Andrei
Geralt

Device management made easy with automation

Andrei Geralt

Feb 23, 2021

12 min read

We are living in a world where everything around us is getting automated at a rapid pace. Some may even refer to this era as the Dawn of Automation. The concept of automated device management has also moved up to a level that allows IT administrators and end-users to let out a huge sigh of relief. Device management is by no means an easy piece of work considering the substantial number of devices managed by an IT admin. Like seriously, imagine looking after hundreds, maybe thousands of devices. Sounds like the opposite of easy, right? This is why Mobile Device Management (MDM) solutions like Hexnode turned to automation; To Simplify Device Management.

Different Steps in Automated Device Management

An IT admin manually enrolling and configuring the devices one by one certainly does sound like a lot of work. But with Hexnode, the admin can remotely enroll all these devices, whether Apple or Android, in bulk as long as the device supports bulk enrollment. Bulk enrollment is the most efficient solution when enrolling multiple devices with the same configuration like in company-owned devices. Apple’s DEP (Device Enrollment Program), Samsung’s KME (Knox Mobile Enrollment), Google’s ZTE (Zero-Touch Enrollment); Hexnode supports them all.

Steps in Automating Device Management
Steps in Automating Device Management
In automated device management, the device is enrolled and configured via any of the previously mentioned enrollment methods. After deployment, Hexnode MDM utilizes Dynamic groups to push policies and hence configuring devices based on expressions you create. Then there are Geofences, Scheduling reports, Periodic device location scans and many more automated device management features about which we’ll talk about later. When the device attribute changes, it might be moved out of the dynamic group, hence losing the previous configuration and acquiring a new one. If the device gets wiped, it’ll get re-enrolled and can be set to regain its prior configurations. Hexnode aims to employ all these attributes to simplify device management.

Automated Enrollment Programs

If you’ve acquired Company-owned devices at some point, then you’d probably know that those are almost always under some device management. The moment they get connected to a network, they’d get enrolled on the device management portal. Corporates like Apple, Google and Samsung offer their own services to enroll and deploy configurations to a substantial number of devices in one go.

Device Enrollment Program (DEP)

Device Enrollment Program (DEP) is a free Apple service that simplifies the enrollment and deployment of Apple devices. To utilize DEP, you need to have an Apple Business Manager (ABM) account and DEP-eligible devices.

Apple Business Manager

Apple Business Manager is a free service that allows you to access Apple services, enroll devices and distribute apps and books from this platform. So, how do you add devices to ABM? Well, either through the reseller or you could do it yourself if you can get hold of the requisite details. If said information is not known, then you can add the devices via Apple Configurator. ABM is considered to be an amalgamation of DEP and Volume Purchase Program (VPP). While DEP is primarily used for the deployment and configuration of devices, VPP focuses on buying app licenses in bulk and allocating it to multiple users or devices. After establishing a unified platform, rather than being referred to as DEP or VPP, they are collectively known as ABM.

Integrating ABM with an MDM solution like Hexnode allows them to live out their full potential. When a device is added to the ABM portal, it gets enrolled to Hexnode, provided Hexnode is set as the default server. When connected to a network, the device gets enrolled, and the policies that you assigned to the device will be pushed automatically. The cool bit is that even if you wipe your device, on reboot, the device gets re-enrolled to the server along with its initial configurations. Those configurations will keep following you until the device is removed from under that server.

Android Zero-Touch Enrollment (ZTE)

Now you know how to deploy Apple devices, but what do you do if you want to deploy Android devices in bulk? Android Zero-Touch Enrollment (ZTE) is Google’s answer to that question. All you need is a Zero Touch Portal, an MDM that supports ZTE and, of course, a ZTE eligible device. ZTE offers features similar to that of DEP, such as out-of-the-box enrollment, remote management and re-enrollment with retaining configuration profiles after a device wipe. ZTE, however, can only work if it’s in tandem with a supported MDM solution like Hexnode. After downloading the MDM agent during its initial setup, the devices added on ZTE can be managed through Hexnode MDM, opening an arsenal of features ready for use. Any device set up via ZTE would be enrolled as an Android Enterprise Device owner since ZTE is integrated with Android Enterprise.

Device management made easy with Automation

Knox Mobile Enrollment (KME)

Knox Mobile Enrollment (KME) presents itself as another option to deploy Android devices, specifically Samsung Knox devices. Knox devices, optimized for business purposes, have become pretty popular, and a good number of them are managed. The prerequisites for using KME include having a Knox portal and a Knox device. Knox shares the same features as DEP and ZTE, offering bulk enrollment and pre-configurations while boasting other features like supporting multiple configurations and an option to choose whether you want the device to be set up in a device admin or device owner configuration. If a Knox device isn’t purchased from a Samsung device reseller, users can still add it to the Knox portal using the Knox application from the Google Play Store. Knox requires you to create an MDM profile before adding the devices, during which you can add Hexnode as the MDM Agent. All Knox devices added to the portal will also be enrolled in the Hexnode portal and can be managed from the Hexnode portal itself.

Grouping and Configuring Devices with Dynamic Groups

Wouldn’t it be much better if we could configure all the devices in one go? Add the devices in groups and then configure them. Pretty Easy. What if this configuration only needs to be applied if some criteria are met, say battery charge above 30%? Or when the devices we enroll need to be quickly sorted into groups based on some factor? Or when we want a group consisting of Android devices which should not include the ones owned by a particular department? That’s where dynamic groups come in. We create a dynamic group based on certain conditions which, if the device fulfills, results in the device being assigned to that group. When a situation arises where the device no longer satisfies the condition, it gets kicked out of the group. Since the number of devices is not fixed in this group, they are known as dynamic groups.

The dynamic groups in Hexnode MDM allow you to stack multiple conditions over each other and create exceptions (which can also be stacked), enabling you to create a highly selective group. Hexnode acknowledges the use of various attributes based on compliance information, device ownership and operating system to craft these conditions and exceptions.

Creating a Dynamic Group

Dynamic groups are used to sort devices belonging to very specific categories. This is achieved through the utilization of geofences, conditions and exceptions. These conditions can be stacked over each other using either the OR operator or the AND operator. You can also use a combination of both operators to create a group that suits your needs.

Creating a Dynamic Group
Creating a Dynamic Group

This group is configured such that it only adds devices whose operating system is either Android or iOS with a battery level greater than 30% and is compliant. The exception states that the user of the device cannot be from the Marketing department. Using these conditions, you could get really specific and creative. Pretty cool, right?

These groups also have an auto-syncing feature, so new devices that align with the conditions set would get added. The ones that no longer satisfy the said conditions would move out of the group without the user having to do anything.

So, you’ve created a dynamic group. But why exactly do you need it? It is used so that you can target specific devices with specific policies. Hexnode MDM offers a vast set of configurations that we can push onto the enrolled devices, and with Dynamic groups, you’ll have no difficulty in targeting those specific devices. Since the devices in the group are not fixed, the policy targets are not fixed either. So, with this combination, configurations would be pushed onto the devices only when they satisfy the conditions, and when they no longer do, the policies will be removed.

Policies involving company resources like Wi-Fi, VPN and email configurations, if associated with dynamic groups, can act as an extra layer of security as these configurations would get disengaged once any of the conditions suggest the device has been compromised. We can also use dynamic groups in combination with Geofences, which means we can revoke or grant-specific provisions to the devices based on whether they are in or out of the fence. So, policies can also be configured to get disengaged if the users move out of the office premises.

Geofences

Hexnode can utilize the location as a factor to judge whether the device should be placed in a dynamic group, whether a policy should target the device or if the device is compliant.

Creating a Geofence
Creating a Geofence
Either existing Geofences can be used, or the admin can create new geofences. Geofences are used from the policy tab, or you can include or exclude a fence as a condition while creating a dynamic group.

Additional Automation

While enrollment and grouping is a common step in automated device management for almost all devices, Hexnode MDM also offers other automated features that could help perform specific tasks.

Scheduling Reports

It can be quite a pain to navigate to each report in the portal, but it’s also vital to peruse them for anomalies. Hexnode suggests scheduling them so that they can periodically reach your mail. Using this feature would reduce the time taken to access these reports, and it would also act as a reminder if you forget about them.

Periodic location scan

When a company device is lost or misplaced, it’d be great if you knew where it is or at least where it was last seen. Sometimes when employees are doing some tasks outside the office with a company device, you might want to know what they are up to. You definitely don’t want them out on some amusement park joyrides. Hexnode offers to keep an eye on your devices by doing periodic scans and submit detailed reports with time charts.

Data tracking and Reports

Hexnode can track total or app-wise data used by an enrolled device so that when a device is using too much data on something which is not a work app, you’d know. A total or app-wise report can also be scheduled to be sent onto the configured email.

Mandatory applications

You can have mandatory apps installed on your employees’ devices so that these apps would get automatically installed and updated. Deleting these apps would result in the device losing compliance, and we can re-push it again on the device.

Work profile- Container removal

Hexnode provides another feature to remove the work container from the device if it loses its compliance. This feature could be useful if the device is lost or is in someone else’s possession. Losing the container would mean losing all work-related apps and information, hence eliminating chances of data leaks.

Upcoming features – Time based policies

Let’s say you want your employees’ devices to be optimized for different tasks during different times of the day. Maybe you want your device to power off after work hours, or you might want a policy to be pushed at 10 am. Then you’d need to push the configuration every day by yourself, keeping an eye on the time; all this is a lot of stress. What if we could schedule policies and actions just like how we schedule reports?

Hexnode is trying to bring in a new factor while configuring policies and actions – time. By bringing in time, many possibilities can be brought to life, like scheduling pushing, and removing policies and actions. By coupling it with other automated device management features like dynamic groups and geofencing, we could take automation to a whole new level.

The entire concept of Device Management is to provide solutions to manage devices easily. And if you try to look forward in time, one can say with utmost certainty that the number of devices needing management is bound to increase. Integrating automation with this seemingly ever-growing task of managing devices is now becoming less of an add-on and more of a necessity. Automated device management can provide a simpler and more convenient experience to its users while displaying significant improvements in efficiency, possibly making your life a little less busy.

Share
Andrei Geralt

Frolicking on the keys while appreciating the serenity behind the screen.

Share your thoughts