Administrators can set up user directories, configure user authentication types, device
enrollment settings, and enrollment programs using the Directory and Enrollment
settings.
About this task
MaaS360 supports multiple user authentication types for enrollment. Based on the user-level
authentication type, users can authenticate against these directories: AD (or Corporate On-premise),
Azure AD (or Corporate Azure), Cloud Hosted Directory (or Corporate SAML based), and MaaS360
Directory (or Local). For example, administrators can have employees authenticate against Azure AD
and contractors use MaaS360 credentials.
Follow these steps to configure Directory and Enrollment settings.
Procedure
- From the MaaS360® Portal Home page, select , and then click Directory and Enrollment. You can also access the Directory and Enrollment page from .
- Configure the following Directory and Authentication settings:

User Directory Setup:
Administrators can view and add user directories to sync users and groups from those directories
to MaaS360. After syncing, administrators can perform actions such as assign policies, distribute
documents, and deploy apps to those users and groups.
Note: When configuring user directories, administrators must enable the User
Visibility module to import users and groups from those directories to MaaS360.

User Authentication Setup:
Administrators can view and configure multiple user authentication types. Users are assigned with
these authentication types to authenticate during device enrollment, device sign-in, and end-user
portal login.
Note: When configuring user authentication types, administrators must enable the User
Authentication module to provide access to authenticate users to the user
directory.
- Click Add Authentication Type to add multiple user authentication
types.
MaaS360 supports authentication for the following user directory types:
- Corporate (On-premise): Adds authentication type for users from AD using
Cloud Extender. For more information on configuring the Corporate (On-premise) directory, see Configuring settings for the Cloud Extender modules.
- Corporate (Azure): Adds authentication type for users from Azure AD. For
more information on configuring the Corporate (Azure) directory, see Integrating Azure AD with MaaS360.
- Corporate (SAML based): Adds authentication type for users from the Cloud Hosted Directory. For more information on configuring the Corporate (SAML based) directory, see Configuring a SAML-based cloud directory in MaaS360. For more information on mapping SAML attributes, see Mapping SAML attributes in a SAML response.
Note:
- The SAML payload is standardized with mandatory user fields, such as the email address and the domain. If the user account does not exist in the MaaS360 Portal, the data in the SAML response is used to create the user automatically. The subject of the SAML response is always taken as the username; the email address and domain fields are populated from the corresponding attributes in the SAML response.
- The Corporate (SAML based) authentication type is supported for the following devices in the Device Enrollment Program (DEP):
- iOS 13
- macOS 10.15
- all Android devices
- Windows 10
- The Corporate (SAML based) authentication type is not supported for Device Enrollment Program (DEP) devices that run versions earlier than iOS 13 and macOS 10.15. For those devices, administrators must use another user authentication type, such as AD, Azure AD, or MaaS360 Directory. In the field, select the username and domain option, which lets users enter their username, domain, or email address to enroll or activate DEP devices.
- MaaS360: The MaaS360 user authentication type is added by default.
Note: You can disable the MaaS360 authentication type to block authentication for users that are assigned to it. However, you cannot disable it while it is set as the default authentication type.
Note: MaaS360 requires users to authenticate against the authentication type that is defined at the user level. The user-level authentication type is set automatically by the user source (creation or import of users); however, administrators can change it from the Users workflow.
- Click the menu icon for the configured authentication type and click Select as
default to set the authentication type as the default.
Note:
- During auto-provisioning, MaaS360 uses the default authentication type for authentication.
- If the Corporate (Azure) and Corporate (On-premise) authentication types are configured, you can
enable one or both as the default.
- Select the Prevent user lockout on corporate directory checkbox to cap the number of consecutive failed authentication attempts that MaaS360 forwards to the corporate directory, so that repeated bad logins through MaaS360 do not trip the directory's own account lockout policy. Set the Number of failed authentication attempts after which MaaS360 stops forwarding attempts for that user, and the Duration for account lockout (hours) that MaaS360 waits before it forwards further authentication attempts.
Note: This option is supported for LDAP-based configuration only.
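The behaviour that the Prevent user lockout setting describes, shown as an added example. This is illustrative code written for this page, not MaaS360's implementation: the class and parameter names (FailedAttemptGuard, max_failures, lockout_hours) are this example's own, and the bind callable is a stub standing in for an LDAP simple bind. The point it demonstrates is that once the threshold is reached the portal decides "locked" locally and does not contact the directory at all, which is what keeps an attacker who only knows usernames from locking real users out of the directory through the enrollment portal.

```python
"""Added example (not MaaS360 code): a guard that caps consecutive failed
authentication attempts before they are forwarded to a corporate directory,
in the spirit of the "Prevent user lockout on corporate directory" setting.

Without such a guard, anyone who knows usernames can hammer the enrollment
portal with bad passwords and have the directory's own lockout policy lock
the real users out (a denial of service). With it, the portal stops talking
to the directory for that user once the threshold is hit and only resumes
after the lockout window has passed.

Names such as FailedAttemptGuard, max_failures and lockout_hours are this
example's own; the bind callable stands in for an LDAP simple bind.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class _UserState:
    failures: int = 0
    locked_until: Optional[datetime] = None


@dataclass
class FailedAttemptGuard:
    bind: Callable[[str, str], bool]      # forwards (username, password) to the directory
    max_failures: int = 3                  # "Number of failed authentication attempts"
    lockout_hours: float = 1.0             # "Duration for account lockout (hours)"
    now: Callable[[], datetime] = datetime.now
    _state: Dict[str, _UserState] = field(default_factory=dict)

    def authenticate(self, username: str, password: str) -> str:
        """Return 'ok', 'bad_password' or 'locked'.

        'locked' is decided locally and the directory is not contacted at all,
        which is what keeps the directory's own lockout counter from advancing.
        The counter is keyed on the normalised username so that case or
        whitespace variations of the same account share one counter.
        """
        key = username.strip().casefold()
        st = self._state.setdefault(key, _UserState())
        t = self.now()

        if st.locked_until is not None:
            if t < st.locked_until:
                return "locked"
            st.failures, st.locked_until = 0, None   # window expired: start over

        if self.bind(username, password):
            st.failures = 0
            return "ok"

        st.failures += 1
        if st.failures >= self.max_failures:
            st.locked_until = t + timedelta(hours=self.lockout_hours)
        return "bad_password"


def demo() -> Tuple[List[str], int]:
    """Constructed scenario: three wrong passwords lock 'alice' locally for one
    hour; the correct password is refused during the window without touching the
    directory, and accepted once the window is over. Returns (outcomes, number
    of bind calls the directory actually saw)."""
    bind_calls: List[str] = []

    def fake_bind(username: str, password: str) -> bool:
        bind_calls.append(username)
        return password == "correct horse battery staple"

    clock = [datetime(2024, 1, 1, 9, 0, 0)]
    guard = FailedAttemptGuard(bind=fake_bind, max_failures=3, lockout_hours=1,
                               now=lambda: clock[0])

    outcomes = [guard.authenticate("alice", f"guess{i}") for i in range(3)]
    outcomes.append(guard.authenticate("alice", "correct horse battery staple"))  # locked
    outcomes.append(guard.authenticate("ALICE ", "guess3"))                        # same counter
    clock[0] += timedelta(hours=1, minutes=1)
    outcomes.append(guard.authenticate("alice", "correct horse battery staple"))  # ok again
    return outcomes, len(bind_calls)


if __name__ == "__main__":
    print(demo())
```

Note the trade-off the setting implies: during the lockout window the legitimate user is also refused at the portal, but only there; their directory account stays usable for everything else, which is the lesser of the two evils.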
- Configure the following Basic Enrollment Settings:

Set Corporate Identifier:
The corporate identifier for the organization that is displayed in the enrollment URLs sent to users to enroll their devices in MaaS360.
Limit Enrollment and Activation:
Set limitations for the following categories:
- By User: The maximum number of devices that each of your users can enroll in MaaS360. You can set a limit for users in specific groups, or add separate limits for multiple groups. When a user reaches the limit, the devices that are already enrolled stay enrolled, but no further devices can be enrolled for that user.
- Restrict Enrollments by IP: Limits device enrollment and activation to requests that originate from one or more allowed IP addresses or IP ranges, typically the corporate network. The address that is checked is the final source IP address from which the enrollment request reaches the MaaS360 servers. If users connect through a VPN or a proxy server, the egress address of that VPN or proxy is what MaaS360 sees, so administrators must include that address in the allowed range. Contact IBM® Support to enable this setting.
Note:
- This field is enabled only if the Enable Restrict Enrollment by IP customer property is enabled.
- This method is not supported for enrollment programs such as Apple Configurator, Apple Device Enrollment Program (DEP), and license-based Windows and Mac enrollments.
- Allow only specific user groups to enroll or activate devices: Device enrollment is limited to the user groups that the administrator lists.
Note:
- This setting applies to the Corporate (On-premise) and Corporate (SAML based) authentication types.
- For this setting to work with the Corporate (SAML based) authentication type, the identity provider must be configured to include the user's group membership in the SAML response, as the values of the usergroups key.
- This setting only gates enrollment by group; it does not update group membership in the MaaS360 Portal from the SAML response. To add a user group in the MaaS360 Portal, see Managing groups in the MaaS360 Portal.
- Block self enrollments for devices: Blocks self-enrollments that are initiated by the user and allows only enrollments that are initiated by an administrator or by administrator workflows. When this setting is enabled, users cannot enroll BYOD or employee-owned devices through the self-enrollment URL, but they can still enroll those devices through the enrollment request URL that an administrator sends them.
Note:
- This setting is disabled by default. Enable it if required.
- This setting currently applies to iOS and macOS devices only.
- This setting does not apply when the Authentication Mode for Enrollment is set to Passcode.
- Enabling this option automatically disables all self-enrollment related settings for BYOD and employee-owned devices.
Authentication Mode for Enrollment:
The authentication type that users use to enroll their devices in MaaS360.
- Select the Override authentication mode for enrollment checkbox and select the required option from the Authentication Mode for Enrollment drop-down list. This setting overrides the authentication type that is defined at the user level: MaaS360 then uses the authentication type selected here for all enrollments.
Note:
- The values in the Authentication Mode for Enrollment drop-down list are populated from the authentication types that are configured under User Authentication Setup.
- If this checkbox is not checked, MaaS360 uses the user-level authentication type. To authenticate with the Corporate (SAML based) authentication type, devices must run MaaS360 for iOS app 4.80 or later, MaaS360 for Android app 7.60 or later, or MaaS360 for Windows app 4.55 or later.
- Windows DTM customers must not uncheck this checkbox, to avoid unexpected issues.
MaaS360 supports the following authentication types for enrollment:
- Passcode: Sends a unique passcode to the user's corporate email address and requires the user to enter that passcode during enrollment.
- If you select this option, the Override authentication mode for DEP enrollment checkbox is displayed, where you can choose to override the authentication type defined at the user level and enroll DEP devices with a passcode or MaaS360 credentials instead.
Note: This option is provided temporarily for customers that use MaaS360 credentials as the authentication type to enroll DEP devices, and for customers that use a passcode as the authentication type to enroll managed devices. This option will be deprecated at the end of 2022. Make sure that you manually disable this option before the end of 2022.
- MaaS360: Requires users to enter their MaaS360 credentials during
enrollment.
- Corporate (On-premise): Requires users to enter their AD credentials
during enrollment and authenticate against those credentials.
- Corporate (Azure): Requires users to enter their Azure AD credentials
during enrollment and authenticate against those credentials.
- Corporate (SAML based): Redirects users to the corporate identity
provider where the user must enter their Cloud Hosted Directory credentials during enrollment.
- Select the Enable two-factor authentication for enrollment checkbox to
enable two-factor authentication as an additional authentication method when performing device
enrollment or activation using Corporate (Azure) or Corporate (On-premise) authentication
types.
Note: This authentication method is supported for Device Enrollment Program (DEP) from iOS 13
and macOS 10.15 devices.

Self Enrollment:
Configure the Self Enrollment options.

User Input at Authentication:
The input that a user must enter during authentication. Users are prompted for identification by
providing configured inputs when performing authentication for a new device in MaaS360.

Corporate Support Information:
The contact details for corporate support. This information is displayed to the user while adding
a new device as well as in the MaaS360 app.
Any prompts for over-the-air actions that are scheduled for iOS 7.0 devices use the iOS Services Hostname.
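The two SAML-related rules above (in the User Authentication Setup note: subject is the username, email and domain are mandatory fields used to auto-create a missing user; and under Allow only specific user groups to enroll or activate devices: group membership arrives as the usergroups key in the SAML response and gates enrollment without updating portal group membership) are shown together in the following added example. This is illustrative code written for this page, not MaaS360's or any IdP's code. Assumptions: the attribute names "email" and "domain" are this example's choice (the page names the fields, not the attribute names the IdP must emit); "usergroups" is the key the page names; the sample response is constructed and unsigned; and verification of the XML signature, audience and validity window is assumed to have happened before this code runs, because reading attributes out of an unverified assertion would let anyone mint users and group memberships.

```python
"""Added example (not MaaS360 code): reading the enrollment identity out of a
SAML response as the notes above describe, and gating enrollment on the group
list carried in the usergroups attribute.

Assumptions: the attribute names "email" and "domain" are this example's;
"usergroups" is the key named by the page. The sample response is constructed
and unsigned. Signature, audience and time-window checks on the
Response/Assertion are assumed to have been done BEFORE this code runs.
"""
import xml.etree.ElementTree as ET
from typing import Dict, Iterable, List, Optional, Tuple

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}
EMAIL_ATTR, DOMAIN_ATTR, GROUPS_ATTR = "email", "domain", "usergroups"   # first two assumed


def build_sample_response(username: str, email: Optional[str], domain: Optional[str],
                          groups: Optional[List[str]]) -> str:
    """Constructed, unsigned SAML Response for the demo; not a real IdP message."""
    def attr(name: str, values: Iterable[str]) -> str:
        vals = "".join(f"<saml:AttributeValue>{v}</saml:AttributeValue>" for v in values)
        return f'<saml:Attribute Name="{name}">{vals}</saml:Attribute>'
    attrs = ""
    if email is not None:
        attrs += attr(EMAIL_ATTR, [email])
    if domain is not None:
        attrs += attr(DOMAIN_ATTR, [domain])
    if groups is not None:
        attrs += attr(GROUPS_ATTR, groups)
    return (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
            f'ID="_r1" Version="2.0">'
            f'<saml:Assertion ID="_a1" Version="2.0">'
            f"<saml:Subject><saml:NameID>{username}</saml:NameID></saml:Subject>"
            f"<saml:AttributeStatement>{attrs}</saml:AttributeStatement>"
            f"</saml:Assertion></samlp:Response>")


def parse_enrollment_identity(xml_text: str) -> Dict[str, object]:
    """Subject NameID -> username; email/domain attributes are mandatory;
    usergroups is optional and returned as None when the IdP did not send it."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("Response carries no Assertion")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    username = (name_id.text or "").strip() if name_id is not None else ""
    if not username:
        raise ValueError("Subject NameID (username) is missing")
    attrs: Dict[str, List[str]] = {}
    for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[a.get("Name", "")] = [v.text.strip() for v in a.findall("saml:AttributeValue", NS)
                                     if v.text and v.text.strip()]
    missing = [k for k in (EMAIL_ATTR, DOMAIN_ATTR) if not attrs.get(k)]
    if missing:
        raise ValueError(f"mandatory attribute(s) missing: {missing}")
    return {"username": username, "email": attrs[EMAIL_ATTR][0],
            "domain": attrs[DOMAIN_ATTR][0], "usergroups": attrs.get(GROUPS_ATTR)}


def enrollment_allowed(identity: Dict[str, object], allowed_groups: Iterable[str]) -> bool:
    """Fail closed: no usergroups in the response means no enrollment."""
    groups = identity.get("usergroups")
    if not groups:
        return False
    wanted = {g.casefold() for g in allowed_groups}
    return any(g.casefold() in wanted for g in groups)


def provision_user(identity: Dict[str, object], user_store: Dict[str, dict]) -> Tuple[dict, bool]:
    """Create the user from the SAML data if absent (just-in-time provisioning).
    Group membership is deliberately not written to the store: per the page,
    the SAML groups gate enrollment but do not update portal group membership."""
    key = str(identity["username"]).casefold()
    if key in user_store:
        return user_store[key], False
    record = {"username": identity["username"], "email": identity["email"],
              "domain": identity["domain"], "auth_type": "Corporate (SAML based)"}
    user_store[key] = record
    return record, True
```

Two design points worth carrying into a real integration: a response without the usergroups attribute is treated as "not in any allowed group" rather than "no restriction", and a missing mandatory field is an error rather than a user created with blanks, since the auto-created record is what later policy and app distribution key on.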
- Configure the following Advanced Enrollment Settings:

Unified Enrollment Flow:
- Enroll on Behalf Of: Lets an administrator enroll devices in place of other users from the enrollment URL. When this setting is enabled, the account whose email address is configured here acts as the super user and can enroll on behalf of any other user, so treat that account's credentials as privileged.
Note: This type of enrollment works only if the authentication type is set to MaaS360 Directory, AD, or Azure AD.
- Corporate Usage Policy: If this setting is enabled, the user is prompted
to accept the corporate usage policy to add a device in MaaS360. The user must accept this policy and the standard end-user license agreement (EULA).
You can display the corporate usage policy as a TXT or HTML file on the device.
- Show Custom Attributes during Enrollment: The device custom attributes that are displayed when you create an enrollment request.
Note: Boolean and Enum device custom attributes are displayed during enrollment.
You can allow users to specify values for the device custom attributes that are displayed during enrollment. A value that is entered by a user overrides the default value that is set by the administrator. This feature is supported on MDM enrollment for iOS, Android, and Windows Phone devices. For Android, MaaS360 App 5.25 or later is needed. This feature is also supported on SPS activation for iOS and Android devices with iOS App 2.95 or later and Android App 5.25 or later.

Device Platforms allowed to enroll:
The types of devices that you want to enroll in MaaS360.

Advanced Management for Apple Devices:
The Apple Configurator or the Apple Device Enrollment Program (DEP) is used to enroll your
iOS devices.
Note: MaaS360 does not support the user enrollment mode for macOS enrollment. The device is
enrolled as a corporate-owned device.

Advanced Management for Android Devices:
Android for Enterprise mode
Check for Android device's integrity:
- Run device attestation during Android Enterprise mode of enrollment
- Attestation Strictness:
- High: MaaS360 evaluates whether the device passed the Android compatibility tests that are required for the device to qualify as a Google-certified Android device.
- Moderate: MaaS360 checks only whether the device is tampered with or compromised, without requiring the Android compatibility tests to pass. For example, rooted devices fail this check.
- Select attestation evaluation type:
- Hardware Backed: Uses hardware-based security features (for example, hardware-backed key attestation) to influence the evaluation of device compatibility.
The device attestation status is derived from the attestation verdict that corresponds to the Attestation Strictness value: High uses ctsProfileMatch and Moderate uses basicIntegrity.

Advanced Management for Windows Devices:
The Device Health Attestation (DHA) server settings, such as the DHA service type and the service URL, that are configurable for Windows devices.

macOS Management:
User authentication for macOS is enforced during the enrollment process. You can also choose whether configuration profiles are installed in the user context or the device context.

SSL Certificate Pinning:
Enables validation of the server certificates that MaaS360 servers present during an SSL/TLS connection against the expected (pinned) certificates, so that a certificate that merely chains to a trusted CA, such as one issued to an interception proxy, is not accepted.
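How the two Attestation Strictness levels and the Hardware Backed evaluation type described under Advanced Management for Android Devices map onto an attestation verdict, shown as an added example. This is illustrative code written for this page, not MaaS360's implementation. The field names (nonce, timestampMs, basicIntegrity, ctsProfileMatch, evaluationType, advice) are those of the Android SafetyNet Attestation API payload, which is where ctsProfileMatch and basicIntegrity come from; the sample payloads are constructed, the JWS signature check against Google's attestation certificate is assumed to have been done already, and the policy function itself (its name, the order of checks and the five-minute freshness window) is this example's own.

```python
"""Added example (not MaaS360 code): applying the Attestation Strictness and
Hardware Backed choices to a decoded SafetyNet attestation payload.

Field names are the real SafetyNet ones; the sample payloads are constructed,
the JWS signature is assumed already verified, and the policy function (names,
ordering, freshness window) is this example's, not MaaS360's implementation.
"""
import base64
from typing import Dict, Tuple

MAX_AGE_MS = 5 * 60 * 1000   # freshness window: an assumption of this example


def evaluate_attestation(payload: Dict[str, object], strictness: str, hardware_backed: bool,
                         expected_nonce: str, now_ms: int) -> Tuple[bool, str]:
    """Return (passed, reason) for strictness 'High' or 'Moderate'.

    Order matters: replay and freshness checks come first, because a verdict
    that is not bound to this enrollment request proves nothing about this
    device no matter what its integrity flags say.
    """
    if strictness not in ("High", "Moderate"):
        raise ValueError("strictness must be 'High' or 'Moderate'")

    if payload.get("nonce") != expected_nonce:
        return False, "nonce mismatch: replayed or foreign attestation"
    ts = payload.get("timestampMs")
    if not isinstance(ts, int) or not 0 <= now_ms - ts <= MAX_AGE_MS:
        return False, "attestation missing a timestamp or too old"

    advice = str(payload.get("advice", "")) or "none"
    # Moderate: the device must not be tampered with or compromised
    # (rooted devices fail here).
    if not payload.get("basicIntegrity", False):
        return False, f"basicIntegrity=false (advice: {advice})"
    # High: additionally the device must match a Google-certified CTS profile.
    if strictness == "High" and not payload.get("ctsProfileMatch", False):
        return False, f"ctsProfileMatch=false: not a certified build (advice: {advice})"
    # Hardware Backed: accept only verdicts that Google derived from
    # hardware-backed key attestation, not from software-only signals.
    evals = {e.strip() for e in str(payload.get("evaluationType", "")).split(",") if e.strip()}
    if hardware_backed and "HARDWARE_BACKED" not in evals:
        return False, f"verdict not hardware backed (evaluationType={sorted(evals)})"
    return True, "pass"


def sample_payloads(nonce: str, now_ms: int) -> Dict[str, Dict[str, object]]:
    """Constructed decoded payloads for four devices (not real attestations)."""
    fresh = now_ms - 10_000
    return {
        "certified": {"nonce": nonce, "timestampMs": fresh, "basicIntegrity": True,
                      "ctsProfileMatch": True, "evaluationType": "BASIC,HARDWARE_BACKED"},
        "custom_rom": {"nonce": nonce, "timestampMs": fresh, "basicIntegrity": True,
                       "ctsProfileMatch": False, "evaluationType": "BASIC",
                       "advice": "RESTORE_TO_FACTORY_ROM,LOCK_BOOTLOADER"},
        "rooted": {"nonce": nonce, "timestampMs": fresh, "basicIntegrity": False,
                   "ctsProfileMatch": False, "evaluationType": "BASIC"},
        "replayed": {"nonce": base64.b64encode(b"some-older-request").decode(),
                     "timestampMs": fresh, "basicIntegrity": True, "ctsProfileMatch": True,
                     "evaluationType": "BASIC,HARDWARE_BACKED"},
    }


def demo_nonce() -> str:
    """Nonce the server embedded in the attestation request (constructed)."""
    return base64.b64encode(b"enrollment-request-42").decode()


if __name__ == "__main__":
    nonce, now = demo_nonce(), 1_700_000_000_000
    for name, p in sample_payloads(nonce, now).items():
        for strictness in ("Moderate", "High"):
            print(name, strictness, evaluate_attestation(p, strictness, True, nonce, now))
```

The custom-ROM device is the case that separates the two levels: it passes Moderate (basicIntegrity is true) but fails High (ctsProfileMatch is false), and with Hardware Backed selected it fails even at Moderate because its verdict was derived from software signals only.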
- Configure the following Enrollment Programs. Choose the enrollment program that you want to apply on the device based on the operating system of the device. Click Configure and set up the enrollment method.

iOS:
- Apple Configurator: A free macOS tool for configuring and deploying iOS
devices in the enterprise by using a physical USB connection. For more information about this
enrollment method, see Apple Configurator.
- Apple Device Enrollment Program: A fast streamlined way to deploy your
corporate-owned Apple devices. For more information about this enrollment method, see Apple DEP Configuration Guide.

Android:
- Android Configurator: A method to enroll many Android devices into MaaS360. For more information about this enrollment method,
see Android bulk enrollment.
- KNOX Mobile Enrollment: A quick and automated method to enroll many
corporate-owned Samsung devices. For more information, see Samsung Knox Mobile Enrollment (KME) program.
- QR Code for Android Work Managed Device Provisioning: A method to
configure corporate-owned Android devices by scanning a QR code from the Android setup wizard. For
more information about this enrollment method, see QR code.
- Android Enterprise Zero-Touch Enrollment: A method to deploy
corporate-owned Android devices in bulk without having to set up each device manually. For more
information about this enrollment method, see Zero-touch.

Windows:
Windows Out-Of-Box Experience: A method that automatically enrolls Windows devices (Windows 10 and later desktops, tablets, and phones) into MaaS360 when a user registers with the Azure Active Directory. For more information about this enrollment method, see Setting up Windows OOBE in the MaaS360 Portal and Microsoft Azure.

Others:
A method to create enrollment requests in bulk by using a CSV or a TXT file.
- Click Save to apply your changes.
- Optional: Click History to view all changes that were applied to the Directory and Enrollment settings. You can also filter the change history report by the date on which the changes were applied to the devices, and then export the report.