ºÚÁϺ£½Ç91Èë¿Ú

ºÚÁϺ£½Ç91Èë¿Ú Mobile Device Trust ensures users can access protected resources only from trusted devices. Using a combination of ºÚÁϺ£½Ç91Èë¿Ú Goâ„¢, ºÚÁϺ£½Ç91Èë¿Ú Device Management, ºÚÁϺ£½Ç91Èë¿Ú Protect®, and Conditional Access Policies (CAPs), you can safeguard access to protected SSO apps on mobile devices. This article covers how to prepare your org to start using ºÚÁϺ£½Ç91Èë¿Ú Go for Mobile and Mobile Device Trust on Apple and Android devices. 

To configure Device Trust, first enable ºÚÁϺ£½Ç91Èë¿Ú Go in the Admin Portal. Next, set up ºÚÁϺ£½Ç91Èë¿Ú Device Management. Depending on your environment, this will require Apple MDM, Android EMM, or both. When your devices are enrolled and managed in ºÚÁϺ£½Ç91Èë¿Ú, then use Software Management to deploy the ºÚÁϺ£½Ç91Èë¿Ú Protect app to your devices. Finally, to enforce Device Trust, create a CAP in the Admin Portal to enforce rules around trusted devices.

Prerequisites: 

• You’ve reviewed Get Started: Mobile Device Trust and are familiar with the prerequisites and considerations of ºÚÁϺ£½Ç91Èë¿Ú Go for Mobile and Mobile Device Trust. 

Considerations:

• For mobile devices to complete ºÚÁϺ£½Ç91Èë¿Ú Go for Mobile registration and be considered trusted, they must meet the following conditions:
  • Devices are enrolled in ºÚÁϺ£½Ç91Èë¿Ú Device Management: Apple MDM and/or Android EMM.
  • ºÚÁϺ£½Ç91Èë¿Ú Protect is deployed to devices using Apple VPP and/or Android Software Management.
  • ºÚÁϺ£½Ç91Èë¿Ú Protect evaluates devices and they must pass integrity and jailbreak detection checks. Otherwise ºÚÁϺ£½Ç91Èë¿Ú Go registration will fail.

Accessing Device Trust Readiness

The Device Trust Readiness page displays if your org is ready to start using Mobile Device Trust. Configure these prerequisites first before enforcing Device Trust via Conditional Access Policies. 

To access Device Trust Readiness:

1. Log in to the .
2. Go to SECURITY MANAGEMENT > Device Trust.
3. Under Device Requirements, review a list of prerequisites for each device type.
   • If the prerequisite is configured, a ✅ appears next to the feature name. 
   • If the prerequisite is not configured, click Manage to open a new tab to the appropriate feature in the Admin Portal and configure it.

Universal Device Requirements

ºÚÁϺ£½Ç91Èë¿Ú Go

All device types (Desktop, Apple iOS, and Android) require ºÚÁϺ£½Ç91Èë¿Ú Go.

1. Enable ºÚÁϺ£½Ç91Èë¿Ú Go in the Admin Portal. See Enabling ºÚÁϺ£½Ç91Èë¿Ú Go to learn more.

Apple Device Requirements

To use Mobile Device Trust on Apple devices:

1. Enable Apple MDM: To meet the requirements for ºÚÁϺ£½Ç91Èë¿Ú Go for Mobile and Mobile Device Trust, Apple devices must be enrolled in Apple MDM. To do so, you must enable Apple MDM in your ºÚÁϺ£½Ç91Èë¿Ú org.
   • See Set Up Apple MDM.
2. Enable Apple VPP: Required to deploy the ºÚÁϺ£½Ç91Èë¿Ú Protect app to mobile devices.
   • See Setting up VPP.
3. Create the ºÚÁϺ£½Ç91Èë¿Ú Protect App in Apple VPP: Use Apple VPP to manage and deploy the ºÚÁϺ£½Ç91Èë¿Ú Protect app to managed iOS devices.
   • See Install VPP Apps on Devices.
4. Enroll Apple Devices in MDM: After completing the Admin Portal configuration, ensure your devices are enrolled in MDM:
   • For company-owned devices, you need to enroll them in MDM. See Add Company-Owned Apple Devices to MDM with Device Enrollment.
   • If users access resources from their personal devices, they can enroll their devices directly from the User Portal without admin intervention using user enrollment (BYOD). See Add Personal Apple Devices to MDM with User Enrollment.
5. Bind Users to Mobile Devices: (Company-owned devices only): Devices enrolled using Apple Automated Device Enrollment (ADE) or Admin Portal enrollments require you to bind the user to the mobile device record in ºÚÁϺ£½Ç91Èë¿Ú. See Bind Users to Devices.

6. Browser Requirements: Safari is the recommended browser for ºÚÁϺ£½Ç91Èë¿Ú Go registration. If another browser is set as the default, users may need to set the default browser as Safari to complete registration.

ºÚÁϺ£½Ç91Èë¿Ú Protect iOS App

When you deploy ºÚÁϺ£½Ç91Èë¿Ú Protect app to Apple devices, the user configuration process varies depending on the device and enrollment type:

• Automated Device Enrollment (Company-owned): ºÚÁϺ£½Ç91Èë¿Ú MDM can silently push a managed instance of ºÚÁϺ£½Ç91Èë¿Ú Protect or silently take over a personally installed version of ºÚÁϺ£½Ç91Èë¿Ú Protect.
• Profile-driven Device Enrollment (Company-owned): ºÚÁϺ£½Ç91Èë¿Ú MDM can push a managed instance of ºÚÁϺ£½Ç91Èë¿Ú Protect or take over a personally installed version of ºÚÁϺ£½Ç91Èë¿Ú Protect, but will prompt users to approve.
• User Enrollment (BYOD): ºÚÁϺ£½Ç91Èë¿Ú MDM can push a managed instance of ºÚÁϺ£½Ç91Èë¿Ú Protect and prompt users to approve. However, if users already have a personally installed version of ºÚÁϺ£½Ç91Èë¿Ú Protect, users can delete the existing app to deploy it via MDM, or you allow users to use the existing ºÚÁϺ£½Ç91Èë¿Ú Protect app on their devices.

Android Device Requirements 

To use Mobile Device Trust on Android devices:

1. Enable Android EMM: To meet the requirements for ºÚÁϺ£½Ç91Èë¿Ú Go for Mobile and Mobile Device Trust, Android devices must be enrolled in Android EMM. To do so, you must enable Android EMM in your ºÚÁϺ£½Ç91Èë¿Ú org.
   • See Set Up Android EMM.
2. Enable Android Software Management: Enabling Android EMM automatically enables Android Software Management, so no additional configuration is required.
   • See Software Management: Android.
3. Create the ºÚÁϺ£½Ç91Èë¿Ú Protect App in Android Software Management: Use Android Software Management to manage and deploy the ºÚÁϺ£½Ç91Èë¿Ú Protect app to Android devices.
   • See Adding Android Apps.

4. Enroll Android devices in Android EMM: After completing the Admin Portal configuration, ensure your Android devices are enrolled in EMM:
   • For company-owned devices, you need to enroll them in EMM. See Enrolling a Company-Owned Android Device to learn more.
   • If your users access resources from their personal devices, they can enroll their devices directly from the User Portal without admin intervention using user enrollment (BYOD). See Enrolling a Personal Device to learn more.
5. Bind Users to Mobile Devices: (Company-owned devices only): Devices enrolled using Android Zero Touch or Admin Portal enrollments require you to bind the user to the mobile device record in ºÚÁϺ£½Ç91Èë¿Ú. See Bind Users to Devices.

6. Browser Requirements: Managed Google Chrome is required for ºÚÁϺ£½Ç91Èë¿Ú Go registration. You must deploy Google Chrome to devices using Android Software Management. Ensure your users are aware of the managed Google Chrome app and that they can download it from the Managed Google Play Store.
   • See Adding Android Apps.

ºÚÁϺ£½Ç91Èë¿Ú Protect Android App

You'll need to configure the ºÚÁϺ£½Ç91Èë¿Ú Protect Android app in Software Management to use it with Mobile Device Trust. 

To configure the ºÚÁϺ£½Ç91Èë¿Ú Protect app for Android:

1. Go to DEVICE MANAGEMENT > Software Management. Select the Google tab.
2. Select the ºÚÁϺ£½Ç91Èë¿Ú Protect app. 
3. In the Details tab, select Configuration.
4. Under Managed configuration, configure the following settings:
   1. Enter a Configuration name.
   2. The OrgID and SystemID values should be prefilled.
   3. Click Save.
      

Configuring Conditional Access Policies (CAPs)

After configuring all the necessary features in ºÚÁϺ£½Ç91Èë¿Ú for Mobile Device Trust, use CAPs to enforce Device Trust.

1. Create a CAP using the Device Management condition to enforce Device Trust and guard appropriate resources.
   • Optionally, use the Operating System condition for granular targeting of platforms, for example Android or Apple iOS / iPad OS devices. See Configure a Conditional Access Policy to learn more. 

Additional Resources

• Enroll: