MDM Integration: SOTI MobiControl

NOTE: Applies to Android devices only.

Mobile Access Management supports MDM integration with SOTI MobiControl.

Android Requirements

  • The Imprivata Locker Android app must be granted Lock Task permissions in the MDM. In SOTI, this is lockdown mode.

  • The Locker app must be added to the allowlist in your MDM.

Locker App Registration

The integration of Mobile Access Management with SOTI MobiControl requires that you configure the API Integration and Android Locker App.

  1. In the MAM console, navigate to Admin > MDMs. Click + Add, and select SOTI MobiControl.

    Click to enlarge

  2. Switch the API Integration setting to ON. Click Configure.

    In the configuration dialog, add API settings that you obtained from the SOTI MobiControl console.

    Click to enlarge

Set Up SOTI MobiControl

Configure the enterprise bindings, if you have not already done so. This is a one-time configuration task.

To configure enterprise bindings:

  1. In the SOTI console, navigate to Global Settings > Enterprise Bindings.

  2. In the Managed Enterprise section, click + and then Continue to add the Google Enterprise account to the enterprise bindings.

To add a device group for the Mobile Access Management Android devices:

  1. In the SOTI console, navigate to Devices and click New Group.

  2. Select New Root Group.

  3. In the Create Group dialog, type a group name. Click Create.

  1. In the SOTI console, navigate to Policies > Apps and click New App Policy.

  2. In the Create App Policy dialog, select Android > Android Enterprise.

  3. On the General tab, type a name in the App Policy Name box.

  4. On the Apps tab, click + to add apps to the policy.

    1. On the Select Apps page, in the Apps section, select the Google Managed Enterprise account you added.

    2. Click Managed Google Play.

    3. Add the Imprivata Locker app from the Managed Google Play Store.

    4. Add any other apps, as needed.

  1. In the SOTI console, set the Manufacturer Serial Number device property to Searchable.

    Click to enlarge

  1. In the SOTI console, click the gear icon for the Imprivata Locker app.

  2. Click the Enable Managed App Config toggle.

  3. Enter AppConfig values from the MAM admin console:

    1. Add three new keys for the AppConfig and paste the values you copied from the MAM MDM tab:

      • Mobile Access Management MDM ID

      • Mobile Access Management Server

      • Device Identifier

        Click to enlarge

      • Optionally, in the Configuration Flags box, type enrollAndroidPIN to allow the use of the native Android PIN.

  4. Click Save.

Configure SOTI Lockdown Mode

SOTI's Lockdown mode replaces the standard device home screen with a customizable launcher interface that provides the user access to authorized apps and device features only. SOTI's Lockdown mode enables the ability to install the Imprivata Locker app in lock mode so the user cannot skip it.

SOTI Lockdown Mode Requirements

To support SOTI's lockdown mode, Mobile Access Management requires the following items to be allowed for opening by other apps but not available to a user:

App package name Description

com.android.settings

 Allows Imprivata Locker to open the Settings app for Force Stop, Clear cache, and Clear all data logout methods.

com.samsung.accessibility

Allows Imprivata Locker open Accessibility settings on Samsung devices.

Required only for Samsung devices.

SOTI Lockdown Mode and Imprivata Locker

When you configure SOTI Lockdown mode with the Imprivata Locker app, Mobile Access Management will use the lock task from SOTI lockdown and will lock the device.

IMPORTANT:

If an app is not explicitly included in the SOTI Lockdown mode, there will be restrictions when trying to access or invoke that app while the lockdown is in place.

To configure SOTI Lockdown mode:

  1. Set up SOTI using the tasks above.

  2. In the SOTI console, navigate to Configurations > Profiles. You can either create a new profile, or edit an existing profile for Lockdown mode.

  3. On the Configurations page of the profile, click + to add a configuration to the profile.

    1. In the Restrictions section, click Lockdown.

      1. On the Device Control tab, in the Custom Home Screen section, in Add Home Screen Items, click +.

        1. Add the Imprivata Locker app.

        2. Add the remaining required app package names - com.android.settings and com.samsung.accessibility (for Samsung devices).

        3. Add any other apps and adjust the display order of the home screen items, if needed.

          The user will only get access to the selected apps.

          Click to enlarge

        4. In the Lockdown Type section, select Native.

          1. Enable Home Button.

          2. Enable Keyguard.

          3. Enable Power Menu.

            Click to enlarge

    2. In the Security section, click Authentication.

      1. In the Device Administrator section, in the Password box, type a password for the administrator. This allows the administrator the ability to exit from SOTI Lockdown.

      2. Click Save.

        Click to enlarge

    3. Apply the profile to the device group.

Configure SOTI Clear Passcodes

To configure SOTI to clear passcodes, see SOTI Clear Passcodes.

Enroll Devices

Create an enrollment policy for the devices.

  1. In the SOTI console, navigate to Policies > Enrollment > All Policies.

  2. Click + New Enrollment Policy and select Android Enterprise.

  3. On the General page, enter the following information:

    1. Type a name for the policy.

    2. Optionally, type a meaningful description.

    3. In the Enterprise Bindings section, select Managed as the Google Account Type.

    4. Select the Managed Enterprise Account created in the previous task.

  4. On the Device Type page, select the management type for this Enrollment policy.

    1. Select Work Managed.

  5. On the Groups page, in the Device Group section, select the device group destination for the devices.

  6. On the Settings page, click Finish.

  7. Take note of the Enrollment ID for later use when enrolling a device.

SOTI device enrollment begins with a factory reset of the device.

To enroll a device:

  1. Wipe the device by using the full factory reset.

  2. Turn on the newly reset device.

  3. On the Welcome screen, select your language.

  4. Connect to the Wi-Fi, and then choose NEXT.

  5. Accept the Google Terms and conditions, and then choose NEXT.

  6. On the Google sign-in screen, enter afw#mobilecontrol instead of a Gmail account, and then choose NEXT

  7. Choose INSTALL for the MobiControl client app.

  8. Enter the Enrollment ID you saved in step 7 of the Step 1: Create an Enrollment Policy task.

  9. Complete the enrollment.