Different operating modes in Securepoint Mobile Device Management
Last adaption: 03.2022
New:
  • Registration for Zero Touch devices
This article refers to a Resellerpreview

Operating modes in MDM


Is my device compatible?

The compatibility between iOS and Securepoint Mobile Security is always tested on current devices.

Securepoint Mobile Security is compatible with iOS / iPadOS 8 and higher.


iOS / iPadOS Version | Mobile Security Remark
≤7     | Technologically not compatible
8 - 11 | This operating system is no longer provided with security updates. We strongly advise against its use.
12     | Technologically compatible, but not all functions are supported by the operating system.
13     | Technologically compatible, but not all functions are supported by the operating system.
14     | Technologically compatible
15     | Technologically compatible
16     | Technologically compatible
  • The latest version is required to use all functions.

    Compatibilities Android

    Compatibility of Android versions with Securepoint Mobile Security:

    Android Version | Mobile Security Remark
    ≤6 | Technologically not compatible
    ≥7 | All devices from Android 7.0 with access to the Google Play API are supported.
         This excludes, for example, newer devices from Huawei that do not have access to Google Play!

  • Due to the large number of different manufacturers and operating system versions we cannot guarantee 100% compatibility. Devices that are not explicitly recommended by Google can work. We cannot guarantee a solution for problems with unlisted devices.
  • Recommended devices: Mobile Security and MDM are compatible with the devices recommended by Google. The current list of compatible devices can be found at https://androidenterprisepartners.withgoogle.com/devices/#

    The Securepoint Mobile Security Portal has been tested with the following browsers.

    Browser | Mobile Security Remark
    Google Chrome | Version 95.0.4638.54
    Firefox (93.0) | Version 93.0
    Opera (without any warranty) | Version 80.0.4170.16
    Edge | Version 42.17134.10
    Internet Explorer | Version 11.285.17134.0

    Decision path for the right operating mode

    BYOD: Bring your own Device

    Personal device with business use:

    • Every employee uses his or her private device
    • Apps and data for work purposes are stored in a work container

    Flow chart

    The steps required to connect Android devices are described here:

    Prerequisite:

    1. Securepoint Mobile Device Management (MDM) must be linked to a Google account as Android Enterprise account
    2. An Android Enterprise profile must be configured in the Securepoint Unified Security Portal

    Enrollment:

    1. Creating a Registration Token for a Profile
    2. Register device

    Preparation

    There must be a connection from the Securepoint Mobile Security Portal to an Android Enterprise account.

    Link Google Enterprise with Securepoint Mobile Security

    Settings for Apple and Android

    In order to be able to use Android Enterprise for companies and administer it via Securepoint Mobile Security, a link must be established between the Mobile Security account and a Google account for EMM.
    It is important to note that there is only one Google Enterprise account for all devices of a tenant (customer with own mobile security account). Without EMM, every device has its own Google account.


    A Google Account may only be associated with one tenant at a time!
    Otherwise, all devices assigned to a tenant – and thus to a Google Account – will appear in all other tenants linked to the same Google Account!

    Associating in the menu

    Products → Mobile Security → Settings → Add/Link

    A Google account is enabled as an enterprise account by linking Securepoint Mobile Security as EMM provider.
    The communication of the Securepoint Mobile Security Portal runs completely via this Google account.

  • To avoid unwanted side effects, a new account should definitely be created.
    It is recommended to use a naming scheme here: mdm.$customer_name@gmail.com

  • Google accounts are free of charge - even as an enterprise account!

  • If the account is suspended by Google or deleted by the owner, all devices will be reset.
    It is essential to ensure that this Google account is never deleted and that the Gmail address is never blocked.

    Google gives indications of various reasons why an account may have been suspended:
    https://support.google.com/accounts/answer/40695?hl=en

    We strongly recommend activating two-factor authentication (2FA)!


    There must be an Android profile that can be assigned to the device.

    BYOD: Android Profile

    Under Mobile Security → Android → Profiles you can Add profile or Import profile or edit an existing profile (click on the profile tile or Edit).

    • Install and configure Apps
    • Password policies
    • Security settings
  • Best Practice: Description of the most important configuration options

  • In addition to configuring the basic settings, restrictions, networks, etc., the following settings are required in the profile:

    Applications

    Installation type Kiosk must be added in the Applications tab for a single app.

    Figure: Application with the installation type Kiosk

    Add application

    Packetname: en.selected.app
        Select package from dropdown menu or add with "select application".

    Installation type: Kiosk
        • The app is automatically installed in Kiosk mode: it is set as the preferred output type and added to the allowlist for lock task mode.
        • Device setup is not completed until the app is installed
        • Users cannot remove the app after it is installed
        • You can only set this installation type for one app per profile
        • If this is present in the profile, the status bar will be disabled automatically.

    Restrictions

    Settings in the Restrictions tab for the kiosk mode

    Activate the custom kiosk launcher
        Hides all system apps on the homescreen and shows only the apps installed via the profile.
        It is recommended to additionally disable the status bar to block access to device settings.

    Power Button Actions: Not specified
        Sets the behavior of a device in kiosk mode when a user presses and holds the on / off button.
        Available by default.
        • Available: The on / off menu (e.g. power off, restart) is displayed when a user long presses the on / off button of a device in kiosk mode
        • Blocked: The on / off menu (e.g. power off, restart) is not displayed when a user long presses the on / off button of a device in kiosk mode
          This may prevent users from turning off the device

    System error warnings: Not specified
        Specifies whether to block system error dialogs for crashed or unresponsive apps in kiosk mode.
        Muted by default.
        • Activated: All system error dialogs such as crash and app not responding (ANR) are displayed.
        • Mute: All system error dialogs like crash and unresponsive app (ANR) are blocked. When blocked, the system forcibly stops the app as if the user closes the app from the user interface.

    System navigation: Not specified
        Indicates which navigation functions are enabled in Kiosk mode (e.g. Home, overview keys).
        • Activated: Home and overview buttons are activated.
        • Deactivated: The Home and Overview buttons cannot be accessed.
        • Home button only: Only the home button is enabled.

    Status bar: Not specified
        Specifies whether system information and notifications are disabled in kiosk mode.
        By default, notifications and system information are disabled.
        • Notifications and system information enabled: System information and notifications are displayed in the status bar in kiosk mode
        • Notifications and system information disabled: System information and notifications are disabled in kiosk mode
        • System information only: Only system information is displayed in the status bar

    Device settings: Not specified
        Specifies whether a user can access the app settings of the device in kiosk mode.
        Allowed by default.
        • Allowed: Access to the Settings app is allowed in Kiosk mode
        • Blocked: Access to the Settings app is not allowed in Kiosk mode


    In addition to configuring the basic settings, restrictions, networks, etc., the following settings are required in the profile:

    Personal use

    In the tab Personal use this must be explicitly allowed and if necessary further settings must be made.

    Figure: Personal use tab

    Activate (default: off)
        Enables the control of private use.
        If this switch is not enabled, the user can install private apps without any restrictions!

    Disable camera
        Disables the camera in the personal profile.
        In order to use the camera for business applications, it must be stored as an app in the Applications tab.

    Deactivate the screen recording
        Screen recordings (screenshots) are not possible when activated.

    Account types with disabled management
        Account types that cannot be managed by the user.
        com.google prevents adding Google accounts in apps, for example.
        • com.google prevents adding Google accounts in all Google Apps (incl. Gmail, Google Calendar, Google Drive, etc.)
          Must not be entered for COPE devices. If this option is subsequently removed, a new enrollment must be performed.
        • com.google prevents Google accounts from being added. Private use would thus no longer be possible, so it must not be used with COPE devices.

    Max. days without work: 0
        Controls how long the work profile can stay off.
        (In the app overview, the apps and notifications of the work profile can be deactivated.)

    Personal Play Store mode: Not specified
        Specifies whether to allow or block the apps in the Personal apps section of the personal profile.
        Default: Blocklist.
        It is also necessary to specify the Installation type.
        • Approval list: Only apps that are explicitly specified in Personal apps and whose Installation type is set to Available may be installed in the personal profile.
        • Blocklist: All Play Store apps can be installed in the personal profile, except for those whose installation type is "Blocked" under "Personal apps".

    Personal applications (Add application)
        Guidelines for apps in the personal profile of a company-owned device with a work profile.

    Packetname: en.selected.app
        Select package from dropdown menu or add with "select application".

    Installation type: Not specified
        The way the installation is performed.
        (Not specified = Default: Available)
        • Unspecified is counted as Available and overrides the Play Store mode Blocklist or Unspecified setting.
        • Block: The app is blocked and cannot be installed. If the app was installed using an old profile, it will be uninstalled.
        • Available: The app is ready for installation
        • Private apps must be added with their own Google account

    Cross-profile guidelines

    Activate
        Policies that, when activated, define restrictions on communication between private and business profile.

    Show work contacts in personal profile
        • Allowed (default value): Allows work profile contacts to appear when searching for personal profile contacts and incoming calls
        • Not allowed: Prevents contacts from the work profile from being displayed when searching for personal profile contacts and incoming calls
        • Not specified: Corresponds to Allowed

    Cross-profile copy & paste
        • Allowed: Text copied in one of the profiles can be pasted in the other profile
        • Not specified: Corresponds to Not allowed

    Cross-profile data sharing
        • Refuse from work to personal profile (default value): Prevents users from sharing work profile data with apps in the personal profile. Personal data can be shared with work apps.
        • Prevents data from being passed from both the personal profile to the work profile and from the work profile to the personal profile.
        • Allowed: Data from one of the profiles can be shared with the other profile.
        • Not specified: Corresponds to Not allowed

    Save
        All data must be saved in order to be transferred to the devices.

    Device enrollment

    BYOD: Registration Token for a Profile

    Under Mobile Security → Android → Devices you can Register new device.

    Figure: Register new device with Android Enterprise

    Would you like to use an existing registration token?: Create a new registration token
        If a registration token has already been created that has not yet expired, it can be selected and displayed here. (Fig. see below)

    Profile: Android Enterprise Profil
        This profile is to be applied to the device to be registered.

    License: TTT-Point AG | MDM [0/10] (aaaa)
        Select the license to be used for newly enrolled devices.
        MDM licenses include the complete administration of devices.
        Mobile security licenses include additional protection in open networks through security features of the Securepoint Cyber Defense Cloud.
        It is possible to assign devices to a new license after a runtime license expires.

    Use code
        Determines whether or not a code is required during enrollment at the end of device registration.
        Should be enabled to prevent devices that have fallen into unauthorized hands from being registered with configured credentials or other company secrets.

    More options

    Duration: 30 days
        Specifies how long this token can be used.
        After this, device registration with this token is no longer possible.
        Possible values:
        • 30 minutes
        • One hour
        • One day
        • One week
        • 15 days
        • 30 days
        • 60 days (new)
        • 90 days (new)
        • Infinite (technically, it is a limit of 10,000 years)

    Additional data
        Any data associated with the registration token. Displayed under Devices in the device overview.

    Only once
        Specifies whether the registration token may only be used once.

    Allow private use: Private use is permitted
        Determines whether private use is allowed on a device logged in with this registration token.
        For private devices:
        A work profile is set up on the device.
        The MDM has exclusive access to apps and data within this profile.
        The MDM can control whether an exchange of data between the work profile and the normal environment on the device is allowed to take place.
        Disabling private use prevents the device from being provisioned. Private use cannot be disabled on a private device.

    Create registration token
        Creates a registration token with QR code and a value that can be entered using the keyboard.
        The name of the associated profile is displayed, as well as the date on which it expires and can no longer be used.

    BYOD: Register device

    Private devices with additional work profile (BYOD)

    In order to be able to distinguish private from business apps, the app Android Device Policy is required.
    On private devices in which only the work profile is managed by an organisation - and thus by the Securepoint Mobile Security Profile - this app must be installed manually from the Android App Store.
    With this app the registration token is scanned or entered via the keyboard and the devices can be registered and configured in the portal.

    • Installing the app Android Device Policy from the Google App Store
    • Scanning the QR code or entering the registration token via the keyboard
      • A work profile is created on the device for the Enterprise profile.
      • All configured applications, restrictions etc. are created and applied within the work profile.

    Company property with private use
    • Switching on for the first time or device reset (factory settings)
    • Country settings selection
    • Tapping the display 7 times quickly opens a QR code scanner
    • Scanning of the profile QR code (see above)
    • A work profile is created on the device
      • All configured apps, restrictions, etc. are created and applied within the work profile.
      • Apps are displayed in the "Business" area and marked with a suitcase icon
    • A private Google account can be stored additionally
      This step can also be done later
      • A private profile is created
      • There is a separate area Private with its own Play Store



    Fully managed devices (COBO, COSU)

    Fully managed devices (COPE, Company Owned personal enabled) are connected directly to the Android Enterprise profile during initial setup or after a device reset. The link to a Google account and thus to an app store is defined by the assigned profile.

    • Initial power-up or device reset (factory settings)
    • Selection of regional settings
    • Tap the display 7 times quickly to open a QR code scanner
    • Scanning the profile QR code (see above)
    • The device is configured as a fully managed device.
      • All policies, apps and restrictions stored in the profile will be applied directly to the device
        This process may take a few minutes during the initial installation!

    Zero touch devices

    Registration in the menu Mobile Security → Android → Zero-Touch

    Either

    • Add device to an existing configuration:
      • Edit configuration: click on the device tile (or use the hamburger menu at the top right of the device tile / Edit)
      • If necessary, select a new valid enrollment token
        Enrollment tokens are valid for a maximum of 30 days
      • Select device(s) by IMEI or serial number
      • Save information

    or

    • with the button Add configuration
      • Select enrollment token
      • Select customer
      • Fill in other details (company name, contact details...)
      • Select device(s) by IMEI or serial number
      • Save details
  • As soon as the device is connected to the Internet for the first time or after a factory reset, the profile is pushed to the device and the connection to the MDM is established.
    The enrollment on the device itself is, depending on the configuration, exactly as described in the sections COPE, COBO or COSU.
    Only the scanning of the enrollment token is omitted!

    Figure: Menu for adding zero touch devices

    Name: Demo TTT-Point
        Configuration name

    Enrollment token: Profile: Selected profile | Token abCD12
        The selected enrollment token (as created in the Devices / Enroll new device menu) will be applied to all devices enrolled with this configuration.
        Since sensitive data and access can be pushed with the settings, it is strongly recommended to use an enrollment token with code.
        This ensures that only authorized users can access the configured device.

    Customer: SecurepointCustomer
        The description for the customer as it was transmitted to the device retailer.
        If several Gmail addresses were linked to the zero touch portal, different descriptions can be selected here.

    Standard
        Defines whether this configuration is the default or not.
        When enabled, new zero touch devices are automatically added to this configuration unless another is specified.
        Note: At least one configuration should be defined as default.

    Company: TTT-Point AG
        Freely selectable designation for the company to which this device is to be assigned.

    E-mail: admin@anyideas.de
        Contact e-mail address.
        Displayed on the mobile device during the setup process when IT Administrator is tapped on the "This device belongs to your organization" screen.

    Phone number: 01234-56789
        Contact phone number (display: see above).

    Custom message: Welcome to TTT-Point
        Shown on the display during device setup.

    Devices: 123456789012345
        This configuration can be assigned to devices based on their IMEI or serial number.
        The box is only active if a customer has been selected as well.

    Save
        Saves the configuration.

    Figure: Zero touch configuration with assigned device

    Completion by the user

  • The end user must now switch on the device for the first time and establish an Internet connection.
    The configuration from the profile is then automatically applied to the device.
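
The warnings attached to the profile, registration token and zero touch settings above can be checked before a profile is rolled out. The following Python check is an added example and is not Securepoint code; the page shows no export format, so every field name, finding code and severity label here is an assumption, and the sample objects are constructed.

```python
"""Added example: lint an Android profile and registration token against the
warnings on this page. All field names and severity labels are hypothetical."""
from dataclasses import dataclass, field


@dataclass
class Profile:
    mode: str                               # "BYOD", "COPE" or "COSU"
    personal_use_active: bool = False       # Personal use tab: Activate
    disabled_account_types: list = field(default_factory=list)
    kiosk_launcher: bool = False            # Restrictions: custom kiosk launcher
    status_bar: str = "not_specified"       # page: disabled by default
    power_button: str = "not_specified"     # page: available by default
    play_store_mode: str = "not_specified"  # page: blocklist by default
    personal_apps: dict = field(default_factory=dict)  # package -> install type


@dataclass
class Token:
    use_code: bool = False
    allow_private_use: bool = True
    zero_touch: bool = False                # token is used in a zero touch config


def lint(profile, token):
    """Return (code, severity, message) for each setting the page warns about."""
    out = []
    if not token.use_code:
        # Page: "should be enabled"; "strongly recommended" for zero touch.
        out.append(("USE_CODE_OFF", "high" if token.zero_touch else "medium",
                    "A device in unauthorized hands can be registered with "
                    "configured credentials or other company secrets."))
    if profile.mode == "BYOD" and not token.allow_private_use:
        out.append(("BYOD_PRIVATE_USE_DISABLED", "high",
                    "Disabling private use prevents a private device from "
                    "being provisioned."))
    if profile.mode == "COPE" and not profile.personal_use_active:
        out.append(("PERSONAL_USE_UNCONTROLLED", "medium",
                    "Personal use is not activated: the user can install "
                    "private apps without any restrictions."))
    if profile.mode == "COPE" and "com.google" in profile.disabled_account_types:
        out.append(("COM_GOOGLE_ON_COPE", "high",
                    "com.google must not be entered for COPE devices; "
                    "removing it later requires a new enrollment."))
    if profile.kiosk_launcher and profile.status_bar not in ("not_specified",
                                                             "disabled"):
        out.append(("KIOSK_STATUS_BAR_VISIBLE", "medium",
                    "Disable the status bar to block access to device settings."))
    if profile.power_button == "blocked":
        out.append(("POWER_BUTTON_BLOCKED", "info",
                    "Users may be unable to turn off the device."))
    return out


def finding_codes(profile, token):
    """Sorted finding codes only, convenient for comparisons."""
    return sorted(code for code, _, _ in lint(profile, token))


def personal_app_installable(profile, package):
    """Apply the page's defaults for Play Store mode and installation type."""
    if not profile.personal_use_active:
        return True                          # no control of private use at all
    mode = profile.play_store_mode
    if mode == "not_specified":
        mode = "blocklist"                   # default: Blocklist
    install_type = profile.personal_apps.get(package)  # None when not listed
    if install_type == "not_specified":
        install_type = "available"           # Not specified = Available
    if mode == "allowlist":
        return install_type == "available"   # must be listed and Available
    return install_type != "blocked"         # everything except Blocked


if __name__ == "__main__":
    # Constructed sample: a COPE profile with two of the page's pitfalls.
    sample = Profile(mode="COPE", disabled_account_types=["com.google"])
    for code, severity, message in lint(sample, Token(zero_touch=True)):
        print(f"[{severity}] {code}: {message}")
```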

  • Remove devices from Mobile Security management

    Devices with work profile (BYOD)

    Under Devices / Delete in the respective device tile, the administration can be removed from the devices:

    • All apps and data within the work profile are wiped.
    • The work profile on these devices is removed.

    Company devices with private use (COPE)

    Under Devices / Delete in the respective device tile, the administration can be removed from the devices:

    • All data will be deleted.
    • The devices are reset automatically and immediately to their factory status!

    Under Mobile Security → Android → Devices, tab Operations, button Submit property, the device can be removed from the administration:

    • All apps and data within the work profile are wiped.
    • The work profile on these devices is removed.

    Fully managed devices

    Under Devices / Delete in the respective device tile, the administration can be removed from the devices:

    • All data will be deleted.
    • The devices are reset automatically and immediately to their factory status!




    COPE: Company owned, personal enabled

    Company owned with private use:

    • The company buys the device for the user
    • Private use is permitted
    • Separation of private and professional apps and data through containers
    • Simple control of the private area by the MDM.
      • e.g.: Allow / forbid access to pictures
      • Allow / forbid address exchange
    • It is possible to transfer the device to purely private use
    • Settings under: Mobile Security → Android → Profiles → Register new device
      More options → Allow private use: Private use is allowed
      Additionally in the profile: tab Personal use → Activate

    Flow chart

    The steps required to connect Android devices are described here:

    Prerequisite:

    1. Securepoint Mobile Device Management (MDM) must be linked to a Google account as Android Enterprise account
    2. An Android Enterprise profile must be configured in the Securepoint Unified Security Portal

    Enrollment:

    1. Creating a Registration Token for a Profile
    2. Register device

    Preparation

    There must be a connection from the Securepoint Mobile Security Portal to an Android Enterprise account.

    There must be an Android profile that can be assigned to the device.

    COPE: Android Profile

    Under Mobile Security → Android → Profiles you can Add profile or Import profile or edit an existing profile (click on the profile tile or Edit).

    • Control of the app store for private applications
    • Release of professional address books for private use (e.g. for incoming calls).
    • WiFi configurations
    • Restrictions
    • Password policies
    • Security settings
  • Best Practice: Description the most important configuration options

  • In addition to configuring the basic settings, restrictions, networks, etc., the following settings are required in the profile:

    Applications
    Applications

    Installation type Kiosk must be added in the Applications tab for a single app

    Caption Value Description MSP v1.6.6 Android Profile Anwendungen Kiosk-en.png
    Application with the installation type Kiosk
     Add application
    Packetname en.selected.app Select package from dropdown menu or add with  select application
    Installation type Kiosk
    • The app is automatically installed in Kiosk mode: it is set as the preferred output type and set to the allowlist for lock task mode.
    • Device setup is not completed until the app is installed
    • Users cannot remove the app after it is installed
    • You can only set this installation type for one app per profile
    • If this is present in the profile, the status bar will be disabled automatically.
    Restrictions
    Restrictions

    Settings in the Restrictions tab for the kiosk mode

    Activate the custom kiosk launcher Hides all system apps on the homescreen and shows only the apps installed via the profile.

    It is recommended to additionally disable the status bar to block access to device settings.

    Power Button Actions Not specified Sets the behavior of a device in kiosk mode when a user presses and holds the on / off button.
    Available by default
    Available The on / off menu (e.g. power off, restart) is displayed when a user long presses the on / off button of a device in kiosk mode
    Blocked The On / Off menu (e.g. power off, restart) is not displayed when a user long presses the On / Off button of a device in kiosk mode
  • This may prevent users from turning off the device
  • System error warnings Not specified Specifies whether to block system error dialogs for crashed or unresponsive apps in kiosk mode.
    Muted by default.
    Activated All system error dialogs such as crash and app not responding (ANR) are displayed.
    Mute All system error dialogs like crash and unresponsive app (ANR) are blocked. When blocked, the system forcibly stops the app as if the user closes the app from the user interface.
    Systemnavigation Not specified Indicates which navigation functions are enabled in Kiosk mode (e.g. Home, overview keys).
    Activated Home and overview buttons are activated.
    Deactivated The Home and Overview buttons cannot be accessed.
    Home button only Only the home button is enabled.
    Status bar Not specified Specifies whether system information and notifications are disabled in kiosk mode.
    By default, notifications and system information are disabled.
    Notifications and system information enabled System informations and notifications are displayed in the status bar in kiosk mode
    Notifications and system informations disabled System informations and notifications are disabled in kiosk mode
    System informations only Only system information is displayed in the status bar
    Device settings Not specified Specifies whether a user can access the app settings of the device in kiosk mode
    Allowed by default
    Allowed Access to the Settings app is allowed in Kiosk mode
    Blocked Access to the Settings app is not allowed in Kiosk mode


    In addition to configuring the basic settings, restrictions, networks, etc., the following settings are required in the profile:

    Personal use
    Personal use

    In the tab Personal use this must be explicitly allowed and if necessary further settings must be made.

    Caption Value Description MSP v1.6.6 Android Profile Persönlicher-Gebrauch-en.png
    Personal use tab
    Activate   
    default: off
    Enables the control of private use
    If this switch is not enabled, the user can install private apps without any restrictions!
    Disable camera Disables the camera in the personal profile
    In order to use the camera for business applications, it must be stored as an app in the Applications tab.
    Deactivate the screen recording Screen recordings (screenshots) are not possible when activated
    Account types with disabled management     Account types that cannot be managed by the user.
    com.google prevents adding Google accounts in apps, for example.
    • com.google prevents adding Google accounts in all Google Apps (incl. Gmail, Google Calendar, Google Drive, etc.)
      Must not be entered for COPE devices. If this option is subsequently removed, a new enrollment must be performed.
        
  • com.google prevents Google accounts from being added. Private use would thus no longer be possible and must therefore not be used with COPE devices
  • Max. days without work 0Link= Controls how long the work profile can stay off.
    (In the app overview, the apps and notifications of the work profile can be deactivated.)
    Personal Play Store mode Not specified Specifies whether to allow or block the apps in the Personal apps section of the personal profile.
    Standard block list.
    It is also necessary to specify the Installation type.
    Approval list Only apps that are explicitly specified in Personal apps and whose Installation type is set to Available may be installed in the personal profile.
    Blocklist All Play Store apps can be installed in the personal profile, except for those whose installation type is "Blocked" under "Personal apps".
    Personal applications  Add application Guidelines for apps in the personal profile of a company-owned device with a work profile
    Packetname en.selected.app Select package from dropdown menu or add with  select application
    Installation type Not specified The way the installation is performed.
    (Not specified=Default: Available)
  • Unspecified is counted as Available and overrides the Play Store mode Blocklist or Unspecified setting.
  • Block The app is blocked and cannot be installed. If the app was installed using an old profile, it will be uninstalled
    Available The app is ready for installation
  • Private apps must be added with their own Google account

  • Cross-profile guidelines
    Activate Policies that, when activated, define restrictions on communication between private and business profile
    Show work contacts in personal profile Allowed
    default value
    Allows work profile contacts to appear when searching for personal profile contacts and incoming calls
    Not allowed Prevents contacts from the work profile from being displayed when searching for personal profile contacts and incoming calls
    Not specified Corresponds to Allowed
    Cross-profile copy & paste    
    Allowed Text copied in one of the profiles can be pasted in the other profile
    Not specified Corresponds to Not allowed
    Cross-profile data sharing Refuse from work to personal profile
    default value
    Prevents users from sharing work profile data with apps in the personal profile. Personal data can be shared with work apps.
        Prevents data from being passed from both the personal profile to the work profile and from the work profile to the personal profile.
    Allowed Data from one of the profiles can be shared with the other profile.
    Not specified Corresponds to Not allowed
     Save All data must be stored in order to be transferred to the devices.
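The Personal Play Store mode and Installation type rules above interact with the Activate switch of the Personal use tab. The following is an added example (not Securepoint code and not the portal's profile format) that works through that interaction; the enum values, function names and `com.example.*` package names are assumptions made for illustration.

```python
from enum import Enum


class Mode(Enum):
    NOT_SPECIFIED = "not_specified"
    ALLOWLIST = "approval_list"
    BLOCKLIST = "blocklist"


class InstallType(Enum):
    NOT_SPECIFIED = "not_specified"
    AVAILABLE = "available"
    BLOCKED = "blocked"


def effective_mode(mode):
    # "Standard block list": an unspecified mode behaves like Blocklist.
    return Mode.BLOCKLIST if mode is Mode.NOT_SPECIFIED else mode


def effective_type(install_type):
    # "Not specified = Default: Available"
    if install_type is InstallType.NOT_SPECIFIED:
        return InstallType.AVAILABLE
    return install_type


def decide(package, control_enabled, mode, personal_apps, installed=False):
    """Return 'allow', 'deny' or 'uninstall' for one package in the personal profile."""
    if not control_enabled:
        # Activate switch off: private apps can be installed without restriction.
        return "allow"
    listed = package in personal_apps
    itype = effective_type(personal_apps[package]) if listed else None
    if itype is InstallType.BLOCKED:
        # The page states removal only for Blocked apps that are already installed.
        return "uninstall" if installed else "deny"
    if effective_mode(mode) is Mode.ALLOWLIST:
        # Approval list: only listed apps whose type resolves to Available.
        return "allow" if itype is InstallType.AVAILABLE else "deny"
    return "allow"  # Blocklist: everything that is not explicitly Blocked


def review(control_enabled, mode, personal_apps):
    """Return short codes for settings whose effect differs from what the list suggests."""
    if not control_enabled:
        return ["control-off"]  # mode and app list have no effect at all
    notes = []
    types = {pkg: effective_type(t) for pkg, t in personal_apps.items()}
    if effective_mode(mode) is Mode.ALLOWLIST:
        if InstallType.AVAILABLE not in types.values():
            notes.append("allowlist-empty")  # nothing can be installed
    else:
        for pkg in sorted(types):
            if types[pkg] is InstallType.AVAILABLE:
                notes.append("redundant:" + pkg)  # installable anyway in Blocklist mode
        if InstallType.BLOCKED not in types.values():
            notes.append("blocklist-empty")  # every Play Store app is installable
    return notes


# Constructed sample list of personal apps (hypothetical package names).
SAMPLE_PERSONAL_APPS = {
    "com.example.notes": InstallType.NOT_SPECIFIED,
    "com.example.game": InstallType.BLOCKED,
    "com.example.maps": InstallType.AVAILABLE,
}

if __name__ == "__main__":
    for pkg in ("com.example.notes", "com.example.game", "com.example.other"):
        for mode in Mode:
            print(pkg, mode.value, decide(pkg, True, mode, SAMPLE_PERSONAL_APPS))
    print(review(True, Mode.NOT_SPECIFIED, SAMPLE_PERSONAL_APPS))
```

The `review` codes make the quiet cases visible: a profile left at Not specified behaves as a Blocklist, so entries that resolve to Available restrict nothing.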

    Device enrollment

    COPE: Registration Token for a Profile

    Under Mobile Security → Android → Devices you can Register new device

    Register new device with Android Enterprise

    • Would you like to use an existing registration token? Create a new registration token
      If a registration token has already been created that has not yet expired, it can be selected and displayed here. (Fig. see below)
    • Profile: Android Enterprise Profil
      This profile is to be applied to the device to be registered.
    • License: TTT-Point AG | MDM [0/10] (aaaa)
      Select the license to be used for newly enrolled devices.
      MDM licenses include the complete administration of devices.
      Mobile security licenses include additional protection in open networks through security features of the Securepoint Cyber Defense Cloud.
      It is possible to assign devices to a new license after a runtime license expires.
    • Use code
      Determines whether or not a code is required during enrollment, at the end of device registration.
      Should be enabled to prevent devices that have fallen into unauthorized hands from being registered with configured credentials or other company secrets.

    More options

    • Duration: 30 days
      Specifies how long this token can be used.
      After this, device registration with this token is no longer possible.
      Possible values: 30 minutes, One hour, One day, One week, 15 days, 30 days, 60 days (New), 90 days (New), Infinite (technically, it is a limit of 10,000 years)
    • Additional data
      Any data associated with the registration token. Displayed under Devices in the device overview.
    • Only once
      Specifies whether the registration token may only be used once.
    • Allow private use: Private use is permitted
      Determines whether private use is allowed on a device logged in with this registration token.
      For corporate devices:
      A work profile is set up on the device.
      The MDM has full access to applications and data in the work profile and in the normal environment.
    • Create registration token
      Creates a registration token with QR code and a value that can be entered using the keyboard.
      The name of the associated profile is displayed, as well as the date on which it expires and can no longer be used.

    [Figure: Android device registration token]




    COPE: Register device

    Private devices with additional work profile (BYOD)

    In order to be able to distinguish private from business apps, the app Android Device Policy is required.
    On private devices in which only the work profile is managed by an organisation - and thus by the Securepoint Mobile Security Profile - this app must be installed manually from the Android App Store.
    With this app the registration token is scanned or entered via the keyboard and the devices can be registered and configured in the portal.

    • Installing the app Android Device Policy from the Google App Store
    • Scanning the QR code or entering the registration token via the keyboard
      • A work profile is created on the device for the Enterprise profile.
      • All configured applications, restrictions etc. are created and applied within the work profile.

    Company property with private use
    • Switching on for the first time or device reset (factory settings)
    • Country settings selection
    • Tapping the display 7 times quickly opens a QR code scanner
    • Scanning of the profile QR code (see above)
    • A work profile is created on the device
      • All configured apps, restrictions, etc. are created and applied within the work profile.
      • Apps are displayed in the "Business" area and marked with a suitcase icon
    • A private Google account can be stored additionally
      This step can also be done later
      • A private profile is created
      • There is a separate area Private with its own Play Store



    Fully managed devices (COBO, COSU)

    Fully managed devices (COPE, Company Owned personal enabled) are connected directly to the Android Enterprise profile during initial setup or after a device reset. The link to a Google account and thus to an app store is defined by the assigned profile.

    • Initial power-up or device reset (factory settings)
    • Selection of regional settings
    • Tap the display 7 times quickly to open a QR code scanner
    • Scanning the profile QR code (see above)
    • The device is configured as a fully managed device.
      • All policies, apps and restrictions stored in the profile will be applied directly to the device
        This process may take a few minutes during the initial installation!

    Zero touch devices

    Registration in the menu Mobile Security → Android → Zero-Touch

    Either

    • Add device to an existing configuration:
      • Edit configuration: Click on the device tile (or use the hamburger menu at the top right of the device tile / Edit)
      • if necessary, select a new valid enrollment token
        Enrollment tokens are valid for a maximum of 30 days
          
      • Select device(s) by IMEI or serial number
      • Save information

    or

    • with the button  Add configuration
      • select enrollment token
      • select customer
      • Fill in other details (company name, contact details...)
      • Select device(s) by IMEI or serial number
      • Save details
  • As soon as the device is connected to the Internet for the first time or after a factory reset, the profile is pushed to the device and the connection to the MDM is established.
    The enrollment on the device itself is, depending on the configuration, exactly as described in the sections COPE, COBO or COSU.
    Only the scanning of the enrollment token is omitted!

    Menu for adding zero touch devices

  • Name: Demo TTT-Point
    Configuration name
  • Enrollment token: Profile: Selected profile | Token abCD12
    The selected enrollment token (as created in the Devices / Enroll new device menu) will be applied to all devices enrolled with this configuration.
    Since sensitive data and access can be pushed with the settings, it is strongly recommended to use an enrollment token with code.
    This ensures that only authorized users can access the configured device.
  • Customer: SecurepointCustomer
    The description for the customer as it was transmitted to the device retailer.
    If several Gmail addresses were linked to the zero touch portal, different descriptions can be selected here.
  • Standard
    Defines whether this configuration is the default or not.
    When enabled, new zero touch devices are automatically added to this configuration unless another is specified.
    Note: At least one configuration should be defined as default.
  • Company: TTT-Point AG
    Freely selectable designation for the company to which this device is to be assigned.
  • E-mail: admin@anyideas.de
    Contact email address.
    Displayed on the mobile device during the setup process when IT Administrator is tapped on the "This device belongs to your organization" screen.
  • Phone number: 01234-56789
    Contact phone number. Display: see above.
  • Custom message: Welcome to TTT-Point
    Shown on the display during device setup
  • Devices: 123456789012345
    This configuration can be assigned to devices based on their IMEI or serial number.
    The box is only active if a customer has been selected as well.
  • Save
    Saves the configuration

    [Figure: Zero touch configuration with assigned device]

    Closing by user

  • The end user must now switch on the device for the first time and establish an Internet connection.
    The configuration from the profile is then automatically applied to the device.

  • Remove devices from Mobile Security management

    Devices with working profile (BYOD)

    Under  Devices /   Delete in the respective device tile the administration can be removed from the devices:

    • All apps and data within the work profile are wiped.
    • The work profile on these devices is removed.

    Company devices with private use (COPE)

    Under  Devices /   Delete in the respective device tile the administration can be removed from the devices:

    • All data will be deleted.
    • The devices are reset automatically and immediately to their factory status!

    Under Mobile Security → Android → Devices, tab Operations, button Submit property, the device can be removed from the administration:

    • All apps and data within the work profile are wiped.
    • The work profile on these devices is removed.

    Fully managed devices

    Under  Devices /   Delete in the respective device tile the administration can be removed from the devices:

    • All data will be deleted.
    • The devices are reset automatically and immediately to their factory status!



    COBO: Company owned, business only

    Company owned without private use:

    • The devices are intended for use in the enterprise environment only.
    • The IT administrator has full control over the smartphone
    • Private data is strictly prohibited on the device
    • Settings under: Mobile Security → Android → Profiles → Register new device
      More options Allow private use: Private use is not allowed

    Flow chart

    The steps required to connect Android devices are described here:

    Prerequisite:

    1. Securepoint Mobile Device Management (MDM) must be linked to a Google account as Android Enterprise account
    2. An Android Enterprise profile must be configured in the Securepoint Unified Security Portal

    Enrollment:

    1. Creating a Registration Token for a Profile
    2. Register device

    Preparation

    There must be a connection from the Securepoint Mobile Security Portal to an Android Enterprise account.

    Link Google Enterprise with Securepoint Mobile Security

    Settings for Apple and Android

    In order to be able to use Android Enterprise for companies and administer it via Securepoint Mobile Security, a link must be established between the Mobile Security account and a Google account for EMM.
    It is important to note that there is only one Google Enterprise account for all devices of a tenant (customer with own mobile security account). Without EMM, every device has its own Google account.


    A Google Account may only be associated with one tenant at a time!
    Otherwise, all devices assigned to a tenant – and thus to a Google Account – will appear in all other tenants linked to the same Google Account!
      

    Associating in the menu

    Products → Mobile Security → Settings → Add/Link

    A Google account is enabled as an enterprise account by linking Securepoint Mobile Security as EMM provider.
    The communication of the Securepoint Mobile Security Portal runs completely via this Google account.

  • To avoid unwanted side effects, a new account should definitely be created.

    It is recommended to use a naming scheme here: mdm.$customer_name@gmail.com

  • Google accounts are free of charge - even as an enterprise account!

  • If the account is suspended by Google or deleted by the owner, all devices will be reset.
    It is essential to ensure that this Google account is never deleted and that the Gmail address is never blocked.

    Google gives indications of various reasons why an account may have been suspended:
    https://support.google.com/accounts/answer/40695?hl=en

    We strongly recommend activating two-factor authentication (2FA)!


    There must be an Android profile that can be assigned to the device.

    COBO: Android Profile

    Under Mobile Security → Android → Profiles you can Add profile or Import profile or edit an existing profile (click on profile tile or Edit)

  • Best Practice: Description of the most important configuration options

  • In addition to configuring the basic settings, restrictions, networks, etc., the following settings are required in the profile:

    Applications

    Installation type Kiosk must be added in the Applications tab for a single app

    Application with the installation type Kiosk

    • Add application
    • Packetname: en.selected.app
      Select package from dropdown menu or add with select application
    • Installation type: Kiosk
      • The app is automatically installed in Kiosk mode: it is set as the preferred output type and set to the allowlist for lock task mode.
      • Device setup is not completed until the app is installed
      • Users cannot remove the app after it is installed
      • You can only set this installation type for one app per profile
      • If this is present in the profile, the status bar will be disabled automatically.
    Restrictions

    Settings in the Restrictions tab for the kiosk mode

    • Activate the custom kiosk launcher
      Hides all system apps on the homescreen and shows only the apps installed via the profile.
      It is recommended to additionally disable the status bar to block access to device settings.
    • Power Button Actions: Not specified
      Sets the behavior of a device in kiosk mode when a user presses and holds the on / off button.
      Available by default
      • Available: The on / off menu (e.g. power off, restart) is displayed when a user long presses the on / off button of a device in kiosk mode
      • Blocked: The on / off menu (e.g. power off, restart) is not displayed when a user long presses the on / off button of a device in kiosk mode
        This may prevent users from turning off the device
    • System error warnings: Not specified
      Specifies whether to block system error dialogs for crashed or unresponsive apps in kiosk mode.
      Muted by default.
      • Activated: All system error dialogs such as crash and app not responding (ANR) are displayed.
      • Mute: All system error dialogs such as crash and app not responding (ANR) are blocked. When blocked, the system forcibly stops the app as if the user closes the app from the user interface.
    • System navigation: Not specified
      Indicates which navigation functions are enabled in Kiosk mode (e.g. Home, overview keys).
      • Activated: Home and overview buttons are activated.
      • Deactivated: The Home and Overview buttons cannot be accessed.
      • Home button only: Only the home button is enabled.
    • Status bar: Not specified
      Specifies whether system information and notifications are disabled in kiosk mode.
      By default, notifications and system information are disabled.
      • Notifications and system information enabled: System information and notifications are displayed in the status bar in kiosk mode
      • Notifications and system information disabled: System information and notifications are disabled in kiosk mode
      • System information only: Only system information is displayed in the status bar
    • Device settings: Not specified
      Specifies whether a user can access the app settings of the device in kiosk mode
      Allowed by default
      • Allowed: Access to the Settings app is allowed in Kiosk mode
      • Blocked: Access to the Settings app is not allowed in Kiosk mode
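Several kiosk restrictions left at Not specified still take effect through their stated defaults. As an added example (not Securepoint code and not the portal's export format), this check resolves those defaults and reports the combinations the text above warns about; the dictionary layout, key names, value names and finding codes are assumptions.

```python
NOT_SPECIFIED = "not_specified"

# Defaults the text above states for "Not specified". System navigation has
# no stated default, so it is deliberately left out of this table.
DOCUMENTED_DEFAULTS = {
    "power_button": "available",
    "system_error_warnings": "muted",
    "status_bar": "disabled",
    "device_settings": "allowed",
}


def effective_kiosk_settings(restrictions):
    """Replace 'not_specified' by the documented default where one exists."""
    effective = {}
    for key in (*DOCUMENTED_DEFAULTS, "system_navigation"):
        value = restrictions.get(key, NOT_SPECIFIED)
        if value == NOT_SPECIFIED:
            value = DOCUMENTED_DEFAULTS.get(key, NOT_SPECIFIED)
        effective[key] = value
    return effective


def audit_kiosk_profile(profile):
    """Return finding codes for a kiosk profile, in a fixed order."""
    findings = []
    kiosk_apps = [
        app["package"]
        for app in profile.get("applications", [])
        if app.get("installation_type") == "kiosk"
    ]
    if not kiosk_apps:
        findings.append("no-kiosk-app")
    elif len(kiosk_apps) > 1:
        # Installation type Kiosk can be set for only one app per profile.
        findings.append("multiple-kiosk-apps")

    restrictions = profile.get("restrictions", {})
    effective = effective_kiosk_settings(restrictions)
    if effective["device_settings"] == "allowed":
        # Allowed is the default, so an untouched profile leaves Settings reachable.
        findings.append("settings-app-reachable")
    if restrictions.get("custom_kiosk_launcher") and effective["status_bar"] != "disabled":
        # Recommendation above: disable the status bar together with the launcher.
        findings.append("launcher-with-status-bar")
    if effective["system_navigation"] == NOT_SPECIFIED:
        # No default is documented, so the value should be set explicitly.
        findings.append("navigation-not-set")
    if effective["power_button"] == "blocked":
        # Informational: users may be unable to turn the device off.
        findings.append("power-menu-blocked")
    return findings


# Constructed sample profiles (hypothetical package name and layout).
DEFAULT_PROFILE = {
    "applications": [{"package": "com.example.pos", "installation_type": "kiosk"}],
    "restrictions": {},
}
HARDENED_PROFILE = {
    "applications": [{"package": "com.example.pos", "installation_type": "kiosk"}],
    "restrictions": {
        "custom_kiosk_launcher": True,
        "status_bar": "disabled",
        "device_settings": "blocked",
        "system_navigation": "home_only",
        "power_button": "blocked",
    },
}

if __name__ == "__main__":
    print(audit_kiosk_profile(DEFAULT_PROFILE))
    print(audit_kiosk_profile(HARDENED_PROFILE))
```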


    In addition to configuring the basic settings, restrictions, networks, etc., the following settings are required in the profile:

    Personal use

    In the tab Personal use this must be explicitly allowed and if necessary further settings must be made.

    Caption Value Description MSP v1.6.6 Android Profile Persönlicher-Gebrauch-en.png
    Personal use tab
    Activate   
    default: off
    Enables the control of private use
    If this switch is not enabled, the user can install private apps without any restrictions!
    Disable camera Disables the camera in the personal profile
    In order to use the camera for business applications, it must be stored as an app in the Applications tab.
    Deactivate the screen recording Screen recordings (screenshots) are not possible when activated
    Account types with disabled management     Account types that cannot be managed by the user.
    com.google prevents adding Google accounts in apps, for example.
    • com.google prevents adding Google accounts in all Google Apps (incl. Gmail, Google Calendar, Google Drive, etc.)
      Must not be entered for COPE devices. If this option is subsequently removed, a new enrollment must be performed.
        
  • com.google prevents Google accounts from being added. Private use would thus no longer be possible and must therefore not be used with COPE devices
  • Max. days without work 0 Controls how long the work profile can stay off.
    (In the app overview, the apps and notifications of the work profile can be deactivated.)
    Personal Play Store mode Not specified Specifies whether to allow or block the apps in the Personal apps section of the personal profile.
    Standard block list.
    It is also necessary to specify the Installation type.
    Approval list Only apps that are explicitly specified in Personal apps and whose Installation type is set to Available may be installed in the personal profile.
    Blocklist All Play Store apps can be installed in the personal profile, except for those whose installation type is "Blocked" under "Personal apps".
    Personal applications  Add application Guidelines for apps in the personal profile of a company-owned device with a work profile
    Packetname en.selected.app Select package from dropdown menu or add with  select application
    Installation type Not specified The way the installation is performed.
    (Not specified=Default: Available)
  • Unspecified is counted as Available and overrides the Play Store mode Blocklist or Unspecified setting.
  • Block The app is blocked and cannot be installed. If the app was installed using an old profile, it will be uninstalled
    Available The app is ready for installation
  • Private apps must be added with their own Google account

  • Cross-profile guidelines
    Activate Policies that, when activated, define restrictions on communication between private and business profile
    Show work contacts in personal profile Allowed
    default value
    Allows work profile contacts to appear when searching for personal profile contacts and incoming calls
    Not allowed Prevents contacts from the work profile from being displayed when searching for personal profile contacts and incoming calls
    Not specified Corresponds to Allowed
    Cross-profile copy & paste    
    Allowed Text copied in one of the profiles can be pasted in the other profile
    Not specified Corresponds to Not allowed
    Cross-profile data sharing Refuse from work to personal profile
    default value
    Prevents users from sharing work profile data with apps in the personal profile. Personal data can be shared with work apps.
        Prevents data from being passed from both the personal profile to the work profile and from the work profile to the personal profile.
    Allowed Data from one of the profiles can be shared with the other profile.
    Not specified Corresponds to Not allowed
     Save All data must be stored in order to be transferred to the devices.

    Device enrollment

    COBO: Registration Token for a Profile

    Under Mobile Security → Android → Devices you can Register new device

    Register new device with Android Enterprise

    • Would you like to use an existing registration token? Create a new registration token
      If a registration token has already been created that has not yet expired, it can be selected and displayed here. (Fig. see below)
    • Profile: Android Enterprise Profil
      This profile is to be applied to the device to be registered.
    • License: TTT-Point AG | MDM [0/10] (aaaa)
      Select the license to be used for newly enrolled devices.
      MDM licenses include the complete administration of devices.
      Mobile security licenses include additional protection in open networks through security features of the Securepoint Cyber Defense Cloud.
      It is possible to assign devices to a new license after a runtime license expires.
    • Use code
      Determines whether or not a code is required during enrollment, at the end of device registration.
      Should be enabled to prevent devices that have fallen into unauthorized hands from being registered with configured credentials or other company secrets.

    More options

    • Duration: 30 days
      Specifies how long this token can be used.
      After this, device registration with this token is no longer possible.
      Possible values: 30 minutes, One hour, One day, One week, 15 days, 30 days, 60 days (New), 90 days (New), Infinite (technically, it is a limit of 10,000 years)
    • Additional data
      Any data associated with the registration token. Displayed under Devices in the device overview.
    • Only once
      Specifies whether the registration token may only be used once.
    • Allow private use: Private use is not permitted
      Determines whether private use is allowed on a device logged in with this registration token.
      Disabling private use prevents the creation of a work container.
    • Create registration token
      Creates a registration token with QR code and a value that can be entered using the keyboard.
      The name of the associated profile is displayed, as well as the date on which it expires and can no longer be used.

    [Figure: Android device registration token]




    COBO: Register device

    Private devices with additional work profile (BYOD)

    In order to be able to distinguish private from business apps, the app Android Device Policy is required.
    On private devices in which only the work profile is managed by an organisation - and thus by the Securepoint Mobile Security Profile - this app must be installed manually from the Android App Store.
    With this app the registration token is scanned or entered via the keyboard and the devices can be registered and configured in the portal.

    • Installing the app Android Device Policy from the Google App Store
    • Scanning the QR code or entering the registration token via the keyboard
      • A work profile is created on the device for the Enterprise profile.
      • All configured applications, restrictions etc. are created and applied within the work profile.

    Company property with private use
    • Switching on for the first time or device reset (factory settings)
    • Country settings selection
    • Tapping the display 7 times quickly opens a QR code scanner
    • Scanning of the profile QR code (see above)
    • A work profile is created on the device
      • All configured apps, restrictions, etc. are created and applied within the work profile.
      • Apps are displayed in the "Business" area and marked with a suitcase icon
    • A private Google account can be stored additionally
      This step can also be done later
      • A private profile is created
      • There is a separate area Private with its own Play Store



    Fully managed devices (COBO, COSU)

    Fully managed devices (COPE, Company Owned personal enabled) are connected directly to the Android Enterprise profile during initial setup or after a device reset. The link to a Google account and thus to an app store is defined by the assigned profile.

    • Initial power-up or device reset (factory settings)
    • Selection of regional settings
    • Tap the display 7 times quickly to open a QR code scanner
    • Scanning the profile QR code (see above)
    • The device is configured as a fully managed device.
      • All policies, apps and restrictions stored in the profile will be applied directly to the device
        This process may take a few minutes during the initial installation!

    Zero touch devices

    Registration in the menu Mobile Security → Android → Zero-Touch

    Either

    • Add device to an existing configuration:
      • Edit configuration: Click on the device tile (or use the hamburger menu at the top right of the device tile / Edit)
      • if necessary, select a new valid enrollment token
        Enrollment tokens are valid for a maximum of 30 days
          
      • Select device(s) by IMEI or serial number
      • Save information

    or

    • with the button  Add configuration
      • select enrollment token
      • select customer
      • Fill in other details (company name, contact details...)
      • Select device(s) by IMEI or serial number
      • Save details
  • As soon as the device is connected to the Internet for the first time or after a factory reset, the profile is pushed to the device and the connection to the MDM is established.
    The enrollment on the device itself is, depending on the configuration, exactly as described in the sections COPE, COBO or COSU.
    Only the scanning of the enrollment token is omitted!

    Menu for adding zero touch devices

  • Name: Demo TTT-Point
    Configuration name
  • Enrollment token: Profile: Selected profile | Token abCD12
    The selected enrollment token (as created in the Devices / Enroll new device menu) will be applied to all devices enrolled with this configuration.
    Since sensitive data and access can be pushed with the settings, it is strongly recommended to use an enrollment token with code.
    This ensures that only authorized users can access the configured device.
  • Customer: SecurepointCustomer
    The description for the customer as it was transmitted to the device retailer.
    If several Gmail addresses were linked to the zero touch portal, different descriptions can be selected here.
  • Standard
    Defines whether this configuration is the default or not.
    When enabled, new zero touch devices are automatically added to this configuration unless another is specified.
    Note: At least one configuration should be defined as default.
  • Company: TTT-Point AG
    Freely selectable designation for the company to which this device is to be assigned.
  • E-mail: admin@anyideas.de
    Contact email address.
    Displayed on the mobile device during the setup process when IT Administrator is tapped on the "This device belongs to your organization" screen.
  • Phone number: 01234-56789
    Contact phone number. Display: see above.
  • Custom message: Welcome to TTT-Point
    Shown on the display during device setup
  • Devices: 123456789012345
    This configuration can be assigned to devices based on their IMEI or serial number.
    The box is only active if a customer has been selected as well.
  • Save
    Saves the configuration

    [Figure: Zero touch configuration with assigned device]

    Closing by user

  • The end user must now switch on the device for the first time and establish an Internet connection.
    The configuration from the profile is then automatically applied to the device.

  • Remove devices from Mobile Security management

    Devices with working profile (BYOD)

    Under  Devices /   Delete in the respective device tile the administration can be removed from the devices:

    • All apps and data within the work profile are wiped.
    • The work profile on these devices is removed.

    Company devices with private use (COPE)

    Under  Devices /   Delete in the respective device tile the administration can be removed from the devices:

    • All data will be deleted.
    • The devices are reset automatically and immediately to their factory status!

    Under Mobile Security → Android → Devices, tab Operations, button Submit property, the device can be removed from the administration:

    • All apps and data within the work profile are wiped.
    • The work profile on these devices is removed.

    Fully managed devices

    Under  Devices /   Delete in the respective device tile the administration can be removed from the devices:

    • All data will be deleted.
    • The devices are reset automatically and immediately to their factory status!



    COSU: Company owned, single use

    Company owned with a single application:

    • COSU devices are configured for a specific task.
    • This is mostly realized via a kiosk mode
    • Settings under: Mobile Security → Android → Profiles → Tab Applications entry Installation type Kiosk

    Flow chart

    The steps required to connect Android devices are described here:

    Prerequisite:

    1. Securepoint Mobile Device Management (MDM) must be linked to a Google account as Android Enterprise account
    2. An Android Enterprise profile must be configured in the Securepoint Unified Security Portal

    Enrollment:

    1. Creating a Registration Token for a Profile
    2. Register device

    Preparation

    There must be a connection from the Securepoint Mobile Security Portal to an Android Enterprise account.

    Link Google Enterprise with Securepoint Mobile Security

    Settings for Apple and Android

    In order to be able to use Android Enterprise for companies and administer it via Securepoint Mobile Security, a link must be established between the Mobile Security account and a Google account for EMM.
    It is important to note that there is only one Google Enterprise account for all devices of a tenant (customer with own mobile security account). Without EMM, every device has its own Google account.


    A Google Account may only be associated with one tenant at a time!
    Otherwise, all devices assigned to a tenant – and thus to a Google Account – will appear in all other tenants linked to the same Google Account!
      

    Associating in the menu

    Products → Mobile Security → Settings → Add/Link

    A Google account is enabled as an enterprise account by linking Securepoint Mobile Security as EMM provider.
    The communication of the Securepoint Mobile Security Portal runs completely via this Google account.

  • To avoid unwanted side effects, a new account should definitely be created.

    It is recommended to use a naming scheme here: mdm.$customer_name@gmail.com

  • Google accounts are free of charge - even as an enterprise account!

  • If the account is suspended by Google or deleted by the owner, all devices will be reset.
    It is essential to ensure that this Google account is never deleted and that the Gmail address is never blocked.

    Google gives indications of various reasons why an account may have been suspended:
    https://support.google.com/accounts/answer/40695?hl=en

    We strongly recommend activating two-factor authentication (2FA)!


    There must be an Android profile that can be assigned to the device.

    COSU: Android Profile

    Under Mobile Security → Android → Profiles you can Add profile or Import profile or edit an existing profile (click on profile tile or Edit)

  • Best Practice: Description of the most important configuration options

  • In addition to configuring the basic settings, restrictions, networks, etc., the following settings are required in the profile:

    Applications

    Installation type Kiosk must be added in the Applications tab for a single app.

    Application with the installation type Kiosk (add it with  Add application):

    • Package name (value: en.selected.app): Select the package from the dropdown menu or add it with  select application.
    • Installation type (value: Kiosk):
      • The app is automatically installed in Kiosk mode: it is set as the preferred home intent and added to the allowlist for lock task mode.
      • Device setup is not completed until the app is installed.
      • Users cannot remove the app after it is installed.
      • You can only set this installation type for one app per profile.
      • If this is present in the profile, the status bar will be disabled automatically.
    Restrictions

    Settings in the Restrictions tab for the kiosk mode:

    • Activate the custom kiosk launcher: Hides all system apps on the home screen and shows only the apps installed via the profile.
      It is recommended to additionally disable the status bar to block access to device settings.
    • Power Button Actions (value: Not specified): Sets the behavior of a device in kiosk mode when a user presses and holds the on/off button.
      Available by default.
      • Available: The on/off menu (e.g. power off, restart) is displayed when a user long-presses the on/off button of a device in kiosk mode.
      • Blocked: The on/off menu (e.g. power off, restart) is not displayed when a user long-presses the on/off button of a device in kiosk mode.
        This may prevent users from turning off the device.
    • System error warnings (value: Not specified): Specifies whether to block system error dialogs for crashed or unresponsive apps in kiosk mode.
      Muted by default.
      • Activated: All system error dialogs such as crash and app not responding (ANR) are displayed.
      • Mute: All system error dialogs such as crash and app not responding (ANR) are blocked. When blocked, the system forcibly stops the app as if the user had closed the app from the user interface.
    • System navigation (value: Not specified): Indicates which navigation functions are enabled in kiosk mode (e.g. Home, Overview buttons).
      • Activated: Home and Overview buttons are activated.
      • Deactivated: The Home and Overview buttons cannot be accessed.
      • Home button only: Only the Home button is enabled.
    • Status bar (value: Not specified): Specifies whether system information and notifications are disabled in kiosk mode.
      By default, notifications and system information are disabled.
      • Notifications and system information enabled: System information and notifications are displayed in the status bar in kiosk mode.
      • Notifications and system information disabled: System information and notifications are disabled in kiosk mode.
      • System information only: Only system information is displayed in the status bar.
    • Device settings (value: Not specified): Specifies whether a user can access the Settings app of the device in kiosk mode.
      Allowed by default.
      • Allowed: Access to the Settings app is allowed in kiosk mode.
      • Blocked: Access to the Settings app is not allowed in kiosk mode.


    In addition to configuring the basic settings, restrictions, networks, etc., the following settings are required in the profile:

    Personal use

    In the tab Personal use this must be explicitly allowed and, if necessary, further settings must be made.

    Personal use tab:

    • Activate (default: off): Enables the control of private use.
      If this switch is not enabled, the user can install private apps without any restrictions!
    • Disable camera: Disables the camera in the personal profile.
      In order to use the camera for business applications, it must be stored as an app in the Applications tab.
    • Deactivate the screen recording: Screen recordings (screenshots) are not possible when activated.
    • Account types with disabled management: Account types that cannot be managed by the user.
      com.google prevents adding Google accounts in apps, for example.
      • com.google prevents adding Google accounts in all Google Apps (incl. Gmail, Google Calendar, Google Drive, etc.).
        Must not be entered for COPE devices. If this option is subsequently removed, a new enrollment must be performed.
      • com.google prevents Google accounts from being added. Private use would thus no longer be possible, so it must not be used with COPE devices.
    • Max. days without work (value: 0): Controls how long the work profile can stay off.
      (In the app overview, the apps and notifications of the work profile can be deactivated.)
    • Personal Play Store mode (value: Not specified): Specifies whether to allow or block the apps in the Personal apps section of the personal profile.
      Default: Blocklist.
      It is also necessary to specify the Installation type.
      • Approval list: Only apps that are explicitly specified in Personal apps and whose Installation type is set to Available may be installed in the personal profile.
      • Blocklist: All Play Store apps can be installed in the personal profile, except for those whose installation type is "Blocked" under "Personal apps".
    • Personal applications ( Add application): Guidelines for apps in the personal profile of a company-owned device with a work profile.
      • Package name (value: en.selected.app): Select the package from the dropdown menu or add it with  select application.
      • Installation type (value: Not specified): The way the installation is performed.
        (Not specified = default: Available)
        Unspecified is counted as Available and overrides the Play Store mode Blocklist or Unspecified setting.
        • Block: The app is blocked and cannot be installed. If the app was installed using an old profile, it will be uninstalled.
        • Available: The app is ready for installation.
        Private apps must be added with their own Google account.
    • Cross-profile guidelines
      • Activate: Policies that, when activated, define restrictions on communication between the private and the business profile.
      • Show work contacts in personal profile:
        • Allowed (default value): Allows work profile contacts to appear when searching for personal profile contacts and for incoming calls.
        • Not allowed: Prevents contacts from the work profile from being displayed when searching for personal profile contacts and for incoming calls.
        • Not specified: Corresponds to Allowed
      • Cross-profile copy & paste:
        • Allowed: Text copied in one of the profiles can be pasted in the other profile.
        • Not specified: Corresponds to Not allowed
      • Cross-profile data sharing:
        • Refuse from work to personal profile (default value): Prevents users from sharing work profile data with apps in the personal profile. Personal data can be shared with work apps.
        • Prevents data from being passed from both the personal profile to the work profile and from the work profile to the personal profile.
        • Allowed: Data from one of the profiles can be shared with the other profile.
        • Not specified: Corresponds to Not allowed
    •  Save: All data must be saved in order to be transferred to the devices.
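
    The personal Play Store rules from the Personal use settings above, modelled as an added example (not Securepoint code): it resolves whether a package can be installed in the personal profile and shows which packages change when only the mode is switched. The dictionary layout, function names and package names are assumptions, and "Not specified" is read as the defaults the settings list gives.

```python
# Added example; the dict layout is hypothetical, not a Securepoint export format.
AVAILABLE, BLOCK, NOT_SPECIFIED = "Available", "Block", "Not specified"
APPROVAL_LIST, BLOCKLIST = "Approval list", "Blocklist"


def effective_mode(policy):
    """Play Store mode after defaults: 'Not specified' behaves as the block list."""
    mode = policy.get("play_store_mode", NOT_SPECIFIED)
    return BLOCKLIST if mode == NOT_SPECIFIED else mode


def effective_install_type(policy, package):
    """Installation type of a listed app, or None if the app is not listed."""
    apps = policy.get("personal_applications", {})
    if package not in apps:
        return None
    # 'Not specified' is counted as 'Available'.
    return AVAILABLE if apps[package] == NOT_SPECIFIED else apps[package]


def personal_app_installable(policy, package):
    """True if the user may install `package` in the personal profile."""
    if not policy.get("activate", False):
        return True  # switch off (the default): private apps are unrestricted
    itype = effective_install_type(policy, package)
    if effective_mode(policy) == APPROVAL_LIST:
        return itype == AVAILABLE  # must be listed, and not as Block
    return itype != BLOCK          # block list: everything except Block entries


def changed_by_mode_switch(policy, new_mode, candidates):
    """Packages whose installability flips when only the mode is changed."""
    switched = dict(policy, play_store_mode=new_mode)
    return sorted(p for p in candidates
                  if personal_app_installable(policy, p)
                  != personal_app_installable(switched, p))


# Constructed sample policy; the package names are made up.
SAMPLE = {
    "activate": True,
    "play_store_mode": NOT_SPECIFIED,
    "personal_applications": {
        "com.example.chat": AVAILABLE,
        "com.example.notes": NOT_SPECIFIED,
        "com.example.game": BLOCK,
    },
}
CANDIDATES = ["com.example.chat", "com.example.notes",
              "com.example.game", "com.example.unlisted"]

if __name__ == "__main__":
    print({p: personal_app_installable(SAMPLE, p) for p in CANDIDATES})
    print(changed_by_mode_switch(SAMPLE, APPROVAL_LIST, CANDIDATES))
```

    Switching the sample from the default block list to the approval list changes only the unlisted package, which is the case that usually surprises users after a profile update.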

    Device enrollment

    COSU: Registration Token for a Profile

    Under  Mobile Security Android Devices you can  Register new device



    Register new device with Android Enterprise:

    • Would you like to use an existing registration token? (option: Create a new registration token): If a registration token has already been created that has not yet expired, it can be selected and displayed here. (Fig. see below)
    • Profile (option: Android Enterprise Profil): This profile is to be applied to the device to be registered.
    • License (option: TTT-Point AG | MDM [0/10] (aaaa)): Select the license to be used for newly enrolled devices.
      MDM licenses include the complete administration of devices.
      Mobile security licenses include additional protection in open networks through security features of the Securepoint Cyber Defense Cloud.
      It is possible to assign devices to a new license after a runtime license expires.
    • Use code: Determines whether or not a code is required during enrollment at the end of device registration.
      Should be enabled to prevent devices that have fallen into unauthorized hands from being registered with configured credentials or other company secrets.

    More options

    • Duration (option: 30 days): Specifies how long this token can be used.
      After this, device registration with this token is no longer possible.
      Possible values:
      • 30 minutes
      • One hour
      • One day
      • One week
      • 15 days
      • 30 days
      • 60 days (New)
      • 90 days (New)
      • Infinite
        Technically, it is a limit of 10,000 years.
    • Additional data: Any data associated with the registration token. Displayed under  Devices in the device overview.
    • Only once: Specifies whether the registration token may only be used once.
    • Allow private use (option: Private use is not permitted): Determines whether private use is allowed on a device logged in with this registration token.
      Disabling private use prevents the creation of a work container.
    •  Create registration token: Creates a registration token with QR code and a value that can be entered using the keyboard.
      The name of the associated profile is displayed, as well as the date on which it expires and can no longer be used.




    COSU: Register device

    Private devices with additional work profile (BYOD)

    In order to be able to distinguish private from business apps, the app Android Device Policy is required.
    On private devices in which only the work profile is managed by an organisation - and thus by the Securepoint Mobile Security Profile - this app must be installed manually from the Android App Store.
    With this app the registration token is scanned or entered via the keyboard and the devices can be registered and configured in the portal.

    • Installing the app Android Device Policy from the Google App Store
    • Scanning the QR code or entering the registration token via the keyboard
      • A work profile is created on the device for the Enterprise profile.
      • All configured applications, restrictions etc. are created and applied within the work profile.

    Company property with private use
    • Switching on for the first time or device reset (factory settings)
    • Country settings selection
    • Tapping the display 7 times quickly opens a QR code scanner
    • Scanning of the profile QR code (see above)
    • A work profile is created on the device
      • All configured apps, restrictions, etc. are created and applied within the work profile.
      • Apps are displayed in the "Business" area and marked with a suitcase icon
    • A private Google account can be stored additionally
      This step can also be done later
      • A private profile is created
      • There is a separate area Private with its own Play Store



    Fully managed devices (COBO, COSU)

    Fully managed devices (COPE, Company Owned personal enabled) are connected directly to the Android Enterprise profile during initial setup or after a device reset. The link to a Google account and thus to an app store is defined by the assigned profile.

    • Initial power-up or device reset (factory settings)
    • Selection of regional settings
    • Tap the display 7 times quickly to open a QR code scanner
    • Scanning the profile QR code (see above)
    • The device is configured as a fully managed device.
      • All policies, apps and restrictions stored in the profile will be applied directly to the device
        This process may take a few minutes during the initial installation!

    Zero touch devices

    Registration in the menu  Mobile Security Android Zero-Touch

    Either

    • Add device to an existing configuration:
      • Edit configuration: Click on the device tile, or use the hamburger menu at the top right of the device tile /  Edit
      • if necessary, select a new valid enrollment token
        Enrollment tokens are valid for a maximum of 30 days
          
      • Select device(s) by IMEI or serial number
      • Save information

    or

    • with the button  Add configuration
      • select enrollment token
      • select customer
      • Fill in other details (company name, contact details...)
      • Select device(s) by IMEI or serial number
      • Save details
  • As soon as the device is connected to the Internet for the first time or after a factory reset, the profile is pushed to the device and the connection to the MDM is established.
    The enrollment on the device itself is, depending on the configuration, exactly as described in the sections COPE, COBO or COSU.
    Only the scanning of the enrollment token is omitted!
    Menu for adding zero touch devices:

    • Name (value: Demo TTT-Point): Configuration name
    • Enrollment token (value: Profile: Selected profile | Token abCD12): The selected enrollment token (as created in the Devices / Enroll new device menu) will be applied to all devices enrolled with this configuration.
      Since sensitive data and access can be pushed with the settings, it is strongly recommended to use an enrollment token with code.
      This ensures that only authorized users can access the configured device.
    • Customer (value: SecurepointCustomer): The description for the customer as it was transmitted to the device retailer.
      If several Gmail addresses were linked to the zero touch portal, different descriptions can be selected here.
    • Standard: Defines whether this configuration is the default or not.
      When enabled, new zero touch devices are automatically added to this configuration unless another is specified.
      Note: At least one configuration should be defined as default.
    • Company (value: TTT-Point AG): Freely selectable designation for the company to which this device is to be assigned.
    • E-mail (value: admin@anyideas.de): Contact e-mail address.
      Displayed on the mobile device during the setup process when IT Administrator is tapped on the "This device belongs to your organization" screen.
    • Phone number (value: 01234-56789): Contact phone number; display see above.
    • Custom message (value: Welcome to TTT-Point): Shown on the display during device setup.
    • Devices (value: ×123456789012345): This configuration can be assigned to devices based on their IMEI or serial number.
      The box is only active if a customer has been selected as well.
    •  Save: Saves the configuration

    Zero touch configuration with assigned device
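
    A lint for the recommendations this page makes about enrollment codes (in particular for zero touch), the kiosk status bar, the Personal use switch and com.google on COPE devices, as an added example that is not part of the Securepoint product. The profile and token dictionaries, their field names and the finding names are hypothetical.

```python
# Added example: lints a profile and its enrollment token against the
# recommendations stated on this page. The dict layout is hypothetical.
STATUS_BAR_VISIBLE = {"Notifications and system information enabled",
                      "System information only"}


def audit(profile, token, zero_touch=False):
    """Return the list of finding ids for one profile/token pair."""
    findings = []
    kiosk = profile.get("kiosk", {})
    personal = profile.get("personal_use", {})

    # "Use code" keeps a device in unauthorized hands from being registered.
    if not token.get("use_code", False):
        findings.append("zero-touch-token-without-code" if zero_touch
                        else "token-without-code")

    # Custom kiosk launcher: the status bar should stay disabled as well.
    # "Not specified" counts as disabled, so only explicit values are flagged.
    if kiosk.get("custom_launcher") and kiosk.get("status_bar") in STATUS_BAR_VISIBLE:
        findings.append("kiosk-status-bar-visible")

    # Private use without the "Activate" switch leaves private apps unrestricted.
    if token.get("allow_private_use") and not personal.get("activate", False):
        findings.append("personal-apps-unrestricted")

    # com.google must not be entered for COPE devices.
    if (profile.get("mode") == "COPE"
            and "com.google" in personal.get("disabled_account_types", [])):
        findings.append("com.google-disabled-on-cope")
    return findings


# Constructed sample data: a weak COPE setup, a weak kiosk setup, a corrected one.
WEAK_COPE = {"mode": "COPE",
             "personal_use": {"activate": False,
                              "disabled_account_types": ["com.google"]}}
WEAK_KIOSK = {"mode": "COSU",
              "kiosk": {"custom_launcher": True,
                        "status_bar": "System information only"}}
FIXED_COPE = {"mode": "COPE",
              "personal_use": {"activate": True, "disabled_account_types": []}}
TOKEN_NO_CODE = {"use_code": False, "allow_private_use": True}
TOKEN_WITH_CODE = {"use_code": True, "allow_private_use": True}

if __name__ == "__main__":
    print(audit(WEAK_COPE, TOKEN_NO_CODE))
    print(audit(WEAK_KIOSK, {"use_code": False}, zero_touch=True))
    print(audit(FIXED_COPE, TOKEN_WITH_CODE))
```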

    Completion by the user

  • The end user must now switch on the device for the first time and establish an Internet connection.
    The configuration from the profile is then automatically applied to the device.

    Remove devices from Mobile Security management

    Devices with work profile (BYOD)

    Under  Devices /   Delete in the respective device tile the administration can be removed from the devices:

    • All apps and data within the work profile are wiped.
    • The work profile on these devices is removed.

    Company devices with private use (COPE)

    Under  Devices /   Delete in the respective device tile the administration can be removed from the devices:

    • All data will be deleted.
    • The devices are reset automatically and immediately to their factory status!

    Under  Mobile Security Android Devices, tab Operations, button  Submit property, the device can be removed from the administration:

    • All apps and data within the work profile are wiped.
    • The work profile on these devices is removed.

    Fully managed devices

    Under  Devices /   Delete in the respective device tile the administration can be removed from the devices:

    • All data will be deleted.
    • The devices are reset automatically and immediately to their factory status!