User Enrollment Options
You can have users enroll their devices in XenMobile in a number of ways. Before considering the specifics, you must decide if the devices in your environment will enroll in Enterprise mode (MDM+MAM), MDM mode, or MAM mode (also referred to as MAM-only mode). For more information about the management modes, see Management Modes.
At the highest level, there are four enrollment options:
- Enrollment Invitation: Send an enrollment invitation or invitation link to users.
- Self Help Portal: Set up a portal that users can visit to download Secure Hub and enroll their devices or send themselves an enrollment invitation.
- Manual Enrollment: Send out an email, handbook, or some other communication letting users know that the system is up and that they can enroll. Users then download Secure Hub and enroll their devices manually.
- Enterprise: Another option for device enrollment is through the Apple Device Enrollment Program (DEP) and Google Android for Work. Through each of these programs, you can purchase devices that are pre-configured and ready for employees to use. For more information, see Apple Device Enrollment Program (DEP) and Google Android for Work.
You can email an enrollment invitation to users with iOS, macOS, or Android devices. You can also send an installation link through SMTP or SMS to users with iOS, macOS, Android, or Windows devices. For more information, see Enroll devices.
If you choose to use the enrollment invitation method: You can choose from up to seven enrollment modes (depending on platform), and you can use any combination of the modes. You can enable or disable the modes from the XenMobile Settings page, and you can select a default from Username + Password, Two Factor, and Username + PIN. For information on each enrollment mode, see To configure enrollment modes.
If you choose certificate-based, consider excluding Username + Password traditional authentication from the allowed options, because this mode may expose a weak onboarding vector into your environment and potentially void the mandated security quality.
Invitations serve many purposes. The most common use of invitations is to notify users that the system is available, and that they can enroll. Invitation URLs are unique; once a user uses an invitation URL, the URL cannot be used again. You can use this property to limit the users or devices enrolling to your system.
You can set up XenMobile so that iOS users provide credentials during enrollment in one of the following ways:
Users type their credentials during enrollment.
Users insert a smart card from a derived credentials provider into a reader attached to their desktop. For information about derived credentials, see Derived credentials for iOS.
In the XenMobile console, you can also choose the option for Enrollment Profiles, through which you can control the number of devices specific users can enroll, based on Active Directory groups. For instance, if you want to allow your Finance division only one device per user, you can configure that scenario through enrollment profiles.
Be aware of the extra costs and pitfalls of certain enrollment options. If you want to send invitations using SMS, you need to set up an additional infrastructure. For more information on this option, see Notifications.
In addition, if you plan to send invitations by email, ensure that users have a way of accessing email outside of Secure Hub. You may use one-time password (OTP) enrollment modes as an alternative to Active Directory passwords for MDM enrollment. Note that OTP is available on iOS and Android devices only and is not currently available on Windows devices.
Self Help Portal
Users can request an enrollment invitation through the Self Help Portal. The default mode is Username + Password, but you can also change that requirement to Two Factor or Username + PIN. For information about setting up the Self Help Portal, see To configure enrollment modes.
With manual enrollment, users connect to XenMobile either through autodiscovery or by entering the server information. With autodiscovery, users log on to the server with only their email address or Active Directory credentials in User Principal Name format. Without autodiscovery, they must enter the server address and their Active Directory credentials. For more information about setting up autodiscovery, see XenMobile Autodiscovery Service.
You can facilitate manual enrollment in a number of ways. You can create a guide, distribute it to users, and have them enroll themselves. You can have your IT department manually enroll groups of users in certain time slots. You can use any similar method where users must enter their credentials and/or server information.
After you have your environment set up, you need to decide how to get users into your environment. An earlier section in this article discusses the specifics of user enrollment modes. This section discusses the way you reach out to users.
Open Enrollment vs. Selective Invitation
When onboarding users, you can allow enrollment through two basic methods: You can allow open enrollment in which, by default, any user with LDAP credentials and the XenMobile environment information can enroll. Or, you can limit the number of users by only allowing users with invitations to enroll. You can also limit open enrollment by Active Directory group.
With the invitation method, you can also limit the number of devices a user can enroll. In most situations, open enrollment is acceptable, but there are a few things to consider:
- If you are rolling out a MAM environment, you can easily limit enrollment through Active Directory group membership.
- With an MDM environment, the only way to limit enrollment is to limit the number of devices that can enroll based on Active Directory group membership. If you only allow corporate devices in your environment, this shouldn’t be an issue. You may want to consider this method, however, in a BYOD workplace where you want to limit the number of devices in your environment.
- You also want to keep in mind whether you have user or device licenses. With user licenses, each user can have multiple devices and only one license is consumed. With device licenses, each device enrolled consumes one license.
Selective invitation is typically performed less often because it requires a bit more work than open enrollment. In order for users to enroll their devices in your environment, you must send an invitation unique to each user. For information on how to send an enrollment invite, see Sending an enrollment invitation.
You’ll need to send an invite for each user or group whom you want enrolled in your environment, which can take a long time depending on the size of your organization. It is possible to use Active Directory groups to create invitations in batches, but you must carry out this approach in waves.
First Contact with Users
When you have decided whether you want to use open enrollment or selective invitation and have set up those environments, you’ll need to make users aware of their enrollment options.
If you use the selective invitation method, email and SMS messages are a part of the process. You can send emails through the XenMobile console for open enrollment as well. For details, see Sending an enrollment invitation.
In either case, keep in mind that for email, you need an SMTP server. For text messages, you need an SMS server. These may be extra costs to consider when making your decision. In addition, before you select a method, consider how you expect new users to access information, like email. If you want all users to access their email through XenMobile, sending them an invitation email would be problematic.
You may also send communication by another means outside of XenMobile for an open enrollment environment, as long as you include all the relevant information, such as where users can get the Secure Hub app and what method they should use to enroll. If you have autodiscovery turned off, you need to tell them the XenMobile server address as well. To learn more about autodiscovery, see XenMobile Autodiscovery Service.