Category filter

How to choose the right enrollment method for specific enterprise features?

While analyzing an MDM solution, an organization may be looking out for specific features that can meet its growing needs. Hexnode UEM offers the comprehensive MDM toolkit that helps enterprises cover every possible aspect of device management. However, some MDM features are specific to certain enrollment methods. For instance, silent installation of iOS apps works only on supervised devices. So, businesses can make use of specific enrollment methods to unlock several features and controls.

This article will run down the various features available for different enrollment methods available in Hexnode. In this way, organizations can choose the most suitable method depending on their essential features.

Jump To

Choose the right method for enrolling Apple devices
Select the suitable enrollment method for Android devices
Choose the right enrollment method for Windows devices

Choose the right method for enrolling Apple devices

Supervision is a special management mode mainly designed for institutionally-owned iOS, iPadOS and tvOS devices. Supervising a device unlocks advanced management controls that are not available for non-supervised devices. So, in order to supervise a device, you must either use Apple Business/School Manager or the Apple Configurator method.

Here are some of the features that can be unlocked by supervising iOS devices by either ABM/ASM or Apple Configurator:

Version	Features
iOS 6+	Lock down devices to a single application (Single App kiosk mode) Set up Global HTTP Proxy Allow or restrict: iBook store iMessage Game Center Use profanity filter Install configuration profile
iOS 7+	Set up autonomous single app mode Enforce web content filtering Silent installation of store and enterprise apps Activation Lock bypass Restrictions on: AirDrop Prevent pairing with non-Configurator hosts Apps can modify cellular data usage Modify Find My Friends Modify an account Siri can access user-generated content
iOS 8+	Always-on VPN Set Wallpaper Restrictions on: Show web results using Spotlight Search Add or remove Touch ID (iOS 8.3+) Erase content and settings Modify Restrictions/Screen Time Predictive keyboard Definition lookup Auto-correct words Suggest words on misspellings Podcasts
iOS 9+	Blacklist/Whitelist apps (iOS 9.3+) Enable Lost Mode App Notifications (iOS 9.3+) Add Google accounts (iOS 9.3+) Lock Screen Message (iOS 9.3+) Home Screen Layout (iOS 9.3+) Lock down devices to multiple apps (Multi App kiosk mode) Website kiosks (iOS 9.3+) Restrictions on: News Keyboard shortcuts Modify passcode Modify device name Modify wallpaper Download all purchased apps automatically Apple Music (iOS 9.3+) Pair with Apple Watch iTunes Radio Users can turn notifications on/off Modify diagnostic data submission settings
iOS 10+	Power Off (iOS 10.3+) Restart Device (iOS 10.3+) Remotely Ring Device (iOS 10.3+) Restrictions on: Modify Bluetooth settings Use voice to type Connect to MDM-configured Wi-Fi networks only
iOS 11+	Delay software updates (iOS 11.3+) Restrictions on: Remove system apps Add or remove Face ID Create VPN configuration Modify cellular plan settings AirPrint
iOS 12+	Restrictions on: Force Automatic Date and Time Autofill Passwords Request passwords from nearby devices Share passwords via Airdrop Passwords feature Users can modify Personal Hotspot settings eSIM Modification
iOS 13+	Restrictions on: Camera FaceTime Show App Store on the device iTunes Store Force user to enter iTunes store password for each purchase Safari Autofill (Safari) Add friends in Game Center Backup Sync documents Explicit music, podcasts and iTunes U services

Supervising and enrolling Apple TV devices via ABM/ASM or Apple Configurator will unlock the following benefits:

Set up Apple TV as a conference room display to wirelessly share content from iOS or macOS devices via AirPlay.
Lock down Apple TVs to a single application (single app kiosk). In addition, you can enforce additional restrictions for Apple TV kiosks (tvOS 10.2+).
Deploy Apple TV software updates.
Restart tvOS devices.

In the case of Mac devices, almost all features work for all types of enrollments. However, the following features require macOS to be enrolled via ABM/ASM:

Enable ‘Activation Lock’ restriction
‘Clear Activation Lock’ remote action
Bypass Activation Lock with bypass code
Enforce OS Updates

In addition to the above features, enrolling Apple devices via ABM/ASM has added benefits over other enrollment methods.

Select the suitable enrollment method for Android devices

Hexnode offers a plethora of techniques for onboarding Android devices with deployment methods varying from simple QR codes to zero-touch enrollment.

However, certain MDM features are available only with devices that are enrolled in the Android Enterprise program. Android Enterprise is a robust platform that enables organizations to use Android devices and apps in the workplace by providing numerous enterprise-specific device functionalities. The Android Enterprise program empowers enterprises to run their businesses in the way they want while managing the endpoints with end-to-end security. You can enroll in Android Enterprise either as Device Owner or Profile Owner.

Here are some general features available for all devices enrolled as either Device Owner and Profile Owner-enabled devices:

Clear Password action (Android 7.0+)
Request application feedback
App Configurations
App Permissions
Android Enterprise – Compliance
OEMConfig restrictions
Restrictions on:
- Users can adjust volume
- Beam from the device
- Configure cellular network
- Configure Wi-Fi
- Configure user credentials
- Users can enable location sharing
- Read any connected physical external media
- Trust Agents for Smart Lock
- Unredacted Notifications
- Fingerprint Unlock
- Iris Scanner
- Face Unlock
- Control apps
- Verify apps before install
- App Runtime Permissions
- Parent profile app linking

The features specific to the different management modes in Android Enterprise are listed below:

Version	Features
Device Owner	Bypass Factory Reset Protection (Google Account Verification)
	Schedule OS Updates
	Lock Task Mode
	Restrictions on: Backup Service Make a call Display dialogs/windows Keep Screen On while charging (Android 6.0+) Bluetooth configurations Cell broadcast configurations Users can reset network settings Update date and time automatically Set time zone automatically Lock Screen Camera Lock Screen Notifications
Profile Owner	Work Profile Password to set up a password for the work container.
Profile Owner	Prevent copying contents between normal and work profiles

Some organizations prefer enrollments that deliver a zero-touch deployment experience for the users. In that case, make use of Android zero-touch enrollment or Samsung Knox enrollment.

If an organization prefers remote deployment of large-scale OS updates on Android devices, go for ROM/OEM enrollment.

Some MDM configurations and restrictions available for Android devices are device-specific. For instance, some restrictions such as disabling NFC, configuring VPN, customizing boot/shutdown animation, etc., works only on Samsung Knox devices.

Choose the right enrollment method for Windows devices

Hexnode houses several methods to enroll Windows devices. Almost all features work on all types of enrollment methods. However, go for enrollment via the Hexnode Installer method if your organization has the following requirements:

Executing custom scripts on Windows devices to automate specific routine or time-consuming operations.
To perform real-time diagnosis of devices using the remote viewing functionality.
Deploy enterprise (MSI) apps without any manual intervention.
Dynamically fetch the hardware information of a device from the Hexnode portal, which will be displayed on its Device Summary page.

Need more help?

Raise a Ticket

Ask Community

Chat With us