Sometimes device users might try to unenroll their device from mobile device management by removing the device management profile or the Miradore Online Client from their device.
There is no consistent way to prevent the unenrollment on all device platforms, but below it is explained what measures can be taken on different device platforms to prevent users from removing their devices from mobile device management.
Android devices enrolled in Fully managed mode
Factory reset is the only way how user can remove management from Fully managed Android devices, but administrators can prevent users from performing a factory reset on a Fully managed Android device. See Preventing Factory Reset on Fully Managed Android Devices for more.
Android Enterprise Work Profile
It is not possible to prevent users from removing the Android Enterprise Work Profile from their devices. If they do so, they will lose the company apps and configurations. One thing administrators could do is to inform the users about the possibility that users can temporarily turn off the Work Profile, instead of removing it completely.
Samsung Knox Android devices
The Miradore Online Client can only be removed from an Android device after disabling it’s Device administrator rights. Therefore, the removal of the Miradore Online Client can be effectively prevented by denying the users from removing the device administrator rights from the Miradore Online Client.
You can do this for Samsung SAFE/KNOX enabled Android devices by using a configuration profile (Android > Restrictions > Administration > Device administration removal = Denied).
For more information, see Restrictions for Android.
Unfortunately, standard Android devices don’t support this particular configuration profile.
iOS
The only way to prevent device users from unenrolling Apple iOS devices is to enroll the devices the devices to Miradore Online through Apple DEP (Device Enrollment Program). On the DEP enrollment profile settings, there is a setting Allow MDM profile removal, which determines whether the device users are allowed to unenroll their devices or not. Make sure that this option is unchecked if you want to prevent the unenrollment of devices.
Windows Phone
You can prevent the unenrollment of Windows Phone devices with a configuration profile that denies the manual unenrollment. Create a configuration profile like this and deploy it to the Windows Phone devices. After that, device users cannot remove the management profile from their devices. If needed, administrators can perform the unenrollment by sending the unenrollment command to the device with Miradore Online, or by running a factory reset for the device.
Get notified when user unenrolls a device
You can configure Miradore Online to notify you if a device user removes his or her device from the mobile device management. You can enable the notifications from Notification settings under My settings in Miradore Online. For more information, see About notifications and alerts.
Previous Article:
« Enabling a Screen Lock Passcode Policy for a Number of Devices
Next Article:
Deployment Event, Security Action and Send Message Statuses »