To configure default MDM settings for a new device policy in Symantec Mobility: Suite, on the left pane of the Mobility Manager select Settings > Device Configuration > Device management.
The settings that are enabled in any section of the Device Management page are inherited into a new device policy when one is created. Settings on the device management page only define the default device policy template values. Settings on the device management page do not globally enable or disable MDM.
The device management page consists of the following sections:
The policy defaults section contains the following elements that can be set to a default value when creating a device policy.
MDM enablement for iOS, Android or Windows devices. Enabling MDM for iOS devices requires a default definition for MDM access. The following options are available:
App Management - Allows you to manage app and profile installation and removal.
App and Device Management - The default setting; includes the App Management rights and adds the ability to remotely control the device.
App and Device Management with Wipe - Adds the ability to wipe the device.
If you increase the level of iOS access rights, Safari must be an enabled application. Please access iOS Settings > Device Restrictions to confirm Safari application enablement status before changing iOS access rights.
Allow query of Network Information (WiFiMAC, PhoneNumber, VoiceRoamingEnabled, DataRoamingEnabled, PersonalHotspotEnabled)
Allow restriction-related queries
Allow security-related queries
App and Device Management with Wipe
All of the App and Device Management settings
Allow device erase
The location tracking section defines the default setting for device policies to allow or disallow device location tracking.
When Allow device policies to enable location tracking is disabled, the Enable collection and display of user location option does not appear in a newly created device policy.
Use-case: You want to provide Mobility Suite administrators permissions to create device policies. You want to prevent Mobility Suite administrators from changing default device policy settings by disabling access permissions to the Device Management page. Follow the steps listed below:
From the Mobility Manager console, click Settings > Authentication and Roles > Roles and Permissions
Click Add Roll or select an existing role and click the clone button.
Provide a name for the new role.
Within the General section, ensure that Change device management settings is unchecked.
Within the Devices section, ensure that Can add device policy is checked.
Click Save to save your new role.
From the Mobility Manager console, click Users > Users and Groups.
Click Create group.
Provide a Group name for the new group.
Click the Group permissions drop-down and select the role you created in 2.
Click the Members drop-down and add users to this group.
Click the Admin scope field and add an admin scope.
Users that you add to this group have permissions to create a device policy.
Users that you add to this group do not have permissions to define default device policy options (such as the presence of the Enable collection and display of user location option) or values that exist when a device policy is created.
The iOS settings section contains the following elements that can be set to a default value when creating a device policy:
MDM certificate upload reminder.
iOS MDM requires that you upload an iOS MDM certificate to Mobility Suite.