSync and be managed using ActiveSync policies.

  • Single device registration, bulk registration, and invitations to register are supported for all available Windows devices.
  • Registration of all available Windows devices is done through the Windows native client.
  • Device registration fails if the device user enters a password that contains UTF-8 characters. Only ASCII characters are supported in the password field.
  • Enabling the Server Name Lookup (in the Admin Portal under Settings > System Settings, in the Users & Devices > Device Registration page) makes registration easier by automatically filling in the server address for the device user. Administrators will need to follow important, specific instructions for this feature. Please see "Enabling Server Name Lookup" in the Ivanti EPMM Device Management Guide of your OS.
  • If auto discovery is not set up, the registration process requires the device user to enter the Ivanti EPMM server address (FQDN). The device user will also have to enter the Ivanti EPMM server address when logging into Apps@Work for the first time.
  • A root or intermediate certificate from a trusted certificate authority (CA) is required.
  • The User Portal role is required for the user to register with Ivanti EPMM.
  • Single device registration, bulk registration, invitations to register are supported.
  • Registering your Windows Phone 8.1 device in the User Portal is supported.
  • Select Windows as the device platform.
  • Reprovisioning the device is not supported. To re-provision the device, first retire the device, then re-register.
  • Device registration fails if the device user enters a password that contains special characters. Only ASCII characters are supported in the password field.
  • Force Device Check-In may not be available for a few minutes after the Windows Phone 8.1 device registers. If you try to retire the device during this time, it may take up to 24 hours to retire the device.
  • Ivanti EPMM certificates pushed to Windows 8.1 Phone devices are now always stored on the device TPM chip. This provides additional security to the certificate key.
  • Autodiscovery is not required. We recommend autodiscovery for a seamless registration experience.
  • A Subject Alternative Name (SAN) SSL certificate from a trusted Certificate Authority (CA), such as Verisign or GoDaddy, is required.
  • Device registration from the Admin Portal or User Portal is not supported. Users can register only from their device.
  • PIN-based registration is supported on Windows Phone 8.1 devices.
  • The following registration statuses are supported:
    • Verified: After the device registers and before the first check in.
    • Active: The device has successfully synced with Ivanti EPMM.
    • Retired: The Retire action was successfully applied.
    • Pending: The user’s device has been registered on the Ivanti EPMM Server, but downloading Apps@Work has not yet been completed.

Registration considerations: mutual authentication

Do not revert to earlier versions of Ivanti EPMM using a snapshot after enabling mutual authentication. Doing so may necessitate re-enrolling devices.