TC72 Android 11 : Work managed rather than work profile

MMIS Help
Mary Hitchcock Memorial Hospital

I'm trying to install SOTI MobiControl as a fully managed device on my new Zebra TC72 Android 11. We have had to be connected to the company's network/Wi-Fi in order to enroll SOTI in the past, and we used StageNow to install. However, this time I'm doing this remotely from home. So, I had to install Cisco AnyConnect first to connect to VPN out of the box, then install SOTI using an external SD card. It was installed successfully, but I was prompted to create a work profile.

Is there a way to install it as work managed while connected to VPN? Or was it me installing AnyConnect that was causing the work profile?

Note: Our SOTI MobiControl version is: 14.3.4.1087

a year ago
Android
ANSWERS
Matt Dermody Diamond Contributor
a year ago

Fundamentally a device needs to start from a factory default state in order to be able to enroll in any EMM in Fully Managed / Device Owner mode. This is a design principle of Android Enterprise designed as a consumer protection feature as it prevents malicious actors from requesting elevated device management permissions disguised within another app. This was identified as a vulnerability of Device Administrator based management as any app could request that permission at any point. To combat this vulnerability Android Enterprise dictates that a device should start from an out of box state in order to grant Device Owner permissions to a DPC. By manually installing the VPN app and performing manual configuration steps you're breaking this seal and most likely won't be able to get the device to enroll as a fully managed device. The other issue is how you're installing the SOTI agent. By installing it manually you're also taking more of a BYOD approach to the install and enrollment, also resulting in Work Profile mode. You may still be able to get the VPN client app installed first to work around network restrictions but you'd then have to use StageNow to install the agent and set it as DO as you otherwise would not be able to do so with a manual install.

Hi,

Totally agree with Matt.

When your MC is only available internally in our network, you can only prepare the enrollment QR and test it in the office.

Except if you have a VPN with company Wi-Fi at home.

Might be a recommendation to upgrade your instance; that would make your life easier with managing devices.

With version 2024.1.0 you can create the enrollment QR code directly in MobiControl and add the Wi-Fi or other settings. Then you no longer need StageNow to create an enrollment QR ;)

Martin K.
a year ago

Using StageNow, it should be possible to enroll this device into Work Managed even some time after it was factory erased. I have never tested how long it works, but a couple of hours was OK in the past.

You can tell the StageNow enrollment wizard that the agent apk is already on the device.

MMIS Help
a year ago

Hi everyone, thank you for your responses. We were able to install SOTI MobiControl and Cisco AnyConnect app through StageNow. We created one profile so both apps were installed simultaneously at the same time. We connected the device to VPN from the AnyConnect app, then entered the enrollment ID into SOTI. It is still prompting me to create a work profile. I'm assuming it's either because another app was installed to the device or because we connected to VPN prior to enrollment?

AGMOD@soti
a year ago

Hi MMIS Help

Thank you for posting on SOTI Pulse.

Thank you Matt Dermody, Marcus Breitenthaler and Martin K. for responding to the post. Your expertise and willingness to help are greatly appreciated!

Have you had an opportunity to test the suggestions from Matt to factory reset your Zebra device to default state before proceeding ahead with the enrollment? A device needs to start from a factory default state in order to be able to enroll in SOTI MobiControl in a Work Managed device mode.

I would like to suggest that you try using the QR code enrollment via your Stage Now application to enroll your device as Work Managed.

You may still be able to get the VPN client app installed first on your device, but either way you'd have to use Stage Now to install the MobiControl agent and set it as Device Owner.

Kindly refer to the document links provided below:

Enrolling Zebra Devices in Android Enterprise Device Owner (AEDO) Mode Using Stage Now:

https://cwsisecurity.com/cwsi-customer-success-webinar-series/


Using Stage Now to Enroll Your Device into SOTI as a Device Owner:

https://supportcommunity.zebra.com/s/article/000013814?language=en_US


Also, if this post has helped you in solving your inquiry, I would request you to mark the particular comment as "is solution", so others can also benefit from this information.