In this article, you will learn how to prevent revoking management with NinjaOne. The ability to prevent users from revoking management is crucial to maintaining control over corporate devices. Revoking management can lead to data loss, security breaches, and disruptions to business operations. MDM solutions often incorporate features to safeguard against unauthorized revocation of management, empowering IT administrators to ensure compliance and protect sensitive information.
Apple Business Manager (ABM) helps organizations maintain control over their devices. However, no security system is completely foolproof. Organizations should implement additional security measures to protect their devices and data. By using ABM and additional security measures, organizations can effectively prevent unauthorized management removal on iOS devices.
How to Prevent Revoking Management With NinjaOne
Preventing revoking management is crucial for maintaining control over corporate devices. One effective strategy is to implement MDM solutions with strong security features.
Company devices issued to employees should always remain under the company's control, and users shouldn't be able to bypass that control. To ensure this, the devices can be registered through dedicated corporate enrollment methods. These methods make sure that even if the devices are reset, they'll still be under the company's control.
For iOS/iPadOS Devices
ABM – Apple Business Manager
ABM/ASM (Apple Business Manager/Apple School Manager) is a web portal where IT administrators can view asset (Apps and Books) licenses purchased by their organization and assign devices for remote management to a specific MDM server (in this case, NinjaOne). To create multiple Automated Device Enrollment (ADE) connections in NinjaOne, you will typically create one ADE connection per ABM/ASM from which the devices will be enrolled.
To enroll devices with ADE, the following criteria must be met:
- A minimum of one Apple Push Notification service certificate added in NinjaOne.
- Devices registered in ABM/ASM using the Apple Customer Number or Reseller ID. For more information about registering devices in ABM, please see the iOS Supervised Mode doc linked at the end of this page.
- Devices added to ABM/ASM purchased directly from Apple or from Apple-authorized retailers/carriers, which include:
  - iOS devices with iOS 7 or later.
  - iPadOS devices.
Devices not purchased for ADE can be added to ADE with the help of Apple Configurator for iPhone. If Apple Configurator for iPhone is not available, you can also use Apple Configurator for macOS.
Important Information
- If you have newly purchased devices automatically added into ABM during the purchase process, the enrollment can be locked immediately. However, if you are using Apple Configurator to manually add devices into ABM, then there is a 30-day buffer after enrollment during which the “Leave Remote Management” option is available. After this buffer, the option will be removed. Reference: Add devices from Apple Configurator to Apple Business Manager – Apple Support.
- Devices added to ABM/ASM must be owned by the business and not an end user. While you can add any iOS device to ABM, doing so will automatically classify it as company-owned, granting the organization full control and preventing the end user from revoking management. If removed from ABM, the user regains control of the device. When enrolling Apple devices through ADE, the phones will be reset per Apple policy requirements.
To add devices to NinjaOne through ABM/ASM, you must:
- Configure an APNs certificate, if you have not done so already.
- Configure the ADE integration.
- Configure the enrollment profile.
- Sync with ABM/ASM.
Add ABM / ASM Devices to NinjaOne:
Once enrolled, you can add the devices associated with the ABM/ASM if the Default device role field is populated.
Devices not purchased for ADE can be added to ABM/ASM with the help of Apple Configurator for iPhone. If Apple Configurator for iPhone is not available, you can also use Apple Configurator for macOS.
The device must be already registered in ABM/ASM. To learn how to add devices to the ABM/ASM so that they can be synced with NinjaOne, please refer to the Apple Business Manager User Guide.
1. Open the MDM app in Administration and click Edit for the ADE enrollment.
2. Open the Devices tab and click Sync with ABM.
3. If more devices are later added to the ABM, return to this page and click the Sync with ABM button again.
If the end user formats or factory resets the device, it will be automatically re-enrolled in ABM and NinjaOne once it reboots and connects to the Internet. To prevent the end user from factory resetting the device, there's a policy setting in the “Restrictions” section called “Allow Erase All Content and Settings”. If you uncheck this setting, the user cannot factory reset the device.
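As an added illustration (not NinjaOne's code and not part of the original article), this Python check confirms that a configuration profile really carries the restriction behind “Allow Erase All Content and Settings”. It assumes the policy is available as an unsigned .mobileconfig plist; the key `allowEraseContentAndSettings` and payload type `com.apple.applicationaccess` are Apple's, while the sample profile and its identifiers are constructed.

```python
import plistlib

RESTRICTIONS_TYPE = "com.apple.applicationaccess"  # Apple Restrictions payload type
ERASE_KEY = "allowEraseContentAndSettings"         # key behind the erase setting


def build_sample_profile(erase_value=None, with_restrictions=True):
    """Constructed sample profile (placeholder identifiers, not a NinjaOne export)."""
    restrictions = {
        "PayloadType": RESTRICTIONS_TYPE,
        "PayloadIdentifier": "com.example.restrictions",
        "PayloadUUID": "00000000-0000-0000-0000-000000000001",
        "PayloadVersion": 1,
    }
    if erase_value is not None:  # None leaves the key out entirely
        restrictions[ERASE_KEY] = erase_value
    profile = {
        "PayloadType": "Configuration",
        "PayloadIdentifier": "com.example.profile",
        "PayloadUUID": "00000000-0000-0000-0000-000000000002",
        "PayloadVersion": 1,
        "PayloadContent": [restrictions] if with_restrictions else [],
    }
    return plistlib.dumps(profile)


def audit_erase_restriction(profile_bytes):
    """Return 'blocked', 'allowed' or 'no-restrictions-payload'."""
    profile = plistlib.loads(profile_bytes)
    payloads = [
        p for p in profile.get("PayloadContent", [])
        if isinstance(p, dict) and p.get("PayloadType") == RESTRICTIONS_TYPE
    ]
    if not payloads:
        return "no-restrictions-payload"
    # An absent key counts as allowed: erase is blocked only by an explicit false.
    if any(p.get(ERASE_KEY, True) is False for p in payloads):
        return "blocked"
    return "allowed"


if __name__ == "__main__":
    cases = {"unchecked": False, "checked": True, "key omitted": None}
    for label, value in cases.items():
        print(label, "->", audit_erase_restriction(build_sample_profile(value)))
```

A result of `allowed` or `no-restrictions-payload` means the user can still erase the device, so re-enrollment after reset through ABM is the only remaining control.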
For Android Devices
NinjaOne Android MDM allows for multi-tenancy management, which means more control over mobile devices with different connections all within the same NinjaOne instance.
Enable Device Enrollment:
Prior to adding Android devices to NinjaOne, you must first enable this option in the Administration section using the instructions below.
Important Note: In addition to enabling the MDM app, you must enroll in Android Enterprise to successfully complete any device enrollment process. Android Enterprise is free and requires a Google account to sign in and set up—this does not need to be a shared account, as it will only be used for the purpose of registering Android Enterprise.
1. Go to Administration > Applications > Installed. Open the NinjaOne Android MDM app.
2. Click Add Android Enterprise on the right side.
The Add Android Enterprise configuration modal displays.
3. For Step 1, add a name for the Android connection that will distinguish it from the other connections in NinjaOne. Then, click the blue hyperlink under Step 2.
You are routed to the Android Enterprise sign-in page.
4. Create a new account by entering an unused password into the available field; you can use your business domain or a regular Google account. Click Next.
You will need to follow the prompts to verify your email and finish setting up your account according to your preferences.
5. During account setup, you may be asked to add subscriptions to your admin account. Android Enterprise should be included by default, and no other action is required.
6. After selecting your subscriptions, you will be asked to create a password for the admin console. Then, confirm your NinjaOne environment/region will be used to manage the Android Enterprise devices by clicking Allow and create account. Your NinjaOne environment will not be the same one as reflected in the screenshot below.
You should be redirected back to NinjaOne where the Android Enterprise account is added. The enterprise name is displayed on the lockscreen of managed Android devices as the “managed by” entity. Devices will only see updates on the enterprise name once unenrolled and re-enrolled into the MDM.
The connection name is the name that distinguishes the connection from others in NinjaOne and is referenced when creating new QR codes/enrollment tokens.
7. From here, you can edit or delete the connection or Enterprise name—hover your cursor over the row and then click the ellipsis button to see the options.
You are now able to add Android devices to NinjaOne.
Personal Devices
NinjaOne doesn’t directly manage personal devices. However, it can be used to manage company-owned devices that employees use for work, even if these devices are personal devices.
Benefits and Strategies for Preventing Revoking Management with NinjaOne
- Data Protection: Prevents unauthorized access to sensitive corporate data.
- Security Maintenance: Maintains a secure environment for devices and network.
- Compliance Adherence: Ensures compliance with industry regulations and company policies.
- Operational Efficiency: Reduces disruptions and downtime caused by unmanaged devices.
- Regularly Update and Maintain: Keep software and systems up to date to avoid vulnerabilities.
- Awareness Training: Provide users with training on the importance of MDM and the consequences of revoking management.