Best practice for stolen devices

BVal
INtiME Express Logistik GmbH

Hi everyone,

We are using SOTI MobiControl Cloud to manage our Samsung Galaxy Tab S2 devices running on Android 7. Earlier this week we got word that one of our users had his tablet stolen (the first in over 2 years of our tablet rollout project). Until now we had not set up any profiles or rules to deal with such an occurrence, so it is something I am currently looking into.

I've done some research and the best I can see is that Out of Contact profiles can be set to delete the device when it has not communicated with SOTI in a certain time frame. Unfortunately I am not able to push this policy out to all of our devices, as devices can be out of contact for different time frames due to the rotation/shifts of our users.

My idea was to create a "Lost and Stolen" folder and then apply an Out of Contact rule which runs a wipe command or several scripts that will turn off wifi/bt/radios, uninstall specific apps, delete certain folders eg pictures/videos, and force the device to restart every 10 mins or so.... in other words basically be unusable for the thief. I would drag stolen devices into this folder as soon as it is reported to us in the IT department.

My questions are:

1) What is the best practice for stolen or lost devices? 

2) If I have an Out of Contact rule that executes a wipe script, will it do a complete factory reset or will the device still be enrolled and managed by SOTI after the wipe? I don't want to do a factory reset as this would make it even better for the thief to use it. 

3) Would running several scripts that cause a nuisance for the thief (periodically rebooting the device, turning off wifi/bt/radios, etc.) be a better option?

I want to brick the device so it can't be used again or at least make it very hard for your average Joe to utilise. 

Any assistance on the matter would be greatly appreciated. Thank you in advance.

Edited 6 years ago
SOTI MobiControl
ANSWERS
Raymond Chan Diamond Contributor
6 years ago (edited 6 years ago)

Best practices depend very much on many factors, including but not limited to the following:

- use case (personal enabled? shared device? single-use? company-owned or BYOD? etc.)

- whether there is kiosk mode and/or password protection

- hardware, firmware and MDM features supported on the devices of interest

- whether devices have been restricted to closed corporate network or open network.

- whether Soti Surf/Soti Hub app and Enterprise Resource Gateway (ERG) have been used

- whether you have critical corporate data or apps that must be wiped after a certain period (and also whether the data has back-up copy in app server)

- whether your priority is to protect company data or to protect against device theft

etc.

You can use a multi-tier out-of-contact policy that uses different scripts to perform predefined sequences of tasks (e.g. remove some or all data/apps, lock the device or restrict its use, turn on location services, turn off some hardware/connections, etc.) based on different OOC timeout thresholds.

Whole-device wiping becomes more useful if your devices are using Samsung Knox Mobile Enrollment (KME) or Android Enterprise Zero-Touch Enrollment (ZTE) for device theft protection. If KME or ZTE are not possible, it is recommended that the OEM-independent Factory Reset Protection (FRP) be used to deter device theft.

BVal
6 years ago

Hi Raymond,

Thank you for your detailed reply.

To answer some of your questions: each of the Samsung Galaxy Tab 2 tablets has one owner and has been enrolled into SOTI as such. They are not shared and, besides the language settings of the tablet and apps, they are virtually identical. They are company owned, which is why we have locked down the devices to ensure the end users do not have the possibility of changing anything they want, for example within the "Settings" menu. The tablets are not using Kiosk mode, as we wanted to ensure the tablets look and feel like a tablet the end user would have at home.

The tablets are not part of KME or ZTE. I have installed the SOTI Settings Manager app to allow our end users to change the necessities such as connecting to WiFi and Bluetooth and changing the brightness and sound levels. I have pushed out SOTI Surf; however, the end users can only visit a handful of white-listed websites, and everything else they try to visit will redirect them to our company website.

We have no critical corporate data or apps on the device, and my priority would be to protect against the use of the device once it has been lost or stolen. I am however hesitant to just push a wipe command to stolen/lost devices, as this would remove SOTI and all of its current "safeguards", for example the authentication rule, the security app which prevents users from accessing the settings menu, the device PIN, etc., which would give the thief the possibility to just set up the device as if it was taken out of the box. Hence my question about the wipe command. Does it actually do a factory reset, or does SOTI MobiControl stay installed and retain the safeguards we currently have on the devices?

Hopefully the above answers will help people provide advice on my enquiry. Perhaps my enquiry will inspire people to share some of the ideas they are putting into practice for their lost or stolen corporate-owned devices.

Many thanks. 

Raymond Chan Diamond Contributor
6 years ago (edited 6 years ago)

Wipe is actually a factory reset that will have the MobiControl device agent permanently removed too. If you don't add the free KME for your Samsung devices, the next line of protection after a reset is Google's Factory Reset Protection (FRP), which requires a correct Google account and password to be input before the device can be reconfigured for useful work again. Your device must have at least a lockscreen password enabled and a corporate-controlled Google account added. The latter can be easily enforced, as your end-users are not allowed to go to Settings to remove the corporate-controlled Google account created. Please note that your device might be bricked if you lose track of the Google account info associated with the FRP mechanism of a reset device. According to Samsung global policy, you have to show official proof of ownership of the device at a Samsung Service Centre before they will unbrick the device for you.

Assuming your devices should be connected back to your MobiControl server at least once every 1-2 weeks, you can consider using multi-tier device-side Out-Of-Contact policy similar to the following:

(1) OOC timeout for 3 weeks: script will show a warning message on the screen to prompt the user to sync the device with your corporate network a.s.a.p., and initiate a software reset every 10 minutes

(2) OOC timeout for 4 weeks: initiate a software reset every 5 minutes and lock the device screen every 2 minutes

(3) OOC timeout for 6 weeks: initiate a software reset every 2 minutes and lock the device screen every 1 minute

(4) OOC timeout for 3 months: wipe the device (this is optional, and can be used if you have FRP in place).

Though more complicated stuff can be done with OOC scripts, the above are possibly sufficient and easy enough for your use case.

For each of (2)-(4) above, you can set a corresponding server-side out-of-contact alert rule to remind administrator(s) that the OOC policy will soon be in effect for a particular device. The administrator can then contact the device end-user to get the device re-synced to the server a.s.a.p. This pairing of an OOC alert rule with the corresponding OOC policy that wipes a device (item (4) above) is especially important because there is only a last chance (a window of less than 2 minutes after power-up) to bypass the device wipe. This bypass/cancellation may be needed to save valuable user data on under-utilized devices (e.g. those that have been put in a drawer for many months beyond the deadly OOC timeout by the end-user).
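The escalation ladder and alert pairing described in the answer above, modelled as an added example in Python. This is not SOTI code and not posted by anyone in the thread: it never talks to MobiControl, it only shows how a tiered OOC policy chooses its rung from a device's last check-in, how a server-side alert rule with a lead time warns an administrator before a device-side tier fires, and how the wipe tier can be refused when FRP is not in place. Assumed values: thresholds of 21/28/42/90 days for 3 weeks/4 weeks/6 weeks/3 months, a 3-day alert lead time, and the modelling choice that the strictest tier already reached is the one in force (how a real MDM resolves overlapping tiers must be checked against its documentation). The device names and dates are constructed sample data.

```python
"""Model of a multi-tier out-of-contact (OOC) policy with paired alert rules.

Added example, not SOTI code. Assumptions (not from the thread):
thresholds in days (21/28/42/90), a 3-day alert lead time, and
'highest reached tier wins' when several thresholds have passed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Tier:
    """One rung of the ladder (values mirror the four-step proposal above)."""
    name: str
    threshold_days: int                # days without a server check-in before it applies
    action: str
    reboot_every_min: Optional[int] = None
    lock_every_min: Optional[int] = None
    wipes: bool = False


LADDER: Tuple[Tier, ...] = (
    Tier("OOC-1", 21, "warn user to sync; soft reset", reboot_every_min=10),
    Tier("OOC-2", 28, "soft reset + lock screen", reboot_every_min=5, lock_every_min=2),
    Tier("OOC-3", 42, "soft reset + lock screen, tighter", reboot_every_min=2, lock_every_min=1),
    Tier("OOC-4", 90, "wipe (only sensible with FRP in place)", wipes=True),
)


def days_silent(last_contact: datetime, now: datetime) -> int:
    return (now - last_contact).days


def active_tier(last_contact: datetime, now: datetime, ladder=LADDER) -> Optional[Tier]:
    """Strictest tier whose threshold has already passed.

    Lower tiers are also 'true' for a long-silent device; this model assumes the
    highest reached one is what the device enforces (assumption, verify per MDM).
    """
    silent = days_silent(last_contact, now)
    reached = [t for t in ladder if silent >= t.threshold_days]
    return max(reached, key=lambda t: t.threshold_days) if reached else None


def upcoming_alerts(last_contact: datetime, now: datetime,
                    lead_days: int = 3, ladder=LADDER) -> List[Tier]:
    """Tiers that will fire within lead_days: the server-side alert rule that
    gives an administrator time to get the device re-synced first."""
    silent = days_silent(last_contact, now)
    return [t for t in ladder if silent < t.threshold_days <= silent + lead_days]


def evaluate_device(last_contact: datetime, now: datetime,
                    frp_enabled: bool, lead_days: int = 3) -> Dict[str, object]:
    tier = active_tier(last_contact, now)
    alerts = upcoming_alerts(last_contact, now, lead_days)
    # A wipe without FRP hands the thief a clean, reusable device, so the model
    # refuses to schedule the wipe action and flags it for the administrator.
    wipe_blocked = bool(tier and tier.wipes and not frp_enabled)
    return {
        "days_silent": days_silent(last_contact, now),
        "tier": tier.name if tier else None,
        "action": None if tier is None or wipe_blocked else tier.action,
        "wipe_blocked": wipe_blocked,
        "alerts": [t.name for t in alerts],
    }


def evaluate_fleet(devices: Dict[str, datetime], now: datetime,
                   frp_enabled: bool, lead_days: int = 3) -> Dict[str, Dict[str, object]]:
    return {dev: evaluate_device(seen, now, frp_enabled, lead_days)
            for dev, seen in devices.items()}


# Constructed sample fleet: device id -> last successful server check-in.
NOW = datetime(2024, 3, 1)
SAMPLE_FLEET: Dict[str, datetime] = {
    "tab-001": NOW - timedelta(days=5),     # healthy
    "tab-002": NOW - timedelta(days=26),    # OOC-2 fires in 2 days: alert now
    "tab-003": NOW - timedelta(days=42),    # exactly 6 weeks silent
    "tab-004": NOW - timedelta(days=45),    # between the 6-week and 3-month rungs
    "tab-005": NOW - timedelta(days=100),   # past the wipe threshold
}

if __name__ == "__main__":
    for dev, report in evaluate_fleet(SAMPLE_FLEET, NOW, frp_enabled=False).items():
        print(dev, report)
```

Running it with `frp_enabled=False` shows tab-005 reaching OOC-4 with `wipe_blocked` set and no action scheduled; with `frp_enabled=True` the same device gets the wipe action. tab-002 produces an `OOC-2` alert two days before that rung would take effect, which is the admin's window to phone the user.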

Faraz Mohammed
a year ago

If a device has been out of contact for 6 weeks, which OOC will be actioned on the device? OOC3 or OOC4 or OOC6?

Because OOC3 & 4 will still be applicable for a device which has been out of contact for over 6 weeks.

BVal
6 years ago

Hi Raymond,

Once again thank you for your detailed reply. You have given me a few things to think about with your latest response. Unfortunately we don't have a corporate Google account that we add to the devices, and as a matter of fact we have disabled the Google Play Store and other Google services to prevent users from downloading unwanted apps. Our end users are very opportunistic if given the chance. We currently push all of the required apps through profiles to the tablets. In other words, we have locked down the device so that it stays the way we provide it, and this was by design due to the nature of their use.

In the meantime, however, I will do further research on some of the points you've written about to come up with a concept that will work for us. I welcome any further response from either you or anyone else who wants to chime in on this topic. Thank you.

Raymond Chan Diamond Contributor
6 years ago

A Google account can be added during device enrollment in order to get FRP going, and various Google services & Google Play can subsequently be blacklisted (or not whitelisted) before deployment to end-user.

If your company is so worried about unauthorized apps being installed or run on the company devices, you should add an application run control policy to whitelist all the apps that can run on the system, just in case the Kiosk gets hacked/disabled temporarily for unknown reasons.

GPMOD@SOTI
6 years ago

Hello BVal - Please let us know if you would need any further information on this thread.

Thank you.

BVal
6 years ago

Hi GPMOD,

Thank you for your post. I think the initial replies were a good starting point for me, so I thank those that wrote and read this thread. You may close it off, if that was your wish :)

BV

Raymond Chan Diamond Contributor
6 years ago

Hi BVal,

As the initiator of the discussion and possibly the owner of the problem, you should be the one to mark any particular post as a good enough solution. In the past, there were some cases where a Soti moderator marked a post as the solution even though they hadn't contacted the initiator/owner to ask whether he/she considered that post a solution that actually solved his/her problem. This is actually not ideal.

BTW, one update that you might be interested in. The latest MobiControl v14.3+ includes a new Android Enterprise profile payload called "Enterprise Factory Reset Protection (EFRP)". In principle, a single corporate-owned Google account can be pushed to multiple AE devices as the Google account for the FRP mechanism. This saves a lot of time and effort compared to handling one Google account for each corporate device. I'm in the process of testing this feature now.