Mobile Devices

Overview

glueckkanja-gab (GKGAB) delivers standardized processes for managing mobile devices. With the use of the mobile device management service, tasks are performed by a dedicated team of experienced engineers from initial request to delivery.

Intune offers two options to protect company data on mobile devices:

  • Mobile Device Management (MDM): The entire device is protected by MDM policies
  • Mobile Application Management (MAM): Only the application itself is managed and protected by App Protection Policies

The following options are offered by the service provider as a managed service:

  • MDM in combination with MAM
  • MAM without (MDM-)Enrollment (MAM-WE)

Cost base

Service costs for this module are calculated based on the active user count of the customer. The number of active users equals the number of Microsoft 365 user subscriptions and is predefined between the parties.

Standard services and tasks

The following section lists the standard tasks and services included in the service.

Inventory

All devices are tracked in the admin portal for inventory and status tracking once the device is available in the corresponding portal.

MDM in combination with MAM

This scenario is used for company-owned devices. They will be fully managed via MDM. In addition, MAM protects the corporate data and apps, which makes personal use possible (COPE).

Operating Systems

The following operating systems are managed and supported by the service provider:

  • iOS
  • iPadOS
  • Android Enterprise

Supported devices

The following device types are supported:

  • iOS
    • iPhone 12 mini
    • iPhone 12
    • iPhone 12 Pro
    • iPhone 12 Pro Max
    • iPhone 11
    • iPhone 11 Pro
    • iPhone 11 Pro Max
    • iPhone XR
    • iPhone XS
    • iPhone XS Max
    • iPhone X
    • iPhone SE (2nd generation)
    • iPhone 8
    • iPhone 8 Plus
  • iPadOS
    • iPad (8th generation)
    • iPad (7th generation)
    • iPad (6th generation)
    • iPad mini 5
    • iPad mini 4
    • iPad Air (2020)
    • iPad Air (2019)
    • iPad Pro (2020)
    • iPad Pro (2018)
  • Android
    • Samsung Galaxy S21 Ultra
    • Samsung Galaxy S21 Plus
    • Samsung Galaxy S21
    • Samsung Galaxy S20 Ultra
    • Samsung Galaxy S20 Plus
    • Samsung Galaxy S20
    • Samsung Galaxy S20 FE
    • Samsung Galaxy S10+
    • Samsung Galaxy S10
    • Samsung Galaxy Note 20 Ultra
    • Samsung Galaxy Note 20
    • Samsung Galaxy Note 10
    • Samsung Galaxy Note 10+

Device/App enrollment/onboarding

The Company Portal app or the Intune app is used to enroll the devices. This process is combined with Apple Business Manager (formerly DEP) or Samsung Knox Mobile Enrollment. Because the Company Portal is used, there is no need to build, maintain and apply custom operating system images. MAM is configured automatically when the user logs in to dedicated apps (e.g. Outlook or Teams) with the corporate Azure AD account.

Config Profile

Modify the config profile:

  • Device Restriction and Features
  • Trusted Certificates with SCEPman
  • Wi-Fi
  • Mail App (native)

Update iOS and iPadOS

Software update policies let you force supervised iOS and iPadOS devices to automatically install OS updates. Supervised devices are those that are enrolled via Apple Business Manager.

App Management iOS and iPadOS

The service provider supports the customer in adding, modifying, and deleting applications and assignments. Using Apple Business Manager, applications are purchased from the Apple Store and assigned to the associated Azure AD group in Intune.

App Management Android

The service provider supports the customer in adding, modifying, and deleting applications and assignments. Using Managed Google Play, applications are purchased from the store and assigned to the associated Azure AD group in Intune.

App configuration Policy

The service provider supports the customer in updating and maintaining App Protection Policies for Android, iOS, and iPadOS: one set for managed devices and another for unmanaged devices.

Apple Connection

The service provider supports the customer with the annual renewal of the connection to Apple Business Manager (devices and apps) and of the push certificate. The service provider starts the certificate renewal process 30 days before the certificate expires.

Samsung Knox

The service provider supports the customer in maintaining the enrollment profiles.

MAM (MAM-WE)

This model is used for personal devices (BYOD). It allows employees to use a basic set of apps on their own Android or iOS/iPadOS device without a full MDM enrollment. Corporate data inside those apps will be protected via App Protection policies.

Android enrollment

The Company Portal is required for MAM. It allows an Azure AD registration of the device and is necessary for Conditional Access. It also provides the Intune SDK for all apps. It is recommended to install the Company Portal first, before logging in to apps like Outlook or Teams. Otherwise, the onboarding flow might be confusing for end users. The service provider supports the customer in deploying App Protection Policies to one user account per device.

iOS and iPadOS enrollment

The Microsoft Authenticator app is mandatory for MAM. As on Android, it registers the device in Azure AD. The service provider supports the customer in deploying App Protection Policies to one user account per device.

Supported applications

The following apps are supported by the service provider:

  • Outlook
  • Teams
  • OneDrive
  • Edge
  • Office
  • Word
  • Excel
  • PowerPoint
  • ToDo
  • OneNote
  • Adobe Reader

App Protection Policy

The service provider supports the customer in modifying the app protection policies.

The following options are available:

  • Conditional Launch
  • App Access Requirements
  • Data Sharing
  • Data Protection

App configuration Policy

The service provider supports the customer in modifying the app configuration policies (e.g. for Outlook and Edge).

Compliance

These policies are configured for all MDM enrolled devices. A device is reported as non-compliant when it drifts from our required security baseline.

MAM Wipe

If a device is lost or stolen, company data needs to be removed from the corporate apps without touching the personal space. This is done via a wipe request (at app level). This mechanism can also be used when an employee leaves the company.

The following task will be performed:

  • Create a wipe request

Monitoring

The reports cover the following scope. We continuously revise them (adjusting or removing reports where needed and adding new ones where it makes sense):

  • Profile deployment
  • Compliance
  • App installation
  • Updates (Device & Apps)
  • Enrollment failures
  • Devices and protected Apps in Use (per user)
  • Wipe requests

On-Demand services and tasks

The tasks and services described in the following section are not included as part of the Service but may be requested and delivered via On-Demand Services.

Ramp-Up

The initial commissioning and setup of our service is defined as ramp-up and is not part of our service. The ramp-up can be carried out via on-demand services or consulting services.

Customer requests and incidents

Direct customer requests that do not fall under the items listed under Standard services and tasks are treated as a normal change and serviced through On-Demand services.

Prerequisites

Services

An IT-Service agreement with glueckkanja-gab is required. The glueckkanja-gab Service Level Agreement and Request definitions also apply to this Service Description.

The Identity Module is required as the basis for the Client Module.

Technical requirements

Deviations and exceptions to these requirements may be discussed and approved on a case-by-case basis. These exceptions shall in no case be considered as a general rule for the provision of services.

General

  • Apple Business Manager
  • Samsung Knox
  • Latest version -2 of Android, iOS and iPadOS
  • Purchase licenses as required
  • Make sure that the CA policies for iOS/iPadOS and Android are already implemented
  • Determine the scope of policies and profiles (e.g. All Users/Devices or dedicated groups)

Android

  • RAM: 4 GB
  • Storage: 64 GB
  • Architecture: 64-bit
  • Minimum Processor speed: 2 GHz
  • Fingerprint reader
  • Dual SIM (for personal use)
  • Enrollment methods: Samsung Knox Enrollment or Zero-touch
  • installed OS on purchase: current version or one previous version
  • for "Corporate-owned devices with work profile", Android 11 or higher
  • unlocked

Samsung devices:

Non-Samsung devices:

iOS

  • Storage: 64 GB
  • Face or Touch ID
  • Dual SIM (for personal use)
  • Enrollment methods: Automated Device Enrollment (formerly "DEP")
  • current OS version incl. one previous version
  • unlocked

Device model onboarding

  • glueckkanja-gab AG needs to test and approve new models from the Customer
  • one test device needs to be provided to GKGAB (if not yet approved)
  • onboarding to Samsung Knox, Zero-touch or Apple Business Manager needs to be aligned with distributor and GKGAB
  • devices outside Samsung Knox, Zero-touch or Apple Business Manager will have limited support (e.g. due to Android Factory Reset Protection or Apple Activation Lock, Apple ID)
  • personal devices are not in the scope of MDM

License

The Customer is responsible for the correct licensing of all Microsoft services used and affected.

Optional

  • Optionally, the customer can add one of the on-call duty packages (defined in more detail in the Service Level Agreement).

Exclusion

The following tasks are not part of the managed service offering and are not supported by GKGAB:

  • Support of end-users in the device enrollment process
  • Tracking shipping status
  • No local Data recovery: User and team data, including personalization, is stored in OneDrive for Business, with only cache data residing locally. If data is intentionally stored on the device’s internal storage system, any data recovery must be attempted and completed prior to returning the device to Microsoft.
  • Devices are delivered to the customer's address, where they need to be powered on and set up by the customer.
