Auto Enrollments

Auto Enrollments are special types of enrollments which allow many similar devices to be enrolled to Relution much more quickly than their traditional counterparts. Additionally, devices can connect to Relution automatically, without involvement of an administrator, before the devices are handed out. Not all device manufacturers offer auto enrollment methods; those that do and are available in Relution are Apple (iOS) and Samsung (Android KNOX).

In this section, you will find information about the various possibilities for auto enrolling your devices, and instructions on how to perform them.

Device Enrollment Program (DEP)

The Apple Device Enrollment Program (DEP) allows for a streamlined device enrollment process, including a customized setup procedure, which eases the deployment of many (similar or identical) devices. DEP enables you to use iOS devices in supervised mode, make enrollments mandatory, protect enrollments from being removed by the user and skip setup steps when setting up the device.

To use DEP within Relution, your organization needs a DEP account and DEP-enabled devices. Please refer to the respective Apple documentation to learn more.

Configuration

To set up DEP within Relution, open the “Device Enrollment Program” tab under “Auto Enrollments” in the “Settings” menu. The necessary steps are:

  1. Create an empty Relution-side DEP account first. Do not confuse this with your actual DEP account at Apple, which is independent of anything configured within Relution.

  2. Download the certificate of your Relution instance.

  3. Log in to the Apple DEP portal and create a server definition pointing to your Relution instance.

  4. Upload the certificate for this server.

  5. Download the token the Apple DEP portal creates for you.

  6. Upload this token in Relution.

Your account data should then synchronize successfully (a page reload may be needed). To check this, navigate to Devices and then Auto-Enrollments.

Fetching device data

Assigning devices to your Relution server and removing them from it is always done inside the Apple DEP portal. It is not possible to perform these operations through Relution itself. Once one or more devices have been assigned, open “Auto enrollments” in the “Devices” menu and synchronize the device data. Assigned devices should show up. A new device initially has neither a profile nor a user assigned. You can synchronize devices at any time without having to worry about local data being overwritten; the Relution-specific parts of a device’s configuration (policies and rule sets) are not touched by the process.

Creating and assigning profiles

Before you can actually enroll devices via DEP, you first have to create a device profile and assign it to them. You can define as many profiles as you like, but Apple does not allow their deletion. Each device can have only one profile assigned. To create a profile, go to “DEP Profiles” in the “Devices” menu. The most relevant properties of a DEP profile are:

  1. Mandatory configuration - sets whether a user can skip automatic configuration through DEP. Most likely you never want to allow this.

  2. MDM removal - sets whether the user can remove MDM management from the device.

  3. Skipping of setup steps - defines which setup steps will be skipped and thus defaulted for a new device. You should skip any step that the user should not be allowed to configure to her preferences.
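The properties listed above correspond to the keys is_mandatory, is_mdm_removable and skip_setup_items in Apple's DEP profile JSON, with is_supervised as a related key. The following is an added example, not part of Relution or its documentation, that audits a profile in that shape before it is assigned; that your profile data is available as such a dictionary, the two sample profiles and the MUST_SKIP policy are assumptions.

```python
# Added example: audit a DEP profile before assigning it to devices.
# Key names are those of Apple's DEP profile JSON; the two sample
# profiles and the MUST_SKIP policy are constructed for illustration.

# Values Apple applies when a key is absent from the profile.
DEFAULTS = {"is_supervised": False, "is_mandatory": False, "is_mdm_removable": True}


def audit_profile(profile, must_skip=()):
    """Return a list of findings; an empty list means the profile passes."""
    p = {**DEFAULTS, **profile}
    findings = []
    if not p["is_mandatory"]:
        findings.append("is_mandatory=false: user can skip DEP configuration")
    if p["is_mdm_removable"]:
        findings.append("is_mdm_removable=true: user can remove MDM management")
    elif not p["is_supervised"]:
        # Apple only honours a non-removable MDM profile on supervised devices.
        findings.append("is_mdm_removable=false requires is_supervised=true")
    missing = sorted(set(must_skip) - set(p.get("skip_setup_items", [])))
    if missing:
        findings.append("setup steps left to the user: " + ", ".join(missing))
    return findings


WEAK = {"profile_name": "pilot", "skip_setup_items": ["Siri"]}  # constructed
HARDENED = {  # constructed
    "profile_name": "fleet",
    "is_supervised": True,
    "is_mandatory": True,
    "is_mdm_removable": False,
    "skip_setup_items": ["AppleID", "Restore", "Siri"],
}
MUST_SKIP = {"AppleID", "Restore"}  # assumed organisational policy

if __name__ == "__main__":
    for prof in (WEAK, HARDENED):
        result = audit_profile(prof, MUST_SKIP)
        print(prof["profile_name"], "->", result or "OK")
```

Because Apple does not allow profiles to be deleted, running such a check before creating a profile avoids accumulating weak profiles that could later be assigned by mistake.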

To assign a profile, go to “Auto enrollments” and edit a device. From the edit screen you can select a profile to be assigned. Note that the actual enrollment of the device only happens when you have assigned both a user and a profile to the device. If the assignment succeeds, you should see a profile status “ASSIGNED” next to the device in the Auto Enrollments view.

You can assign another profile to any device at any time. However, the profile will only be applied upon device activation or reset. It does not affect the current profile of an enrolled device in any way.

Enrolling the device

If the device has a profile and user assigned, you can power it on to start the actual enrollment. If your internal processes allow it, you may also hand it to the actual user for activation. At some point during the setup procedure, depending on the type of device, the device will contact the Apple DEP servers in the background to find out whether it has a profile assigned; for this, the user has to provide an internet connection, either GSM or WiFi. When the DEP enrollment is optional, the user can decide whether the device should be automatically configured. Otherwise, the device will just inform the user that automatic configuration will take place. The user has to perform all setup steps that the DEP profile does not define as skipped. Meanwhile, the device performs an automatic enrollment procedure with Relution. After setup completes, the Relution app is automatically pushed to the device. The device’s status in the DEP list should change to “PUSHED” after syncing. The device will now also show up in the Relution device “inventory”.

Removing an enrolled DEP device from Relution

Removing an enrolled device from Relution does not change its state in terms of DEP. Resetting the device afterwards will re-enroll the device with its configured profile. If you want to avoid this, you also have to remove the DEP profile from the device. If you want to take out the device from the DEP process in general you should remove the assignment to your Relution server inside the Apple DEP portal such that it won’t show up in the DEP inventory afterwards. You can re-assign a DEP device to your Relution server again at any time. If it ever had a profile pushed, it will now show up with the profile status “REMOVED”. You can assign a new profile and user to enroll it again.

Never use the “dismiss device” functionality in the Apple DEP portal unless you have good reasons to do so! Dismissing a device means taking it out of the DEP process forever, so this is a one time operation (or at least a very uncomfortable and time consuming process)!

Knox Mobile Enrollment (KME)

With Samsung Knox Mobile Enrollment (KME), Samsung devices can be enrolled in Relution with minimal user interaction. Depending on how the device was purchased, different enrollment options are available.

Enrolling a reseller device

This option is only available for Samsung devices that were bought through an authorized reseller. The reseller can automatically upload these devices to your Samsung Knox account after purchase. Devices can be enrolled as soon as they are turned on for the first time or after a factory reset.

Assigning a profile

Before a device can be enrolled, it needs to be associated with a profile. This profile defines on which Relution server the device is enrolled and which Relution app will be installed. Follow these steps to create a profile and assign it to one or more devices. To complete these steps you need to be device manager or administrator.

  • Sign in to the Relution portal

  • Navigate to Settings > Auto Enrollment

  • Switch to the Knox Mobile Enrollment tab

  • Copy the MDM Server URI to your clipboard

  • Download the x.509 certificate

You are now ready to create a profile on the Samsung Knox portal

You should now see the Samsung Knox Dashboard

  • Navigate to MDM PROFILES

  • Click on Add

  • Enter the MDM Server URI you copied above

  • Click on Next

  • Enter a name for your profile

  • Upload the x.509 certificate

  • Set other options as desired

  • Click on Save

You should now be able to see the profile you created

  • Navigate to DEVICES > All Devices

  • Select the devices you want to configure

  • Click on Configure

  • Select the MDM profile from the drop down

  • Click on Save

The profile is now assigned to these devices. The profile will be applied when the devices are powered on for the first time or after a factory reset. To ensure devices can be enrolled, continue with the steps below before turning the devices on.

Exporting devices for auto-enrollment

Follow these steps to export your existing devices from the Samsung Knox portal. Importing these devices into Relution allows you to assign users and policies before they are enrolled.

You should now see the Samsung Knox Dashboard

  • Navigate to DEVICES > All Devices

  • Click on Download all as CSV file

  • Save the file on your computer’s hard drive

Optional: If you assign a user ID to a device that matches a Relution user’s username, this user will be automatically assigned to the device during import. Otherwise you can manually assign users in the Relution portal. To assign a user ID, select the device before clicking on Configure. Enter a User ID, then click on Save.

Importing devices for auto-enrollment

Follow these steps to import your previously exported devices into Relution so you can assign users and policies.

  • Sign in to the Relution portal

  • Navigate to Devices > Auto Enrollments

  • Click on Samsung Knox configuration

  • Click on Select file

  • Find the exported CSV file and click on Open

You should now see the imported devices in the auto enrollments list. You must assign a user to each device. If you do not assign a user, the device will not be able to enroll. If you set user IDs in the previous step, users will be assigned automatically.

  • Click on a device in the auto enrollments list

  • Click on Select user

  • Select a user that has at least the role Device User

  • Optional: Assign a policy

  • Optional: Assign a ruleset

  • Click on Save

You can now power on the devices for the first time or do a factory reset. Once initial setup of a device completes, it will contact Samsung’s servers, receive the assigned profile and start the enrollment process. Follow the on-screen instructions to complete the enrollment.

Using Bluetooth or NFC to enroll devices

This option is available for all Samsung devices that are not yet imported into your Samsung Knox account. Attempting to import a device that has already been imported will cause enrollment to fail. If you wish to repeat this process for an existing device, delete the device from your account before continuing with the steps below.

This process requires at least two Samsung devices: one administrative device and the device to be enrolled. Both devices need to support Bluetooth or NFC, and both must support the same technology. Devices can be enrolled at any time.

Creating a profile

Before a device can be enrolled, it needs to be associated with a profile. This profile defines which Relution server the device needs to be enrolled with and which Relution app is to be installed. Follow these steps to create a profile. To complete these steps you need to be device manager or administrator.

  • Sign in to the Relution portal

  • Navigate to Settings > Auto Enrollment

  • Switch to the Knox Mobile Enrollment tab

  • Copy the MDM Server URI to your clipboard

  • Download the x.509 certificate

You are now ready to create a profile on the Samsung Knox portal

You should now see the Samsung Knox Dashboard

  • Navigate to MDM PROFILES

  • Click on Add

  • Enter the MDM Server URI you copied above

  • Click on Next

  • Enter a name for your profile

  • Upload the x.509 certificate

  • Set other options as desired

  • Click on Save

You should now be able to see the profile you created. The profile is assigned to the device during enrollment.

Assigning the profile and enrolling

Perform the following steps on the administrator’s device.

  • Install the Samsung Knox Deployment app on the administrator’s device

  • Open the Knox Deployment app

  • Sign in with your Samsung Knox account

  • Click on Profile

  • Select the previously created profile

  • Click on Deployment mode

  • Select Bluetooth or NFC

  • Click on Start deployment

The administrator’s device is now set up to enroll one or more devices. Complete the following steps on the devices to be enrolled.

  • Open a browser on the device to be enrolled

  • Go to https://me.samsungknox.com

  • Click on Next to start enrollment

  • Follow the on-screen instructions

During enrollment the device is registered on the Samsung Knox portal and a new user and device are created on the Relution server.