Configuring directory and enrollment settings in the IBM MaaS360 Portal

Administrators can set up user directories, configure user authentication types, device enrollment settings, and enrollment programs by using the Directory and Enrollment settings.

About this task

IBM® MaaS360® supports multiple user authentication types for enrollment. Based on the user-level authentication type, users can authenticate against these directories: AD (or Corporate On-premise), Azure AD (or Corporate Azure), Cloud Hosted Directory (or Corporate SAML based), and MaaS360 Directory (or Local). For example, administrators can have employees authenticate against Azure AD and contractors use IBM MaaS360 credentials.

Follow these steps to configure Directory and Enrollment settings.

Procedure

From the IBM MaaS360 Portal home page, select Setup > Settings, and click Directory and Enrollment.
You can also access the Directory and Enrollment page from Device Inventory > More > Directory and Enrollment.
Configure the following Directory and Authentication settings.

Option	Description
User Directory Setup	Administrators can view and add user directories to sync users and groups from those directories to MaaS360. After syncing, administrators can perform actions such as assign policies, distribute documents, and deploy apps to those users and groups. Note: When configuring user directories, administrators must enable the User Visibility module to import users and groups from those directories to MaaS360. Click Add Directory to add user directories and sync users and groups from those directories to MaaS360. MaaS360 supports the following user directory types. Corporate (On-premise) Connects MaaS360 with AD using Cloud Extender®. For more information on configuring the Corporate (On-premise) directory, see Configuring settings for the Cloud Extender modules. Corporate (Azure) Connects MaaS360 with Azure AD. For more information on configuring the Corporate (Azure) directory, see Integrating Microsoft Entra ID with MaaS360. MaaS360 The MaaS360 Directory is added by default. Select the Auto provision users in MaaS360 checkbox to automatically sync users from the enterprise user directory to MaaS360 after device enrollment and activation, and during device sign-in.
User Authentication Setup	Administrators can view and configure multiple user authentication types. Users are assigned with these authentication types to authenticate during device enrollment, device sign-in, and user portal login. Note: When configuring user authentication types, administrators must enable the User Authentication module to provide access to authenticate users to the user directory. Click Add Authentication Type to add multiple user authentication types. MaaS360 supports authentication for the following user directory types. Corporate (On-premise) Adds authentication type for users from AD using Cloud Extender. For more information on configuring the Corporate (On-premise) directory, see Configuring settings for the Cloud Extender modules. Corporate (Azure) Adds authentication type for users from Azure AD. For more information on configuring the Corporate (Azure) directory, see Integrating Microsoft Entra ID with MaaS360. Corporate (SAML based) Adds authentication type for users from the Cloud Hosted Directory. For more information on configuring the Corporate (SAML based) directory, see Configuring a SAML Single Sign-on services in MaaS360. For more information on mapping SAML attributes, see Mapping SAML attributes in a SAML response. Note: The SAML payload is standardized with mandatory user fields such as email and domain fields. If the user account does not exist in the IBM MaaS360 Portal, use the data in the SAML response to automatically create users. The subject data in the SAML response is always the username of the user. For email address and domain attributes, use the details in the SAML response for the email address and domain fields. The Corporate (SAML based) authentication type is supported for the following devices in the Device Enrollment Program (DEP): iOS 13 macOS 10.15 All Android devices Windows The Corporate (SAML based) authentication type is not supported for Device Enrollment Program (DEP) devices versions earlier than iOS 13 and macOS 10.15. Administrators must use other user authentication types such as AD, Azure AD, or MaaS360 Directory. In the Basic Enrollment Settings > User Input Authentication field, select the username and domain option where users can enter the username, domain, or email address of the user and to enroll or activate DEP devices. MaaS360 The MaaS360 user authentication type is added by default. Note: You can disable the MaaS360 authentication type to restrict authentication for users belonging to this type. However, you cannot disable the same if it is set as the default authentication type. Note: MaaS360 requires users to authenticate against the authentication type that is defined at the user level. The user-level authentication type is automatically defined by the user source (creation or import of users) however, administrators can change the authentication type from the Users workflow. Click the menu icon for the configured authentication type and click Select as default to set the authentication type as the default. Note: During auto-provisioning, MaaS360 uses the default authentication type for authentication. If the Corporate (Azure) and Corporate (On-premise) authentication types are configured, you can enable one or both as the default. Select the Prevent user lockout on corporate directory checkbox to limit consecutive failed authentication attempts from MaaS360 to the corporate directory to prevent user lockout. Select the required Number of failed authentication attempts and Duration for account lockout (hours) on MaaS360 before attempting further authentication. Note: This option is supported for LDAP-based configurations only.

Option

Description

User Directory Setup

Administrators can view and add user directories to sync users and groups from those directories to MaaS360. After syncing, administrators can perform actions such as assign policies, distribute documents, and deploy apps to those users and groups.

Note: When configuring user directories, administrators must enable the User Visibility module to import users and groups from those directories to MaaS360.

Click Add Directory to add user directories and sync users and groups from those directories to MaaS360.
MaaS360 supports the following user directory types.
- Corporate (On-premise)
  
  Connects MaaS360 with AD using Cloud Extender®. For more information on configuring the Corporate (On-premise) directory, see Configuring settings for the Cloud Extender modules.
- Corporate (Azure)
  
  Connects MaaS360 with Azure AD. For more information on configuring the Corporate (Azure) directory, see Integrating Microsoft Entra ID with MaaS360.
- MaaS360
  
  The MaaS360 Directory is added by default.
Select the Auto provision users in MaaS360 checkbox to automatically sync users from the enterprise user directory to MaaS360 after device enrollment and activation, and during device sign-in.

User Authentication Setup

Administrators can view and configure multiple user authentication types. Users are assigned with these authentication types to authenticate during device enrollment, device sign-in, and user portal login.

Note: When configuring user authentication types, administrators must enable the User Authentication module to provide access to authenticate users to the user directory.

Click Add Authentication Type to add multiple user authentication types.
MaaS360 supports authentication for the following user directory types.
- Corporate (On-premise)
  
  Adds authentication type for users from AD using Cloud Extender. For more information on configuring the Corporate (On-premise) directory, see Configuring settings for the Cloud Extender modules.
- Corporate (Azure)
  
  Adds authentication type for users from Azure AD. For more information on configuring the Corporate (Azure) directory, see Integrating Microsoft Entra ID with MaaS360.
- Corporate (SAML based)
  Adds authentication type for users from the Cloud Hosted Directory. For more information on configuring the Corporate (SAML based) directory, see Configuring a SAML Single Sign-on services in MaaS360. For more information on mapping SAML attributes, see Mapping SAML attributes in a SAML response.
  Note:
  
  The SAML payload is standardized with mandatory user fields such as email and domain fields. If the user account does not exist in the IBM MaaS360 Portal, use the data in the SAML response to automatically create users. The subject data in the SAML response is always the username of the user. For email address and domain attributes, use the details in the SAML response for the email address and domain fields.
  
  The Corporate (SAML based) authentication type is supported for the following devices in the Device Enrollment Program (DEP):
  
  iOS 13
  
  macOS 10.15
  
  All Android devices
  
  Windows
  
  The Corporate (SAML based) authentication type is not supported for Device Enrollment Program (DEP) devices versions earlier than iOS 13 and macOS 10.15. Administrators must use other user authentication types such as AD, Azure AD, or MaaS360 Directory. In the Basic Enrollment Settings > User Input Authentication field, select the username and domain option where users can enter the username, domain, or email address of the user and to enroll or activate DEP devices.
- MaaS360
  
  The MaaS360 user authentication type is added by default.
  
  Note: You can disable the MaaS360 authentication type to restrict authentication for users belonging to this type. However, you cannot disable the same if it is set as the default authentication type.
Note: MaaS360 requires users to authenticate against the authentication type that is defined at the user level. The user-level authentication type is automatically defined by the user source (creation or import of users) however, administrators can change the authentication type from the Users workflow.
Click the menu icon for the configured authentication type and click Select as default to set the authentication type as the default.
Note:
- During auto-provisioning, MaaS360 uses the default authentication type for authentication.
- If the Corporate (Azure) and Corporate (On-premise) authentication types are configured, you can enable one or both as the default.
Select the Prevent user lockout on corporate directory checkbox to limit consecutive failed authentication attempts from MaaS360 to the corporate directory to prevent user lockout. Select the required Number of failed authentication attempts and Duration for account lockout (hours) on MaaS360 before attempting further authentication.
Note: This option is supported for LDAP-based configurations only.

Configure the following Basic Enrollment Settings.

Option	Description
Set Corporate Identifier	The corporate identifier for the organization that is displayed in the enrollment URLs sent to users to enroll their devices in MaaS360.
Limit Enrollment and Activation	Set the limitations for the following categories. By User The maximum number of devices that each of your users can enroll in MaaS360. You can set limitations for users in specific groups or add limitations for multiple groups. If the maximum number of devices exceeds these limits, the currently enrolled devices remain as enrolled, but you cannot enroll more devices. Define limits by User Group You can set the limitations for users in specific groups or add limitations for multiple groups enrollment based on criteria such as Device OS and Custom attributes. Click Configure limits to set the user group enrollment limits. On the User group enrollment limits page, you can select the criteria such as Device OS and Custom attributes to set the limits for both existing and newly defined limits. Notes: The custom attribute value is displayed if the Show Custom Attributes during Enrollment checkbox and Allow end users to specify values for these custom attributes checkbox are selected. Select the correct custom attributes to be displayed while setting the limits for a user. This setting is only applied for unified enrollment and unified sign-in types. Only one custom attribute can be selected while setting the user limitations. This setting is only available when the Enable Modernized Settings UI is set to Yes. Restrict Enrollments by IP The devices that are restricted from being enrolled or activated through an IP address or an IP range. The administrator can configure one or more allowed IP addresses or IP ranges to enroll devices in the corporate network. The IP address or IP range must be the final IP address that sends the enrollment request to the MaaS360 servers. If a VPN or a proxy server is used, administrators must configure the final IP address in the allowed range. Contact IBM Support to enable this setting. Note: This field is enabled if the Enable Restrict Enrollment by IP customer property is enabled. This method is not supported for enrollment programs such as Apple Configurator, Apple Device Enrollment Program (DEP), and license-based Windows and Mac enrollments. Allow only specific user groups to enroll or activate devices Device enrollment is limited to specific user groups only. Administrators can specify the list of those user groups. Note: This setting applies to Corporate (On-premise) and Corporate (SAML-based) authentication types. For this setting to work with Corporate (SAML based) authentication type, the identity provider setup must be configured so that user group details are received in the SAML response. The user groups information must be included in the SAML response for the usergroups key. This setting allows the enrollment of devices to specific user groups only and does not update the user group membership in the IBM MaaS360 Portal based on the SAML response. To add a user group in the IBM MaaS360 Portal, see Managing Groups in the IBM MaaS360 Portal. Block self enrollments for devices Restrict self-enrollments for devices that are initiated by the user and to only allow enrollments that are initiated by administrator or administrator workflows. Enabling this setting blocks users to enroll BYOD or employee-owned devices by using the self-enrollment URL. However, the user can still enroll these devices by using the enrollment request URL sent by the administrator. Note: This setting is disabled by default. You can enable the same if required. This setting is applicable for Android (only PO), iOS and macOS devices. The minimum required Android version is 9.35. Important: If an enrollment request is already present for the user in the IBM MaaS360 Portal, then this setting does not work. This setting is not applicable when the Authentication Mode for Enrollment is set as Passcode. Enabling this option automatically disables all the self-enrollment related settings for BYOD and employee-owned devices.
Authentication Mode for Enrollment	The authentication type that users use to enroll their devices in MaaS360. Select the Override authentication mode for enrollment checkbox and select the required option from the Authentication Mode for Enrollment drop-down list. This setting overrides the authentication type that is defined at the user-level. MaaS360 uses the authentication type that is selected in this setting, which is used for all enrollments. Note: The values in the Authentication Mode for Enrollment drop-down list are populated from the authentication types that are configured in the following path: Directory and Enrollment > Directory and Authentication > User Authentication Setup If this checkbox is not checked, MaaS360 uses the user-level authentication type. Upgrade the devices with MaaS360 for iOS app 4.80+, MaaS360 for Android app 7.60+, and MaaS360 for Windows app 4.55+ to authenticate using Corporate (SAML based) authentication type. Windows DTM customers must not clear this checkbox to avoid unexpected issues. MaaS360 supports the following authentication types for enrollment. Passcode Sends a unique passcode to the user's corporate email address and requires the user to enter that passcode during enrollment. If you select this option, the Override authentication mode for DEP enrollment checkbox is displayed where you can select to override the authentication type that is defined at the user-level for enrolling DEP devices with a passcode or MaaS360 credentials. Note: This option is provided temporarily to customers using their MaaS360 credentials as the authentication type to enroll DEP devices, and to customers using a passcode as the authentication type to enroll managed devices. This option is deprecated in at the end of 2022. Make sure that you manually disable this option before the end of 2022. MaaS360 Requires users to enter their MaaS360 credentials during enrollment. Corporate (On-premise) Requires users to enter their AD credentials during enrollment and authenticate against those credentials. Corporate (Azure) Requires users to enter their Azure AD credentials during enrollment and authenticate against those credentials. Corporate (SAML based) Redirects users to the corporate identity provider where the user must enter their Cloud Hosted Directory credentials during enrollment. Select the Enable two-factor authentication for enrollment checkbox to enable two-factor authentication as an additional authentication method when performing device enrollment or activation using Corporate (Azure) or Corporate (On-premise) authentication types. Note: This authentication method is supported for Device Enrollment Program (DEP) from iOS 13 and macOS 10.15 devices.
Self Enrollment	Configure the following Self-Enrollment options: Select the Default addition mode checkbox to allow users to enroll their own devices (default) and determine which enrollment type to use based on whether the device is an enrolled device or an activated device. Note: This section is visible only for mixed-mode customers. Select one of the following options. Enrollment (Managed Device) Activation Based on device activation for SPS mode customers only such as using PIM, IBM Docs, Browser. By Ownership Based on the type of device ownership such as corporate-owned or employee-owned devices, you can choose a self-enrollment method such as MDM enrollment or Activation (SPS only) mode. Note: When you select the By Ownership option, the Prompt user for ownership option is automatically selected as the default ownership mode for self-enrollments and cannot be edited. This setting prompts users to specify whether the device is corporate-owned or an employee-owned device during self-enrollment. When MDM enrollment is selected for employee-owned Apple devices, you can select whether to use managed or user enrollment mode from Advanced Enrollment Settings > Advanced Management For Apple Devices. Select the Default ownership mode checkbox to select the default device ownership mode during self-enrollments and select one of the following options. Employee owned Device ownership is defined as a device owned by the employee. Corporate owned Device ownership is defined as a device owned by the organization. Prompt user for ownership The user is prompted to define whether the device is an employee-owned or corporate-owned device. By default, Prompt user for ownership is selected when the default addition mode for self-enrollment is By Ownership.
User Input at Authentication	The input that a user must enter during authentication. Users are prompted for identification by providing configured inputs when performing authentication for a new device in MaaS360.
Corporate Support Information	The contact details for corporate support. This information is displayed to the user while adding the new device and in the MaaS360 app. Any prompts for over-the-air actions that are scheduled for iOS 7.0 devices uses the iOS Services Hostname.

Configure the following Advanced Enrollment Settings.

Option	Description
Unified Enrollment Flow	Enroll on Behalf Of The administrator can enroll in place of other users from the enrollment URL. If this setting is enabled, a super user can enroll in place of another user. The email address that is configured for this setting is the super user. Note: This type of enrollment works if the authentication type is set to MaaS360 Directory, AD, or Azure AD. Corporate Usage Policy If this setting is enabled, the user is prompted to accept the corporate usage policy to add a device in MaaS360. The user must accept this policy and the standard `End-User License Agreement (EULA)`. You can display the corporate usage policy as a `TXT` or `HTML` file on the device. Show Custom Attributes during Enrollment The device custom attributes that are displayed when you create an enrollment request. Note: Boolean and Enum device custom attributes are displayed during enrollment. You can allow users to specify device custom attributes values that are displayed during enrollment. The device custom attribute value that is entered by a user overrides the default value that is set by the administrator. This feature is supported on MDM enrollment for iOS, Android, and Windows Phone devices. For Android, MaaS360 App 5.25+ is needed. This feature is also supported on SPS activation for iOS and Android devices with iOS App 2.95+ and Android App 5.25+.
Device Platforms allowed to enroll	The types of devices that you want to enroll in MaaS360.
Advanced Management for Apple Devices	The Apple Configurator or the Apple Device Enrollment Program (DEP) is used to enroll your iOS devices. Choose the Enable silent installation of MaaS360 app post enrollment option to silently install apps and related information on the device even if user authentication was not performed during Apple Configurator or DEP enrollment. Choose the Select default enrollment mode to manage the employee owned (BYOD) devices to either allow administrators to fully manage the device or choose to manage only corporate resources on the device by using the user enrollment mode. Note: This option is hidden and not visible if the Block self enrollment for devices option is enabled in the Basic Enrollment Settings > Limit Enrollment and Activation section. Note: MaaS360 does not support the user enrollment mode for macOS enrollment. The device is enrolled as a corporate-owned device.
Advanced Management for Android Devices	Android for Enterprise mode Select default Google Managed Account type Device Account A device account is active on one device only and provides access to the managed Google Play account from the enrolled device. User Account This account type can be active on multiple devices up to 10. Note: Account Type once chosen cannot be changed later. Enroll under Android for Enterprise only if OS version is above Configure the minimum OS version requirement for Android Enterprise enrollments. This setting ensures that only devices running compatible OS versions are enrolled in MaaS360. When enabled, only devices running the specified OS version or higher will be able to enroll in MaaS360. The devices that do not meet the minimum OS requirement are blocked from enrolling in MaaS360. Device's Integrity Run device attestation during Android Enterprise mode of enrollment. Attestation Strictness `Strong` `Moderate` `Basic` Classic framework Hardware backed evaluation Enables the use of hardware-based security features (for example, hardware-backed key attestation) to influence the evaluation for device compatibility. Check device integrity during enrollment This option is used to enable integrity checks during device enrollment. OS Version Limitation Select the Set lowest Android OS version allowed for enrollment checkbox.
Advanced Management for Windows Devices	The Device Health Attestation (DHA) server settings, such as the DHA service type and the service URL that are configurable for Windows devices.
macOS Management	User authentication for macOS is enforced during the enrollment process. You can also install user context or device context for profile configurations.
SSL Certificate Pinning	Enables the validation of Server Certificates presented by MaaS360 servers during an SSL connection.

Configure the following Enrollment Programs. Choose the enrollment program that you want to apply on the device based on the operating system of the device. Click Configure and set up the enrollment method.

Option	Description
iOS	Apple Configurator A free macOS tool for configuring and deploying iOS devices in the enterprise by using a physical USB connection. For more information about this enrollment method, see Apple Configurator. Apple Device Enrollment Program A fast streamlined way to deploy your corporate-owned Apple devices. For more information about this enrollment method, see Apple DEP Configuration Guide.
Android	Android Configurator A method to enroll many Android devices into MaaS360. For more information about this enrollment method, see Android bulk enrollment. KNOX Mobile Enrollment A quick and automated method to enroll many corporate-owned Samsung devices. For more information, see Samsung Knox Mobile Enrollment (KME) program. QR Code for Android Work Managed Device Provisioning A method to configure corporate-owned Android devices by scanning a QR code from the Android setup wizard. For more information about this enrollment method, see QR code. Android Enterprise Zero-Touch Enrollment A method to deploy corporate-owned Android devices in bulk without having to set up each device manually. For more information about this enrollment method, see Configuring Zero-touch Enrollment.
Windows	Windows Out-Of-Box Experience A method that automatically enrolls Windows devices (Windows desktops, tablets, phones) into MaaS360 when a user registers with the Azure Active Directory. For more information about this enrollment method, see Setting up Windows Enrollment in the IBM MaaS360 Portal and Microsoft Entra.
Others	A method to create enrollment requests in bulk by using a CSV or a TXT file.

Click Save to apply your changes.
Optional: Click History to view all changes that are applied to the Directory and Enrollment settings.
You can also filter the change history report by the date that changes were applied to the devices, and then export the report.