Prevent enrolling as Android Enterprise Work Profile (BYOD) device

Simon Breuer Gold Contributor
REWE digital GmbH

Hello,

does anybody have an idea how to prevent enrolling of private devices as Work Profile devices into our environment?

We have set the Device Type option in our Enrollment Policy to "Work Managed" as we only want fully managed devices in our MDM.

Unfortunately, with the same Enrollment ID a user is able to enroll his private device by downloading the SOTI Agent from Google Play and entering this Enrollment ID.

Shouldn't the option "Work Managed" prevent the users from doing so?

If this is not possible, why are both options available in the GUI?

Edited 16 days ago
SOTI MobiControl
ANSWERS
Robert Schäfer
16 days ago

I would suggest raising that with SOTI's support team, as that would have been my expectation. Not a scenario I have dealt with, however.

Your best bet, though it adds a little additional work to the enrolment process, is to enable authentication in the enrolment policy and specify a password. That way they won't be able to enrol, unless of course they know the password.

I would also question why people in the organisation have access to the Enrollment ID. Methods such as Google Zero Touch or KME should really be used to handle device enrolment in a more streamlined and controlled way. I would never recommend handing out the enrolment ID.

Simon Breuer Gold Contributor
16 days ago

Thanks for your reply.

We already use Samsung KME for our devices. God knows how some users (5 of >10,000) got their hands on the Enrollment ID.

Maybe we will raise a support call with SOTI.

Robert Schäfer
16 days ago

Hi Simon,

If they are enrolling devices themselves, perhaps they saw and wrote down the enrolment ID, as it is visible for a short amount of time and if you intervene and cancel enrolment.

The password option is probably your quickest temporary solution while you wait on SOTI.

Rafael Schäfer Platinum Contributor
16 days ago

If you "just" delete the device in the console but do not wipe the device, it will revert all changes back, then start the MobiControl app in fullscreen, which displays the Enrollment ID.

Maybe something like that happened at some point so they were able to grab the enrollment ID in that way.

Rafael Schäfer Platinum Contributor
16 days ago

And one thing: if you have a limited set of devices (which maybe are not popular for normal consumers), you could also allow enrolling only for a specific manufacturer or even model.

Or if all devices are enrolled from the company network, from a specific IP address (or even range).

Raymond Chan Diamond Contributor
16 days ago (edited 15 days ago)

Please check whether the 5 problematic devices are correctly configured in the KME portal. Is it possible that the device model(s) or firmware version(s) are not supported for some reason?

Also, from their enrollment timestamps, it may be found that they are among the first few enrolled among your thousands of devices, and had been configured improperly before some fixes were done to facilitate the proper enrollment of the others.

Finally, it might be worth trying to perform another factory reset of any of these 5 problematic devices, and see if any loophole(s) or useful error messages giving a clue on the cause of the problem can be found during the enrollment process.

ASMOD@SOTI
15 days ago (edited 15 days ago)

Hi Simon,

Thank you for posting your query on SOTI Pulse.

And thank you Robert, Raymond, and Rafael for sharing your insights — your expertise is always appreciated!

In this specific scenario — preventing users from enrolling personal devices as Work Profile using the same Enrollment ID — one option is to delete the current Enrollment ID and create a new one. This ensures that anyone attempting to use the previous ID will no longer be able to enroll a device.

Additionally, I'd recommend contacting SOTI Support (support@soti.net) and opening a new case. One of our support engineers will review your setup in detail and help identify the most suitable solution or workaround.

Kind regards,

Technical Support | SOTI Inc.