Device Entitlement is a mobile security feature that allows administrators to manage which mobile devices are allowed to use the Egnyte mobile app. Device Entitlement works alongside Enterprise Mobility Management (EMM) solutions to identify whether users are accessing Egnyte on a managed device. Administrators can control whether access on unmanaged devices is allowed or set up additional restrictions to minimize the risk of data loss. Egnyte must enable Device Entitlement for your domain. Admins can contact support@egnyte.com to get Device Entitlement enabled.
Requirements
- Device Entitlement is only available with Egnyte’s Device Control package
- This feature also requires a compatible MDM/MAM/EMM solution
- Users' devices are already enrolled and set up with the MDM
- Minimum Supported version: iOS 10.0 or Android 6.0
Setup
Step 1: The admin enables and configures Device Entitlement from Egnyte’s Web UI
Step 2: Connect Egnyte to your Mobile Management solution
Optionally, there are some additional steps that you can take to tailor security for unmanaged devices to your company’s preference.
Step 1: Setting up Device Entitlement in Egnyte
1. If you have purchased the Egnyte Device Control package, you can enable Device Entitlement from our Web UI. Click Settings.
2. Access the Applications panel by navigating to the Configuration tab, then select the Applications page. Toggle Mobile Device Entitlement on to enable the feature.
3. Once enabled, generate a Mobile Device Entitlement Token and save this string for the second part of the setup.
Note: If you are managing multiple Egnyte domains (via Multi-Entity Management), please set the Mobile Device Entitlement Token to be the same across all of your Egnyte domains. If an end user tries to authenticate into a domain that is using a different Mobile Device Entitlement token, it will be treated as an unmanaged device and will have restricted access.
Step 2: Linking your MDM to Egnyte
Each MDM is slightly different, so we have created separate guides for the common mobile management solutions that we support.
MobileIron
AirWatch
MobileIron
1. From your MobileIron admin console, choose Apps from the top menu, then click +Add.
- Your key should be deviceEntitlementToken
- Your Device Entitlement Token should be copy/pasted from Step 1 into the value field.
Optional:
- You can auto-install our app on managed devices so that your end-users don’t even need to search for the app in the app catalog.
Step 3: Restriction Customization (Optional)
Once you have successfully configured Device Entitlement for your domain, you can choose to further customize access restrictions from the Egnyte Web UI.
For managed users, you can set your restrictions under the Mobile section, right above the Device Entitlement section in Egnyte.
For unmanaged users, you can customize restrictions separately for Admin/Power Users and Standard Users. Enable either section to further block local storage, require a passcode lock, and/or block 3rd party app access.
Note: More restrictive settings will always overwrite less restrictive ones.
Step 4: Scalable Authentication Assist (Optional)
To help onboard your managed users faster, you can pre-install and pre-fill some of your end user’s input fields through your MDM. When your users open the app, all they will need to do is type in their password.
Note: Single sign-on users will still have to type in both username and password, but no longer need to fill in the domain field.
In the App Policy view, choose to add the following key-value pairs so that these values are injected into your end user’s device for a seamless authentication experience.
Key | Value | Notes |
login | <user's username or email> | This field is ignored when the field useSSO is set to true. The value should be filled with a MobileIron variable so that each of your end user's devices will have this field prefilled with their username or email. The available variables that you can select from can be found under the Admin -> Attributes section in your MobileIron portal. This value can't be read if the company uses SSO login. Username must follow set convention to work. |
domain | <domain name> | iOS: <domain name>.egnyte.com Android: <domain name> |
deviceEntitlementToken | <String> | This string needs to match what is set in the Web UI Device Control panel. |
AirWatch
Optional:
- You can choose a Silent Install setup to auto-install (mass deployment) our app on managed devices.
Step 3: Scalable Authentication Assist (Optional)
To help onboard your managed users faster, you can pre-install and pre-fill some of your end user’s input fields through your MDM. When your users open the app, all they will need to do is type in their password.
Note: Single sign-on users will still have to type in both username and password, but no longer need to fill in the domain field.
In the App Policy view, choose to add the following key-value pairs so that these values are injected into your end user’s device for a seamless authentication experience.
Key | Value | Notes |
login | <user's username or email> | This field is ignored when the field useSSO is set to true. The value should be filled with an AirWatch variable so that each of your end user's devices will have this field pre-filled with their username or email. The available variables that you can select from can be referenced under the Insert Lookup Value button, on the right side of the input box. This value can't be read if the company uses SSO login. Username must follow set convention to work. |
domain | <domain name> | iOS: <domain name>.egnyte.com Android: <domain name> |
deviceEntitlementToken | <String> | This string needs to match what is set in the Web UI Device Control panel. |
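A pre-deployment check for the key-value pairs in the MobileIron and AirWatch tables above, together with the multi-domain token note in Step 1. This is an added example, not Egnyte's or either MDM's code: the key names come from the tables, while the dict layout, the function names, the string form of useSSO and all sample values are assumptions.

```python
import re

# Key names (login, domain, deviceEntitlementToken, useSSO) come from the tables
# above. The dict layout, function names and sample values are assumptions.
LABEL = re.compile(r"^[a-z0-9][a-z0-9-]*$", re.IGNORECASE)
IOS_SUFFIX = ".egnyte.com"

def lint_app_policy(platform, policy, web_ui_token):
    """Return findings for one app policy; an empty list means it looks correct.
    Findings never echo the token value, so the output is safe to log."""
    findings = []
    token = policy.get("deviceEntitlementToken", "")
    if not token:
        findings.append("deviceEntitlementToken is missing")
    elif token != token.strip():
        findings.append("deviceEntitlementToken has stray whitespace from copy/paste")
    elif token != web_ui_token:
        findings.append("deviceEntitlementToken differs from the Web UI token")

    domain = policy.get("domain")
    if domain is not None:
        if platform == "ios":
            # iOS expects <domain name>.egnyte.com
            name = domain[:-len(IOS_SUFFIX)] if domain.lower().endswith(IOS_SUFFIX) else ""
        else:
            # Android expects the bare <domain name>
            name = domain
        if not LABEL.match(name):
            findings.append(f"domain {domain!r} has the wrong form for {platform}")

    use_sso = str(policy.get("useSSO", "")).lower() == "true"
    if use_sso and policy.get("login"):
        findings.append("login is set but is ignored because useSSO is true")
    return findings

def tokens_consistent(token_by_egnyte_domain):
    """Multi-Entity Management: every Egnyte domain must carry the same token."""
    return len(set(token_by_egnyte_domain.values())) <= 1

# Constructed sample data (not real tokens or domains).
WEB_UI_TOKEN = "EXAMPLE-TOKEN-0000"
IOS_POLICY = {"domain": "acme.egnyte.com", "login": "jdoe@acme.example",
              "deviceEntitlementToken": WEB_UI_TOKEN}
ANDROID_POLICY = {"domain": "acme.egnyte.com", "login": "jdoe", "useSSO": "true",
                  "deviceEntitlementToken": WEB_UI_TOKEN + " "}

if __name__ == "__main__":
    for platform, policy in (("ios", IOS_POLICY), ("android", ANDROID_POLICY)):
        print(platform, lint_app_policy(platform, policy, WEB_UI_TOKEN) or "OK")
```

A policy that fails the token checks is worth catching before rollout, since a device with a missing or mismatched token is treated as unmanaged and gets restricted access.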
End-User Experience
- Your end-users will not need to do anything unique.
- If unmanaged access is restricted, the end-user will simply not be able to log in.
- If unmanaged devices are allowed access, but with feature restrictions, then those features will simply not be available when the end-user is using the app.
Troubleshooting
Question 1: I’m trying to integrate Device Entitlement with Android for Work. However, my device is not letting me install a work profile. What is wrong?
Answer 1: Your device might be rooted. Android for Work does not support rooted devices.