Getting Started with NinjaOne Mobile Device Management

Topic

This article explains the role of and use cases for Mobile Device Management (MDM). For information about enrolling Android or Apple devices in MDM, refer to NinjaOne MDM: Getting Started With Android Device Management and NinjaOne Apple MDM: Getting Started with Apple Device Management.

Environment

NinjaOne Mobile Device Management (MDM)
Android OS
Apple iOS
Apple iPadOS
Apple macOS

Description

NinjaOne MDM software automates, controls, and implements administrative policies on various mobile devices. It allows you to view, manage, and secure Android and Apple mobile devices alongside other endpoints.

These devices can include the following:

Smartphones
Tablets and pads
Any Android device (version 8.0 or newer) with Google apps and services or another supported operating system

Select a topic to continue:

MDM Overview
Using the MDM Device Dashboard
Creating MDM Policies
- Apple Policy Configuration
- Android Policy Configuration
Additional Resources

MDM Overview

The Importance of MDM

Mobile device management offers numerous benefits, including:

Streamlined device provisioning through unified, policy‑based controls, enabling secure, compliant, and user‑ready configurations.
Tools to protect and manage assets on mobile devices.
A level of protection against security breaches that stem from employee mobile device usage.
Standardized mobile device management practices and processes with all your devices in one place.
Seamless remote access to mobile devices allows you to access and view users' mobile device screens to gain a clear understanding of device issues.
Complete, accurate, and updated inventories of company-owned and personal mobile devices to reduce the potential for device-based risks.

Compatibility

NinjaOne MDM supports the Google Android operating system (OS) and Apple iOS.

The minimum Android OS version supported for MDM is 8.0. For Apple iOS, the minimum OS version supported is iOS 10.
The minimum Apple iOS version supported for NinjaOne Remote and Quick Connect is 16+.

Terminology

Refer to the table below for an explanation of common terminology used by NinjaOne MDM.

Term	Definition
Android Enterprise (AE)	The connection type used to manage Android devices. Refer to Android Enterprise Resources (external link) for more information.
Apple Push Notification Service (APNs)	A connection type used to manage Apple devices. Refer to Configure devices to work with APNs - Apple Support (external link) for more information.
Apple Business Manager (ABM)	An optional connection used for advanced management of Apple devices.
Automated Device Enrollment (ADE)	A zero‑touch enrollment method used in mobile device management (MDM) that lets organizations automatically enroll and configure devices as soon as users power them on.
Managed Service Provider (MSP)	An organization that assists or fully takes over the management of devices and technology items for another organization.
Kiosk Mode	A setting that restricts devices to approved apps and functions, giving administrators tighter control over device functionality.

For more terminology used in NinjaOne guides, refer to NinjaOne Terminology.
For Apple-specific terminology, refer to Apple Platform Development: Glossary (external link).
For Android-specific terminology, refer to AndroidCentral's The Android Dictionary. (external link).

Personal Profiles Versus Work Profiles

When you add a mobile device to NinjaOne, you can categorize the usage or enrollment type as either For personal and work (Android) and Unsupervised (Apple) or For work (Android) and Supervised (Apple).

Usage types define how a device is enrolled:

For personal and work or unsupervised: These devices are usually personally owned, or bring your own device (BYOD). In this enrollment type, MDM platforms (including NinjaOne) have limited access to device information and actions.
- Admins usually enroll the device from the policy application or a link on an already configured device in active use. After enrollment, the organization can manage the applications and data within the work profile alone, with no visibility or management of the personal profile.
- All items, except for calls and messaging, can be segmented and kept separate between profiles. Work-related policies will not affect the personal profile. Restrictions are applied to the work profile only.
For work or supervised: These devices are usually company-owned and personally activated (COPE). This enrollment type enables platform-level separation of work apps and data.
- NinjaOne provides more detailed information about the device, including serial numbers and network-related data. Enterprises have control over data and security policies within the work profile. Outside the work profile, the device remains suitable for personal use.
- For Android devices, this must be a blank, new device (out of the box), or you will receive an error message when attempting to add the device to NinjaOne.
- During the setup process, the device will prompt users to add their own accounts and information to the configured work profile. The organization has some control over the personal profile for applications such as camera, screenshots, and other DLP policies, but retains limited visibility into activity outside of the work profile.

For more information on enrollment types, refer to one of the following articles:

Android: Refer to NinjaOne MDM: Adding a Company-Owned, Personally Enabled (COPE) Android Device to NinjaOne for more information.
iOS: Refer to Apple MDM: Understanding "Supervised" vs "Unsupervised" for more information.

Device Enrollment Check Expectations

Devices added to NinjaOne's MDM solution check in with the platform at least once a day. The check-in is not set to a specific schedule and may be affected by potential sync offsets, device power, or sleep state, or local conditions.

Any action taken in NinjaOne, such as a policy change, will take effect on the device almost immediately. Some application installations may take a few minutes, depending on the speed of the App Store connection, but should sync to the device as soon as they are deployed.

Using the MDM Devices Dashboard

The Devices dashboard is the central monitoring and management page for all devices, including mobile devices managed by NinjaOne MDM.

Before managing a device, you must activate NinjaOne MDM and complete the enrollment and setup process. For more information, refer to one of our device enrollment guides:

Google Android: NinjaOne Mobile Device Management: Android Enrollment Profiles
Apple iOS: NinjaOne Apple MDM: Getting Started with Apple Device Management

If you want to use Apple Business Manager (ABM), refer to NinjaOne Apple MDM: Integrate with ABM for Automated Device Enrollment (Supervised Devices).

Viewing Mobile Devices in the Dashboard

Follow these steps to view all your MDM-managed devices:

In NinjaOne, click Devices.
Click the Type filter and select Android, Apple Mobile, or both from the drop-down menu. After filtering for mobile devices, click a device to open its dashboard.

Figure 1: Devices → Type (click to enlarge)

View Ownership

The ownership of a device is selected at device setup and determines the policies and actions you can take on a device. If For personal and work or Unsupervised was selected when manually adding a mobile device in NinjaOne, then the device will show as Personally Owned.

View Encryption Settings

The Encryption field, located in Ownership on the Overview tab, indicates whether the device has Data Protection activated, which ensures that the Apple policy enforces a minimum 6-digit passcode. For more information, refer to NinjaOne Apple MDM: Apple Policy Management.

Perform Actions

On the device's dashboard, click the Action icon to view available actions. The device enrollment type (company-owned vs. personally owned) and OS type determine which actions are available. For more information about device actions, refer to NinjaOne Endpoint Management: Manage Devices and Run Actions.

Technicians must have a minimum of View, Update permissions activated for Devices → Default Access to view the action options on the device dashboard. Some actions can be performed only by a system administrator.

Refer to the following table for an explanation of everyday device actions.

Action	Description
Lock Device	Lock the device's work profile.
Clear Passcode	Notify the end user that they must set a new passcode. Select Reset Passcode to create a passcode for the work profile only (if the device is personally owned). If a device is personally owned, the Reset Passcode action potentially allows for two passcodes on a device (one for the work profile and one for the personal profile).
Reboot Device	Reboot the device. Depending on how the device was enrolled, this action may be nested in Security actions.
Erase Device	This action may have different results depending on the OS and ownership. Refer to NinjaOne Mobile Device Management (MDM): Unenroll, Erase, or Delete a Device for more information.
Software	Install apps for Apple devices.

Figure 2: Device dashboard → Action icon (click to enlarge)

Installing Apps Through the Action Icon

As a system administrator, place your cursor over the play/action button and select Software, then click Install apps.

Figure 3: Action → Software → Install apps

NinjaOne will display the installation status in the dashboard when the installation completes and create a log in Activities.

Apple Device Software Settings

When installing apps through the Action icon on the device dashboard, NinjaOne assigns the app a forced install type because it is applied outside the assigned policy, and you will not have the option to remove it from the device. For information about installing apps through the policy, refer to NinjaOne Apple MDM: Apple Policy Management.

Viewing Apps Installed Through The Action Icon

You can view a list of all applications installed on the device by navigating to Software → Inventory. This page shows only applications that were installed via the device or organization dashboard and does not show applications added through the policy. Likewise, the policy does not show applications that were installed via a device's or organization's dashboard.

Managing Apps Installed Through the Action Icon

When an app is force-installed, NinjaOne will present additional options for app management:
- Allow User Removal: Grant the device's end user the ability to delete the app.
- Force Management: Allow the option to manage and remove apps through NinjaOne only.
When you first click Install apps, you will not find any apps listed to select. You must enter the name of the app or vendor into the search field, then click Search to view the options. If unsure what to enter, you can type a single letter and click Search.
Currently, NinjaOne does not support removing applications that were installed outside of a policy. To work around this, you can set the app to Blocked, which inherently uninstalls it and makes it unavailable.

View Additional Device Details

Users can view data specifications for mobile devices in the Details tab on the device dashboard. These details include compliance status, security postures (Android), Cloud backup dates (Apple), system details, and more.

Click the arrow next to Compliance status to view details on the device's compliance state.

Tab	Description
Software inventory	The Software → Inventory tab on the device dashboard displays the applications that have been downloaded to the mobile device. The information displayed here may be different depending on whether the device uses an Android or an Apple OS: Android Software Inventory: Shows system apps and those within the profile NinjaOne manages. Company-managed devices should display all apps, whereas personal devices only report on apps inside the work profile. Apple Software Inventory: Shows non-system apps. If a device is reset to factory defaults and enrolled in MDM, no software will be shown in the inventory until you install apps through either NinjaOne or on the device itself.
Location tracking	NinjaOne MDM allows users to track the detailed location of mobile devices and any other device type that can provide their Global Positioning System (GPS) information. This feature helps track inventory assets and supports loss prevention. Refer to NinjaOne Mobile Device Management (MDM): Location Tracking for more information.
Custom fields	Custom fields allow you to publish data about a user, endpoint, organization, or location in NinjaOne. You create the custom fields and then use those fields to populate the Custom tabs on the dashboards. Refer to NinjaOne Custom Fields: Getting Started for more information.
Activities	The Activity feed is a chronological audit log for NinjaOne that shows all events from the system level to the device level. New activities are displayed at the top, along with a timestamp. Refer to NinjaOne Endpoint Management: Device and System Activity Notification Feed for more information.

Figure 4: Details → Compliance status → Non-compliant details (click to enlarge)

Creating MDM Policies

MDM Policies determine how users can use company-owned devices. Administrators can control what apps users can download, password requirements, default WiFi networks, personal usage policies, and more.

If you change a policy (for example, allowing access to the app store), users will need to restart their devices to view the changes.
There may be times when a device is offline for an extended period or is otherwise unable to process a policy update. If this occurs, or the configuration is not applied to a system, you can resync the policy by using the Action button on the device dashboard.

In NinjaOne, navigate to Administration → Policies → MDM Policies.

Figure 5: Access MDM policies in NinjaOne

Click Create New Policy. Enter policy details and click Save. Refer to NinjaOne Policies: Create and Manage a Policy for detailed instructions.
To change a device's policy, navigate to the Devices tab, select the checkbox next to the device name, then select Edit → Policy.

devices search_change policy.png — **Figure 6**: Change the policy for one or more devices

Apple Policy Configuration

Apple policies have four configuration options. Below is a brief description of these configuration options; for more details, refer to NinjaOne Apple MDM: Apple Policy Management.

Passcode: Manage and define passcode settings.
- Configuration for password values.
- Lock after failed attempts.
- Passcode criteria and update requirements.
- Auto-lock settings.
Restrictions: Add restrictions for any of the following:
- Functionality
- Application
- Security and Privacy
- Media
- iCloud
- Classroom
Applications: Assign available applications from the Public App Store or through the NinjaOne Apple Mobile Device Management (MDM): Apple Apps and Books integration. Apps deployed via Apple Apps and Books do not require the end user to log into a personal Apple ID on their device, and supervised devices can be silently installed.
Network: Add a policy network structure via manual proxy setup or WiFi.
- NinjaOne applies all Wi-Fi networks to the physical device.
- If a global proxy is configured, the user can turn it off on the device.

Android Policy Configuration

Android policy functionality depends on how the device is enrolled when it is added to the NinjaOne console (whether the usage type is set to For work or For personal and work). Policies take complete control over work-only devices. If the device is personally owned, some policy settings, like restrictions, may be limited.

There are six configuration options for Android policies. Below is a brief description of these configuration options; for details, refer to NinjaOne Mobile Device Management (MDM): Android Policy Management.

Passcode: Click through the three tabs in this setting for additional settings.
- Device scope: Set requirements for full device ownership
- Profile scope: Set requirements for the device's work profile only.
Restrictions: NinjaOne pulls most of the Android policy restrictions directly from the Android Management API. Refer to Android Management API (external link) for more information.
Applications: NinjaOne enables technicians to define what happens when mobile device management (MDM) applications, including kiosk app settings, are added or modified within a policy.
Network: Configure the Wi-Fi SSID and security. If necessary, you can manually set up a network proxy. Enabling direct proxy turns off any established Wi-Fi networks. You can edit these settings at any time.
Security: This section allows admins to encrypt the device, manage developer settings, define how users can move data for work, and more.
Policy enforcement: Policy enforcement allows you to block access to specific settings on either a work profile or the entire device for a specified number of days. If certain policy aspects are not applied successfully, there is an additional option to wipe the device.

Additional Resources

For more information about to learn more about NinjaOne Mobile Device Management (MDM): NinjaOne Mobile Device Management (MDM): Resource Catalog.