Skip to main content

Staging Group for Enrollment

This new feature with SureMDM that allows administrators to streamline the process of enrolling and preparing devices by first placing them in a Staging group. In this staging environment, essential profiles and jobs can be applied before the devices are moved to their actual device group. The transition from the staging group to the actual user group is controlled through SAML authentication and the input of a staging password.

Please follow the steps below to use the Enrollment Staging:

SureMDM Console Steps:

  1. Configure Active Directory (AD) Sync:

On the SureMDM console, navigate to Account Settings > Enterprise Integrations> AD Integration. Configure the AD sync to pull user and group information from your AD server. Please click here for details.

This step ensures that user groups within the SureMDM environment mirror those in your AD, allowing for accurate user group assignments when devices transition from staging to their final user group.

note

If you have an Azure AD set-up, you would have to whitelist the URL and sync the users & groups to a Windows AD, and then proceed with the previous steps.

  1. Set Up Device Enrollment Authentication to SAML:
  • Navigate to Account Settings > Device Enrollment Settings > Device Enrollment Rules.
  • Select SAML as the Enrollment Authentication Type. You will need to configure the necessary parameters, including the Identity Provider (IdP) details and service URLs. Please refer to link for details.
  • Further check the Enable Staging Enrollment Option to ensures that newly enrolled devices are first placed in the staging group.
  • From the device groups available under Select Staging Group choose the specific staging group to which devices will be initially assigned.
  • Click Apply to apply these changes to finalize the setup.
  1. Create an Enrollment QR Code in Device Owner Mode:
  • In the SureMDM console, navigate to Enrollment > New > Enter the Name > Set the Select Platform as Android > Set Select Management Type > Set Select Enrollment Mode as Fully Managed Device (Device Owner) > Check the Enable Staging Enrollment option.
  • Enroll the device using this QR code and the devices will be placed in the Staging Group.
note

This feature is only supported for DO devices.

Device-Side Steps:

  1. Enroll the Device Using the Generated QR Code:
  • On a fresh (factory reset) device, initiate the enrollment process by scanning the QR code generated from the SureMDM console.
  • Follow the on-screen prompts to complete the enrollment. The device will automatically be placed in the staging group upon successful enrollment.
  1. Device Enrollment into the Staging Group:
  • Once enrolled, the device will appear in the staging group within the SureMDM console.
  • The system will automatically deploy the pre-configured default jobs and profiles associated with the staging group onto the device.
  • The user will be prompted to enter the Staging Password. This additional security measure ensures that only authorized users can enroll the device to the staging group
  1. SAML Authentication and Staging Password:
  • Open the SureMDM agent application on the enrolled device.
  • The user will be prompted to log in using the configured SAML authentication method. This typically involves entering credentials that are validated against your organization’s Identity Provider.
  • Upon successful validation, the device will automatically transition from the staging group to the actual user group as per the settings in the AD server. The default jobs and profiles assigned to the actual user group will then be applied to the device, ensuring it is fully configured and ready for use by the end user.

Summary:

This new enrollment staging feature in SureMDM enhances device management by providing a controlled environment where devices can be fully prepared before being handed off to users. By utilizing AD sync, SAML authentication, and the staging password, administrators can ensure that devices are properly configured and securely deployed to the correct user group with minimal manual intervention.