TinyMDM offers a wide range of features for managing android mobile devices, simplifying the control and security of your fleet of business terminals. However, to fully leverage the solution, it’s essential to follow certain best practices.
Before creating your account
Best practice n°1: GMS license verification
The GMS (Google Mobile Services) license is a set of applications and services provided by Google that are preinstalled on most certified android devices.
Before purchasing or deploying devices with TinyMDM, ensure you verify with the reseller or manufacturer that they are certified with the GMS license. Currently, without this license, you won’t be able to enroll your mobile devices.
Best practice n°2: Use a generic email address
When creating your TinyMDM account, prefer using a generic email address rather than the personal email of one of your employees. By opting for a generic email address, you ensure that access to the account is not lost in case the employee leaves the company.
Best practice n°3: Multiple administrators for registration
As part of registering a company with Android EMM, Google advises having multiple administrators registered on Android EMM. This ensures the security of the devices in case an employee leaves, an email address is deleted for any reason, or a Google account becomes inactive and is deleted. Indeed, if a TinyMDM account is associated with a single email address and that address is disconnected from the account or becomes inactive and is deleted by Google, the enrolled mobile devices will no longer be linked to Android EMM and will need to be re-enrolled. The inactivity of a Google account can lead to its deletion after a prolonged period of non-use, thereby increasing the risk of losing device management. Learn more here.
After creating your account
Best practice n°4: One device per user
When deploying mobile device management policies, it is recommended to limit enrollment to one device per user. This approach simplifies management within TinyMDM and allows for configuration changes with just two clicks. This makes device management much faster and more efficient, saving administrators time.
Best practice n°5: Regular updates
Keeping TinyMDM up to date is essential to ensure its reliability, security, and optimal performance. We recommend performing updates to the solution at least quarterly.
Best practice n°6: Enhanced security for kiosk mode
When enabling kiosk mode on your devices, it is recommended to always leave a secure way to exit (either via the Info app, the Exit app, or the Shake and quit option). By having one of these options enabled, you anticipate cases where a device is no longer connected to the Internet or faces a technical issue requiring access to settings.
For these three methods, the user must ask their administrator for the admin code, visible on the administration console next to the Enable kiosk mode checkbox. This one-time-use admin code allows switching the device to fully managed mode, even if it is not connected to the Internet. For more details, you can consult this tutorial.
Best practice n°7: Using the secure browser or VPN
When enabling Internet filtering on TinyMDM, the secure browser is automatically installed on the devices within the policy. This browser is strongly recommended for optimal filtering performance. If, for any reason, you do not wish to install this browser, you can activate the option “Use TinyMDM VPN for filtering rather than the integrated secure web browser.” However, we do not recommend using the VPN, as it can cause Internet connection issues and/or excessive battery consumption. Filtering is much more reliable and efficient with the secure browser.
Conversely, if neither the Internet browser is installed nor the VPN is enabled, Internet access will not be filtered.
Best practice n°8: Preconfiguration of FRP
FRP, or Factory Reset Protection, is a Google security feature that protects access to the terminal in case of loss or theft. If someone performs a factory reset on the device and it has FRP protection, only the person with the credentials of the previously used Google account can use the device.
To prevent personal accounts from blocking your business devices, TinyMDM allows you to preconfigure a Google account for FRP. Thus, if FRP is activated after a reset, the device can be unlocked using the Google account configured via TinyMDM. This ensures that devices remain usable even after an employee leaves. This feature is available starting with Android 11. If you have devices with an earlier version, please contact support so we can find the best solution based on your usage.
Best practice n°9: Creating managers
If multiple people are managing the mobile devices in your company, it is strongly advised to create managers for each member of the IT team. This method ensures that each person has their own access and specific permissions.
Best practice n°10: Blocking hard reset
Blocking the possibility of performing a hard reset on the devices may seem like a logical security measure, but it can lead to undesirable consequences. Indeed, if a device cannot be reset by buttons, has an unknown password, and cannot connect to the Internet, it may render the device unusable.
In conclusion, following these ten best practices will optimize your use of TinyMDM.
27th of May 2024