Knowledge base
Safetica Mobile enrollment
Posted by Libor Pazdera, Last modified by Libor Pazdera on 17 September 2020 10:21 AM

Enrollment into WebSafetica

Enrollment into WebSafetica is one of the first steps for initiating device management. Once your devices are enrolled, you can start setting Safetica Mobile policies and other features. Safetica Mobile app connects mobile devices with WebSafetica via invitations bonded to the user and offers solutions for both personal and company-owned devices. Information about supported enrollment modes can be found here.

Creating and sending invitations in WebSafetica

It does not matter whether you want to enroll an Android or an iOS device, your first step always begins with invitations in WebSafetica. If you want to enroll a company-owned (Android Fully Managed) device, you can create an invitation, without sending it to the user. In other cases, send the created invitation to the user's email.

Recommended enrollment mode:

Sending invitation: Creating invitation:
Personal
(Android Work Profile)
Company-owned
(Android Fully Managed)
iOS Unsupervised
iOS Supervised

The invitation stays active until the WebSafetica administrator decides to deactivate it or send a new invitation. This workflow allows us to enroll multiple devices under one user. Android devices can be, however, enrolled also by using QR code or PIN.

To create or send an invitation:

  1. Open Management > Mobile Devices and click the Invite Users button.

  2. In the Invitations view, choose the users you want to create invitations for or send invitations to and click the respective button. You can also edit their email addresses (click their email).
  3. Once the invitation is created or sent, it is active, and users can enroll as many devices as they want.

You can also invite new users by clicking the Add mobile user button. Although this user will not be paired with an Active Directory user.

In the Invitation view, you can also deactivate invitations with the Deactivate button. An alternative way of deactivation is sending a new invitation. In this case, the old invitation is deactivated, while the new one is active.

Each active invitation has its own enrollment credentials. You can view them by clicking the Show link in the Credentials column. The pop-up window contains a QR code and PIN (used by the Android app) or a deployment URL, which is an invitation transformed into a link.

Mobile devices view

Once you send all invitations, the rest of the enrollment process depends on user activity. Back in the Mobile devices view, you can monitor the state of enrollment. You can see user progress in the State column, or you can check device connectivity in the Last connection column.

The Invitation sent state represents a slot for at least one device in the Mobile devices view. Administrators can monitor the enrollment progress without having to switch between Invitations and Mobile devices views. Until the device sends a response to the server, the invitation is displayed with the last known state. In this phase, the system still treats the device as an invitation, so you can deactivate it or display the enrollment credentials of the user. 

Once the mobile device sends its first information, the invitation slot changes to a device item and displays enrollment progress. From now on, it is treated as a device, which means that it can be deleted or notified via the Renew feature. After receiving all necessary information from the device, the row appears as an enrolled device and leads to the Device detail page with technical information and Safetica Mobile features.

After selecting a device in the Mobile devices view, you will see the Renew button, which is a fast and easy way to troubleshoot unresponsive devices. The user receives an email notification stating that their device does not communicate. There is also a QR code and PIN in case they need to re-enroll their Android app. The email also contains a button to forward the user to the Safetica Mobile app or to Google Play (for Android) in case the app is not installed. The renewal email does not generate a new invitation and does not change the PIN or QR code. It only notifies the user about a problem and offers a solution.

Enrolling devices

Via sent invitations

Enrolling devices via email invitation is not a complex process. You simply open it and click Accept invitation. Next steps depend on the device platform:

Android

You will be redirected to a Google Play page where you can install the Safetica Mobile app. After installation, you can create a work profile (only if your organization enabled EMM in Safetica Web Console). When using an app, you can tell that it belongs to the work profile by a briefcase icon in the upper part of the screen.

Note: If you do not want to use the Work Profile, you can install the Safetica Mobile app in the Device Admin mode. Many features, however, will be disabled. This type of enrollment is not recommended for Android 10.

Note: If you installed the Safetica Mobile app in the Device admin mode and your organization enabled EMM in Safetica Web Console, you will see a notification asking you to create a work profile. If you confirm, the app will reboot and a new one will be deployed with an activated work profile.

iOS

For full protection of iOS devices, it is necessary to activate the Supervised mode. You can learn more in the Safetica Knowledge Base. After the invitation is accepted, you will be redirected to profile installation. You need to grant permissions and the app will shortly start to download. The next steps are allowing its installation, running Safetica Mobile from desktop, and allowing rights for notifications.

Via created invitations (Android only)

This enrollment mode is suitable for company-owned devices that will be used in the Android Fully Managed mode. The admin has to have the device physically on themselves and perform the following steps:

  1. Put the device into default factory setting.
  2. After restart, enter the afw#safetica code into the Google Account dialog.
  3. Safetica Mobile is installed and the admin will be asked for credentials from WebSaftica.
  4. Credentials can be displayed in the Invitations view in WebSafetica after clicking the Show link in the Credentials column. The admin can scan the QR code or enter an email address and PIN. You can see the whole process in the following screenshots:

Alternative ways of enrollment

Every invitation has its unique enrollment credentials, which can be displayed in the Invitation or Mobile devices views and serve as an alternative way of enrollment. There are three types of credentials - QR code, PIN, and Deployment URL. You can use them when you come across a problem with email invitations or when the user installs the app from Google Play without using an email invitation. Deployment URL is an invitation transformed into a single link. The administrator can send it by their preferred communication channel. QR code (Android device only) can be scanned from the app. The PIN (Android device only) can be entered together with user email in the app.

Troubleshooting

If there is a problem with mobile device enrollment, look at its state and the time of last connection.

Invitation troubleshooting

If you still see the invitation as sent to the user, you can easily track user activity, which is defined by two invitation states:

Invitation sent means that the user did not even open the invitation. You can contact the user and ask them to inspect their inbox or spam folder.
Invitation opened means that the user has opened the invitation, but hasn't finished the enrollment process. Usually, this happens when the user stops before installing the app or MDM profile or doesn't open the installed app.

Device troubleshooting

If you see a gray text Pending... instead of the device name, the app or MDM profile enrollment process stopped somewhere after installing Safetica Mobile. You should contact the user experiencing this problem and ask them to finish the enrollment while they are connected to the Internet. To make this contact easy, Safetica Web Console offers the Renew feature, which sends notification emails to users. This email can lead the user through the enrollment process and help them complete the enrollment.

If the device was enrolled in the past and now its state has changed from Active MDM to anything else, Safetica Mobile lost some of the crucial permissions to work correctly or is unable to synchronize due to poor connection. The first step to solve this problem can be sending the Renew email. It notifies the user about possible problems with their device and leads them into the app or through the whole enrollment process again, in case they uninstalled Safetica Mobile.

(0 vote(s))
Helpful
Not helpful