Mobile Device Management (MDM)
What is MDM?
MDM stands for mobile device management and is a tool that is used to manage mobile devices including smartphones, tablets and even computers. It is similar to existing desktop management tools that we are using like JAMF’s Casper Suite (for Macs) and SCCM (for Windows).
Each software vendor (such as Apple, Google, Microsoft, etc.) provides MDM capabilities within their mobile operating systems. An MDM platform manages these devices using those provided methods. The specific capabilities can vary widely between operating systems, and even between different versions of the same operating system, but they all focus around the same primary topics of security and application management.
What can I do with MDM?
MDM varies by platform, but generally MDM is used for:
- Deploying internal and public (both free and purchased) apps
- Deploying system settings and policies
- Reporting on device information including compliance state, OS version, and even location)
- Push messaging (through an installed MDM app)
It’s important to understand that MDM capabilities for any given operating system are determined by the software and hardware manufacturers. This is less of an issue for iOS, but Android devices have widely varied MDM capabilities between hardware vendors and versions of Android.
What’s the project’s status?
Notre Dame has chosen VMware’s AirWatch product as the campus MDM solution. AirWatch provides MDM management capabilities for a multitude of platforms including iOS, Android, Windows Mobile, and many others. They are very well respected in education and are one of the most popular MDM vendors in the market.
AirWatch is currently available as a campus MDM solution that departments can opt into. There is currently no centralized funding model for AirWatch, but the low cost can allow departments to manage their devices without a significant investment.
What does AirWatch cost?
Please contact Bart Loeb at email@example.com for information on current pricing for AirWatch. Pricing is per-device and renewed on an annual basis.
How do I get involved or learn more?
Contact Bart Loeb in the OIT at firstname.lastname@example.org for more information on using AirWatch in your department.
AirWatch General Information & Administration
AirWatch is a SaaS (software as a service) cloud-hosted product owned by VMware. Day-to-day administration is managed via their web console, located at https://cn157.awmdm.com/AirWatch/Login?GID=univ4202. We will likely make this an easier address (something like mdm.nd.edu/manage) if the service goes into production.
Administrators can authenticate to the admin console using an associated NetID; this will be in the form of netid.awadmin and their ND password. This is a special user account that’s connected to your normal NetID, and the password will always be the same as your ND account password.
When AirWatch was originally configured, the plan was to use organizational groups (OGs) to separate each participating department. This worked well with the exception of one critical issue: a user that is a member of two or more groups cannot have a device that exists in both OGs simultaneously. While this is not an issue today, it’s very likely in the future you will have more groups that manage devices with MDM and thus more opportunity for a user to exist in multiple groups. Some examples of this could be a football player that is also in a class using iPads, or an administrator who has roles in two academic departments that both use AirWatch.
The workarounds using our multiple-OG environment exist but none are programmatic – all require manual exemption creation that do not follow changes in the user’s membership and must be created for each individual exception; this is not a sustainable model.
It’s because of this issue, and based on AirWatch’s recommendations, that we moved to a single organizational groups and utilized AirWatch’s user groups feature to group accounts by user group instead of organizational group.
User groups solve the multiple-membership problem as AirWatch allows a single device to be a member of as many user groups as we like. If Joe User is in three different campus areas that are hypothetically using AirWatch (football players, new media journalism and Student Activities Office, for example) he can receive policies, applications, and content from all three user groups on the same device.
User groups are populated automatically by AirWatch based on their corresponding EDS group. Each AirWatch user group is tied to a specific EDS group, and membership in the EDS group is reflected in AirWatch. This means that adding users to AirWatch does not involved using the AirWatch admin console at all, but just managing the EDS group. Each AirWatch group is updated twice daily (noon and midnight). There is not an option to manually force a sync between EDS and AirWatch. Note: although the syncs begin at noon and midnight, it may take 2-3 hours for the accounts to appear in AirWatch depending on how long the process takes.
You should contact Ken Marciniak in Identity and Access Management for more information on which EDS and AirWatch groups you need to enroll devices, as well as to create new EDS groups.
So you’ve got your EDS groups syncing to AirWatch and your policies and apps configured; what’s next? Now users can enroll in the service. There are multiple ways for users to enroll:
- Use the native AirWatch app. This is the recommended method, and is available for all major mobile platforms. The app has fields to supply the group ID (univ4202), username (NetID) and password (ND password). The app also has a QR code reader; you can send users the QR codes and they can scan it to skip the group ID and go straight to the username and password. The native app is also the only way to send users push messages and discover device location.
- Use Configurator. This is the recommended method if you need to enable supervision for iOS devices. AirWatch can generate an MDM enrollment profile that is installed on the iOS device while a device is being prepared. Note: when using this method, set the iOS devices to use ND-Guest as ND-Secure and eduroam will require authentication and the MDM enrollment will fail. More on using Configurator for MDM enrollment is available here.
- Enroll via the web. This is not recommended because of the advantages gained by using the app, but is still a viable method. Users can enroll by visiting https://ds157.awmdm.com/enroll?AC=univ4202