Guest User!

You are not Sophos Staff.

Thread Info
  • State Suggested Answer
  • +1 person also asked this people also asked this
  • Locked Locked
  • Replies 8 replies
  • Answers 1 answer
  • Subscribers 10 subscribers
  • Views 14509 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Controll App Management - Preventing users from uninstalling the SMC App

Sascha Weber

Hello,

I am just wondering if there is now way to prevent users from uninstalling the SMC App?

And as well I thought, that the compliance notification *Status Managed required* would inform administrators when the SMC App has been deleted form an Device, but it just says "Synchronization interval too large" for devices where the App has been deleted (and that could as well be the case if someone is on vacation/ill/...)?

Can someone help me out there?

Best regards,

Sascha



This thread was automatically locked due to age.
  • 0

    Any ideas?

     

    Btw. our devices are iPhones only.

  • 0

    As far as I can tell, the app only allows certain features:

    • Report the device compliance status.
    • Trigger device synchronization with the EMM server.
    • Install apps from an Enterprise App Store.
    • Display all compliance violations.
    • Receive messages from the EMM server.
    • Display support information.

    We have given up on trying to enforce the App, as profiles push and install correctly without it.

    Regards,
    Bohdan

  • 0

    PUSH!

    +1

     

    Is there a way?

    Because... When someone uninstall the app, then the SMC Server didn't notice this. And says "all okay!"

  • 0 in reply to Stefan Fröchtenicht

    You can set up a compliance rule, based on the SMC App checkin time, so if App checked in more than 24hours ago then flag.

    Regards,
    Bohdan

  • 0 in reply to Bohdan.S

    Ah. thats a good workround. thanks!

  • 0 in reply to Stefan Fröchtenicht

    when people delete the smc app the device profile still keep the device manageable, after re-installing the smc app on the apple device have you found a way to re-configure the app without having to send an email notification to the device for the user to click the configure app link? we have manay devices out there with no email configured and this is a big pain to us

  • +1 in reply to Andrew Mullins

    Hi all,

    first of all, I'd like to clarify something around the management of iOS devices.

    When you manage an iOS device there are two separate things which are involved.

    1. The Sophos Mobile Control app
      This is the start of enrollment process but does not provide any management capabilities. The app is only used for the following things:

      • Detect jailbreak status
      • Locate the device
      • Report the device compliance status
      • Trigger device synchronization with the EMM server
      • Install apps from an Enterprise App Store
      • Display all compliance violations
      • Receive messages from the EMM server
      • Display support information
    2. The Mobile Device Management (MDM) profile
      After the QR code is scanned with the app the user is asked to install the MDM profile. This profile is not directly realted to the SMC app.
      By installing the profiel the actual management capabilities are given such as
      • profile installation
      • app installation
      • wiping the device
      • locking the device

    Due to that, you also have two different synchronization values within the device details in the admin console called "Last MDM synchronization" and "Last SMC synchronization"
    If a user now removes the app, the profile still remains on the device and the device is still listed as "Managed".
    If an "Unenroll" action is performed from within the app, the profile is removed as well. The device then should be shown as "Unenrolled" 

    Preventing the user to uninstall the app is only possible on supervised devices by setting the restriction "Allow app removal".
    This however then applies to all apps.

    Re-deploying the app will result in an unconfigured app on the device. In that case, the "Reconfigure SMC app" task must be sent out to the device.
    Deploying the app in a way that it is configured automatically would be a feature request which has to be raised here.

    Hope this helps.

    Best regards
    Stefan

  • 0 in reply to SDU

    thank you, that was my understanding. ill raise the request for the new feature.

     

    thanks

     

    Andy

Unfiltered HTML