Key Concepts
The Key Concepts section takes you through the main concepts used within, and applied to, Mobile Device Management. Brief introductions to the concepts and terminology make the applicable use cases easier to understand.
Let’s take a look at some concepts and terminology that you need to know in order to follow the use cases.
Devices
A device is a physical computing unit capable of achieving one or multiple tasks. Entgra UEM Server enables organizations to enroll, secure, manage, and monitor devices, irrespective of the mobile operator, service provider, or the organization.
Device Ownership
In some corporate environments, mobile devices are used to carry out organizational tasks such as email access. These devices are categorized into two main groups based on the ownership:
- Bring Your Own Device (BYOD): These devices are owned by the employee and managed by the employer. They are subject to policies and conventions enforced by the employer.
- Corporate Owned, Personally Enabled (COPE): These devices are owned and managed by the employer.
Device Types
Devices are subdivided into two main groups based on the usage:
Mobile Devices
These are handheld devices that are usually used for day-to-day ordinary activities such as making phone calls, sending emails, and setting up alarms. Entgra UEM Server supports managing Android, iOS and Windows mobile devices.
- For a quick hands-on experience, see Mobile Device Management and App Management.
- You can also try enrolling Android, iOS, and Windows.
- You can try adding operations to Android, iOS, and Windows.
- For more information on creating and applying policies, see Android and iOS.
- To view the list of operations supported for the Android, iOS, and Windows devices, see Supported Operations for Mobile Devices for Android, iOS and Windows.
UEM Devices:
These devices are specifically created to function in a connected environment via the internet. They can collect data via embedded sensors and exchange them with other devices. Entgra UEM Server supports managing Android Sense, Arduino, Raspberry Pi and custom IoT device types.
- For a quick hands-on experience, see Enterprise IoT solution.
- You can also try the available samples for Android Sense, Arduino, and Raspberry Pi.
- If the available IoT device types do not meet your requirement, see Creating a New Device Type, and Device Manufacturer Guide.
Device Groups
Entgra UEM Server allows you to group multiple enrolled devices in order to monitor multiple devices in one go.
Enrollment
The process of onboarding a new device to the server is called enrollment. This process often involves the end user typing the username and password into an agent application, or scanning a QR code through the agent application, to authenticate the user and enroll with the server. There are multiple ways of performing the enrollment, and the operations that can be executed on a device vary depending on the method used to enroll.
Android
There are a number of different ways an Android device can be enrolled onto the UEM server. This mainly depends on whether the device is a BYOD device or a COPE device. Since BYOD devices are owned by the user who brings them in, the level of control over the device and information retrieval from it has to be kept to a minimum. COPE devices, however, are owned by the organization, and it is possible to execute any type of command on these devices. Android provides this distinction of access level to EMM vendors via the mechanism used to enroll the agent. For example, to enroll a COPE device, the device has to be either a new device which has not been booted before or a factory reset device. Hence, user-owned devices cannot be made COPE, as this requires a factory reset. The diagram below explains this distinction at a more granular level.
Work Profile
A work profile creates a containerized space in the device where the user's data and apps are separated from the work apps and data, providing a clear separation in data and management. This is the recommended enrollment type for BYOD scenarios, as the user's data cannot be accessed by the enterprise administration, which protects the privacy of the user. At the same time, the corporate data resides in a secured container, preventing it from leaking out.
Legacy
This is a deprecated form of enrollment where the user’s personal space is enrolled with the server and the admin can manage the whole device instead of a container.
Fully Managed
These are corporate owned devices that are given to employees. Since the device ownership is with the organization, the level of restrictions and control is managed by the admin. The admin will have unrestricted access over these devices and the device can only be put to this mode after a factory reset or on a newly bought device.
Dedicated Devices (Kiosk)
A device dedicated to a single task (app) or a set of tasks (apps) is known as a dedicated device. The most common example of a dedicated device is a Kiosk terminal such as an ATM or a vending machine that only runs one app, where the user is not allowed to perform any other task. Similar to fully managed devices, dedicated devices are owned by the admin and the enrollment is identical to that of a fully managed device.
iOS
Apple devices have a built-in agent that controls the device, and EMM servers have to implement the protocol defined by Apple to manage devices. A special profile is installed on the device as part of the enrollment, which defines the endpoints the device needs to communicate with to enroll, check in, fetch commands and respond. These endpoints are standard endpoints common to all EMMs, and the EMM vendor implements them based on the protocol Apple has provided. UEM server has such an implementation to enroll COPE and BYOD devices and manage the devices and their data.
User Enrollment
User enrollment is similar to work profiles in Android, where a containerized space is provided for the work apps to exist and the EMM admin only has access to the data and apps that reside in this container. Device-level operations and policies such as lock, wipe, and network proxy configuration are not allowed. User enrollment is purely for enterprises that want to enable BYOD and have data security while protecting the privacy of the user.
Device Enrollment
This is the standard enrollment of the whole device, where the user installs a few profiles and enrolls with the server.
DEP
DEP, or the Device Enrollment Program, is a mechanism Apple provides to enroll COPE devices with more privileges granted to the EMM administrator to better manage the organization's devices. A DEP-enrolled device can belong to one of the two types below, based on the policies added to it.
Fully Managed
These are DEP devices used as employee’s devices where the organization has full control. The user will have access to all the standard iOS features and apps depending on the policies that the EMM administration enforces.
Dedicated
A device can be restricted to a single app to make the device a Kiosk. This enrollment is the same as fully managed enrollment. The admin can add a policy to make a Kiosk out of the device, which makes this a dedicated device.
Mobile Applications
A mobile application is a software application specifically created to run on mobile devices. Entgra UEM Server enables managing Android, iOS, and Windows mobile applications.
Entgra UEM Server supports the following two UIs to help Mobile App Creators/Publishers manage mobile applications:
- App Publisher: This UI enables you to create and manage mobile applications.
- App Store: This UI enables you to install and update mobile applications on mobile devices. It also comes with social features such as rating and liking that help Mobile App Creators to understand the popularity and usability of their mobile applications.
For more information on mobile application management:
For a quick hands-on experience, see Publishing Applications.
You can also try the tutorials to create applications, and to install them.
Operations
Each device supports a set of operations depending on its platform (i.e., Android, iOS, Windows), such as screen lock, device unlock, and device reboot. Entgra UEM Server facilitates these operations to be performed remotely via the Device Management Console.
Operations can be performed by the following roles:
- Device Admin: Users with this role can perform operations on multiple devices that are under their control.
- Owner: Users with this role can perform operations on their own devices.
To view the list of operations supported for the Android, iOS, and Windows devices, see Supported Operations for Mobile Devices for Android, iOS and Windows.
Policies
A policy is a set of configurations enforced on a device that influences the device's functionality. Policies are able to control the settings on devices, inform the user when the device is not responding as expected, and much more. For example, you can disable the camera on a mobile device via a policy.
Policies can be created and applied to devices by the following user roles:
- Device Admin: Users with this role can create and enforce policies on multiple devices, under their control, and monitor policy compliance. This behavior is more relevant to mobile device admins in a corporate environment.
- Device Owner: Users with this role can create and enforce policies on their own devices. This behavior is more relevant to IoT device owners, but depending on your organizational policies and procedures it can apply to mobile device owners as well.
In Entgra UEM Server, a collection of policies is called a profile. Policy profiles allow you to apply multiple policies to a device collectively. Entgra UEM Server has predefined policies for Android, iOS and Windows in place to manage mobile devices and supports creating custom policies for IoT devices.
Let’s take a look at how a policy is enforced on a device:
- Step 1: Filtering based on the platform (device type). Policies are filtered based on the mobile platform to match each policy with the platform of the registered device.
- Step 2: Filtering based on the device ownership type. Next, the policies are filtered based on the device ownership type (i.e., BYOD or COPE) to match with the device ownership type of the registered device.
- Step 3: Filtering based on the user role or name. The policies are filtered again to match the device owner's username or role.
- Step 4: Enforcing the policy. Finally, the policy having the highest priority out of the pool of filtered policies is enforced on the registered device.
For more information on creating and applying policies, see Android and iOS.
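The four filtering steps above, sketched as an added example (not Entgra UEM Server code). The `Policy` and `Device` fields, the sample data, and the convention that priority 1 is the highest are assumptions made for illustration. It also lists devices that fall through every filter and therefore receive no policy at all, which is worth checking when policies are authored.

```python
from dataclasses import dataclass
from typing import Iterable, Optional

@dataclass(frozen=True)
class Policy:                          # hypothetical model, not the server's schema
    name: str
    platform: str                      # e.g. "android", "ios", "windows"
    ownership: str                     # "BYOD" or "COPE"
    users: frozenset = frozenset()     # usernames the policy is assigned to
    roles: frozenset = frozenset()     # roles the policy is assigned to
    priority: int = 1                  # ASSUMPTION: 1 is the highest priority

@dataclass(frozen=True)
class Device:                          # hypothetical model
    platform: str
    ownership: str
    owner: str
    owner_roles: frozenset

def effective_policy(device: Device, policies: Iterable[Policy]) -> Optional[Policy]:
    """Return the single policy enforced on the device, or None if none matches."""
    # Step 1: keep policies written for the device's platform.
    pool = [p for p in policies if p.platform == device.platform]
    # Step 2: keep policies for the device's ownership type (BYOD or COPE).
    pool = [p for p in pool if p.ownership == device.ownership]
    # Step 3: keep policies assigned to the owner's username or one of their roles.
    pool = [p for p in pool
            if device.owner in p.users or p.roles & device.owner_roles]
    # Step 4: only the highest-priority survivor is enforced.
    return min(pool, key=lambda p: p.priority, default=None)

def unmanaged(devices, policies):
    """Devices that fall through every filter and so receive no policy."""
    return [d for d in devices if effective_policy(d, policies) is None]

# Constructed sample data
EMPLOYEE = frozenset({"employee"})
POLICIES = [
    Policy("cope-lockdown", "android", "COPE", roles=EMPLOYEE, priority=1),
    Policy("byod-work-profile", "android", "BYOD", roles=EMPLOYEE, priority=2),
    Policy("byod-exec", "android", "BYOD", users=frozenset({"alice"}), priority=1),
]
DEVICES = [
    Device("android", "BYOD", "alice", EMPLOYEE),   # user match beats role match
    Device("android", "BYOD", "bob", EMPLOYEE),     # never receives cope-lockdown
    Device("windows", "COPE", "carol", EMPLOYEE),   # no Windows policy exists
]

if __name__ == "__main__":
    for d in DEVICES:
        p = effective_policy(d, POLICIES)
        print(d.owner, d.platform, d.ownership, "->", p.name if p else "NO POLICY")
```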
User Management
You can create user accounts, create roles, assign permissions, and manage the devices of the users in your organization using Entgra UEM Server.
User Roles
There are several user categories that are serviced by Entgra UEM Server:
- Device Owner: These users own devices that need to be managed via Entgra UEM Server.
- Device Creator: These users register devices that need to be managed via Entgra UEM Server. Depending on the organizational structure, this role might be played by a Device Admin.
- Device Admin: These users perform administrative tasks related to Entgra UEM Server, such as user management, configuring security, and installing features.
- Device Manufacturer: These users create innovative device types that need to be managed by Entgra UEM Server.
- Mobile App Creator: These users create mobile applications using Entgra UEM Server’s App Publisher. Depending on the organizational structure, this role might be played by a Mobile App Publisher. For more information on mobile app creation see the following sections:
- Mobile App Publisher: These users publish the mobile applications created by Mobile App Creators to the App Store.
For more information on user role management, see Managing Roles.
Users
Entgra UEM Server enables creating and managing users in your organization and assigning User Roles to them. You can create users manually or by integrating Entgra UEM Server with an existing user store. For more information on user management, see Managing Users.
User Interfaces
Entgra UEM Server comes with the following user interfaces (UIs):
- Device Management Console: This UI facilitates all the administrative tasks pertaining to Entgra UEM Server.
- API Store: This UI displays all the APIs associated with Entgra UEM Server.
- App Publisher: This UI enables you to create and manage mobile applications.
- App Store: This UI enables you to install and update mobile applications on mobile devices. It also comes with social features such as rating and liking that help Mobile App Creators to understand the popularity and usability of their mobile applications.
APIs
An Application Programming Interface (API) is a way of exposing software functionality without revealing its implementation. APIs enable software applications to interact with each other and exchange data. The following is the list of APIs Entgra UEM Server supports:
- Device Management APIs: These APIs expose the device management functionality associated with Entgra UEM Server Device Management Console. You can also use them to facilitate device management functionality through a third-party UI.
- Device APIs: These APIs ensure communication between devices and the Entgra UEM Server.
- App Management APIs: These APIs expose app publishing and app portal functionality associated with Entgra UEM Server App Publisher and App Store respectively. You can also use them to facilitate app publishing and app portal functionality through third-party UIs.
- API Management APIs: These APIs expose API publishing and API portal functionality associated with Entgra UEM Server.
- Certificate Management APIs: These APIs implement Simple Certificate Enrollment Protocol (SCEP) so that Entgra UEM Server can authenticate and authorize devices with SSL certificates.
Extensions
Device Agents
A device agent is a software program installed on the hardware device that enables communication between the hardware device and Entgra UEM Server.
Transport Extensions
Transport extensions enable you to establish a new communication channel between a device and Entgra UEM Server.
Authentication Extensions
By default, WSO2 IoT Server supports OAuth, basic auth, mutual SSL and certificate-based authentication mechanisms. If new device types require some other authentication mechanism, authentication extensions can be used for this purpose.
UI Extensions
This helps you to customize UIs of the new device type.
Security
Security refers to the means through which computer systems are protected from damage and disruption without being exposed to risks and vulnerabilities. Entgra UEM Server implements security at the application level and transport level.
Application-level Security
Application-level security refers to the security requirements at the application level. Following is a list of concepts related to application-level security:
Encryption
Encryption is the process of translating/encoding data/messages (plaintext) using an algorithm (cipher) into a secret code (cipher text) that can only be accessed by authorized entities with a secret key or a password.
Authentication
Authentication is the process used to distinctly identify a certain entity using the following factors:
- Knowledge factor: This is something the user knows, e.g., password, PIN, and security question.
- Ownership factor: This is something the user has, e.g., identity card, mobile phone, and security token.
- Inherence factor: This is something the user is/does, i.e., biometrics.
Authentication is implemented in either of the following forms:
- Single-factor authentication: This mechanism utilizes a single factor to authenticate an entity.
- Two-factor authentication: This mechanism utilizes two factors to authenticate an entity, e.g., password and security token.
- Multi-factor authentication: This mechanism utilizes more than two factors to authenticate an entity.
Entgra UEM Server uses OAuth, Basic Auth, JWT, and mutual SSL for authentication.
Authorization
Authorization is the process via which an entity is granted permission to access another entity, e.g., data, resources, system. In general, authorization takes place subsequent to authentication. Entgra UEM Server uses Role-based access control (RBAC) and scopes to implement authorization.
Certificates
A certificate (also known as an SSL certificate) is an encryption tool issued by a trusted certification authority (CA) that encrypts data transmitted between a client and a server. Entgra UEM Server uses Simple Certificate Enrollment Protocol (SCEP) to securely enroll and authenticate iOS devices by creating a certificate for each device.
Tokens
A token is a credential created by an authentication server that grants an entity access to protected resources. Entgra UEM Server uses tokens to identify devices and their ability to access protected resources.
Scopes
Scopes define the permission model that enables invoking an API.
Single Sign-On
Single sign-on (SSO) enables users to provide their credentials once and obtain access to multiple applications. A user who has already signed in to an application is not prompted for credentials to access other applications until that session terminates.
Entgra UEM Server enables SSO for its web applications, i.e., Device Management Console, API Store, App Publisher, and App Store.
Role-based Access Control
Role-based access control (RBAC) is a type of access control that restricts access to authorized users based on their role.
Transport-level Security
Transport-level security (TLS) is a mechanism that secures internet and intranet communications. Entgra UEM Server uses mutual SSL, certificates, and keystores to implement transport-level security.