09 Nov Set and Maintain a Desired Security State for MDM Managed Devices
LANDESK Management and Security Suite 2016.3 has MDM management built into its core functionality. Once a device is enrolled, you can apply a number of different “Agent Settings,” commonly known as Configuration Profiles in the Apple world.
LDMS 2016.3 has 4 out-of-the-box editable agent settings that can be built and assigned to a Mac or iOS device: Mobile Compliance, Mobile Connectivity, Mobile Exchange/Office 365 and Mobile Security. You’ll find all of these profiles in the Agent Settings tool within the Configuration toolbar of the Management Suite console.
Mobile Compliance can be used to ensure the device’s integrity. For example, you can enable a compliance rule to detect whether the device has been jailbroken and, if it has, choose to selectively wipe it, removing access to everything you’ve deployed to the device.
Mobile Connectivity is where you would upload certificates to be used to bind to WiFi as well as the appropriate settings for the device to access your corporate WiFi.
Mobile Exchange/Office 365 should be self-explanatory. Within this setting you’ll configure how your MDM devices access your corporate email.
Mobile Security has the real meat and potatoes for the agent settings. You can set a password policy, restrict the device functionality such as access to FaceTime, block access to the iTunes store, set the accessible ranges for content and ratings, control the behavior of iCloud and even block TouchID from unlocking the device.
Mix and match the agent settings as desired. When deploying them, you do not need to employ a “one-size-fits-all” approach. When you create your Agent Settings task, you can select one of each to deploy, giving you a ton of available combinations of configurations.
Once you have all of your Agent Settings created as desired, just create a Change Agent Settings task and target your MDM devices.
- While still in the Agent Settings window, click on the Calendar/Clock icon (it’s the second one in the menu bar), then select Change Settings.
- Give your task an appropriate name; I named mine “Passcode”.
- Find the “Mobile …” in the list on the right-hand side of the panel and click on the corresponding Keep agent’s current settings window area.
- Find your newly created Mobile Agent Setting and select it.
- Now set your desired Task Settings (policy, push, policy supported push) and desired portal settings (required, recommended, optional). I used a policy-supported push and required.
- Add in your Targets
- Schedule your Change Settings task
Once a device is added to a task and the task is started, every time the device “syncs” with the LANDESK Management Suite server, it compares the current scheduled tasks on the core with what it currently has applied and adds or removes profiles accordingly. So don’t delete your task once you’ve successfully applied an agent setting; doing so would in effect tell LANDESK to remove the agent setting from the device the next time it syncs.
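
The sync behavior described above can be checked before a task is deleted. The following is an added example, not LANDESK code: a simplified model in which the task, setting and device names are constructed, and which assumes a setting stays applied as long as any remaining task still assigns it to the device.

```python
from collections import defaultdict

# Constructed sample data: scheduled Change Settings tasks on the core.
# Task, setting and device names are hypothetical.
PASSCODE = ("Mobile Security", "Passcode policy")
WIFI = ("Mobile Connectivity", "Corp WiFi")
TASKS = {
    "Passcode": {"setting": PASSCODE,
                 "targets": {"ipad-01", "iphone-07", "mac-12"}},
    "Corp WiFi": {"setting": WIFI, "targets": {"ipad-01", "iphone-07"}},
    "Passcode (execs)": {"setting": PASSCODE, "targets": {"iphone-07"}},
}

def desired_state(tasks):
    """Map each device to the set of agent settings its tasks assign."""
    desired = defaultdict(set)
    for task in tasks.values():
        for device in task["targets"]:
            desired[device].add(task["setting"])
    return desired

def sync(device, applied, tasks):
    """Model one sync: return (to_add, to_remove) for a device."""
    want = desired_state(tasks).get(device, set())
    return want - applied, applied - want

def deletion_impact(tasks, task_name):
    """List (device, setting) pairs that the next sync would remove if
    task_name were deleted, assuming devices are in the desired state now."""
    before = desired_state(tasks)
    remaining = {n: t for n, t in tasks.items() if n != task_name}
    after = desired_state(remaining)
    return sorted((dev, s) for dev, settings in before.items()
                  for s in settings - after.get(dev, set()))

if __name__ == "__main__":
    for name in TASKS:
        lost = deletion_impact(TASKS, name)
        print(f"Deleting task {name!r} would remove:", lost or "nothing")
```

In this model, deleting “Passcode” strips the passcode policy from two devices, while deleting “Passcode (execs)” removes nothing because the remaining task still covers that device.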