User Enrollment Options
You can have users enroll their devices in XenMobile in several ways. Before considering the specifics, decide which devices you want to enroll in MDM+MAM, MDM, or MAM. For more information about those management modes, see Management Modes.
At the highest level, there are four enrollment options:
- Enrollment Invitation: Send an enrollment invitation or invitation URL to users. Enrollment invitations and URLs aren’t available for Android Enterprise or Windows devices.
- Self Help Portal: Set up a portal that users can visit to download Secure Hub and enroll their devices or send themselves an enrollment invitation.
- Manual Enrollment: Send out an email, handbook, or some other communication to let users know that the system is available for enrollment. Users then download Secure Hub and enroll their devices manually.
- Enterprise: Another option for device enrollment is through an Apple Deployment Program and Google Android Enterprise. Through each of these programs, you can purchase devices that are pre-configured and ready for employees to use. For more information, see the Apple Deployment Program articles in Apple Support and Google Android Enterprise documentation on the Android Enterprise website.
You can email an enrollment invitation to users with iOS, macOS, or legacy Android devices. Enrollment invitations and URLs aren’t available for Android Enterprise or Windows devices.
You can also send an installation link through SMTP or SMS to users with iOS, macOS, Android, or Windows devices. For more information, see Enroll devices.
If you choose to use the enrollment invitation method, you can:
- Choose from up to seven enrollment security modes, depending on platform.
- Use any combination of the modes.
- Enable or disable the modes from the Settings page.
- Select a default from User name + Password, Two Factor, and User name + PIN. For information on each enrollment security mode, see To configure enrollment security modes.
If you choose certificate-based, consider excluding User name + Password traditional authentication from the allowed options. User name + Password authentication might expose a weak onboarding vector into your environment and potentially void the mandated security quality.
Invitations serve many purposes. The most common use of invitations is to notify users that the system is available, and that they can enroll. Invitation URLs are unique. After a user uses an invitation URL, the URL is no longer available. You can use this property to limit the users or devices enrolling to your system.
When configuring an enrollment profile, you can control the number of devices specific users can enroll, based on Active Directory groups. For example, you might allow your Finance division only one device per user.
Be aware of the extra costs and pitfalls of certain enrollment options. For example, sending invitations by using SMS requires extra infrastructure. For more information on this option, see Notifications.
In addition, to send invitations by email, ensure that users have a way to access email outside of Secure Hub. You can use a one-time password (OTP) enrollment security mode as an alternative to Active Directory passwords for MDM enrollment.
Users can request an enrollment invitation through the Self-Help Portal. The default mode is User name + Password, but you can also change that requirement to Two Factor or User name + PIN. For information about setting up the Self-Help Portal, see To configure enrollment security modes.
With manual enrollment, users connect to XenMobile either through AutoDiscovery or by entering the server information. With AutoDiscovery, users log on with only their email address or Active Directory credentials in User Principal Name format. Without AutoDiscovery, they must enter the server address and their Active Directory credentials. For more information about setting up AutoDiscovery, see XenMobile AutoDiscovery Service.
You can facilitate manual enrollment in several ways. You can create a guide, distribute it to users, and have them enroll themselves. You can have your IT department manually enroll groups of users in certain time slots. You can use any similar method where users must enter their credentials, server information, or both.
After you have your environment set up, you need to decide how to get users into your environment. An earlier section in this article discusses the specifics of user enrollment security modes. This section discusses the way you reach out to users.
Open Enrollment vs. Selective Invitation
When onboarding users, you can allow enrollment through two basic methods:
- Open enrollment. By default, any user with LDAP credentials and the XenMobile environment information can enroll.
- Limited enrollment. You can limit the number of users by only allowing users with invitations to enroll. You can also limit open enrollment by Active Directory group.
With the invitation method, you can also limit the number of devices a user can enroll. In most situations, open enrollment is acceptable, but there are a few things to consider:
- For MAM enrollment, you can easily limit open enrollment through Active Directory group membership.
- For MDM enrollment, you can limit the number of devices that can enroll based on Active Directory group membership. If you only allow corporate devices in your environment, that limitation typically isn’t an issue. You might want to consider this method, however, in a BYOD workplace if you want to limit the number of devices in your environment.
Selective invitation is typically performed less often because it requires a bit more work than open enrollment. For users to enroll their devices in your environment, you must send an invitation unique to each user. For information on how to send an enrollment invitation, see Sending an enrollment invitation.
While you can use Active Directory groups to create invitations in batches, you must carry out this approach in waves.
First Contact with Users
After you decide between open enrollment or selective invitation and then set up those environments, you must make users aware of their enrollment options.
If you use the selective invitation method, email and SMS messages are a part of the process. You can send emails through the XenMobile console for open enrollment as well. For details, see Sending an enrollment invitation.
In either case, keep in mind that for email, you need an SMTP server. For text messages, you need an SMS server. Those servers might be extra costs to consider when making your decision. Before you select a method, consider how you expect new users to access information, like email. If you want all users to access their email through XenMobile, sending them an invitation email would be problematic.
You can also send communications by another means outside of XenMobile for an open enrollment environment. For that option, be sure to include all the relevant information. Let users know where they can get the Secure Hub app and what method to use to enroll. If you have discovery turned off, also provide users the XenMobile Server address. To learn more about AutoDiscovery, see XenMobile AutoDiscovery Service.