Devices Turn to UNMANAGED

Hi, I have 63 Samsung tablets configured on Sophos Mobile Control Advanced as a service.

Now I have 15 units in Not managed status.

I do not know if the user is capable of turning this option on and off or if the system itself is changing it.

If the user can modify this parameter then the entire platform makes no sense; we use Sophos to manage and control 63 tablets for students and we want to block absolutely everything but a few educational apps.

If the system sets the device to unmanaged I need to know 2 things:

1 How to prevent this from happening

2 If it happens, how to solve the problem

I already tried to enroll the device again but this did not work and there is no option to turn on or off the management of a device.

On the other hand, all of the devices are set to owned by the school, not by the student, and strict restriction policies are applied to all of them.

Thanks in advance

Server version: 7.0.11-SNAPSHOT (rev 10231)



This thread was automatically locked due to age.
  • Hi,

    This could only happen if the "Unenrollment" button was pressed by the user or if the device administrator for the SMC app was deactivated.

    Are your users able to open the settings or the SMC app? Was there any change on those devices (e.g. SMC app update, OS update)?

    Best regards
    Stefan

  • Are you telling me that the only thing that the user has to do to get around all the regulations and restrictions is to press the "unenrollment button"?

    Is it me, or does it make NO SENSE at all that I purchase this solution, configure all the devices, establish some rules and policies, and if the user, in this case a teenager, wants to visit porno, install Instagram or share contents with anyone, all he has to do is to "press unenrollment button"?

    Sorry, I probably did not understand your answer completely, but if the final result is that the platform works only as long as the user wants, then this platform is useless. On the other hand, it sounds logical that I can prevent users from unenrolling devices, but there is NO rule or policy that mentions this specifically. I assumed that by setting the device owner to Company instead of user, the system will block the user more than if it is set to owned by the user or both.

    Correct me if I am wrong but I did not see any remark about unenrollment on the platform

    This is the list of restrictions:

    1 Restrictions 

    1.1 Security

    Force encryption

    Force SD card encryption

    Allow fast encryption

    Allow factory reset

    Allow "Developer options"

    Allow safe mode

    Allow USB debugging

    Allow firmware recovery

    Allow backup

    Allow settings changes

    Allow clipboard

    Enable shared clipboard

    Allow screen capture

    Allow mock GPS locations

    Allow over-the-air firmware updates

    Allow audio recording

    Allow video recording

    Allow Activation Lock

    Allow S Beam

    Allow S Voice

    Allow "Share via"

    1.2 Accounts 

    Allow multiple user accounts

    Allow addition of new email accounts

    Allow removal of the Google account

    Allow auto-sync for Google accounts

    1.3 Network and communication

    Allow airplane mode

    Allow sync while roaming

    Allow emergency calls only

    Force manual sync during roaming

    Force mobile data connection

    Allow SMS

    Allow mobile data connection while roaming

    Allow voice calls while roaming

    Allow user mobile data limit

    Allow VPN

    Allow Wi-Fi Direct

    Allow Android Beam

    Allow Miracast policy

    Allow Bluetooth

    Allow NFC

    Allow Wi-Fi

    1.4 Tethering

    Allow tethering

    Allow Wi-Fi tethering

    Allow USB tethering

    Allow Bluetooth tethering

    Allow configuring Wi-Fi tethering

    1.5 Hardware

    Allow camera

    Force GPS for location queries

    Allow SD card

    Allow moving apps to the SD card

    Allow writing to the SD card

    Allow microphone

    Allow USB

    Allow USB media player

    1.6 Applications

    Allow app install

    Allow app uninstall

    Allow unsigned app install

    Allow Play Store

    Allow apps from unknown sources

    Allow native browser

    Allow app crash reports

    Allow wallpaper change

    Allow camera on lock screen

    Allow widgets on lock screen

    Allow Knox contact info for personal calls

    Allow autofill in browser

    Allow cookies in browser

    Allow JavaScript in browser

    Allow pop-ups in browser

    Allow changing date and time settings

    As you can see in the list, there is NO specific mention of this issue. There is a possibility to allow / block for "Allow settings changes", but if I set this option to Block, the user cannot connect to a WiFi network outside the school, for example at home.

    Again, I am sure that I am doing something wrong because it really makes NO SENSE that the user can unenroll without a problem.

    Could you please point out how to prevent users from unenrolling but allow the users to establish a WiFi connection anywhere?

    Thanks in advance

    Vicente

  • Hi, yes, from the app the user can press the unenroll button (if enabled) to remove the device from SMC management. To stop this you can configure the customer via "Setup - General - SMC App" and disable the unenroll via the app.

    On an Android device you can unenroll via the app and disable the device administrators, and also factory reset the device via the UI or using recovery tools.

    I have not done enough testing to say that you can disable settings and still allow people to modify WiFi connections, but from the limited experience I have with droid config, you are correct, you can't modify WiFi config with "Allow settings changes" disabled.

    On Apple devices, the device can also be unenrolled by removing the configuration profile via Settings - General - Management and Profiles or Device Management and removing the profile, which will also unenroll the device.

    Also on Apple devices, the only way to stop the user from being able to unenroll by removing the profile is to on-board the devices via DEP. Using this enrollment option you can set the value "User can remove MDM profile" to disabled; then, along with the "Disable unenrollment through app" value disabled, the only way users can unenroll the device is via factory reset by the device or by entering firmware recovery mode and re-installing the device OS.