Enterprise Mobile Device Initial Provisioning Workflow
Understanding the processes of initial provisioning and ongoing management of an enterprise mobile device is important because of their security policy implications. The processes described here are the most common ones. In some cases, they have been simplified to only the items directly relevant to understanding how the device goes from an unknown device to a fully provisioned and manageable device.
After you decide to manage a device with a mobile device management (MDM) application, follow these steps:
Connect the device to the management console or server so that it can be provisioned.
This means that the URL of the management server needs to be entered on the device. You can use one of these two methods to do that:
Tell the user the URL or send an e-mail with a clickable URL to the user.
Send the URL via SMS from the management server to the device.
Some solutions initially require the user to download a client application from the smartphone application marketplace. With these applications, the flow is similar, but rather than entering the URL into her mobile phone browser, the user enters it into the management client application.
Have the user click the URL or enter it in the appropriate application and authenticate at that login page, verifying the user’s identity.
Upon completion of authentication, the management console typically completes a registration process. At this point, it might determine which policies and configuration to apply to the device based on the user, the user’s role, and the type of device being registered.
The management console then sends the appropriate configuration information to the mobile device. Often, this is in the form of a configuration file that the device knows how to interpret.
Have the user accept and install the new configuration file when prompted.
This step does involve end user input, and it is important from a security perspective. You certainly don’t want your users accepting updated configuration files from rogue management servers. Make sure that you train your end users on the dangers of accepting unknown configuration files.
After the user has accepted the new configuration file, the device installs the file and is updated with its new settings and policies.
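The workflow above, modelled end to end as an added example (not code from any MDM product): a check of the enrollment URL the user receives by e-mail or SMS, the console’s selection of a policy by user role and device type at registration, and the device refusing a configuration file whose signature does not verify. The trusted host, policy table and HMAC signing key are constructed assumptions; a real platform uses a signed profile format, but the accept-only-if-verified decision is the same.

```python
import hmac
import hashlib
import json
from typing import Optional
from urllib.parse import urlparse

# Constructed values for this example: the enrollment host an organisation
# trusts, and a shared key standing in for the platform's profile signature.
TRUSTED_MDM_HOSTS = {"mdm.example.com"}
SIGNING_KEY = b"constructed-demo-key-not-for-production"

# Policy table keyed by (role, device type), consulted by the management
# console at registration time, as described in step 2 of the workflow.
POLICIES = {
    ("employee", "ios"): {"passcode_min_length": 6, "camera": True},
    ("contractor", "ios"): {"passcode_min_length": 8, "camera": False},
    ("employee", "android"): {"passcode_min_length": 6, "camera": True},
}


def enrollment_url_is_trusted(url: str) -> bool:
    """Check a delivered enrollment URL before the user opens it:
    HTTPS only, no embedded credentials, host on the allowlist."""
    p = urlparse(url)
    if p.scheme != "https" or p.username or p.password:
        return False
    return p.hostname in TRUSTED_MDM_HOSTS


def build_signed_config(user: str, role: str, device_type: str) -> dict:
    """Console side: pick the policy for this user/role/device and sign it."""
    policy = POLICIES.get((role, device_type))
    if policy is None:
        raise ValueError(f"no policy for role={role!r} device={device_type!r}")
    body = json.dumps({"user": user, "policy": policy}, sort_keys=True)
    sig = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "sig": sig}


def device_accept_config(config: dict) -> Optional[dict]:
    """Device side: install only a configuration whose signature verifies;
    anything else is treated as coming from an untrusted server."""
    expected = hmac.new(SIGNING_KEY, config["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, config.get("sig", "")):
        return None
    return json.loads(config["body"])["policy"]
```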
The process described here is the typical over-the-air provisioning process employed by mobile device management solutions. There are other options for deployment of the configuration file to the mobile device, including
E-mail: The configuration file can be e-mailed to the recipient as an attachment, which is then installed on the endpoint device. If you have enforced a policy that restricts the downloading of e-mail attachments, this method conflicts with that policy. Ensure that you are not so restrictive that you prohibit your users from installing the security software that you want to see on their devices!
Web-based delivery: The file is placed on a web server that the user browses to in order to install the configuration.
Direct connection to a PC: This option leverages a configuration utility, such as the iPhone Configuration Utility. In this case, the user physically connects his device to a desktop or laptop via USB, and the config file is installed on the device as the device synchronizes to the software on the PC.
After the device has gone through the initial provisioning workflow, it is subject to ongoing management by the MDM server. As you make updates and changes to the configuration, the device accepts those updates with minimal additional end user interaction.