MDM | Block corporate resources unless enrolled?!

bvandepol
New Contributor III

A lot of units in our environment are not (yet) enrolled in our MDM environment. I know I can send enrollment invitations etc. to our users, but this doesn't mean they will actually enroll their device(s). Chasing the devices/users is an impossible task since we're talking about a 4-digit number of devices.

I would like to block certain (corporate) facilities until the device is enrolled. Examples of these are:

  • Block Exchange mail access
  • Block access to Corporate WiFi

The goal would be to add value and functionality to the user's device when the device is enrolled. This will encourage them to enroll it.

I'm convinced I'm not the only person struggling with this and I'm very curious how you have tackled this. Any input is more than welcome.


defiler
New Contributor III

Hello,

We are using a script that gets enrolled users via the JSS API and uses it on the firewall to add "allow" rules to some corporate resources. Can't share the scripts, but I hope you got the idea.

defiler
New Contributor III

As for Wi-Fi, you can just change the Wi-Fi password, make a Wi-Fi profile in MDM and don't tell that password to users, so MDM will be the only option to get Wi-Fi working.

BVikse
New Contributor III

I would recommend caution with using a profile to activate wireless. iPads need to be connected to Wi-Fi to talk to Apple and to talk to your MDM. How can they pick up the policy to activate Wi-Fi if they don't have Wi-Fi? How can they enroll without Wi-Fi?

defiler
New Contributor III

We have a special restricted SSID for initial device configuration.

bvandepol
New Contributor III

We have a separate (guest) SSID that everybody can connect to. This is an isolated network blocking all corporate resources. So units still have connectivity to the Apple/MDM servers.

I think that blocking corporate email access for not-enrolled devices is what we want most. Our Exchange is set up with autodiscover and it accepts ActiveSync connections from any device.

There must be a way to achieve this. I somehow have to be able to add value and (block) features unless the device is enrolled.

iJake
Valued Contributor

Our MDM provider achieves this by using PowerShell commands to turn off EAS for any accounts it does not manage. This should be easy enough to do with a check between Exchange and the JSS for something written in-house. The PowerShell commands for 2013 and O365 are here: http://technet.microsoft.com/en-us/library/bb124809(v=exchg.150).aspx
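One way to build the Exchange-to-JSS check described above, as an added example that is not from this thread or from any MDM vendor: it pulls the owners of managed devices from the Jamf Classic API (`/JSSResource/mobiledevices`) and turns off ActiveSync for every mailbox whose user has no managed device. It assumes the Exchange cmdlets `Get-CASMailbox`/`Set-CASMailbox` are loaded in the session, that the JSS `username` field matches the mailbox `SamAccountName`, and that the JSS URL and account are placeholders you replace.

```powershell
# Added example, not the thread's or any vendor's code. Disables Exchange
# ActiveSync (EAS) for mailboxes whose user owns no managed device in the JSS.
# Placeholders: the JSS URL, the API account, and the SamAccountName match.
param(
    [string]$JssUrl = 'https://jss.corp.example:8443',          # placeholder
    [pscredential]$JssCred = (Get-Credential -Message 'JSS read-only API account'),
    [switch]$Enforce   # without -Enforce the script only reports what it would do
)

# 1. Ask the JSS (Classic API, basic auth) for all mobile devices and collect
#    the usernames that own at least one *managed* device.
$pair    = "$($JssCred.UserName):$($JssCred.GetNetworkCredential().Password)"
$headers = @{
    Accept        = 'application/json'
    Authorization = 'Basic ' + [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes($pair))
}
$resp = Invoke-RestMethod -Uri "$JssUrl/JSSResource/mobiledevices" -Headers $headers

$enrolledUsers = [System.Collections.Generic.HashSet[string]]::new([StringComparer]::OrdinalIgnoreCase)
foreach ($d in $resp.mobile_devices) {
    # A device record that the JSS no longer manages does not count as enrolled.
    if ($d.managed -and -not [string]::IsNullOrWhiteSpace($d.username)) {
        [void]$enrolledUsers.Add($d.username)
    }
}
Write-Host "JSS reports $($enrolledUsers.Count) users with a managed device"

# 2. Walk every mailbox that currently has ActiveSync enabled and disable it
#    for users without a managed device. Run without -Enforce first and read
#    the report: a mismatch between JSS usernames and SamAccountName would
#    otherwise lock out everyone.
$candidates = Get-CASMailbox -ResultSize Unlimited -Filter 'ActiveSyncEnabled -eq $true'
$disabled = 0
foreach ($mbx in $candidates) {
    $user = $mbx.SamAccountName       # assumption: same value the JSS stores as username
    if ($enrolledUsers.Contains($user)) { continue }

    if ($Enforce) {
        Set-CASMailbox -Identity $mbx.Identity -ActiveSyncEnabled $false
        Write-Host "Disabled EAS for $user (no managed device in JSS)"
    } else {
        Write-Host "WOULD disable EAS for $user (no managed device in JSS)"
    }
    $disabled++
}
Write-Host "$disabled mailbox(es) affected"
```

Re-enabling is the mirror image (`Set-CASMailbox -ActiveSyncEnabled $true` for users that now appear in the JSS list), so the same script can be scheduled to run both directions once a device enrolls.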