Hi.

We are looking for an MDM solution to manage our corporate phone and tablet fleet and were wondering if the community had any suggestions for us. In our environment, we use Office 365, and currently have Sophos MDM. The way we currently set up devices is to create a Google account using an alias of our MDM email account. We have a spreadsheet with all of the information that was typed in when creating the account. So far, we have been using the same mobile number for all of the accounts but ran into an issue where it wouldn’t allow us to use the same mobile number again.

The reason we set up Google accounts for each Android device is to install apps and provision the devices, as well as to prevent our users from using their personal accounts to claim Android FRP in case they leave and we wipe the device to reissue it.
Here are some abilities we would like to have:

  1. Ability to push out apps (Without the user having to do anything to install them)
  2. Set home and lock wallpaper
  3. Encrypt device
  4. Enforce lock screen protection
  5. Track location of device
  6. Lock/wipe device in case it is stolen

Thank you.

3 Spice ups

You can do a lot of what you’re looking for with Sophos Mobile Control. Many of those features are available in SMC Standard, while some (like pushing out applications) I believe require SMC Advanced. Have you talked to your Sophos partner about helping you make the most of your current SMC product?

2 Spice ups

We have tried using our Sophos MDM, and from my experience, it seems to be hit or miss, and not very intuitive. What would be nice is to get a device completely set up without having to create an account for it, like we were doing before.

I have tried pushing an app out, but all it does is display a link for the user to click on and install themselves, and that’s it. It doesn’t make sure the app is installed, and it doesn’t force install it.

How do we find out what version of Sophos Mobile we have?

Currently we are using Soti Mobicontrol in their cloud environment. It has literally all of the settings and features you are asking for. They will set you up a trial license so you can get a feel for it. The control/main page is very modern but the backend still looks a little old but works well.

I’m hoping Robert@SOPHOS can help with the question about checking your current version number. I’m not sure why you would have to create a separate Google account. I believe companies enforce SMC installation by restricting access to Exchange email for users that don’t have SMC. If users can’t get their email, they’ll usually be pretty quick to follow the instructions that you sent them!

We’re getting a bit beyond my knowledge of SMC, though. Your best bet would be to reach out to your Sophos partner and/or check out the getting started videos on our YouTube channel.

@robert-sophos

What about using G Suite, buying licenses for the device and managing through their MDM?

Hi Andrew! Welcome to the community! Adding more to what Bryan wrote, just wanted to let you know that SOTI is a partner of ours! I’m attaching a datasheet that offers more insight into MobiControl and how it works being paired with our VPN solution, Mobility. Essentially, they will manage all of your devices (covering all the requirements you stated above) and we will manage your connection to those devices. I hope this info is useful. If you have any questions on the Mobility front, please let me know!

NetMotion_SOTI_Datasheet_FINAL.pdf (445 KB)

andrewkapsch, I checked with our mobile product management team, and they had a couple tips. One was to follow up with your Sophos partner, as I previously suggested, and have them get in touch with Sophos if necessary. A second was to look at using Android Enterprise in conjunction with Sophos Mobile Control. This will likely give you the full control you’re looking for, rather than leaving a lot of it in the hands of the users.

@andrewkapsch

If you do end up switching over to a new MDM from Sophos, AirWatch would be a great option! VMware’s AirWatch can handle everything you listed with a ton of security features. Plus, with Android deployment, users will have the option to separate work and personal applications for any BYOD deployments. Android separates the data at an operating system level, enabling a work profile that’s a dedicated space solely for work apps. As an admin, you’ll be able to deploy, manage, and secure internal and public apps. You can find a full set of resources through the site here: https://www.air-watch.com/solutions/android-management/

And if you have any questions as you do some research, please don’t hesitate to reach out!

1 Spice up

We do use Sophos MDM, I will agree it’s not very intuitive.

With Sophos MDM (I’m using the latest on-premise version) and setting up Android for Work, you can lock the devices down tight. With AFW there is no need for a Google account on the device and it disables all the bloatware.

Currently we are testing AFW. Sophos has a few shortcomings using AFW, but so far it’s looking good.

2 Spice ups

I’ve used Silverback by Matrix42, MobileIron and more recently, AirWatch.

AirWatch has been amazing. We managed to migrate over 800 devices in just under 7 business days! I found the interface easy to use and navigate and find daily maintenance tasks easy to complete. We have been using AirWatch for 8 months and haven’t had any major dramas, like we have had in the past with other vendors.

1 Spice up

Following up: According to the responsible product manager, Sophos Mobile standard is sufficient to do this. For full corporate phones it is recommended to use Android Enterprise – device owner as management mode. This allows for strong control of the device’s features, like silently pushing apps.

Hi, I’ve been working on setting up Android Enterprise, but I haven’t been able to figure out how to get it all to work. I have an Enterprise account set up, I added apps to the Work Play Store, created the profile and task bundle. Maybe I’m not deploying it correctly? It still seems like you need to have a Google account to get anything enrolled. It also seems like Sophos can only do Work Profiles, not Work Managed devices. Maybe I’m blind and can’t find where these features are? Let me know if I am.

andrewkapsch, you do need to be running a current version of Sophos Mobile Control (8.0+ or 8.1) to deal with Work Managed devices. If you’re using a version of SMC that isn’t part of Sophos Central, you can find “About” at the bottom of the left navigation. This should show your current version number.

If you’re currently running version 7.1 or later, you can upgrade to 8.1 with a single upgrade installation: Service and Support

@andrewkapsch

Maxim@SOPHOS, We use Sophos Central, so we don’t have an on-prem server setup. Only what is in the cloud.

@maxim-sophos

Hi OP- wanted to quickly jump in and let you know about what PCM can do to help you find and maintain an MDM solution. Due to our long-standing relationships with the industry’s leading manufacturers, we can provide a full start-to-finish solution to help your business be prepared for integrating and securing mobile devices in your organization. Linking to more details below for you as well:

http://www.pcm.com/n/Secure-Mobility/msc-333#activeTab=id01

Let me know if you have any questions!

andrewkapsch, take a look at Policies > Android > New policy. This should offer Android enterprise – Device owner.

@andrewkapsch

This is what I get:

Sophos.png

@maxim-sophos

You want Android enterprise device policy.

Also note: The device must be clean and unprovisioned. Reset to full factory defaults.

When you set the device up, connect it to Wi-Fi and when it asks for a Google account you use ‘afw#sophos’ and not a Google account. This will install Sophos Control and allow you to enroll the device into Sophos without having to add a Google account to the device.

Are you missing this step? It took me a bit to figure this one out.

It would be really nice if Sophos supported QR code enrollment for Work Managed devices (cough, AirWatch does).

That did it! I had the policy created already, but I had no clue about the ‘afw#sophos’ thing. The setup process is actually pretty neat. I was able to get Sophos to enroll with a QR code. I’m not sure how else you would do it.

Anyways, thanks!

@jordack2

1 Spice up