Matrix42 Self-Service Help Center

Prevent unenrollments and factory wipe

Overview

We are often asked how to prevent unenrollments of managed devices, as in some cases it is necessary for admins to keep the device fleet managed and not let users unenroll from the management system. In general, preventing unenrollments is intended for corporate-owned devices; users of personal devices should always be free to remove their personal devices from business use. As each platform has its own specifics, this article gives you an overview of how to prevent unenrollments on each of them:

Android Enterprise 

Android Enterprise covers Android and Samsung Knox devices that are enrolled either in device owner mode (for corporate-owned devices) or with a work profile (for personal devices). Because the Matrix42 Companion acts as the device policy controller, a third-party application that configures the operating system, Android management follows a somewhat different approach than Apple or Windows 10/11 management with their built-in clients. This means we need to take two parts into consideration: first the Matrix42 Companion itself, and then the operating system. When managing Android devices, the device policy controller application is set as a device admin app. This applies, for example, to the Matrix42 Companion as well as to the Samsung Knox Service Plugin, if that is in use too. This is what allows you to enforce device security policies such as preventing screenshots.

So how can you now prevent the unenrollment of devices? Let's start with the Matrix42 Companion. You may already have noticed that users can launch the Matrix42 Companion application, open the menu and use the Unenroll option. With just a few clicks you can prevent this option from being available to users:

  • Open your Silverback Management Console
  • Login with your administrative credentials
  • Navigate to Admin
  • Select Companion
  • Select either Android or Samsung Knox
  • Disable the Allow user to unenroll option
  • Press Save 
  • Confirm with OK

After the next device check-in, the Unenroll button becomes unusable as shown in the screenshots below:

Screenshots: Companion with the Allow user to unenroll option enabled; Companion with the Allow user to unenroll option disabled.

But as mentioned above, there are two parts (application + operating system) to the management, so creative users will certainly try another way to remove the device from management. Here the device owner mode closes these routes by default: users cannot deactivate the Matrix42 Companion as a device admin app, and by default they cannot uninstall the application.

Screenshots: Silverback is listed under the device admin apps; the Deactivate this device admin app option is deactivated; the Uninstall button for Companion is disabled.

The last option left to the user is to factory wipe the device and try to set it up as an unmanaged device. First, you can prevent the user from performing the factory wipe from the operating system with the restriction Allow Factory Wipe, which is applicable to device owner devices. This ensures that users receive the message that this action is blocked by their IT admin. To prevent the device from being set up as an unmanaged device after a factory wipe, you can use Zero Touch Enrollment or Samsung Knox Mobile Enrollment.

Screenshots: when users try to Erase all data (factory reset), a blocked by your IT admin message is shown.

For personal devices equipped with a Work Profile, the options are limited by the management type, which expects the devices to be personal devices that access corporate data in a separate container on the device. This leads to the following differences:

  • Users get asked to activate Matrix42 Companion as device admin app during the enrollment
  • If the Allow user to unenroll option is disabled, the Unenroll option inside Matrix42 Companion in the personal area of the device is disabled, but inside the Work Profile the Remove Profile option will always be active
  • Users can remove the Work Profile either from the operating system (device admin apps) or with the Remove Profile option in the Companion inside the Work Profile
  • After removing the Work Profile and with the next device check-in, the user will receive the information to set up the Work Profile again
  • As an alternative, you can reset the Work Profile from the Device Information for the particular device
  • Users can uninstall the Matrix42 Companion application at any time
  • Users can deactivate the device admin app at any time
  • Preventing Factory Wipe is not applicable to Work Profiles
  • The restriction Allow Remove Work Profile affects only device owner mode devices, and this management type is not yet supported

iOS, iPadOS, and macOS

To prevent unenrollments for iOS, iPadOS, and macOS devices, you can use the Device Enrollment Program. All you need to do is disable the Profile Removable option in the profile applied to the target device:

  • Open your Silverback Management Console
  • Login with your administrative credentials
  • Navigate to Admin
  • Select Device Enrollment Program

From here you can modify the standard profile by selecting General settings and configuring the Profile Removable option. If you want to prevent the unenrollment only for specific devices, create a new profile under Additional Profiles and assign it from the devices section. When the device has been enrolled with the Device Enrollment Program, the Remove Management option inside the MDM Profile is not available.

Screenshots (iOS and iPadOS): if profile removal is allowed, a Remove Management button is available to users; if profile removal is disallowed, the Remove Management button is not available.
Screenshots (macOS): if profile removal is allowed, the user can remove the main profile by selecting the - button; if profile removal is disallowed, the - button in the main MDM profile is greyed out.

Please note that even if the Profile Removable option is disabled, you can still execute the delete business data action from the Management Console to remove the device from management. In this scenario users can easily re-enroll their devices via the Self Service Portal, via QR code or by opening the activation page. The profile will then be set as removable again, because the device was not enrolled via the Device Enrollment Program this time. Once you perform a factory wipe and the device is re-enrolled through the Device Enrollment Program, the Remove Management option is again not visible to users.

To prevent a factory wipe on iOS, iPadOS, and macOS devices, you can disable the restriction Allow Erase Content And Settings for supervised devices. This greys out the Erase All Content and Settings option in the operating system, as shown below on an iOS device.

Screenshots: without the restriction, Erase All Content and Settings is available to the user; with the Erase Content and Settings restriction set, it is shown in the MDM Profile and users can no longer use the Erase All Content and Settings option.
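As an added example (not Matrix42 code and not part of the original article), the following Python script builds the two artefacts this section relies on and audits them: a Device Enrollment Program profile definition with Profile Removable disabled, and a supervised restrictions profile with Allow Erase Content And Settings disabled. It assumes that Silverback's Profile Removable switch corresponds to Apple's `is_mdm_removable` DEP profile key and that Allow Erase Content And Settings corresponds to the `allowEraseContentAndSettings` key of the `com.apple.applicationaccess` payload; the payload identifiers, enrolment URL and display name are constructed. The audit reproduces the two caveats above: the erase restriction is ignored on unsupervised devices, and a device re-enrolled outside the Device Enrollment Program after a business-data delete has a removable MDM profile again.

```python
"""Audit the Apple settings that keep a device enrolled (added example, not Matrix42 code)."""
import plistlib
import uuid
from typing import Optional

# Apple's restrictions payload type; allowEraseContentAndSettings lives in it.
APPLICATION_ACCESS = "com.apple.applicationaccess"


def build_dep_profile(mdm_removable: bool) -> dict:
    """Minimal Device Enrollment Program profile definition.

    Assumption: is_mdm_removable is the key behind the Profile Removable switch.
    False means the user gets no Remove Management button for the MDM profile.
    """
    return {
        "profile_name": "Corporate devices",           # constructed name
        "url": "https://mdm.example.invalid/enroll",   # placeholder enrolment URL
        "is_supervised": True,
        "is_mdm_removable": mdm_removable,
    }


def build_restrictions_profile(allow_erase: bool) -> bytes:
    """Serialise a .mobileconfig carrying one restrictions payload."""
    restrictions = {
        "PayloadType": APPLICATION_ACCESS,
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.restrictions.erase",  # constructed
        "PayloadUUID": str(uuid.uuid4()).upper(),
        # Supervised-only key: False greys out Erase All Content and Settings.
        "allowEraseContentAndSettings": allow_erase,
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.restrictions",        # constructed
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Block factory wipe",            # constructed
        "PayloadContent": [restrictions],
    }
    return plistlib.dumps(profile)


def audit(profile_bytes: bytes, dep_profile: Optional[dict], supervised: bool) -> dict:
    """Report which escape routes the user still has.

    remove_management: the user can remove the MDM profile themselves.
    erase_available:   Erase All Content and Settings still works.
    """
    profile = plistlib.loads(profile_bytes)
    # A profile may carry several payloads; look only at restrictions payloads.
    restrictions = [p for p in profile.get("PayloadContent", [])
                    if p.get("PayloadType") == APPLICATION_ACCESS]
    erase_blocked = any(p.get("allowEraseContentAndSettings") is False
                        for p in restrictions)
    # The key is honoured only on supervised devices.
    erase_available = not (supervised and erase_blocked)

    # No DEP profile (e.g. re-enrolled via QR code after a business-data delete):
    # the MDM profile is removable again regardless of the DEP setting.
    if dep_profile is None:
        remove_management = True
    else:
        remove_management = bool(dep_profile.get("is_mdm_removable", True))

    warnings = []
    if erase_blocked and not supervised:
        warnings.append("allowEraseContentAndSettings ignored: device is not supervised")
    if dep_profile is None:
        warnings.append("not DEP-enrolled: Remove Management is visible to the user")
    return {"remove_management": remove_management,
            "erase_available": erase_available,
            "warnings": warnings}


if __name__ == "__main__":
    # Hardened corporate device: neither escape route should remain.
    print(audit(build_restrictions_profile(False), build_dep_profile(False), supervised=True))
```

Run the file directly to see the report for a supervised, DEP-enrolled device; pass `dep_profile=None` or `supervised=False` to see which route reopens and why.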

Windows 10/11

On Windows 10 and Windows 11 devices, you can use the Experience restriction Allow Manual MDM Unenrollment to prohibit manual unenrollment. Users then won't be able to use the Disconnect button in the Access work or school area, but be aware that this restriction is only applicable to non-Azure AD joined devices (including Autopilot). If you are using Windows Autopilot, you can configure the Autopilot profile so that enrolled users only become standard users of the device. This ensures that users won't be able to unenroll the device because they lack the permission to do so.

Another option is to hide the menu in the Settings application completely. For this you can use the Configure Page Visibility restriction, which hides or shows specific areas of the Settings application. To hide the Access work or school menu, set the Visibility to hide and add workplace as the identifier. For additional identifiers, please refer to the ms-settings: URI scheme reference. If you want to prevent users from performing a factory wipe, you can use Page Visibility to hide the Recovery option in the Settings application by adding recovery as an identifier.

Screenshots: on Windows 11, the Disconnect button is shown this way when the Allow Manual MDM Unenrollment restriction is set to disabled; on Windows 10, the message This work or school account cannot be removed by system policy is shown.
Screenshots: if page visibility is set to hide and specified with workplace, the Access work or school menu is hidden for users; if it is set to hide and specified with e.g. workplace;recovery, both the Access work or school menu and the Recovery menu are hidden for users.
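As an added example (not Matrix42 code and not part of the original article), the following Python script shows what the two Windows settings above look like on the wire and checks them the way an auditor would. It assumes that Silverback's Allow Manual MDM Unenrollment restriction corresponds to the public Policy CSP node `Experience/AllowManualMDMUnenrollment` (integer, 1 allowed, 0 blocked) and that Configure Page Visibility corresponds to `Settings/PageVisibilityList` (string of the form `hide:workplace;recovery` or `showonly:...`); the SyncML command ids are constructed. The parser handles both the `hide:` and the `showonly:` form, rejects malformed page identifiers, and flags the caveat from the text that the unenrollment restriction does not apply to Azure AD joined devices.

```python
"""Build and read back the Windows Policy CSP settings above (added example, not Matrix42 code)."""
import xml.etree.ElementTree as ET

# Public Policy CSP nodes; their OMA-URIs are fixed by Windows, not by this example.
POLICY_ROOT = "./Device/Vendor/MSFT/Policy/Config"
URI_UNENROLL = POLICY_ROOT + "/Experience/AllowManualMDMUnenrollment"  # int: 1 allowed, 0 blocked
URI_PAGEVIS = POLICY_ROOT + "/Settings/PageVisibilityList"             # chr: hide:a;b or showonly:a;b


def page_visibility_value(hidden_pages: list) -> str:
    """Render a 'hide:' list of ms-settings page identifiers, e.g. hide:workplace;recovery."""
    for page in hidden_pages:
        if not page or ":" in page or ";" in page:
            raise ValueError(f"invalid ms-settings page identifier: {page!r}")
    return "hide:" + ";".join(hidden_pages)


def build_syncml(allow_manual_unenroll: bool, hidden_pages: list) -> str:
    """Emit the SyncML <Replace> items an MDM server sends for the two policies."""
    items = [(URI_UNENROLL, "int", "1" if allow_manual_unenroll else "0")]
    if hidden_pages:
        items.append((URI_PAGEVIS, "chr", page_visibility_value(hidden_pages)))
    body = ET.Element("SyncBody")
    for cmd_id, (uri, fmt, value) in enumerate(items, start=1):  # CmdIDs are constructed
        replace = ET.SubElement(body, "Replace")
        ET.SubElement(replace, "CmdID").text = str(cmd_id)
        item = ET.SubElement(replace, "Item")
        ET.SubElement(ET.SubElement(item, "Target"), "LocURI").text = uri
        meta = ET.SubElement(item, "Meta")
        ET.SubElement(meta, "Format", {"xmlns": "syncml:metinf"}).text = fmt
        ET.SubElement(item, "Data").text = value
    ET.SubElement(body, "Final")
    return ET.tostring(body, encoding="unicode")


def parse_page_visibility(value: str) -> dict:
    """Parse 'hide:a;b' or 'showonly:a;b' into its mode and page set."""
    mode, sep, pages = value.partition(":")
    mode = mode.strip().lower()
    if sep != ":" or mode not in ("hide", "showonly"):
        raise ValueError(f"malformed PageVisibilityList value: {value!r}")
    return {"mode": mode,
            "pages": {p.strip().lower() for p in pages.split(";") if p.strip()}}


def page_hidden(value: str, page: str) -> bool:
    """True when the given settings page is hidden under this PageVisibilityList value."""
    spec = parse_page_visibility(value)
    listed = page.lower() in spec["pages"]
    # 'hide' hides the listed pages; 'showonly' hides everything that is not listed.
    return listed if spec["mode"] == "hide" else not listed


def audit_syncml(xml_text: str, azure_ad_joined: bool) -> dict:
    """Read the policies back out of SyncML and report what the user can still reach."""
    values = {}
    for item in ET.fromstring(xml_text).iter("Item"):
        values[item.findtext("Target/LocURI")] = item.findtext("Data")
    # Windows default is 1 (manual unenrollment allowed) when the node is absent.
    manual_unenroll_allowed = values.get(URI_UNENROLL, "1") != "0"
    visibility = values.get(URI_PAGEVIS, "")
    workplace_hidden = bool(visibility) and page_hidden(visibility, "workplace")
    recovery_hidden = bool(visibility) and page_hidden(visibility, "recovery")
    warnings = []
    if azure_ad_joined and not manual_unenroll_allowed:
        warnings.append("AllowManualMDMUnenrollment does not apply to Azure AD joined devices")
    return {"manual_unenroll_allowed": manual_unenroll_allowed,
            "workplace_hidden": workplace_hidden,
            "recovery_hidden": recovery_hidden,
            "warnings": warnings}


if __name__ == "__main__":
    xml = build_syncml(False, ["workplace", "recovery"])
    print(xml)
    print(audit_syncml(xml, azure_ad_joined=False))
```

Running the file prints the SyncML for the hardened configuration (unenrollment blocked, Access work or school and Recovery pages hidden) and the audit result; call `audit_syncml(..., azure_ad_joined=True)` to see the warning that the unenrollment restriction will not take effect on such devices.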